oam/knowledge base/cloud computing/aws/ebs.md

# Elastic Block Store

Persistent [block storage][what is block storage?] for [EC2 Instances][ec2].

1. [TL;DR](#tldr)
1. [Snapshots](#snapshots)
1. [Encryption](#encryption)
1. [Further readings](#further-readings)
   1. [Sources](#sources)

## TL;DR

<details>
  <summary>Real world use cases</summary>

```sh
# Clean up unused volumes.
aws ec2 describe-volumes --output 'text' --filters 'Name=status,Values=available' \
  --query "Volumes[?CreateTime<'2018-03-31'].VolumeId" \
| xargs -pn '1' aws ec2 delete-volume --volume-id

# Check state of snapshots.
aws ec2 describe-snapshots --snapshot-ids 'snap-0123456789abcdef0' \
  --query 'Snapshots[].{"State": State,"Progress": Progress}' --output 'yaml'

# Wait for snapshots to finish.
aws ec2 wait snapshot-completed --snapshot-ids 'snap-0123456789abcdef0'
```

</details>

Volumes can have their size **increased**, but **not** reduced.<br/>
After increase, the filesystem **must** be [extended][Extend the file system after resizing an EBS volume] to take
advantage of the change in size.<br/>
Apparently, Linux machines are able to do that automatically with a reboot.

## Snapshots

The first snapshot is **complete**, with all the volume's blocks being copied. All successive snapshots of the same
volume are **incremental**, with only the changes being copied.<br/>
Incremental snapshots are stored in EBS' standard tier.

Snapshots can be unbearably slow depending on the amount of data needing to be copied.<br/>
For comparison, the first snapshot of a 200 GiB volume took about 2h to complete.

Snapshots can be [archived][archive amazon ebs snapshots] to save money should they **not** need frequent nor fast
retrieval.<br/>
When archived, incremental snapshots are converted to **full snapshots** and moved to EBS' archive tier.

> The minimum archive period is 90 days.<br/>
> If deleting or permanently restoring an archived snapshot before the minimum archive period, one is billed for all the
> remaining days in the archive tier, rounded to the nearest hour.

When access to archived snapshots is needed, they need to be restored to the standard tier before use. Restoring can
take **up to 72h**.

## Encryption

Refer [How Amazon EBS encryption works].

One can encrypt both boot and data volumes.

At the time of writing, only **symmetric** keys are supported.

Volumes attached to supported instance types encrypt the following types of data:

- Data **at rest** inside the volume.
- Data moving between the volume and the attached instance.
- Snapshots created from the volume.
- Volumes created from said snapshots.

Volumes are encrypted with a AES-256 data key.<br/>
The key is:

1. Generated by KMS.
1. Encrypted by KMS with another KMS-managed key.
1. Stored with the volume's information.

EBS automatically creates a unique AWS-managed key in **each** Region where one creates EBS resources, using the
`aws/ebs` alias. EBS then uses this KMS key for encryption by default.<br/>
Alternatively, one can use a **symmetric** customer managed encryption key of one's own creation.

EC2 integrates with KMS to encrypt and decrypt EBS volumes in ways that differ depending on whether the original
snapshot for encrypted volumes is itself encrypted or unencrypted.

<details>
  <summary>The original snapshot is <b>encrypted</b></summary>

1. EC2 sends a `GenerateDataKeyWithoutPlaintext` request to KMS specifying the KMS key for volume encryption.
1. If the volume is encrypted using the same key as the snapshot, KMS encrypts that key using that same data key as
   the snapshot.<br/>
   If the volume is encrypted using a different KMS key, KMS generates a new data key and encrypts it using the
   specified key. The encrypted data key is then sent to EBS to be stored with the volume metadata.
1. When attaching the encrypted volume to an instance, EC2 sends a `CreateGrant` request to KMS to be allowed to
   decrypt the data key.
1. KMS decrypts the encrypted data key and sends the decrypted data key to EC2.
1. EC2 uses the plaintext data key in the Nitro hardware to encrypt disk I/O to the volume.<br/>
   The plaintext data key persists in memory as long as the volume is attached to the instance.

</details>

<details>
  <summary>The original snapshot is <b>not</b> encrypted</summary>

1. EC2 sends a `CreateGrant` request to KMS to be allowed to encrypt the volume that is being created from the snapshot.
1. EC2 sends a `GenerateDataKeyWithoutPlaintext` request to KMS specifying the key chosen for volume encryption.
1. KMS generates a new data key, encrypts it using the specified key, and sends the encrypted data key to EBS to be
   stored with the volume metadata.
1. EC2 sends a `Decrypt` request to KMS to decrypt the encrypted data key, which it then uses to encrypt the volume's
   data.
1. When attaching the encrypted volume to an instance, EC2 sends:

   1. A `CreateGrant` request to KMS to be allowed to decrypt the data key.
   1. A `Decrypt` request to KMS specifying the encrypted data key.

1. KMS decrypts the encrypted data key and sends the decrypted data key back to EC2.
1. EC2 uses the plaintext data key in the Nitro hardware to encrypt disk I/O to the volume.<br/>
   The plaintext data key persists in memory as long as the volume is attached to the instance.

When KMS keys become unusable, the effect is **almost immediately** subject to **eventual** consistency.<br/>
The key state of the impacted KMS keys change to reflect their new condition, and all requests to use those keys in
cryptographic operations fail.

EC2 uses the **data** key, not the KMS key itself, to encrypt all disk I/O while a volume is attached to
the instance. As such, there is **no** immediate effect on the EC2 instance or its attached EBS volumes when performing
an action that makes a key unusable.<br/>
When the encrypted EBS volume is detached from the instance, however, EBS removes the data key from the Nitro hardware.
As such, the next time the encrypted EBS volume is attached to an EC2 instance the attachment will fail due EBS being
unable to use the KMS key to decrypt the volume's encrypted data key. To use the EBS volume again, one must make the KMS
key usable again.

## Further readings

- [Amazon Web Services]
- [What is block storage?]
- AWS' [CLI]
- [Archive Amazon EBS snapshots]
- [Automate snapshot lifecycles]
- [Choose the best Amazon EBS volume type for your self-managed database deployment]
- [Extend the file system after resizing an EBS volume]

### Sources

- [Documentation]
- [Delete Unused AWS EBS Volumes]
- [`describe-volumes`][describe-volumes]
- [`delete-volume`][delete-volume]
- [How do I increase or decrease the size of my EBS volume?]
- [How Amazon EBS encryption works]

<!--
  Reference
  ═╬═Time══
  -->

<!-- Knowledge base -->
[amazon web services]: README.md
[cli]: cli.md
[ec2]: ec2.md

<!-- Upstream -->
[archive amazon ebs snapshots]: https://docs.aws.amazon.com/ebs/latest/userguide/snapshot-archive.html
[automate snapshot lifecycles]: https://docs.aws.amazon.com/ebs/latest/userguide/snapshot-ami-policy.html
[choose the best amazon ebs volume type for your self-managed database deployment]: https://aws.amazon.com/blogs/storage/how-to-choose-the-best-amazon-ebs-volume-type-for-your-self-managed-database-deployment/
[delete-volume]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-volume.html
[describe-volumes]: https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-volumes.html
[documentation]: https://docs.aws.amazon.com/ebs/
[extend the file system after resizing an ebs volume]: https://docs.aws.amazon.com/ebs/latest/userguide/recognize-expanded-volume-linux.html
[how amazon ebs encryption works]: https://docs.aws.amazon.com/ebs/latest/userguide/how-ebs-encryption-works.html
[how do i increase or decrease the size of my ebs volume?]: https://repost.aws/knowledge-center/ebs-increase-decrease-volume-size
[what is block storage?]: https://aws.amazon.com/what-is/block-storage/

<!-- Others -->
[delete unused aws ebs volumes]: https://www.nops.io/unused-aws-ebs-volumes/