The Encrypted EBS feature provides encryption of data at rest: anything saved on the volume is protected automatically for as long as it resides on the volume.
Risks for Unencrypted Volumes
By encrypting volumes, you protect them against the following threats:
- Loss of control of the storage media
- Loss of control of the storage media where snapshots created from the volume reside
- Compromise of the networks attached to the storage systems
Supported Instance Types and Roles
Instances that use encrypted volumes are limited to the instance types T2, C3, C4, M3, M4, and R3.
Encrypted EBS can be used selectively with any instance role (Database, Application, Utility). For Application and Utility instances, encryption can be enabled on a case-by-case basis unless you set the 'Encrypt All Instances' option in the Edit Environment page.
The Encrypted EBS feature provides the same IOPS performance on encrypted volumes as on unencrypted volumes, with minimal effect on latency and at no additional cost.
Enable Encrypted EBS
For new instances, Encrypted EBS can be enabled through the environment options page. When selected, the mount points /db, /data, /mnt, and swap will be encrypted on an Encrypted EBS host.
It is not possible to convert an existing unencrypted volume or snapshot directly to an encrypted state. Application and Utility instances can be re-created with a new, encrypted volume. Database instances require a migration similar to a major database version upgrade, which can also be performed by Professional Services.
If enabled, a key icon appears next to the instance names on the environment page, indicating that the volumes are encrypted.
Database Backups & Replicas
Backups should also be taken into consideration to ensure encryption of data at rest, not only the volumes themselves. This is a straightforward process, as covered in this article.
Any replicas added to a master DB which already has an encrypted volume will use encryption automatically.
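The risks listed above (lost media, unencrypted snapshots) and the backup point are easiest to catch with a periodic audit of the account. The following is an added example, not part of the original article or the platform's own tooling: it reports every instance that still has an unencrypted volume attached, every detached unencrypted volume, and every unencrypted snapshot. It operates on the dict shapes returned by boto3's ec2.describe_volumes() and ec2.describe_snapshots(); the sample data is constructed so the check runs offline, and the load_live() helper is an assumption about how you would feed it real data.

```python
"""Audit EBS volumes and snapshots for at-rest encryption (added example)."""
from collections import defaultdict

# Constructed sample in the describe_volumes()/describe_snapshots() shape:
# i-db1 is fully encrypted, i-app1 has a mixed set, vol-0d is detached.
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a", "Encrypted": True,
     "Attachments": [{"InstanceId": "i-db1", "Device": "/dev/sdf"}]},
    {"VolumeId": "vol-0b", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-app1", "Device": "/dev/sdf"}]},
    {"VolumeId": "vol-0c", "Encrypted": True,
     "Attachments": [{"InstanceId": "i-app1", "Device": "/dev/sdg"}]},
    {"VolumeId": "vol-0d", "Encrypted": False, "Attachments": []},
]}
SAMPLE_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-1", "VolumeId": "vol-0a", "Encrypted": True},
    {"SnapshotId": "snap-2", "VolumeId": "vol-0b", "Encrypted": False},
]}


def audit(volumes, snapshots):
    """Return unencrypted volumes grouped by instance, detached unencrypted
    volumes, and unencrypted snapshots (backups that are not protected)."""
    per_instance = defaultdict(list)
    detached = []
    for vol in volumes["Volumes"]:
        if vol["Encrypted"]:
            continue  # snapshots of an encrypted volume are always encrypted
        if vol["Attachments"]:
            for att in vol["Attachments"]:
                per_instance[att["InstanceId"]].append(vol["VolumeId"])
        else:
            detached.append(vol["VolumeId"])
    plain_snaps = [s["SnapshotId"] for s in snapshots["Snapshots"]
                   if not s["Encrypted"]]
    return {"instances": dict(per_instance), "detached_volumes": detached,
            "snapshots": plain_snaps}


def load_live(region):
    """Assumed helper: fetch real data with boto3 (needs AWS credentials)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.describe_volumes(), ec2.describe_snapshots(OwnerIds=["self"])


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS).items():
        print(f"{kind}: {items or 'all encrypted'}")
```

An empty result for all three keys means every volume and snapshot in the account is encrypted; anything listed under "instances" is a candidate for the new-volume or migration path described above.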