[AWS Architect] (35) Elastic Block Store (EBS)

Elastic Block Store (EBS) is a network-attached storage service that creates and manages persistent volumes.

  • Volumes are persistent (removed and attached) and are replicated within a single AZ.
  • You can change the EBS volume size and the storage type on the fly.
  • EBS supports a maximum per-instance throughput of 1,750 MiB/s.
  • EBS supports 80,000 IOPS per instance or 64,000 IOPS per volume.
  • By default, EBS volumes are replicated within the AZ.
  • Termination Protection is turned off by default. You must turn it on.
  • On an EBS-backed instance, the root volume will be deleted by default when the instance is terminated.

EBS Volume Types

  • Cold HDD (sc1)
    • low cost, infrequent access such as file servers
    • can not be a boot volume
    • 500 GiB ~ 16 TiB, ~ 250 IOPS, (12MiB/Tib) ~ 250 MiB/s
  • Throughput Optimized HDD (st1)
    • low cost, throughput intensive(streaming)
    • can’t be boot volume
    • 500 GiB ~ 16 TiB, ~ 500 IOPS, (40MiB/Tib) ~ 500 MiB/s
  • General Purpose SSD (gp2)
    • default for most workload, balanced IOPs & MiB/s
    • 1GiB ~ 16 TiB, 3 IOPS/GiB (100 ~ 16,000 IOPS), Bursts up to 3000 IOPS, ~ 250MiB/s
  • Provisioned IOPS SSD (io1)
    • consistent and low-latency performance, for large relational databases or NoSQL databases
    • can adjust size and IOPS separately
    • 4GiB ~ 16 TiB, 100 IOPS up to 64,000 IOPS, ~ 1,000 MiB/s

EBS Snapshots

A snapshot is a point-in-time backup of an ESB Volume stored in S3.

  • To protect against AZ failure, EBS snapshots (to S3) can be used.
  • Snapshots are incremental. The initial snapshot is a full copy, and future ones only store the data changed since the last snapshot, which can reduce the storage cost.
  • You can take a snapshot while the instance is running except the root volume.
  • You can create an AMI from a snapshot.
  • EBS volumes are in the same AZ of the EC2 instance.
  • Use case 1: Move volumes between AZs.
    1. Take a snapshot
    2. Create an AMI from it
    3. Launch an instance using the AMI.
  • Use case 2: Move volumes between regions.
    1. Take a snapshot
    2. Create an AMI from it
    3. Copy the AMI to another region
    4. Launch a new instance using the AMI.
  • Snapshots can be copied between regions, shared, and automated using Data Lifecycle Manager (DLM).
  • Snapshots copied from an encrypted EBS volume will also be encrypted. Since CMK (Customer Master Key) is regional, a new CMK from the destination region will be needed for cross-region copies.
  • You can share snapshots with other accounts.
  • Fast Snapshot Restore (FSR) allows you to promptly restore fully provisioned EBS volumes from snapshots, regardless of the size of the volume or snapshot.

EBS Volume Encryption

Volume encryption uses EC2 host hardware to encrypt data at rest and in-transit between EBS and EC2 instances.

  • KMS (Key Management Service) generates a Data Encryption Key (DEK) from a Customer Master Key (CMK) in each region. A unique DEK encrypts each volume. Snapshots of that volume are encrypted with the same DEK.
  • Encrypted DEKs (stored in a volume) are decrypted by KMS using a CMK and given to the EC2 host.
  • A decrypted (text) DEK is stored in EC2 memory while it is active and used to encrypt/decrypt data. The plaintext DEK is discarded when an instance is rebooted. KMS must resend the plaintext DEK.
  • Case 1: Encrypting the EBS volume
    • Select an “Encrypt” option while creating an instance.
    • When you enable the encryption for EBS, you can override the default key and select symmetric customer-managed CMK. EBS does not support asymmetric CMKs.
    • You can encrypt data before saving them on ESB by calling KMS API.
  • Case 2: Encrypting an unencrypted EBS volume
    • You cannot directly enable encryption in an existing unencrypted volume.
    • Use the Operating System level encryption such as bit locker.
    • Take a snapshot -> create a copy with encryption
    • If you need to use the volume as a root volume, make an AMI with an encrypted volume and deploy the AMI.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s