Skip to main content

Amazon Elastic Block Store (Amazon EBS)

Service Details

Amazon Elastic Block Store (Amazon EBS) provides block level storage volumes for use with EC2 instances. EBS volumes behave like raw, unformatted block devices. EBS volumes can be mounted as devices on EC2 instances.

EBS volumes can be used to store a verity of content. However, EBS provides different types of volumes depending on the main purpose of the storage media, the volume types available are:

SSD Based Volumes

Volume NameMax SizeMax IOPS Per Volume
gp3 / gp21 GiB - 16 TiB16,000
io2 Block Express4 GiB - 64 TiB256,000
io2 / io14 GiB - 16 TiB64,000

HDD Based Volumes

Volume NameMax SizeMax IOPS Per Volume
st1125 GiB - 16 TiB500
sc1125 GiB - 16 TiB250
  • Any of the gp (general purpose) drives will suit the vast majority of workloads, but AWS provides options as required.
  • More IOPS = more performance.
  • The full specs of each EBS volumes can be found here

Availability Zones

  • EBS drives are deployed into specific availability zones (AZ).
  • EC2 instances and EBS volumes must be in the same AZ when attaching.

EC2 Specifics

  • Depending on the configuration of an EC2 instance the EBS volume may be deleted on instance termination, if you don't want this to happen set the delete on termination flag to false


  • EBS volumes can be encrypted with AWS owned KMS keys or customer managed keys (CMKs)
  • Snapshots will be created with the same encryption method as the current EBS
  • It is not possible to change encryption settings after creation. If an EBS is accidentally created unencrypted, it must be snapshotted and then a new EBS created form the snapshot (with encryption applied on the new EBS volume).
  • It is possible to enforce encryption at the account level, see Assessment Notes.

Access Control

  • EBS drives do not support resource based policies, so all permissions will be granted via IAM.
  • EBS drives can be tagged allowing for tag based access control.

Fault Injection

  • EBS provides the ability to fault test by either pausing I/O on a specified volume or using AWS Fault Injection Simulator (FIS). Disable this permission if you never intend to use it.

Assessment Notes

Useful CLI Commands

  • aws ec2 get-ebs-encryption-by-default - Retrieves the default encryption status for EBS resources in current region.
  • aws ec2 describe-volumes --volume-id <Volume-ID> --region <Region> --query 'Volumes[].{Encrypted:Encrypted}'* - Retrieves the encryption status for the specified volume.
  • aws ec2 describe-snapshots --snapshot-id <Snapshot-ID> --region <Region> --query 'Snapshots[].{Encrypted:Encrypted}' - Retrieves the encryption status for the specified snapshot.
  • aws ec2 describe-snapshot-attribute --snapshot-id <Snapshot-ID> --attribute createVolumePermission --region <Region> - Checks whether the specified snapshot is public.