Does an EC2 instance by default get privileges to decrypt data key of any EBS volume attached to it? I dont see any policies via roles attached to EC2 instance to restrict this behavior. By EBS encryption, I understand that AWS employees with direct access to the underlying hardware cannot view your data. Hypothetically, what if they spin up an EC2, connect the underlying EBS hardware and attach an EBS volume on this hardware to EC2? Wouldn't they see the data in unencrypted format? More specifically, what other controls in addition to encryption prevents data breach in case of direct access in AWS or is just encryption & safe storage of CMK sufficient in this case?
↧