How can you secure data at rest on an EBS volume?

A. Attach the volume to an instance using EC2’s SSL interface.

B. Write the data randomly instead of sequentially.

C. Encrypt the volume using the S3 server-side encryption service.

D. Create an IAM policy that restricts read and write access to the volume.

E. Use an encrypted file system on top of the EBS volume.

Explanation:

https://aws.amazon.com/blogs/aws/protect-your-data-with-new-ebs-encryption/




T

A,B,C,D are wrong

Only E makes sense

mr_tienvu

I have the same idea. C

Senator

Answer is E

TechMinded

I’m with Kamlesh, E is the answer!

“You can enable EBS encryption when you create a new volume…”

kamleshj

C

We take data protection very seriously! Over the years we have added a number of security and encryption features to various parts of AWS. We protect data at rest with Server Side Encryption for Amazon S3 and Amazon Glacier, multiple tiers of encryption for Amazon Redshift, and Transparent Data Encryption for Oracle and SQL Server databases via Amazon RDS. We protect data in motion with extensive support for SSL/TLS in CloudFront, Amazon RDS, and Elastic Load Balancing.

noorani khan

Yes, you can encrypt S3, EC2 instances, etc. But the question is how to encrypt the volume on EBS at rest; it has nothing to do with S3.

engmohhamed

E, makes sense

kay

D

https://d0.awsstatic.com/whitepapers/AWS_Securing_Data_at_Rest_with_Encryption.pdf

Because Amazon EBS volumes are presented to an instance as a block device, you can
leverage most standard encryption tools for file system-level or block-level encryption.
Some common block-level open source encryption solutions for Linux are Loop-AES,
dm-crypt (with or without) LUKS, and TrueCrypt. Each of these operates below the file
system layer using kernel space device drivers to perform encryption and decryption of
data. These tools are useful when you want all data written to a volume to be encrypted
regardless of what directory the data is stored in.

Another option would be to use file system-level encryption, which works by stacking an
encrypted file system on top of an existing file system. This method is typically used to
encrypt a specific directory. eCryptfs and EncFs are two Linux-based open source
examples of file system-level encryption tools.

vladam

As per this explanation the correct answer is E:
E. Use an encrypted file system on top of the EBS volume.

So the right answer is E.

Antony Philip

An encrypted filesystem is an operation inside EC2, and that cannot be done by any AWS service (it's a sysadmin task). But server-side encryption can be done when the volume (not the filesystem) is created.

So the answer is C, I guess.

Skipper

I think even if the EBS volume is stored on S3 and encrypted with SSE-S3, the E option is not wrong and thus a better, more obvious fit.

bargom

Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use
with Amazon EC2 instances. Amazon EBS volumes are network-attached, and persist
independently from the life of an instance.

Because Amazon EBS volumes are presented to an instance as a block device, you can
leverage most standard encryption tools for file system-level or block-level encryption.
Some common block-level open source encryption solutions for Linux are Loop-AES,
dm-crypt (with or without) LUKS, and TrueCrypt. Each of these operates below the file
system layer using kernel space device drivers to perform encryption and decryption of
data. These tools are useful when you want all data written to a volume to be encrypted
regardless of what directory the data is stored in.

Another option would be to use file system-level encryption, which works by stacking an
encrypted file system on top of an existing file system. This method is typically used to
encrypt a specific directory. eCryptfs and EncFs are two Linux-based open source
examples of file system-level encryption tools.

Answer: E (as we don’t see block level encryption in the options)

majidy

Answer is E:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

Amazon EBS encryption offers you a simple encryption solution for your EBS volumes without the need for you to build, maintain, and secure your own key management infrastructure. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

Data at rest inside the volume
All data moving between the volume and the instance
All snapshots created from the volume
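
An added example, not from the original page, its commenters or AWS: a check over `aws ec2 describe-volumes` JSON that separates volumes using the EBS encryption quoted above from those that would have to rely on in-instance encryption (dm-crypt/LUKS or an encrypted file system). The sample volumes, their IDs and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-volumes` output.
# Volume, instance and key identifiers are placeholders, not real resources.
SAMPLE = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0aaa", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
   "State": "in-use",
   "Attachments": [{"InstanceId": "i-0aaa", "Device": "/dev/sdf"}]},
  {"VolumeId": "vol-0bbb", "Encrypted": false, "State": "in-use",
   "Attachments": [{"InstanceId": "i-0bbb", "Device": "/dev/sdg"}]},
  {"VolumeId": "vol-0ccc", "Encrypted": false, "State": "available",
   "Attachments": []}
]}
""")


def audit_volumes(doc):
    """Return one finding per volume as (volume_id, status, detail)."""
    findings = []
    for vol in doc.get("Volumes", []):
        vid = vol.get("VolumeId", "<unknown>")
        attached = [(a.get("InstanceId"), a.get("Device"))
                    for a in vol.get("Attachments", [])]
        if vol.get("Encrypted") is True:
            # EBS encryption is on; report which KMS key protects the volume.
            findings.append((vid, "ebs-encrypted",
                             vol.get("KmsKeyId", "<no key id reported>")))
        elif attached:
            # No EBS encryption: data at rest is protected only if the instance
            # encrypts it (dm-crypt/LUKS, eCryptfs, ...), which the API cannot show.
            where = ", ".join(f"{inst}:{dev}" for inst, dev in attached)
            findings.append((vid, "unencrypted-attached", where))
        else:
            findings.append((vid, "unencrypted-unattached", "no attachments"))
    return findings


def unencrypted_ids(doc):
    """Volume IDs that do not use EBS encryption, sorted for stable output."""
    return sorted(v for v, status, _ in audit_volumes(doc)
                  if status != "ebs-encrypted")


if __name__ == "__main__":
    for vid, status, detail in audit_volumes(SAMPLE):
        print(f"{vid:10} {status:24} {detail}")
```
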

T

Some common block-level open source encryption solutions for Linux are Loop-AES,
dm-crypt (with or without) LUKS, and TrueCrypt. Each of these operates below the file system layer using kernel
space device drivers to perform encryption and decryption of data. These tools are useful when you want all data
written to a volume to be encrypted regardless of what directory the data is stored in. Another option would be to use
file system-level encryption, which works by stacking an encrypted file system on top of an existing file system.