Certified Security - Specialty


How volume was created by a snapshot which was encrypted using CMK

I have 2 users. User1 created a CMK, and only she is the key admin and key user. User2 has full EC2 access on her profile, but no access to the CMK that user1 is part of. User1 created a snapshot of a volume and copied the image with the CMK. When user2 logged on, she tried to copy the snapshot but got an error; this is fine, since she has no access to the key and can't copy.

However, user2 was able to create a volume using the same encrypted snapshot. Why is this? When creating a volume, don't you have to read (copy) the encrypted snapshot?

1 Answer

I believe that this is because no decryption is needed to create a volume from a snapshot – the volume just contains the same encrypted data as the snapshot. That volume still cannot be attached to a running instance unless you have access to the KMS CMK that it was encrypted with, keeping the data secure.
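As an added illustration of the answer above (example code, not part of the original thread or of any AWS library), the block below models the key policy the KMS console generates when user1 is the only key administrator and key user, and evaluates which of the three EBS operations discussed (copy snapshot, create volume from the snapshot, attach the volume) each user can complete. The account id, user ARNs and the set of KMS actions each operation needs are this example's assumptions: following the answer, creating a volume needs no key operation because the ciphertext is simply carried over under the same key, while copying or attaching requires the caller to create a grant and use the key. The evaluator ignores the `kms:GrantIsForAWSResource` condition, which holds in the EC2 case.

```python
"""Evaluate a KMS key policy against the EBS operations from the thread.

Added example; account id, user ARNs and the per-operation action sets are
constructed assumptions, not values from the original post.
"""
import fnmatch

ACCOUNT = "111122223333"  # constructed placeholder account id
USER1 = f"arn:aws:iam::{ACCOUNT}:user/user1"  # key admin and key user
USER2 = f"arn:aws:iam::{ACCOUNT}:user/user2"  # full EC2 access, no key access

# Key policy in the shape the KMS console produces when user1 is the only
# key administrator and key user (constructed for this example).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow administration of the key",
         "Effect": "Allow", "Principal": {"AWS": USER1},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "Allow use of the key",
         "Effect": "Allow", "Principal": {"AWS": USER1},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources",
         "Effect": "Allow", "Principal": {"AWS": USER1},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}

# KMS actions each EBS operation needs on the snapshot's key (assumption):
# create-volume needs none, since the data stays ciphertext under the same key.
REQUIRED_KMS_ACTIONS = {
    "copy-snapshot": {"kms:DescribeKey", "kms:Decrypt", "kms:ReEncryptFrom",
                      "kms:GenerateDataKeyWithoutPlaintext", "kms:CreateGrant"},
    "create-volume": set(),
    "attach-volume": {"kms:DescribeKey", "kms:Decrypt",
                      "kms:GenerateDataKeyWithoutPlaintext", "kms:CreateGrant"},
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def key_policy_allows(policy, principal_arn, action):
    """Explicit Deny wins; otherwise any matching Allow statement permits.

    Action patterns use the IAM wildcard ('kms:ReEncrypt*'), so fnmatch is
    used for matching. Conditions are not evaluated in this model.
    """
    allowed = False
    for stmt in policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal_arn not in principals and "*" not in principals:
            continue
        patterns = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_kms_actions(policy, principal_arn, operation):
    """Key actions the principal lacks for the operation (empty set = allowed)."""
    needed = REQUIRED_KMS_ACTIONS[operation]
    return {a for a in needed if not key_policy_allows(policy, principal_arn, a)}


def can_perform(policy, principal_arn, operation):
    return not missing_kms_actions(policy, principal_arn, operation)


if __name__ == "__main__":
    for user in (USER1, USER2):
        for op in REQUIRED_KMS_ACTIONS:
            gap = missing_kms_actions(KEY_POLICY, user, op)
            verdict = "allowed" if not gap else "denied, missing " + ", ".join(sorted(gap))
            print(f"{user.rsplit('/', 1)[1]:6} {op:15} {verdict}")
```

Running the block reproduces the thread's observation: user2 passes the `create-volume` check because no key action is required, but fails `copy-snapshot` and `attach-volume` on every required action, while user1 passes all three. The same evaluator can be pointed at a real policy exported with `aws kms get-key-policy` to audit who can actually use a key for EBS.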
