I have 2 users. User1 created a CMK and only she is the keyadmin and keyuser. I have user2 who has full EC2 access on her profile, but no access to the CMK which user1 is part of. User1 created a snapshot of a volume and copied the image with the CMK. When user2 logged on, she tried to copy the snapshot, but got an error; this is fine since she has no access to the key and can’t copy.
However, user2 was able to create a volume using the same encrypted snapshot. Why is this? While creating a volume, don’t you have to read (copy) the encrypted snapshot?
I believe that this is because no decryption is needed to create a volume from a snapshot – the volume just contains the same encrypted data as the snapshot. That volume still cannot be attached to a running instance unless you have access to the KMS CMK that it was encrypted with, keeping the data secure.