if Decrypt key is assigned to role and if user ssh in to that instance and see the contents of that file It will be seen in clear textis there a way to allow only instance to see decrypted contents
2 Answers
Use the EBS service to encrypt your volume with a KMS key using the industry-standard AES-256 algorithm. Your data key is stored on-disk with your encrypted data, but not before EBS encrypts it with your CMK—it never appears there in plaintext.
The EC2 Role and an API authentication with Access Key & Secret Access Key would allow decryption at CLI on Machine if it had CLI tools installed and the proper commands were issued. The SSH Key Pair alone would not. Be careful not to confuse Data plane key pairs (SSH & RDP) with Access Key / Secret Access Key Control Plane keys for the CLI and SDKs…
Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
The plain text KMS data key for EBS volume is stored EC2 in hypervisor memory. So it is invisible to users.
Server side encryption e.g. EBS volume encryption then it’s true. If data encryption before send to storage then you will have to decrypt data before you can see.