Why am I still able to read encrypted EBS volume data in EC2 even after disabling the KMS key?

Question

I am trying to verify data encryption of EBS volume in AWS. I have encrypted one EBS volume with a KMS key and mounted it on an EC2 instance. I have some files in this volume and I was hoping that if I disable the KMS key, I won't be able to read the files in EBS volume but that is not happening. I am guessing that it might be the case that while attaching the EBS volume to the EC2 instance, we require the key. After that even if we disable the key, we will still be able to read the Data. Is my understanding correct?

Answer 1

From the docs:

For each volume, Amazon EBS asks AWS KMS to generate a unique data key encrypted under the CMK that you specify. Amazon EBS stores the encrypted data key with the volume. Then, when you attach the volume to an Amazon EC2 instance, Amazon EBS calls AWS KMS to decrypt the data key. Amazon EBS uses the plaintext data key in hypervisor memory to encrypt all disk I/O to the volume.

The instance actually only calls KMS once when it starts and attaches the volume to decrypt the data key. Afterwards it keeps that in memory as it would take too long to call KMS each time. As a result of this it shouldn't matter what you do with the key as long as the instance is running.

My assumption would be that something will fail whenever you stop and start the instance or attach the volume to another instance, because it will then try to fetch the key from KMS.

For more details I suggest you check out the complete documentation on EBS encryption.

Answer 2

Am new to AWS, but currently using KMS key to encrypt an S3 bucket. And I happened to have the same issue. I was able to access files even after disabling it. But, after 5-10 minutes, I was not able to access. So, I think it won't reflect immediately.