Amazon EBS

Amazon EBS volumes are essentially hard disks that can be attached to a running Amazon EC2 instance.

Amazon EBS is especially suited for applications that require a database, a file system,
or access to raw block-level storage.

Amazon EBS and Amazon EC2 are often used in conjunction with one another when building a fault-tolerant application on the AWS platform.

Any data that needs to persist should be stored on Amazon EBS volumes, not on the so-called “ephemeral storage” associated with each Amazon EC2 instance.

If the Amazon EC2 instance fails and needs to be replaced, the Amazon EBS volume can simply be attached to the new Amazon EC2 instance.

Since this new instance is essentially a duplicate of the original, there should be no loss of data or functionality.

Amazon EBS volumes are highly reliable, but to further mitigate the possibility of a failure, backups of these volumes can be created using a feature called snapshots. A robust backup strategy will include an interval (time between backups, generally daily but perhaps more frequently for certain applications), a retention period (dependent on the application and the business requirements for rollback), and a recovery plan. Snapshots are stored in Amazon S3 for high durability.
Snapshots can be used to create new Amazon EBS volumes, which are an exact replica of the original volume at the time the snapshot was taken. Because backups represent the on-disk state of the application, care must be taken to flush in-memory data to disk before initiating a snapshot.

Amazon Elastic Block Storage (Amazon EBS) allows you to create storage volumes
from 1 GB to 16 TB that can be mounted as devices by Amazon EC2 instances.
Storage volumes behave like raw, unformatted block devices, with user-supplied device
names and a block device interface. You can create a file system on top of Amazon
EBS volumes, or use them in any other way you would use a block device (like a hard
drive). Amazon EBS volume access is restricted to the AWS Account that created the
volume, and to the users under the AWS Account created with AWS IAM if the user has
been granted access to the EBS operations, thus denying all other AWS Accounts and
users the permission to view or access the volume.

Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations
as part of normal operation of those services and at no additional charge. However,
Amazon EBS replication is stored within the same availability zone, not across multiple
zones; therefore, it is highly recommended that you conduct regular snapshots to
Amazon S3 for long-term data durability. For customers who have architected complex
transactional databases using EBS, it is recommended that backups to Amazon S3 be
performed through the database management system so that distributed transactions
and logs can be checkpointed. AWS does not perform backups of data that are
maintained on virtual disks attached to running instances on Amazon EC2.

You can make Amazon EBS volume snapshots publicly available to other AWS
Accounts to use as the basis for creating your own volumes. Sharing Amazon EBS
volume snapshots does not provide other AWS Accounts with the permission to alter or
delete the original snapshot, as that right is explicitly reserved for the AWS Account that
created the volume. An EBS snapshot is a block-level view of an entire EBS volume.
Note that data that is not visible through the file system on the volume, such as files that
have been deleted, may be present in the EBS snapshot. If you want to create shared
snapshots, you should do so carefully. If a volume has held sensitive data or has had
files deleted from it, a new EBS volume should be created. The data to be contained in
the shared snapshot should be copied to the new volume, and the snapshot created
from the new volume.

Amazon EBS volumes are presented to you as raw unformatted block devices that have
been wiped prior to being made available for use. Wiping occurs immediately before
reuse so that you can be assured that the wipe process completed. If you have
procedures requiring that all data be wiped via a specific method, such as those
detailed in NIST 800-88 (“Guidelines for Media Sanitization”), you have the ability to do
so on Amazon EBS. You should conduct a specialized wipe procedure prior to deleting
the volume for compliance with your established requirements.
(Amazon Web Services: Overview of Security Processes)

Encryption of sensitive data is generally a good security practice, and AWS provides the
ability to encrypt EBS volumes and their snapshots with AES-256. The encryption
occurs on the servers that host the EC2 instances, providing encryption of data as it
moves between EC2 instances and EBS storage. In order to be able to do this
efficiently and with low latency, the EBS encryption feature is only available on EC2’s
more powerful instance types (e.g., M3, C3, R3, G2).
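
The snapshot sharing, encryption and backup-interval points above can be checked mechanically. The following is an added example, not code from AWS or from the original text: it audits snapshot records shaped like the EC2 DescribeSnapshots and DescribeSnapshotAttribute (createVolumePermission) responses. The snapshot and volume IDs, the account ID, the dates and the one-day interval are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def audit_snapshots(snapshots, permissions, now, interval=timedelta(days=1)):
    """Return (findings per snapshot, volumes whose newest backup exceeds interval)."""
    findings, newest = {}, {}
    for snap in snapshots:
        sid, issues = snap["SnapshotId"], []
        perms = permissions.get(sid, [])
        # {"Group": "all"} means any AWS account can create a volume from the
        # snapshot, including blocks of files deleted from the file system.
        if any(p.get("Group") == "all" for p in perms):
            issues.append("public")
        accounts = sorted(p["UserId"] for p in perms if "UserId" in p)
        if accounts:
            issues.append("shared:" + ",".join(accounts))
        if not snap["Encrypted"]:
            issues.append("unencrypted")
        if issues:
            findings[sid] = issues
        # Only completed snapshots count as usable backups.
        if snap["State"] == "completed":
            vol, started = snap["VolumeId"], snap["StartTime"]
            newest[vol] = max(newest.get(vol, started), started)
    # Volumes with no snapshot at all never appear here; list volumes separately.
    stale = sorted(v for v, t in newest.items() if now - t > interval)
    return findings, stale

# Constructed sample data (hypothetical IDs, not real resources).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

def _snap(sid, vol, day, encrypted):
    return {"SnapshotId": sid, "VolumeId": vol, "Encrypted": encrypted,
            "State": "completed",
            "StartTime": datetime(2024, 1, day, 2, 0, tzinfo=timezone.utc)}

SAMPLE_SNAPSHOTS = [
    _snap("snap-example-a", "vol-example-1", 10, True),
    _snap("snap-example-b", "vol-example-1", 9, True),
    _snap("snap-example-c", "vol-example-2", 7, False),
]
SAMPLE_PERMISSIONS = {
    "snap-example-b": [{"UserId": "111122223333"}],
    "snap-example-c": [{"Group": "all"}],
}

if __name__ == "__main__":
    found, stale_volumes = audit_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_PERMISSIONS, NOW)
    for snapshot_id, issues in found.items():
        print(snapshot_id, issues)
    print("volumes past backup interval:", stale_volumes)
```

A snapshot flagged as public or shared is a candidate for the procedure described above: copy only the intended data to a new volume and share a snapshot of that volume instead.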