Reputation: 67
My Java servlet web app is hosted on an AWS EC2 instance. Is storing sensitive data (say DB credentials) in the property (config) file of my Java web app safe? When the EBS volume is deallocated, will it contain the data I saved, and can it be used by someone else within the same/different AWS account? Are there any security risks?
Upvotes: 0
Views: 263
Reputation: 67
I went with another approach, considering that anyone who has access to the file (via remote or some other way) can read it and pass it on. I used AWS Systems Manager (Parameter Store) to store the sensitive values as a secure string. The app retrieves it from Parameter Store and uses it at run time. To reduce multiple hits, the value is cached for a configurable time. The original question is about the security of EBS and not about the alternative. However, I am sharing my approach to make others aware of the alternative.
Upvotes: 0
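The caching step described in the answer above, as an added example that is not the poster's code: a TTL cache in front of the Parameter Store lookup, so a rotated value is picked up after at most one TTL. The class name, parameter name and stand-in loader are assumptions; the comment in `main` shows the AWS SDK for Java v2 call that would replace the stand-in.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import java.util.function.Supplier;

/** TTL cache in front of a secret loader (hypothetical class, not from the post). */
public final class CachedSecrets {
    private record Entry(String value, Instant expiresAt) {}

    private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();
    private final Function<String, String> loader;
    private final Duration ttl;
    private final Supplier<Instant> clock;

    public CachedSecrets(Function<String, String> loader, Duration ttl, Supplier<Instant> clock) {
        this.loader = loader;
        this.ttl = ttl;
        this.clock = clock;
    }

    /** Returns the cached value, reloading it once the TTL has passed. */
    public String get(String name) {
        // compute() is atomic per key, so concurrent requests trigger a single reload.
        return cache.compute(name, (k, e) -> {
            Instant now = clock.get();
            if (e != null && now.isBefore(e.expiresAt())) return e;
            // If the loader throws, the exception propagates and the old entry is kept.
            return new Entry(loader.apply(k), now.plus(ttl));
        }).value();
    }

    public static void main(String[] args) {
        // With the AWS SDK for Java v2 (SsmClient ssm) the loader would be:
        //   name -> ssm.getParameter(r -> r.name(name).withDecryption(true)).parameter().value()
        // A constructed stand-in that counts calls is used here so this runs without AWS.
        int[] calls = {0};
        Instant[] now = {Instant.parse("2024-01-01T00:00:00Z")};
        CachedSecrets secrets = new CachedSecrets(
                name -> "value-" + (++calls[0]), Duration.ofMinutes(5), () -> now[0]);

        String name = "/myapp/db/password"; // constructed parameter name
        System.out.println(secrets.get(name) + " loads=" + calls[0]);
        System.out.println(secrets.get(name) + " loads=" + calls[0]);
        now[0] = now[0].plus(Duration.ofMinutes(6)); // move past the TTL
        System.out.println(secrets.get(name) + " loads=" + calls[0]);
    }
}
```

The decrypted value still lives in process memory for the TTL, and the instance role needs `ssm:GetParameter` on the parameter plus `kms:Decrypt` on its key.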
Reputation: 3044
Yes, the blocks on the EBS volume will be zeroed after you delete the volume.
From Amazon EBS volumes - Amazon Elastic Compute Cloud:
The data persists on the volume until the volume is deleted explicitly. The physical block storage used by deleted EBS volumes is overwritten with zeroes before it is allocated to another account. If you are dealing with sensitive data, you should consider encrypting your data manually or storing the data on a volume protected by Amazon EBS encryption.
For more information on EBS encryption, see Amazon EBS encryption - Amazon Elastic Compute Cloud
Upvotes: 1
Reputation: 35188
Data stored on the EBS volume is zeroed out after you delete the volume. This is carried out by AWS automatically.
Upvotes: 1