EBS & Security Labs¶
Hands-on security labs — ap-southeast-2, February 2026. These go beyond theory into real attack chains and defensive patterns.
Ultra-Short Summary¶
EBS (Elastic Block Store) is AWS's persistent network-attached block storage for EC2. Understanding EBS deeply means understanding its security model: how data persists, what happens when you delete it, how snapshots work, and how an attacker with the right IAM permissions can exfiltrate data without ever SSH-ing into an instance.
EBS vs Instance Store¶
EBS (Elastic Block Store)
→ Network attached (separate physical hardware)
→ Persists independently of the EC2 instance
→ Survives stop/start/reboot
→ Snapshottable → stored in S3 internally
→ Replicated within the AZ
Instance Store
→ Physically attached NVMe on the host machine
→ Ephemeral — destroyed on stop/terminate
→ Not snapshottable
→ Good for: scratch space, cache, temp data
→ Fast (no network hop)
Instance Store Trap
Instance store survives reboot but is wiped on stop or terminate. This catches people out on exams and in production.
Lab 1 — Volume Reuse Zeroing¶
When you create a new EBS volume, all blocks read as zeroes — even if the physical storage was previously used by another customer.
AWS zeroes blocks at the hypervisor/storage layer before exposing them. You don't inherit a previous tenant's data.
Lab 2 — Snapshot Forensics: Deleted Data Recovery¶
Setup: Created EBS volume → wrote sensitive data → deleted the file → created a snapshot → restored and inspected raw blocks.
Finding: The data was still there.
rm file → filesystem marks blocks as FREE
→ actual bytes stay on disk until overwritten
snapshot → captures current state, including "freed" blocks
restore → new volume contains the un-overwritten data
Security Implications¶
- Deleted files ≠ deleted data until blocks are overwritten
- Snapshots can contain old secrets, credentials, DB records
- Encryption at rest does not protect against this if the attacker has snapshot permissions
- Over-permissioned IAM roles are the real threat
Lab 3 — SSRF → IMDS → EBS Snapshot Exfiltration¶
Reproduced the mechanics of the Capital One breach (2019).
The Attack Chain¶
1. SSRF vulnerability in web app
↓
2. Query IMDS: http://169.254.169.254/latest/meta-data/iam/security-credentials/
↓
3. Retrieve temporary IAM credentials (Access Key + Secret + Token)
↓
4. ec2:CreateSnapshot → snapshot the target volume
↓
5. ec2:CreateVolume + ec2:AttachVolume → mount to attacker's instance
↓
6. Read raw disk blocks → exfiltrate deleted secrets, DB files, credentials
This does not require SSH access to the victim instance.
IMDSv2 Caveat¶
IMDSv2 blocks simple SSRF (requires a PUT to get a token first). But if an attacker has arbitrary code execution on the EC2 instance, they can still get the token. IMDSv2 is defence-in-depth, not a complete fix.
Mitigations¶
| Control | What It Does |
|---|---|
| Enforce IMDSv2 | Blocks simple SSRF → IMDS attacks |
| Least-privilege IAM | Limit blast radius of credential theft |
Deny ec2:CreateSnapshot broadly |
Direct prevention |
Deny ec2:AttachVolume to non-approved instances |
Block mounting |
| KMS CMK encryption | Attacker also needs KMS decrypt permission |
| CloudTrail alerting | Alert on unexpected CreateSnapshot calls |
Lab 4 — Instance Store Ephemerality Proof¶
Instance type: m5d.large (has NVMe instance store)
| Device | Type | Size |
|---|---|---|
/dev/nvme0n1 |
Root EBS | — |
/dev/nvme1n1 |
Extra EBS | 1 GiB |
/dev/nvme2n1 |
Instance Store | 75 GiB |
Wrote data to both → stopped instance → started instance.
- Instance store → GONE (wiped on stop)
- EBS → SURVIVED
The physical NVMe is tied to the host. When the instance stops and moves to a different host, that drive stays behind.
Real Debugging Encountered¶
str | None (Python 3.10+ syntax) on a 3.9 instance.
Fix: Install Python 3.11, reinstall boto3 for it.
CreateSnapshot description.
Fix: Replace with a regular hyphen in vim.
vol-0abc1234 — trailing space in argument.
Lesson: Always .strip() input in automation scripts.
NVMe device numbers (nvme0n1, nvme1n1) are not guaranteed consistent across reboots.
Always identify by model string via nvme list, not by device number assumption.
EBS Encryption¶
| Method | Key Control | CloudTrail | Use Case |
|---|---|---|---|
| SSE (AWS managed default) | AWS | No | General |
| SSE-KMS (CMK) | You | Yes | Compliance, audit |
Encrypting a volume does not prevent snapshot exfiltration if the attacker has snapshot permissions AND KMS decrypt access. Encryption is one layer — doesn't replace IAM least privilege.
Mental Model¶
EBS = network drive attached to your EC2 over AWS's internal network
stop instance → drive stays, waits
delete instance → drive stays (unless DeleteOnTermination=true)
snapshot it → point-in-time copy lives in S3 indefinitely
Instance Store = USB stick physically plugged into the server
reboot → survives
stop/terminate → gone
SAA Patterns¶
| Scenario | Answer |
|---|---|
| Persistent storage for EC2 | EBS |
| Fast temp scratch space | Instance Store |
| Shared across multiple EC2s | EFS |
| Backup an EBS volume | Snapshot |
| SSRF protection | Enforce IMDSv2 + least-privilege IAM |
| Audit snapshot access | CloudTrail + KMS CMK |
| Instance moves host — what survives? | EBS yes, Instance Store no |
30-Second Takeaway¶
- EBS is persistent network block storage. Instance Store is ephemeral physical NVMe.
- Deleted files are recoverable from snapshots until blocks are overwritten.
- Attacker with
ec2:CreateSnapshot+ec2:AttachVolumecan exfiltrate data without SSH. - IMDSv2 blocks simple SSRF but not code execution attacks.
- Defence: least-privilege IAM + IMDSv2 + KMS + CloudTrail alerts.
Self-Quiz¶
- What happens to instance store on reboot vs stop vs terminate?
- Why can deleted file data still appear in an EBS snapshot?
- Walk through the full SSRF → IMDS → exfiltration chain. What IAM permissions make it possible?
- Does EBS encryption prevent snapshot exfiltration? Why or why not?
- A new EC2 needs fast temp storage for ML inference. Which storage type?
- What's the difference between IMDSv1 and IMDSv2? When does v2 still fail?
- Which two IAM actions are most dangerous to over-grant on EBS?
- How does the Capital One breach relate to IMDS and IAM?