Elastic Block Storage (EBS) volumes can be encrypted using AWS Key Management Service (KMS). In this configuration, encryption and decryption are handled transparently and require no additional action from the user, an Amazon EC2 instance, or application. When an encrypted Amazon EBS volume is attached to a supported Amazon EC2 instance type,the data stored at rest on the volume, disk I/O, and snapshots created from the volume are all encrypted. The encryption occurs on the servers that host Amazon EC2 instances.Additionally, snapshots of encrypted volumes are automatically encrypted, and volumes that are created from encrypted snapshots are also automatically encrypted. It is recommended that all EBS volumes be encrypted.
Using the Amazon unified command line interface: