Key Management

Customers can specify Amazon KMS keys, including bring your own keys (BYOK), to use for envelope encryption with Amazon S3 input/output buckets and machine learning (ML) Amazon EBS volumes. ML volumes for notebook instances and for processing, training, and hosted model Docker containers can be optionally encrypted by using Amazon KMS customer-owned keys. All instance OS volumes are encrypted with an Amazon-managed Amazon KMS key.

Note

Certain Nitro-based instances include local storage, dependent on the instance type. Local storage volumes are encrypted using a hardware module on the instance. You can't request a VolumeKmsKeyId when using an instance type with local storage.

For a list of instance types that support local instance storage, see Instance Store Volumes.

For more information about local instance storage encryption, see SSD Instance Store Volumes.

For more information about storage volumes on nitro-based instances, see Amazon EBS and NVMe on Linux Instances.

For information about Amazon KMS keys see What is Amazon Key Management Service? in the Amazon Key Management Service Developer Guide.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Protect Communications Between ML Compute Instances in a Distributed Training Job

Internetwork Traffic Privacy