Amazon Web Service (AWS)

EBS Volume

An EBS volume is a flexible block-level storage that can be mounted to devices on EC2 instances. Once mounted, it can be formatted with a file system, host operating systems and applications, and have snapshots or clones made from it.
EBS Volume
  • availability_zone - (Required) The AZ where the EBS volume will exist.
  • encrypted - (Optional) If true, the disk will be encrypted.
  • final_snapshot - (Optional) If true, snapshot will be created before volume deletion. Any tags on the volume will be migrated to the snapshot. By default set to false
  • iops - (Optional) The amount of IOPS to provision for the disk. Only valid for type of io1, io2 or gp3.
  • multi_attach_enabled - (Optional) Specifies whether to enable Amazon EBS Multi-Attach. Multi-Attach is supported on io1 and io2 volumes.
  • size - (Optional) The size of the drive in GiBs.
  • snapshot_id (Optional) A snapshot to base the EBS volume off of.
  • outpost_arn - (Optional) The Amazon Resource Name (ARN) of the Outpost.
  • type - (Optional) The type of EBS volume. Can be standard, gp2, gp3, io1, io2, sc1 or st1 (Default: gp2).
  • kms_key_id - (Optional) The ARN for the KMS encryption key. When specifying kms_key_id, encrypted needs to be set to true. Note: Terraform must be running with credentials which have the GenerateDataKeyWithoutPlaintext permission on the specified KMS key as required by the EBS KMS CMK volume provisioning process to prevent a volume from being created and almost immediately deleted.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • throughput - (Optional) The throughput that the volume supports, in MiB/s. Only valid for type of gp3.
Associating resources with a
EBS Volume
Resources do not "belong" to a
EBS Volume
Rather, one or more Security Groups are associated to a resource.
EBS Volume
via Terraform:
The following HCL creates an EBS volume with tags

resource "aws_ebs_volume" "example" {
 availability_zone = "us-west-2a"
 size              = 40
 tags = {
   Name = "HelloWorld"

EBS Volume
via CLI:

--availability-zone <value>
[--encrypted | --no-encrypted]
[--iops <value>]
[--kms-key-id <value>]
[--outpost-arn <value>]
[--size <value>]
[--snapshot-id <value>]
[--volume-type <value>]
[--dry-run | --no-dry-run]
[--tag-specifications <value>]
[--multi-attach-enabled | --no-multi-attach-enabled]
[--throughput <value>]
[--client-token <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]


aws ec2 create-volume \
   --availability-zone us-east-1a \
   --volume-type gp2 \
   --size 80 \
   --tag-specifications 'ResourceType=volume,Tags=[{Key=purpose,Value=production},{Key=cost-center,Value=cc123}]'

Best Practices for
EBS Volume

Categorized by Availability, Security & Compliance and Cost

EBS volume not in use
Ensure EBS volumes are encrypted
Ensure EBS volumes are of type gp3 (General purpose SSD) instead of gp2
Ensure EBS volumes are of type gp3 (General purpose SSD) instead of io1
Explore all the rules our platform covers
All Resources