Recently in my job I had to perform some data recovery activities for an Ec2 instance in AWS. The instance had been powered off for more than a year and the key pair for logging in had been lost. The instance’s root was an EBS volume that was not encrypted. We had a couple of options, we could have mounted the volume to another instance to insert a new key so we can log back in. It turned out that the client was just interested in the data. So ultimately it was just a matter of mounting the volume to an instance and pulling out the desired files. If this sounds simple it’s because it is. I think this is why it’s important to consider carefully who has elevated access to your AWS account. Even with encryption you can perform these activities, only if the application inside the instance had encrypted the data would I have gotten stuck.