Use encryption - Amazon Elastic Compute Cloud

Use encryption

When you start a new snapshot using StartSnapshot, the encryption status depends on the values that you specify for Encrypted, KmsKeyArn, and ParentSnapshotId, and whether your AWS account is enabled for encryption by default.

Note
  • You might need additional IAM permissions to use the EBS direct APIs with encryption. For more information, see Permissions to use AWS KMS keys.

  • If Amazon EBS encryption by default is enabled on your AWS account, you can't create unencrypted snapshots.

  • If Amazon EBS encryption by default is enabled on your AWS account, you cannot start a new snapshot using an unencrypted parent snapshot. You must first encrypt the parent snapshot by copying it. For more information, see Copy an Amazon EBS snapshot.

Encryption outcomes: Unencrypted parent snapshot

The following table describes the encryption outcome for each possible combination of settings when specifying an unencrypted parent snapshot.

ParentSnapshotId | Encrypted | KmsKeyArn | Encryption by default | Result
Unencrypted | Omitted | Omitted | Enabled | The request fails with ValidationException.
Unencrypted | Omitted | Omitted | Disabled | The snapshot is unencrypted.
Unencrypted | Omitted | Specified | Enabled | The request fails with ValidationException.
Unencrypted | Omitted | Specified | Disabled |
Unencrypted | True | Omitted | Enabled | The request fails with ValidationException.
Unencrypted | True | Omitted | Disabled | The request fails with ValidationException.
Unencrypted | True | Specified | Enabled | The request fails with ValidationException.
Unencrypted | True | Specified | Disabled | The request fails with ValidationException.
Unencrypted | False | Omitted | Enabled | The request fails with ValidationException.
Unencrypted | False | Omitted | Disabled | The request fails with ValidationException.
Unencrypted | False | Specified | Enabled | The request fails with ValidationException.
Unencrypted | False | Specified | Disabled | The request fails with ValidationException.

Encryption outcomes: Encrypted parent snapshot

The following table describes the encryption outcome for each possible combination of settings when specifying an encrypted parent snapshot.

ParentSnapshotId | Encrypted | KmsKeyArn | Encryption by default | Result
Encrypted | Omitted | Omitted | Enabled | The snapshot is encrypted using the same KMS key as the parent snapshot.
Encrypted | Omitted | Omitted | Disabled | The snapshot is encrypted using the same KMS key as the parent snapshot.
Encrypted | Omitted | Specified | Enabled | The request fails with ValidationException.
Encrypted | Omitted | Specified | Disabled | The request fails with ValidationException.
Encrypted | True | Omitted | Enabled | The request fails with ValidationException.
Encrypted | True | Omitted | Disabled | The request fails with ValidationException.
Encrypted | True | Specified | Enabled | The request fails with ValidationException.
Encrypted | True | Specified | Disabled | The request fails with ValidationException.
Encrypted | False | Omitted | Enabled | The request fails with ValidationException.
Encrypted | False | Omitted | Disabled | The request fails with ValidationException.
Encrypted | False | Specified | Enabled | The request fails with ValidationException.
Encrypted | False | Specified | Disabled | The request fails with ValidationException.

Encryption outcomes: No parent snapshot

The following table describes the encryption outcome for each possible combination of settings when not using a parent snapshot.

ParentSnapshotId | Encrypted | KmsKeyArn | Encryption by default | Result
Omitted | True | Omitted | Enabled | The snapshot is encrypted using the default KMS key for your account. *
Omitted | True | Omitted | Disabled | The snapshot is encrypted using the default KMS key for your account. *
Omitted | True | Specified | Enabled | The snapshot is encrypted using the KMS key specified for KmsKeyArn.
Omitted | True | Specified | Disabled | The snapshot is encrypted using the KMS key specified for KmsKeyArn.
Omitted | False | Omitted | Enabled | The request fails with ValidationException.
Omitted | False | Omitted | Disabled | The snapshot is unencrypted.
Omitted | False | Specified | Enabled | The request fails with ValidationException.
Omitted | False | Specified | Disabled | The request fails with ValidationException.
Omitted | Omitted | Omitted | Enabled | The snapshot is encrypted using the default KMS key for your account. *
Omitted | Omitted | Omitted | Disabled | The snapshot is unencrypted.
Omitted | Omitted | Specified | Enabled | The snapshot is encrypted using the KMS key specified for KmsKeyArn.
Omitted | Omitted | Specified | Disabled | The snapshot is encrypted using the KMS key specified for KmsKeyArn.

* This default KMS key could be a customer managed key or the default AWS managed KMS key for Amazon EBS encryption.
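The three tables above collapse into a small set of rules, and a caller that must never produce an unencrypted snapshot can check its intended StartSnapshot parameters against them before making the call. The following Python is an added example, not AWS code: predict_outcome encodes the tables, and preflight is a hypothetical policy gate with an approved_keys allow-list. It assumes the parent's encryption state was read with DescribeSnapshots and the account setting with GetEbsEncryptionByDefault, and it treats the unencrypted-parent rows whose Result the page leaves blank as failing.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

PARENT_KEY = "same key as parent"    # markers for Outcome.key; anything else
DEFAULT_KEY = "account default key"  # is the literal KmsKeyArn that was passed

@dataclass(frozen=True)
class Outcome:
    ok: bool                   # False: StartSnapshot fails with ValidationException
    encrypted: bool = False
    key: Optional[str] = None  # PARENT_KEY, DEFAULT_KEY, or a KMS key ARN

def predict_outcome(parent: Optional[str], encrypted: Optional[bool],
                    kms_key_arn: Optional[str], encryption_by_default: bool) -> Outcome:
    """parent: None, "encrypted" or "unencrypted" (check with DescribeSnapshots);
    encryption_by_default: from GetEbsEncryptionByDefault. Assumption: the
    unencrypted-parent rows the page leaves blank (KmsKeyArn specified) fail."""
    if parent == "unencrypted":
        # Only "nothing specified, encryption by default off" succeeds, and stays unencrypted.
        if encrypted is None and kms_key_arn is None and not encryption_by_default:
            return Outcome(ok=True, encrypted=False)
        return Outcome(ok=False)
    if parent == "encrypted":
        # The child inherits the parent's key; any Encrypted or KmsKeyArn value is rejected.
        if encrypted is None and kms_key_arn is None:
            return Outcome(ok=True, encrypted=True, key=PARENT_KEY)
        return Outcome(ok=False)
    # No parent snapshot.
    if encrypted is False:
        if kms_key_arn is None and not encryption_by_default:
            return Outcome(ok=True, encrypted=False)
        return Outcome(ok=False)  # Encrypted=False contradicts a key or encryption by default
    if kms_key_arn is not None:
        return Outcome(ok=True, encrypted=True, key=kms_key_arn)
    if encrypted or encryption_by_default:
        return Outcome(ok=True, encrypted=True, key=DEFAULT_KEY)
    return Outcome(ok=True, encrypted=False)

def preflight(parent, encrypted, kms_key_arn, encryption_by_default,
              approved_keys: FrozenSet[str]) -> Outcome:
    # Policy gate to run before StartSnapshot. approved_keys is a hypothetical allow-list
    # of key ARNs; add DEFAULT_KEY to it if the account default key is acceptable.
    outcome = predict_outcome(parent, encrypted, kms_key_arn, encryption_by_default)
    if not outcome.ok:
        raise ValueError("StartSnapshot would fail with ValidationException")
    if not outcome.encrypted:
        raise ValueError("request would create an unencrypted snapshot")
    if outcome.key != PARENT_KEY and outcome.key not in approved_keys:
        raise ValueError(f"KMS key not approved: {outcome.key}")
    return outcome
```

Because the footnote says the account default key may be the AWS managed key rather than a customer managed one, the gate rejects DEFAULT_KEY unless the caller lists it explicitly.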