Enable Amazon EBS encryption by default
You can configure your AWS account to enforce the encryption of the new EBS volumes
and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created
when you launch an instance and the snapshots that you copy from an unencrypted snapshot.
For examples of transitioning from unencrypted to encrypted EBS resources, see Encrypt unencrypted resources.
Encryption by default has no effect on existing EBS volumes or snapshots.
Considerations

- Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.
- Amazon EBS encryption by default is supported on all current generation and previous generation instance types.
- If you copy a snapshot and encrypt it to a new KMS key, a complete (non-incremental) copy is created. This results in additional storage costs.
- When migrating servers using AWS Server Migration Service (SMS), do not turn on encryption by default. If encryption by default is already on and you are experiencing delta replication failures, turn off encryption by default. Instead, enable AMI encryption when you create the replication job.
Amazon EC2 console

To enable encryption by default for a Region

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. From the navigation bar, select the Region.
3. From the navigation pane, select EC2 Dashboard.
4. In the upper-right corner of the page, choose Account Attributes, Data protection and security.
5. In the EBS encryption section, choose Manage.
6. Select Enable. You keep the AWS managed key with the alias aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed encryption key.
7. Choose Update EBS encryption.
AWS CLI

To view the encryption by default setting

- For a specific Region

    $ aws ec2 get-ebs-encryption-by-default --region region

- For all Regions in your account (requires jq)

    $ echo -e "Region \t Encrypt \t Key"; \
      echo -e "----------- \t ------- \t -------" ; \
      for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text);
      do
          default=$(aws ec2 get-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text);
          kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId');
          echo -e "$region \t $default \t\t $kms_key";
      done

To enable encryption by default

- For a specific Region

    $ aws ec2 enable-ebs-encryption-by-default --region region

- For all Regions in your account (requires jq)

    $ echo -e "Region \t Encrypt \t Key"; \
      echo -e "----------- \t ------- \t -------" ; \
      for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text);
      do
          default=$(aws ec2 enable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text);
          kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId');
          echo -e "$region \t $default \t\t $kms_key";
      done

To disable encryption by default

- For a specific Region

    $ aws ec2 disable-ebs-encryption-by-default --region region

- For all Regions in your account (requires jq)

    $ echo -e "Region \t Encrypt \t Key"; \
      echo -e "----------- \t ------- \t -------" ; \
      for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text);
      do
          default=$(aws ec2 disable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text);
          kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId');
          echo -e "$region \t $default \t\t $kms_key";
      done
PowerShell

To view the encryption by default setting

- For a specific Region

    PS C:\> Get-EC2EbsEncryptionByDefault -Region region

- For all Regions in your account

    PS C:\> (Get-EC2Region).RegionName | `
        ForEach-Object {
            [PSCustomObject]@{
                Region = $_;
                EC2EbsEncryptionByDefault = Get-EC2EbsEncryptionByDefault -Region $_;
                EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_
            } } | `
        Format-Table -AutoSize

To enable encryption by default

- For a specific Region

    PS C:\> Enable-EC2EbsEncryptionByDefault -Region region

- For all Regions in your account

    PS C:\> (Get-EC2Region).RegionName | `
        ForEach-Object {
            [PSCustomObject]@{
                Region = $_;
                EC2EbsEncryptionByDefault = Enable-EC2EbsEncryptionByDefault -Region $_;
                EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_
            } } | `
        Format-Table -AutoSize

To disable encryption by default

- For a specific Region

    PS C:\> Disable-EC2EbsEncryptionByDefault -Region region

- For all Regions in your account

    PS C:\> (Get-EC2Region).RegionName | `
        ForEach-Object {
            [PSCustomObject]@{
                Region = $_;
                EC2EbsEncryptionByDefault = Disable-EC2EbsEncryptionByDefault -Region $_;
                EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_
            } } | `
        Format-Table -AutoSize
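The per-Region loops above (both the AWS CLI and the PowerShell form) read two Region-specific settings and print them; because the setting is Region-scoped, a single Region that was never switched on is the usual gap an audit finds. The following is an added example, not code from the AWS documentation: it walks every enabled Region with boto3, reports which Regions have encryption by default off and which still rely on the AWS managed key alias/aws/ebs rather than a customer managed key, and can enable the setting where it is off. It assumes credentials allowed to call ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault, ec2:GetEbsDefaultKmsKeyId and ec2:EnableEbsEncryptionByDefault. The FakeEc2 client and its Region state are constructed sample data so the logic runs offline; the key ARN in it is a placeholder.

```python
"""Audit EBS encryption by default across every enabled Region, optionally
enforcing it. Added example, not AWS documentation code. Run with --live to
use boto3 against a real account, and --enforce to switch on Regions found off."""
from dataclasses import dataclass
import sys

# Key ID returned by get-ebs-default-kms-key-id when no customer managed key is set
AWS_MANAGED_EBS_KEY = "alias/aws/ebs"


@dataclass
class RegionStatus:
    region: str
    encryption_by_default: bool
    kms_key_id: str

    @property
    def uses_aws_managed_key(self) -> bool:
        return self.kms_key_id == AWS_MANAGED_EBS_KEY


def list_regions(ec2):
    """describe-regions lists all enabled Regions whichever Region the client is bound to."""
    return [r["RegionName"] for r in ec2.describe_regions()["Regions"]]


def region_status(ec2, region):
    """Read both Region-specific settings: the on/off switch and the default key."""
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key_id = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    return RegionStatus(region, enabled, key_id)


def audit(client_factory, enforce=False):
    """client_factory(region) returns an EC2 client bound to that Region.
    With enforce=True, Regions found switched off are enabled and re-read."""
    statuses = []
    for region in list_regions(client_factory("us-east-1")):
        ec2 = client_factory(region)
        status = region_status(ec2, region)
        if enforce and not status.encryption_by_default:
            ec2.enable_ebs_encryption_by_default()
            status = region_status(ec2, region)  # verify rather than trust the call's reply
        statuses.append(status)
    return statuses


def findings(statuses):
    """Return (Regions with encryption by default off, Regions on alias/aws/ebs)."""
    off = [s.region for s in statuses if not s.encryption_by_default]
    managed = [s.region for s in statuses if s.uses_aws_managed_key]
    return off, managed


def make_fake_factory():
    """Constructed stand-in for boto3.client('ec2', region_name=...) with sample state."""
    state = {  # region -> [encryption by default, default key id]; constructed values
        "us-east-1": [True, "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"],
        "eu-west-1": [False, AWS_MANAGED_EBS_KEY],
        "ap-southeast-2": [True, AWS_MANAGED_EBS_KEY],
    }

    class FakeEc2:
        def __init__(self, region):
            self.region = region

        def describe_regions(self):
            return {"Regions": [{"RegionName": r} for r in state]}

        def get_ebs_encryption_by_default(self):
            return {"EbsEncryptionByDefault": state[self.region][0]}

        def get_ebs_default_kms_key_id(self):
            return {"KmsKeyId": state[self.region][1]}

        def enable_ebs_encryption_by_default(self):
            state[self.region][0] = True
            return {"EbsEncryptionByDefault": True}

    return FakeEc2


def boto3_factory(region):
    import boto3  # imported lazily so the offline demo runs without it installed
    return boto3.client("ec2", region_name=region)


if __name__ == "__main__":
    factory = boto3_factory if "--live" in sys.argv else make_fake_factory()
    statuses = audit(factory, enforce="--enforce" in sys.argv)
    print(f"{'Region':<16} {'Encrypt':<8} Key")
    for s in statuses:
        print(f"{s.region:<16} {str(s.encryption_by_default):<8} {s.kms_key_id}")
    off, managed = findings(statuses)
    print("encryption by default off:", off or "none")
    print("using AWS managed key alias/aws/ebs:", managed or "none")
```

Re-reading the setting after enabling it, instead of trusting the enable call's return value, keeps the report honest if a call is denied or throttled in one Region. Regions still on alias/aws/ebs are reported separately because switching the default to a customer managed key only affects volumes created afterwards, as the note on existing resources above states.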
You cannot change the KMS key that is associated with an existing snapshot or encrypted
volume. However, you can associate a different KMS key during a snapshot copy operation so
that the resulting copied snapshot is encrypted by the new KMS key.