Work with Amazon EBS encryption
Use the following procedures to work with Amazon EBS encryption.
Select a KMS key for EBS encryption
Amazon EBS automatically creates a unique AWS managed key in each Region where you create Amazon EBS resources. The alias for the KMS key is aws/ebs. By default, Amazon EBS uses this KMS key for encryption. Alternatively, you can specify a symmetric customer managed encryption key that you create as the default KMS key for EBS encryption. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable KMS keys.
Important
Amazon EBS does not support asymmetric encryption KMS keys. For more information, see Using symmetric and asymmetric encryption KMS keys in the AWS Key Management Service Developer Guide.
Enable encryption by default
You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot. For examples of transitioning from unencrypted to encrypted EBS resources, see Encrypt unencrypted resources.
Encryption by default has no effect on existing EBS volumes or snapshots.
Considerations
- Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.
- Amazon EBS encryption by default is supported on all current generation and previous generation instance types.
- If you copy a snapshot and encrypt it to a new KMS key, a complete (non-incremental) copy is created. This results in additional storage costs.
- When migrating servers using AWS Server Migration Service (SMS), do not turn on encryption by default. If encryption by default is already on and you are experiencing delta replication failures, turn off encryption by default. Instead, enable AMI encryption when you create the replication job.
You cannot change the KMS key that is associated with an existing snapshot or encrypted volume. However, you can associate a different KMS key during a snapshot copy operation so that the resulting copied snapshot is encrypted by the new KMS key.
Manage encryption by default using the API and CLI
You can manage encryption by default and the default KMS key using the following API actions and CLI commands. Note that the APIs for Amazon EC2 and AWS KMS refer to the alias for the AWS managed key as alias/aws/ebs, while the AWS KMS console displays this alias as aws/ebs.
API action | CLI command | Description
---|---|---
DisableEbsEncryptionByDefault | disable-ebs-encryption-by-default | Disables encryption by default.
EnableEbsEncryptionByDefault | enable-ebs-encryption-by-default | Enables encryption by default.
GetEbsDefaultKmsKeyId | get-ebs-default-kms-key-id | Describes the default KMS key.
GetEbsEncryptionByDefault | get-ebs-encryption-by-default | Indicates whether encryption by default is enabled.
ModifyEbsDefaultKmsKeyId | modify-ebs-default-kms-key-id | Changes the default KMS key used to encrypt EBS volumes.
ResetEbsDefaultKmsKeyId | reset-ebs-default-kms-key-id | Resets the AWS managed key as the default KMS key used to encrypt EBS volumes.