Work with Amazon EBS encryption - Amazon EBS

Work with Amazon EBS encryption

Use the following procedures to work with Amazon EBS encryption.

Select a KMS key for EBS encryption

Amazon EBS automatically creates a unique AWS managed key in each Region where you create Amazon EBS resources. The alias for the KMS key is aws/ebs. By default, Amazon EBS uses this KMS key for encryption. Alternatively, you can specify a symmetric customer managed encryption key that you create as the default KMS key for EBS encryption. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable KMS keys.

Important

Amazon EBS does not support asymmetric encryption KMS keys. For more information, see Using symmetric and asymmetric encryption KMS keys in the AWS Key Management Service Developer Guide.

Amazon EC2 console
To configure the default KMS key for EBS encryption for a Region
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the navigation bar, select the Region.

  3. From the navigation pane, select EC2 Dashboard.

  4. In the upper-right corner of the page, choose Account Attributes, Data protection and security.

  5. In the EBS encryption section, choose Manage.

  6. For Default encryption key, choose a symmetric customer managed encryption key.

  7. Choose Update EBS encryption.

Enable encryption by default

You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot. For examples of transitioning from unencrypted to encrypted EBS resources, see Encrypt unencrypted resources.

Encryption by default has no effect on existing EBS volumes or snapshots.

Considerations
  • Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.

  • Amazon EBS encryption by default is supported on all current generation and previous generation instance types.

  • If you copy a snapshot and encrypt it to a new KMS key, a complete (non-incremental) copy is created. This results in additional storage costs.

  • When migrating servers using AWS Server Migration Service (SMS), do not turn on encryption by default. If encryption by default is already on and you are experiencing delta replication failures, turn off encryption by default. Instead, enable AMI encryption when you create the replication job.

Amazon EC2 console
To enable encryption by default for a Region
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the navigation bar, select the Region.

  3. From the navigation pane, select EC2 Dashboard.

  4. In the upper-right corner of the page, choose Account Attributes, Data protection and security.

  5. In the EBS encryption section, choose Manage.

  6. Select Enable. You can keep the AWS managed key with the alias aws/ebs that is created on your behalf as the default encryption key, or choose a symmetric customer managed encryption key.

  7. Choose Update EBS encryption.

AWS CLI
To view the encryption by default setting
  • For a specific Region

    $ aws ec2 get-ebs-encryption-by-default --region region
  • For all Regions in your account

    $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do
        default=$(aws ec2 get-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text)
        kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId')
        echo "$region --- $default --- $kms_key"
      done
To enable encryption by default
  • For a specific Region

    $ aws ec2 enable-ebs-encryption-by-default --region region
  • For all Regions in your account

    $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do
        default=$(aws ec2 enable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text)
        kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId')
        echo "$region --- $default --- $kms_key"
      done
To disable encryption by default
  • For a specific Region

    $ aws ec2 disable-ebs-encryption-by-default --region region
  • For all Regions in your account

    $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do
        default=$(aws ec2 disable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text)
        kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId')
        echo "$region --- $default --- $kms_key"
      done
PowerShell
To view the encryption by default setting
  • For a specific Region

    PS C:\> Get-EC2EbsEncryptionByDefault -Region region
  • For all Regions in your account

    PS C:\> (Get-EC2Region).RegionName | ForEach-Object { [PSCustomObject]@{ Region = $_; EC2EbsEncryptionByDefault = Get-EC2EbsEncryptionByDefault -Region $_; EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_ } } | Format-Table -AutoSize
To enable encryption by default
  • For a specific Region

    PS C:\> Enable-EC2EbsEncryptionByDefault -Region region
  • For all Regions in your account

    PS C:\> (Get-EC2Region).RegionName | ForEach-Object { [PSCustomObject]@{ Region = $_; EC2EbsEncryptionByDefault = Enable-EC2EbsEncryptionByDefault -Region $_; EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_ } } | Format-Table -AutoSize
To disable encryption by default
  • For a specific Region

    PS C:\> Disable-EC2EbsEncryptionByDefault -Region region
  • For all Regions in your account

    PS C:\> (Get-EC2Region).RegionName | ForEach-Object { [PSCustomObject]@{ Region = $_; EC2EbsEncryptionByDefault = Disable-EC2EbsEncryptionByDefault -Region $_; EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_ } } | Format-Table -AutoSize

You cannot change the KMS key that is associated with an existing snapshot or encrypted volume. However, you can associate a different KMS key during a snapshot copy operation so that the resulting copied snapshot is encrypted by the new KMS key.

Manage encryption by default using the API and CLI

You can manage encryption by default and the default KMS key using the following API actions and CLI commands. Note that the APIs for Amazon EC2 and AWS KMS refer to the alias for the AWS managed key as alias/aws/ebs while the AWS KMS console displays this alias as aws/ebs.

API action                      CLI command                         Description
DisableEbsEncryptionByDefault   disable-ebs-encryption-by-default   Disables encryption by default.
EnableEbsEncryptionByDefault    enable-ebs-encryption-by-default    Enables encryption by default.
GetEbsDefaultKmsKeyId           get-ebs-default-kms-key-id          Describes the default KMS key.
GetEbsEncryptionByDefault       get-ebs-encryption-by-default       Indicates whether encryption by default is enabled.
ModifyEbsDefaultKmsKeyId        modify-ebs-default-kms-key-id       Changes the default KMS key used to encrypt EBS volumes.
ResetEbsDefaultKmsKeyId         reset-ebs-default-kms-key-id        Resets the AWS managed key as the default KMS key used to encrypt EBS volumes.
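The following script ties together the two procedures on this page (selecting a customer managed key as the default and enabling encryption by default) using the boto3 equivalents of the API actions in the table above. It is an added example, not code from the AWS documentation. It assumes a policy of "encryption by default on in every Region, with a customer managed key rather than the AWS managed key", and that GetEbsDefaultKmsKeyId returns the alias alias/aws/ebs until a customer managed key has been set. The FakeEc2 class, the sample Regions and key IDs, and the alias alias/ebs-default-cmk are constructed for the offline demo; against a real account you would pass a factory that returns boto3 EC2 clients.

```python
"""Audit and optionally remediate EBS encryption-by-default across Regions.

Added example, not code from the AWS documentation. Assumed policy: encryption
by default on in every Region using a customer managed key; assumed that
GetEbsDefaultKmsKeyId returns "alias/aws/ebs" until a CMK has been set.
"""
from dataclasses import dataclass

try:
    import boto3  # needed only for the real-account path (all_regions)
except ImportError:  # module stays importable offline
    boto3 = None

# The API spells the AWS managed key alias "alias/aws/ebs"; the console shows "aws/ebs".
AWS_MANAGED_ALIAS = "alias/aws/ebs"


@dataclass
class RegionStatus:
    region: str
    enabled: bool
    kms_key_id: str

    @property
    def uses_aws_managed_key(self) -> bool:
        # Bare alias or alias ARN (arn:aws:kms:REGION:ACCOUNT:alias/aws/ebs).
        return self.kms_key_id.split(":")[-1] == AWS_MANAGED_ALIAS


def get_status(ec2, region: str) -> RegionStatus:
    """Same two calls as get-ebs-encryption-by-default / get-ebs-default-kms-key-id."""
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key_id = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    return RegionStatus(region, enabled, key_id)


def findings_for(status: RegionStatus, require_cmk: bool) -> list:
    """Policy violations for one Region; an empty list means compliant."""
    found = []
    if not status.enabled:
        found.append("encryption by default is disabled")
    if require_cmk and status.uses_aws_managed_key:
        found.append("default key is the AWS managed key alias/aws/ebs, not a customer managed key")
    return found


def remediate(ec2, status: RegionStatus, cmk_for_region: dict) -> list:
    """Enable encryption by default and set a Region-local symmetric CMK as the default.
    Only new volumes and snapshot copies are affected; existing resources are untouched."""
    changed = []
    if not status.enabled:
        ec2.enable_ebs_encryption_by_default()
        changed.append("enabled encryption by default")
    cmk = cmk_for_region.get(status.region)  # KMS keys are Regional: one CMK per Region
    if cmk and status.uses_aws_managed_key:
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=cmk)
        changed.append(f"default key set to {cmk}")
    return changed


def audit(client_factory, regions, require_cmk=True, apply=False, cmk_for_region=None):
    """Return {region: [findings]} for every Region, re-checking after any remediation."""
    report = {}
    for region in regions:
        ec2 = client_factory(region)
        status = get_status(ec2, region)
        findings = findings_for(status, require_cmk)
        if apply and findings:
            remediate(ec2, status, cmk_for_region or {})
            findings = findings_for(get_status(ec2, region), require_cmk)
        report[region] = findings
    return report


def all_regions():
    """Region list for a real account; pair with lambda r: boto3.client("ec2", region_name=r)."""
    ec2 = boto3.client("ec2", region_name="us-east-1")
    return [r["RegionName"] for r in ec2.describe_regions()["Regions"]]


class FakeEc2:
    """Constructed stand-in for the boto3 EC2 client so the demo runs offline."""
    def __init__(self, enabled, key_id):
        self.enabled, self.key_id = enabled, key_id
    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}
    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.key_id}
    def enable_ebs_encryption_by_default(self):
        self.enabled = True
    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.key_id = KmsKeyId


def sample_account():
    """Constructed sample: compliant, AWS-managed-key-only, and fully disabled Regions."""
    return {
        "us-east-1": FakeEc2(True, "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"),
        "us-west-2": FakeEc2(True, "alias/aws/ebs"),
        "eu-west-1": FakeEc2(False, "alias/aws/ebs"),
    }


def demo(apply=False):
    """Run the audit against the constructed sample; alias/ebs-default-cmk is hypothetical."""
    fakes = sample_account()
    return audit(lambda r: fakes[r], list(fakes), apply=apply,
                 cmk_for_region={"eu-west-1": "alias/ebs-default-cmk"})
```

Run demo() to see the findings for the constructed account, and demo(apply=True) to see eu-west-1 become compliant after EnableEbsEncryptionByDefault and ModifyEbsDefaultKmsKeyId are called; us-west-2 stays flagged because no customer managed key is mapped for that Region, which is the safe failure: the script never silently falls back to the AWS managed key. Because the setting is Regional and existing volumes are untouched, a compliant report here says nothing about volumes created before the change; those still need the snapshot-copy path described under Encrypt unencrypted resources.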