You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot. For examples of transitioning from unencrypted to encrypted EBS resources, see Encrypt unencrypted resources.
Encryption by default has no effect on existing EBS volumes or snapshots.
Considerations
Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.
Amazon EBS encryption by default is supported on all current generation and previous generation instance types.
If you copy a snapshot and encrypt it to a new KMS key, a complete (non-incremental) copy is created. This results in additional storage costs.
When migrating servers using AWS Server Migration Service (SMS), do not turn on encryption by default. If encryption by default is already on and you are experiencing delta replication failures, turn off encryption by default. Instead, enable AMI encryption when you create the replication job.
To enable encryption by default using the console:
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
From the navigation bar, select the Region.
From the navigation pane, select EC2 Dashboard.
In the upper-right corner of the page, choose Account Attributes, Data protection and security.
In the EBS encryption section, choose Manage.
Select Enable. You can keep the AWS managed key with the alias aws/ebs, which is created on your behalf, as the default encryption key, or choose a symmetric customer managed encryption key.
Choose Update EBS encryption.
Use the get-ebs-encryption-by-default command.
For a specific Region
aws ec2 get-ebs-encryption-by-default --region region
For all Regions in your account
echo -e "Region \t Encrypt \t Key"; \
echo -e "----------- \t ------- \t -------" ; \
for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text);
do
default=$(aws ec2 get-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text);
kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId');
echo -e "$region \t $default \t\t $kms_key";
done
Use the enable-ebs-encryption-by-default command.
For a specific Region
aws ec2 enable-ebs-encryption-by-default --region region
For all Regions in your account
echo -e "Region \t Encrypt \t Key"; \
echo -e "----------- \t ------- \t -------" ; \
for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text);
do
default=$(aws ec2 enable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text);
kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId');
echo -e "$region \t $default \t\t $kms_key";
done
Use the disable-ebs-encryption-by-default command.
For a specific Region
aws ec2 disable-ebs-encryption-by-default --region region
For all Regions in your account
echo -e "Region \t Encrypt \t Key"; \
echo -e "----------- \t ------- \t -------" ; \
for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text);
do
default=$(aws ec2 disable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text);
kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId');
echo -e "$region \t $default \t\t $kms_key";
done
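The CLI loops above print the per-Region setting but leave the interpretation to the reader. The following is an added example (not part of the AWS documentation or the AWS CLI) that turns the JSON returned by get-ebs-encryption-by-default, get-ebs-default-kms-key-id and describe-volumes into an audit record per Region, flagging Regions where encryption by default is off, Regions still using the AWS managed key aws/ebs, and, because encryption by default has no effect on existing volumes, any volume that is already unencrypted. The JSON inputs are constructed samples shaped like those commands' output; the key ARN and volume IDs are placeholders.

```python
import json

# Constructed sample output per Region, shaped like the JSON that
# `aws ec2 get-ebs-encryption-by-default` returns.
SAMPLE_ENCRYPTION_BY_DEFAULT = {
    "us-east-1": '{"EbsEncryptionByDefault": true}',
    "eu-west-1": '{"EbsEncryptionByDefault": false}',
}

# Constructed sample output per Region, shaped like the JSON that
# `aws ec2 get-ebs-default-kms-key-id` returns. "alias/aws/ebs" is the
# AWS managed key; the ARN is a placeholder customer managed key.
SAMPLE_DEFAULT_KMS_KEY = {
    "us-east-1": '{"KmsKeyId": "alias/aws/ebs"}',
    "eu-west-1": '{"KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"}',
}

# Constructed sample output per Region, a trimmed form of what
# `aws ec2 describe-volumes` returns (only the fields used here).
SAMPLE_VOLUMES = {
    "us-east-1": json.dumps({"Volumes": [
        {"VolumeId": "vol-0example0001", "Encrypted": True},
        {"VolumeId": "vol-0example0002", "Encrypted": False},
    ]}),
    "eu-west-1": json.dumps({"Volumes": [
        {"VolumeId": "vol-0example0003", "Encrypted": False},
    ]}),
}

AWS_MANAGED_EBS_KEY = "alias/aws/ebs"


def audit_region(region, encryption_json, kms_key_json, volumes_json):
    """Combine the three per-Region CLI results into one posture record."""
    enabled = bool(json.loads(encryption_json)["EbsEncryptionByDefault"])
    key_id = json.loads(kms_key_json)["KmsKeyId"]
    volumes = json.loads(volumes_json).get("Volumes", [])
    # Encryption by default only governs new volumes and snapshot copies,
    # so existing unencrypted volumes have to be listed separately.
    unencrypted = sorted(v["VolumeId"] for v in volumes if not v.get("Encrypted", False))
    return {
        "region": region,
        "encryption_by_default": enabled,
        "default_kms_key": key_id,
        "uses_aws_managed_key": key_id == AWS_MANAGED_EBS_KEY,
        "unencrypted_volumes": unencrypted,
    }


def findings(record):
    """Turn one posture record into readable findings (empty list means clean)."""
    out = []
    r = record["region"]
    if not record["encryption_by_default"]:
        out.append(f"{r}: encryption by default is disabled; new volumes and "
                   f"snapshot copies are not forced to be encrypted")
    if record["uses_aws_managed_key"]:
        out.append(f"{r}: default key is the AWS managed key {AWS_MANAGED_EBS_KEY}; "
                   f"choose a customer managed key if you need control over the key policy")
    for vid in record["unencrypted_volumes"]:
        out.append(f"{r}: existing volume {vid} is unencrypted; enabling encryption "
                   f"by default does not change it (see Encrypt unencrypted resources)")
    return out


def audit_all(encryption_by_region, kms_key_by_region, volumes_by_region):
    """Audit every Region present in the encryption-by-default results."""
    return [
        audit_region(region, encryption_by_region[region], kms_key_by_region[region],
                     volumes_by_region.get(region, '{"Volumes": []}'))
        for region in sorted(encryption_by_region)
    ]


if __name__ == "__main__":
    # Same table layout as the CLI loop on this page, followed by findings.
    print("Region\tEncrypt\tKey")
    for rec in audit_all(SAMPLE_ENCRYPTION_BY_DEFAULT, SAMPLE_DEFAULT_KMS_KEY, SAMPLE_VOLUMES):
        print(f"{rec['region']}\t{rec['encryption_by_default']}\t{rec['default_kms_key']}")
        for line in findings(rec):
            print("  -", line)
```

To run it against a real account, replace the three sample dictionaries with the output of the corresponding commands captured per Region (for example from the describe-regions loop above); the parsing and findings logic does not change.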
Use the Get-EC2EbsEncryptionByDefault cmdlet.
For a specific Region
Get-EC2EbsEncryptionByDefault -Region region
For all Regions in your account
(Get-EC2Region).RegionName |`
ForEach-Object {
[PSCustomObject]@{
Region = $_;
EC2EbsEncryptionByDefault = Get-EC2EbsEncryptionByDefault -Region $_;
EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_
} } |`
Format-Table -AutoSize
Use the Enable-EC2EbsEncryptionByDefault cmdlet.
For a specific Region
Enable-EC2EbsEncryptionByDefault -Region region
For all Regions in your account
(Get-EC2Region).RegionName |`
ForEach-Object {
[PSCustomObject]@{
Region = $_;
EC2EbsEncryptionByDefault = Enable-EC2EbsEncryptionByDefault -Region $_;
EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_
} } | `
Format-Table -AutoSize
Use the Disable-EC2EbsEncryptionByDefault cmdlet.
For a specific Region
Disable-EC2EbsEncryptionByDefault -Region region
For all Regions in your account
(Get-EC2Region).RegionName |`
ForEach-Object {
[PSCustomObject]@{
Region = $_;
EC2EbsEncryptionByDefault = Disable-EC2EbsEncryptionByDefault -Region $_;
EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_
} } | `
Format-Table -AutoSize
You can't change the KMS key that is associated with an existing snapshot or encrypted volume. However, you can associate a different KMS key during a snapshot copy operation so that the resulting copied snapshot is encrypted by the new KMS key.