ModifyEbsDefaultKmsKeyId - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Changes the default Amazon KMS key for EBS encryption by default for your account in this Region.

Amazon creates a unique Amazon managed KMS key in each Region for use with encryption by default. If you change the default KMS key to a symmetric customer managed KMS key, it is used instead of the Amazon managed KMS key. To reset the default KMS key to the Amazon managed KMS key for EBS, use ResetEbsDefaultKmsKeyId. Amazon EBS does not support asymmetric KMS keys.

If you delete or disable the customer managed KMS key that you specified for use with encryption by default, your instances will fail to launch.

For more information, see Amazon EBS encryption in the Amazon EBS User Guide.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.


Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

Type: Boolean

Required: No


The identifier of the Amazon Key Management Service (Amazon KMS) KMS key to use for Amazon EBS encryption. If this parameter is not specified, your Amazon KMS key for Amazon EBS is used. If KmsKeyId is specified, the encrypted state must be true.

You can specify the KMS key using any of the following:

  • Key ID. For example, 1234abcd-12ab-34cd-56ef-1234567890ab.

  • Key alias. For example, alias/ExampleAlias.

  • Key ARN. For example, arn:aws:kms:us-east-1:012345678910:key/1234abcd-12ab-34cd-56ef-1234567890ab.

  • Alias ARN. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.

Amazon authenticates the KMS key asynchronously. Therefore, if you specify an ID, alias, or ARN that is not valid, the action can appear to complete, but eventually fails.

Amazon EBS does not support asymmetric KMS keys.

Type: String

Required: Yes

Response Elements

The following elements are returned by the service.


The Amazon Resource Name (ARN) of the default KMS key for encryption by default.

Type: String


The ID of the request.

Type: String


For information about the errors that are common to all actions, see Common client error codes.

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: