Requirements for Amazon EBS encryption - Amazon EBS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Requirements for Amazon EBS encryption

Before you begin, verify that the following requirements are met.

Supported volume types

Encryption is supported by all EBS volume types. You can expect the same IOPS performance on encrypted volumes as on unencrypted volumes, with a minimal effect on latency. You can access encrypted volumes the same way that you access unencrypted volumes. Encryption and decryption are handled transparently, and they require no additional action from you or your applications.

Supported instance types

Amazon EBS encryption is available on all current generation and previous generation instance types.

Permissions for users

When you use a KMS key for EBS encryption, the KMS key policy allows any user with access to the required Amazon KMS actions to use this KMS key to encrypt or decrypt EBS resources. You must grant users permission to call the following actions in order to use EBS encryption:

  • kms:CreateGrant

  • kms:Decrypt

  • kms:DescribeKey

  • kms:GenerateDataKeyWithoutPlainText

  • kms:ReEncrypt


To follow the principle of least privilege, do not allow full access to kms:CreateGrant. Instead, use the kms:GrantIsForAWSResource condition key to allow the user to create grants on the KMS key only when the grant is created on the user's behalf by an Amazon service, as shown in the following example.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": [ "arn:aws-cn:kms:us-west-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef" ], "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } } ] }

For more information, see Allows access to the Amazon account and enables IAM policies in the Default key policy section in the Amazon Key Management Service Developer Guide.

Permissions for instances

When an instance attempts to interact with an encrypted AMI, volume, or snapshot, a KMS key grant is issued to the instance's identity-only role. The identity-only role is an IAM role that is used by the instance to interact with encrypted AMIs, volumes, or snapshots on your behalf.

Identity-only roles do not need to be manually created or deleted, and they have no policies associated with them. Additionally, you can't access the identity-only role credentials.


Identity-only roles are not used by applications on your instance to access other Amazon KMS encrypted resources, such as Amazon S3 objects or Dynamo DB tables. These operations are done using the credentials of an Amazon EC2 instance role, or other Amazon credentials that you have configured on your instance.

Identity-only roles are subject to service control policies (SCPs), and KMS key policies. If an SCP or KMS key denies the identity-only role access to a KMS key, you may fail to launch EC2 instances with encrypted volumes, or using encrypted AMIs or snapshots.

If you are creating an SCP or key policy that denies access based on network location using the aws:SourceIp, aws:VpcSourceIp, aws:SourceVpc, or aws:SourceVpce Amazon global condition keys, then you must ensure that these policy statements do not apply to instance-only roles. For example policies, see Data Perimeter Policy Examples.

Identity-only role ARNs use the following format:


When a key grant is issued to an instance, the key grant is issued to the assumed-role session specific to that instance. The grantee principal ARN uses the following format: