Work with Amazon EBS encryption - Amazon EBS
Select a KMS key for EBS encryptionEnable encryption by defaultManage encryption by default using the API and CLI
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Work with Amazon EBS encryption

Use the following procedures to work with Amazon EBS encryption.

Select a KMS key for EBS encryption

Amazon EBS automatically creates a unique Amazon managed key in each Region where you create Amazon EBS resources. The alias for the KMS key is aws/ebs. By default, Amazon EBS uses this KMS key for encryption. Alternatively, you can specify a symmetric customer managed encryption key that you create as the default KMS key for EBS encryption. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable KMS keys.

Important

Amazon EBS does not support asymmetric encryption KMS keys. For more information, see Using symmetric and asymmetric encryption KMS keys in the Amazon Key Management Service Developer Guide.

Amazon EC2 console
To configure the default KMS key for EBS encryption for a Region

  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. From the navigation bar, select the Region.

  3. From the navigation pane, select EC2 Dashboard.

  4. In the upper-right corner of the page, choose Account Attributes, Data protection and security.

  5. Choose Manage.

  6. For Default encryption key, choose a symmetric customer managed encryption key.

  7. Choose Update EBS encryption.

Enable encryption by default

You can configure your Amazon account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot. For examples of transitioning from unencrypted to encrypted EBS resources, see Encrypt unencrypted resources.

Encryption by default has no effect on existing EBS volumes or snapshots.

Considerations

  • Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.

  • Amazon EBS encryption by default is supported on all current generation and previous generation instance types.

  • If you copy a snapshot and encrypt it to a new KMS key, a complete (non-incremental) copy is created. This results in additional storage costs.

  • When migrating servers using Amazon Server Migration Service (SMS), do not turn on encryption by default. If encryption by default is already on and you are experiencing delta replication failures, turn off encryption by default. Instead, enable AMI encryption when you create the replication job.

Amazon EC2 console
To enable encryption by default for a Region

  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. From the navigation bar, select the Region.

  3. From the navigation pane, select EC2 Dashboard.

  4. In the upper-right corner of the page, choose Account Attributes, Data protection and security.

  5. Choose Manage.

  6. Select Enable. You keep the Amazon managed key with the alias aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed encryption key.

  7. Choose Update EBS encryption.

Amazon CLI
To view the encryption by default setting

  • For a specific Region

    $ aws ec2 get-ebs-encryption-by-default --region region

  • For all Regions in your account

    $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do   default=$(aws ec2 get-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text); kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId'); echo "$region  --- $default  --- $kms_key"; done
To enable encryption by default

  • For a specific Region

    $ aws ec2 enable-ebs-encryption-by-default --region region

  • For all Regions in your account

    $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do   default=$(aws ec2 enable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text); kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId'); echo "$region  --- $default  --- $kms_key"; done
To disable encryption by default

  • For a specific Region

    $ aws ec2 disable-ebs-encryption-by-default --region region

  • For all Regions in your account

    $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do   default=$(aws ec2 disable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text); kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId'); echo "$region  --- $default  --- $kms_key"; done
PowerShell
To view the encryption by default setting

  • For a specific Region

    PS C:\> Get-EC2EbsEncryptionByDefault -Region region

  • For all Regions in your account

    PS C:\> (Get-EC2Region).RegionName | ForEach-Object { [PSCustomObject]@{ Region = $_; EC2EbsEncryptionByDefault = Get-EC2EbsEncryptionByDefault -Region $_; EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_ } } | Format-Table -AutoSize
To enable encryption by default

  • For a specific Region

    PS C:\> Enable-EC2EbsEncryptionByDefault -Region region

  • For all Regions in your account

    PS C:\> (Get-EC2Region).RegionName | ForEach-Object { [PSCustomObject]@{ Region = $_; EC2EbsEncryptionByDefault = Enable-EC2EbsEncryptionByDefault -Region $_; EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_ } } | Format-Table -AutoSize
To disable encryption by default

  • For a specific Region

    PS C:\> Disable-EC2EbsEncryptionByDefault -Region region

  • For all Regions in your account

    PS C:\> (Get-EC2Region).RegionName | ForEach-Object { [PSCustomObject]@{ Region = $_; EC2EbsEncryptionByDefault = Disable-EC2EbsEncryptionByDefault -Region $_; EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_ } } | Format-Table -AutoSize

You cannot change the KMS key that is associated with an existing snapshot or encrypted volume. However, you can associate a different KMS key during a snapshot copy operation so that the resulting copied snapshot is encrypted by the new KMS key.

Manage encryption by default using the API and CLI

You can manage encryption by default and the default KMS key using the following API actions and CLI commands. Note that the APIs for Amazon EC2 and Amazon KMS refer to the alias for the Amazon managed key as alias/aws/ebs while the Amazon KMS console displays this alias as aws/ebs.

API action CLI command Description

DisableEbsEncryptionByDefault

 disable-ebs-encryption-by-default

Disables encryption by default.

EnableEbsEncryptionByDefault

 enable-ebs-encryption-by-default

Enables encryption by default.

GetEbsDefaultKmsKeyId

 get-ebs-default-kms-key-id

Describes the default KMS key.

GetEbsEncryptionByDefault

 get-ebs-encryption-by-default

Indicates whether encryption by default is enabled.

ModifyEbsDefaultKmsKeyId

 modify-ebs-default-kms-key-id

Changes the default KMS key used to encrypt EBS volumes.

ResetEbsDefaultKmsKeyId

 reset-ebs-default-kms-key-id

Resets the Amazon managed key as the default KMS key used to encrypt EBS volumes.