Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The EC2 default EBS encryption solution enables the account level default EBS encryption within each AWS account and AWS region in the AWS Organization.
You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot. For examples of transitioning from unencrypted to encrypted EBS resources, see Encrypt unencrypted resources.
Encryption by default has no effect on existing EBS volumes or snapshots.
- Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.
- When you enable encryption by default, you can launch an instance only if the instance type supports EBS encryption. For more information, see Supported instance types.
- If you copy a snapshot and encrypt it to a new KMS key, a complete (non-incremental) copy is created. This results in additional storage costs.
- When migrating servers using AWS Server Migration Service (SMS), do not turn on encryption by default. If encryption by default is already on and you are experiencing delta replication failures, turn off encryption by default. Instead, enable AMI encryption when you create the replication job.
- All resources are deployed via AWS CloudFormation as a
StackSetandStack Instancewithin the management account or a CloudFormationStackwithin a specific account. - The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation
StackSet. - For parameter details, review the AWS CloudFormation templates.
- The AWS Lambda Function contains the logic for configuring the EC2 default EBS encryption settings within each account and region.
- The function is triggered by CloudFormation Create, Update, and Delete events and also by the
Control Tower Lifecycle Event Rulewhen new accounts are provisioned.
- The Lambda Function creates/updates configuration parameters within the
SSM Parameter Storeon CloudFormation events and the parameters are used when triggered by theControl Tower Lifecycle Event Rule.
- The AWS Control Tower Lifecycle Event Rule triggers the
AWS Lambda Functionwhen a new AWS Account is provisioned through AWS Control Tower.
- All the
AWS Lambda Functionlogs are sent to a CloudWatch Log Group</aws/lambda/<LambdaFunctionName>to help with debugging and traceability of the actions performed. - By default the
AWS Lambda Functionwill create the CloudWatch Log Group with aRetention(Never expire) and are encrypted with a CloudWatch Logs service managed encryption key. - Optional parameters are included to allow creating the CloudWatch Log Group, which allows setting
KMS Encryptionusing a customer managed KMS key and setting theRetentionto a specific value (e.g. 14 days).
- The AWS Lambda Function Role allows the AWS Lambda service to assume the role and perform actions defined in the attached IAM policies.
- The role is also trusted by the EC2 Default EBS Encryption IAM Role within each account so that it can configure the default EBS encryption account settings.
- The EC2 default EBS encryption IAM role is deployed into each account within the AWS Organization and it is assumed by the central
AWS Lambda Functionto configure the default encryption setting for the account and region.
- The
AWS Lambda Functionconfigures the default EBS encryption for the account and region with theAWS managed EBS encryption key(alias/aws/ebs).
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
- No AWS Organizations Service Control Policies (SCPs) are blocking the
ec2:GetEbsEncryptionByDefaultandec2:EnableEbsEncryptionByDefaultAPI actions - All targeted regions need to be enabled in all accounts within the AWS Organization
- Choose a Deployment Method:
In the management account (home region), launch an AWS CloudFormation Stack using one of the options below:
- Option 1: (Recommended) Use the sra-ec2-default-ebs-encryption-main-ssm.yaml template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.
- Option 2: Use the sra-ec2-default-ebs-encryption-main.yaml template. Input is required for the CloudFormation parameters where the default is not set.
Region parameter definitions:
- Control Tower Regions Only
true= All AWS Control Tower governed regionsfalse= All default AWS enabled regions
- Enabled Regions = User provided regions. Leave blank to enable all regions. Note: All provided regions need to be enabled in all accounts within the AWS Organization.
- How to verify after the solution deployment completes?
- Log into an account and navigate to the EC2 console page
- Select a region where the EBS default encryption was enabled
- Select the
EBS Encryptionfrom theAccount attributessection and verify the settings match the parameters provided in the configuration
- In the
management account (home region), delete the AWS CloudFormation Stack created in step 3 of the solution deployment. Note: The solution will not modify the default EBS encryption setting on aDeleteevent. Only the SSM configuration parameter is deleted in this step. - In the
management account (home region), delete the AWS CloudFormation Stack created in step 2 of the solution deployment. - In the
management account (home region), delete the AWS CloudFormation StackSet created in step 1 of the solution deployment. Note: there should not be anystack instancesassociated with this StackSet. - In the
management account (home region), delete the AWS CloudWatch Log Group (e.g. /aws/lambda/<solution_name>) for the Lambda function deployed in step 2 of the solution deployment.