EBS Default Encryption Enabled

Overview

This check verifies that your AWS account has EBS (Elastic Block Store) encryption enabled by default. When enabled, all newly created EBS volumes and snapshots are automatically encrypted without requiring you to specify encryption settings each time.

Risk

Without default EBS encryption, new volumes may be created unencrypted, exposing data to potential risks:

  • Data exposure: Unencrypted volumes can be read directly if an attacker gains access to the underlying storage or creates unauthorized snapshots
  • Accidental data leaks: Shared snapshots from unencrypted volumes can expose sensitive data to unintended recipients
  • Compliance violations: Many security frameworks (CIS, PCI-DSS, HIPAA) require encryption of data at rest
  • Manual encryption burden: Relying on users to manually enable encryption leads to inconsistent protection

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to modify EC2 account settings
  • Optionally, a customer-managed KMS key (recommended for better access control)

Required IAM permissions (for administrators)

Your IAM user or role needs these permissions:

  • ec2:EnableEbsEncryptionByDefault
  • ec2:GetEbsEncryptionByDefault
  • ec2:ModifyEbsDefaultKmsKeyId (if specifying a custom KMS key)
  • kms:DescribeKey (if using a custom KMS key)

AWS Console Method

  1. Open the EC2 Console

  2. Navigate to EBS settings

    • In the left sidebar, scroll down and click Settings (under Account attributes)
    • Or go directly to EC2 Settings
  3. Enable default encryption

    • Find the EBS encryption section
    • Click Manage
    • Check the box for Enable
    • Optionally, select a Default encryption key (choose a customer-managed KMS key for better control, or leave as the AWS-managed key aws/ebs)
    • Click Update EBS encryption
  4. Repeat for other regions

    • EBS encryption settings are per-region
    • Switch to each region you use and repeat steps 2-3

AWS CLI (optional)

Enable default encryption

aws ec2 enable-ebs-encryption-by-default --region us-east-1

Expected output:

{
    "EbsEncryptionByDefault": true
}

To use a customer-managed KMS key instead of the AWS-managed key:

aws ec2 modify-ebs-default-kms-key-id \
    --kms-key-id alias/my-ebs-key \
    --region us-east-1

Replace alias/my-ebs-key with your KMS key alias or ARN.

Enable across all regions

To enable default encryption in all regions:

for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    echo "Enabling EBS encryption in $region..."
    aws ec2 enable-ebs-encryption-by-default --region "$region"
done

CloudFormation (optional)

CloudFormation does not directly support enabling EBS encryption by default as a resource. However, you can use a CloudFormation Custom Resource with a Lambda function, or enable this setting via AWS CLI/console before deploying infrastructure.

For organizations, use an AWS Service Control Policy (SCP) to enforce encryption:

AWSTemplateFormatVersion: '2010-09-09'
Description: SCP to deny unencrypted EBS volume creation

Resources:
  DenyUnencryptedEBSSCP:
    Type: AWS::Organizations::Policy
    Properties:
      Name: DenyUnencryptedEBSVolumes
      Description: Denies creation of unencrypted EBS volumes
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref OrganizationRootId
      Content:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyUnencryptedVolumes
            Effect: Deny
            Action:
              - ec2:CreateVolume
            Resource: '*'
            Condition:
              Bool:
                ec2:Encrypted: 'false'

Parameters:
  OrganizationRootId:
    Type: String
    Description: The ID of your AWS Organization root (e.g., r-abc123)

Note: This SCP approach requires AWS Organizations and applies organization-wide enforcement.

Terraform (optional)

# Enable EBS encryption by default
resource "aws_ebs_encryption_by_default" "enabled" {
  enabled = true
}

# Optionally set a custom default KMS key
resource "aws_ebs_default_kms_key" "custom" {
  key_arn = aws_kms_key.ebs.arn
}

# Create a customer-managed KMS key for EBS (optional but recommended)
resource "aws_kms_key" "ebs" {
  description             = "KMS key for default EBS encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
      {
        Sid    = "Allow EBS to use the key"
        Effect = "Allow"
        Principal = {
          AWS = "*"
        }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:CreateGrant",
          "kms:DescribeKey"
        ]
        Resource = "*"
        Condition = {
          StringEquals = {
            "kms:ViaService"    = "ec2.us-east-1.amazonaws.com"
            "kms:CallerAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })
}

resource "aws_kms_alias" "ebs" {
  name          = "alias/ebs-default-encryption"
  target_key_id = aws_kms_key.ebs.key_id
}

data "aws_caller_identity" "current" {}

output "ebs_encryption_enabled" {
  description = "Whether EBS encryption by default is enabled"
  value       = aws_ebs_encryption_by_default.enabled.enabled
}

output "default_kms_key_arn" {
  description = "ARN of the default KMS key for EBS"
  value       = aws_kms_key.ebs.arn
}

Deploy with:

terraform init
terraform plan
terraform apply

Verification

After enabling default encryption, verify the setting:

  1. In the AWS Console:

    • Go to EC2 > Settings (under Account attributes)
    • Check that EBS encryption shows Enabled
    • Verify the default encryption key is set to your preferred KMS key
  2. Test with a new volume:

    • Create a new EBS volume without specifying encryption settings
    • Check the volume properties - it should show as encrypted

CLI verification commands

Check current encryption status:

aws ec2 get-ebs-encryption-by-default --region us-east-1

Expected output when enabled:

{
    "EbsEncryptionByDefault": true
}

Check the default KMS key:

aws ec2 get-ebs-default-kms-key-id --region us-east-1

Check all regions:

for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    status=$(aws ec2 get-ebs-encryption-by-default --region "$region" --query 'EbsEncryptionByDefault' --output text)
    echo "$region: $status"
done
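The per-region loop above only reports the on/off flag. The following script is an added example (not part of this page's tooling) that extends the same verification to every region: it records the default KMS key, flags regions still on the AWS-managed aws/ebs key, and lists existing unencrypted volumes, which the setting does not retroactively fix. It assumes boto3 and AWS credentials for the live audit; the evaluation logic is separated so it can be exercised offline on constructed API responses, and the volume IDs in the comments are constructed.

```python
"""Audit EBS default-encryption posture across all regions (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

try:
    import boto3  # only needed for the live audit; evaluate_region() is pure
except ImportError:  # boto3 absent: offline evaluation still works
    boto3 = None

# Alias reported by GetEbsDefaultKmsKeyId when no customer-managed key is set.
AWS_MANAGED_ALIAS = "alias/aws/ebs"


@dataclass
class RegionFinding:
    region: str
    encryption_by_default: bool
    default_key: Optional[str]
    unencrypted_volumes: List[str] = field(default_factory=list)

    @property
    def issues(self) -> List[str]:
        """Human-readable list of problems; empty means the region is compliant."""
        found = []
        if not self.encryption_by_default:
            found.append("encryption-by-default disabled")
        if self.default_key == AWS_MANAGED_ALIAS:
            found.append("default key is AWS-managed aws/ebs")
        if self.unencrypted_volumes:
            found.append(f"{len(self.unencrypted_volumes)} unencrypted volume(s)")
        return found


def evaluate_region(region: str, enc_resp: dict, key_resp: dict, volumes_resp: dict) -> RegionFinding:
    """Pure evaluation over the three API responses (same shapes as the CLI output on this page)."""
    unencrypted = [v["VolumeId"] for v in volumes_resp.get("Volumes", []) if not v.get("Encrypted", False)]
    return RegionFinding(region, bool(enc_resp.get("EbsEncryptionByDefault", False)),
                         key_resp.get("KmsKeyId"), unencrypted)


def audit_all_regions(session=None) -> List[RegionFinding]:
    """Live audit: calls the same EC2 APIs as the page's CLI commands in every region."""
    session = session or boto3.Session()
    regions = [r["RegionName"] for r in session.client("ec2").describe_regions()["Regions"]]
    findings = []
    for region in regions:
        ec2 = session.client("ec2", region_name=region)
        volumes = {"Volumes": []}
        for page in ec2.get_paginator("describe_volumes").paginate():
            volumes["Volumes"].extend(page["Volumes"])
        findings.append(evaluate_region(region, ec2.get_ebs_encryption_by_default(),
                                        ec2.get_ebs_default_kms_key_id(), volumes))
    return findings


if __name__ == "__main__":
    for f in audit_all_regions():
        print(f"{f.region}: {'OK' if not f.issues else '; '.join(f.issues)}")
```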

Notes

  • Existing volumes: Enabling default encryption only affects newly created volumes. Existing unencrypted volumes remain unencrypted. To encrypt an existing volume, take a snapshot of it, copy the snapshot with encryption enabled, and create a new volume from the encrypted copy.
  • Per-region setting: EBS encryption settings are region-specific. You must enable this in each AWS region you use.
  • Instance type compatibility: Some older instance types do not support encrypted volumes. Enabling encryption by default may prevent launching these instances. Check instance type support before enabling.
  • KMS key selection: Using a customer-managed KMS key (instead of the AWS-managed aws/ebs key) gives you more control over key access policies and enables CloudTrail logging of key usage.
  • No additional cost for encryption: EBS encryption itself is free. However, customer-managed KMS keys incur charges ($1/month per key plus API usage).
  • Snapshot sharing: Encrypted snapshots can only be shared if you use a customer-managed KMS key (not the default AWS-managed key) and grant the recipient account access to the key.