Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The EC2 default EBS encryption solution enables account-level default EBS encryption in each AWS account and each targeted AWS Region in the AWS Organization.
You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot. For examples of transitioning from unencrypted to encrypted EBS resources, see Encrypt unencrypted resources.
Encryption by default has no effect on existing EBS volumes or snapshots.
Key solution features:
- Sets the EC2 default EBS encryption setting for all existing accounts (including the management account) and future accounts in the provided regions.
- Ability to exclude accounts via provided account tags.
- Triggered when new accounts are added to the AWS Organization, on account tag updates, and on account status changes.
- Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.
- When you enable encryption by default, you can launch an instance only if the instance type supports EBS encryption. For more information, see Supported instance types.
- If you copy a snapshot and encrypt it to a new KMS key, a complete (non-incremental) copy is created. This results in additional storage costs.
- When migrating servers using AWS Server Migration Service (SMS), do not turn on encryption by default. If encryption by default is already on and you are experiencing delta replication failures, turn off encryption by default. Instead, enable AMI encryption when you create the replication job.
- All resources are deployed via AWS CloudFormation as a `StackSet` and `Stack Instance` within the management account, or as a CloudFormation `Stack` within a specific account.
- The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation `StackSet`.
- For parameter details, review the AWS CloudFormation templates.
- The `Lambda IAM Role` is used by the Lambda function to identify existing and future accounts that need EC2 default EBS encryption configured.
- The `EC2 default EBS encryption IAM Role` is deployed into each account within the AWS Organization and is assumed by the central `AWS Lambda Function` to configure the default encryption setting for the account and region.
- The `Event Rule IAM Role` is assumed by EventBridge to forward global events to the `Home Region` default event bus.
- The `AWS Control Tower Lifecycle Event Rule` triggers the `AWS Lambda Function` when a new AWS account is provisioned through AWS Control Tower.
- The `Organization Compliance Scheduled Event Rule` triggers the `AWS Lambda Function` to capture AWS account status updates (e.g. suspended to active).
  - A parameter is provided to set the schedule frequency.
  - See the Instructions to Manually Run the Lambda Function for triggering the `AWS Lambda Function` before the next scheduled run time.
- The `AWS Organizations Event Rule` triggers the `AWS Lambda Function` when updates are made to accounts within the organization:
  - When AWS accounts are added to the AWS Organization outside of the AWS Control Tower Account Factory (e.g. an account created via the AWS Organizations console, or an account invited from another AWS Organization).
  - When tags are added or updated on AWS accounts.
- If the `Home Region` is different from the `Global Region` (e.g. us-east-1), then global event rules are created within the `Global Region` to forward events to the `Home Region` default event bus.
  - The `AWS Organizations Event Rule` forwards AWS Organizations account update events.
- SQS dead letter queue used for retaining any failed Lambda events.
- The AWS Lambda Function contains the logic for configuring the EC2 default EBS encryption settings within each account and region.
- All `AWS Lambda Function` logs are sent to the CloudWatch Log Group `/aws/lambda/<LambdaFunctionName>` to help with debugging and traceability of the actions performed.
- By default the `AWS Lambda Function` will create the CloudWatch Log Group, and logs are encrypted with a CloudWatch Logs service-managed encryption key.
- Parameters are provided for changing the default log group retention and the encryption KMS key.
- SNS Topic used to notify subscribers when messages hit the Dead Letter Queue (DLQ).
- SNS Topic used to fan out the Lambda function invocations that set the EC2 default EBS encryption configuration.
- The `AWS Lambda Function` configures the default EBS encryption for the account and region with the `AWS managed EBS encryption key` (`alias/aws/ebs`).
- The `EC2 default EBS encryption IAM Role` is deployed into each member account within the AWS Organization and is assumed by the central `AWS Lambda Function` to configure the default encryption setting for the account and region.
Prerequisites:
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
- No AWS Organizations Service Control Policies (SCPs) are blocking the `ec2:GetEbsEncryptionByDefault` and `ec2:EnableEbsEncryptionByDefault` API actions.
- All targeted regions need to be enabled in all accounts within the AWS Organization.
- Choose a Deployment Method:
  - In the management account (home region), launch the `sra-ec2-default-ebs-encryption-main-ssm.yaml` template. This uses an approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.

```bash
aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml --stack-name sra-ec2-default-ebs-encryption-main-ssm --capabilities CAPABILITY_NAMED_IAM
```

Region parameter definitions:
- Control Tower Regions Only
  - `true` = All AWS Control Tower governed regions
  - `false` = All default AWS enabled regions
- Enabled Regions = User provided regions. Leave blank to enable all regions. Note: All provided regions need to be enabled in all accounts within the AWS Organization.
- How to verify after the solution deployment completes?
  - Log into an account and navigate to the EC2 console page.
  - Select a region where EBS default encryption was enabled.
  - Select `EBS Encryption` from the `Account attributes` section and verify the settings match the parameters provided in the configuration.
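The console check above covers one account and one region at a time. The added Python example below shows the same check scripted, and also the per-account, per-region logic the deployed resources section attributes to the `AWS Lambda Function`: assume the `EC2 default EBS encryption IAM Role` in the member account, read `ec2:GetEbsEncryptionByDefault`, call `ec2:EnableEbsEncryptionByDefault` only when the setting is off, report the default key against `alias/aws/ebs`, skip accounts that carry the exclusion tag, and skip accounts that are not `ACTIVE`. This is example code, not the SRA project's Lambda. The role name `sra-ec2-default-ebs-encryption`, the tag key `exclude-ec2-default-ebs-encryption`, the `FakeEc2` client and the sample organization are assumptions constructed so the example runs offline; `dry_run=True` turns the same function into a read-only audit.

```python
"""Added example (not the SRA project's code): enforce or audit EBS encryption by
default per account and region. Role name, tag key and FakeEc2 are assumptions."""
from typing import Callable, Dict, Iterable, List

AWS_MANAGED_EBS_KEY = "alias/aws/ebs"                    # default key named on the page
ROLE_NAME = "sra-ec2-default-ebs-encryption"             # assumed member-account role name
EXCLUDE_TAG_KEY = "exclude-ec2-default-ebs-encryption"   # assumed exclusion tag key


def tags_to_dict(tags: Iterable[dict]) -> Dict[str, str]:
    """Organizations returns tags as [{'Key': ..., 'Value': ...}]; flatten them."""
    return {t["Key"]: t["Value"] for t in tags}


def is_excluded(tags: Dict[str, str]) -> bool:
    """An account carrying the exclusion tag with value 'true' is left untouched."""
    return tags.get(EXCLUDE_TAG_KEY, "").strip().lower() == "true"


def ensure_default_ebs_encryption(ec2, dry_run: bool = False) -> dict:
    """Enable encryption by default in the region `ec2` is bound to, if it is off.
    Reads first and writes only when needed, so repeated runs are idempotent."""
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    changed = False
    if not enabled and not dry_run:
        ec2.enable_ebs_encryption_by_default()
        enabled, changed = True, True
    key_id = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    return {
        "enabled": enabled,
        "changed": changed,
        "default_kms_key": key_id,
        "uses_aws_managed_key": key_id == AWS_MANAGED_EBS_KEY,  # flags a drifted default key
    }


def assumed_role_ec2_client(account_id: str, region: str):
    """Real client factory: assume the member-account role and return a regional EC2 client.
    boto3 is imported here so the rest of the module runs offline with FakeEc2."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
        RoleSessionName="ec2-default-ebs-encryption",
    )["Credentials"]
    return boto3.client(
        "ec2", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def process_accounts(accounts: List[dict], regions: List[str],
                     client_factory: Callable[[str, str], object],
                     dry_run: bool = False) -> dict:
    """accounts: [{'Id', 'Status', 'Tags'}] as from Organizations list_accounts plus
    list_tags_for_resource. Returns a skip reason per account or a result per (account, region)."""
    results = {}
    for acct in accounts:
        if acct.get("Status") != "ACTIVE":        # suspended/closed accounts cannot be modified
            results[acct["Id"]] = f"skipped: status {acct.get('Status')}"
            continue
        if is_excluded(tags_to_dict(acct.get("Tags", []))):
            results[acct["Id"]] = "skipped: excluded by tag"
            continue
        for region in regions:
            results[(acct["Id"], region)] = ensure_default_ebs_encryption(
                client_factory(acct["Id"], region), dry_run)
    return results


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client so the example runs offline."""
    def __init__(self, enabled: bool, key: str = AWS_MANAGED_EBS_KEY):
        self.enabled, self.key, self.calls = enabled, key, []

    def get_ebs_encryption_by_default(self):
        self.calls.append("get")
        return {"EbsEncryptionByDefault": self.enabled}

    def enable_ebs_encryption_by_default(self):
        self.calls.append("enable")
        self.enabled = True
        return {"EbsEncryptionByDefault": True}

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.key}


# Constructed sample organization: one plain account, one excluded, one suspended.
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Status": "ACTIVE", "Tags": []},
    {"Id": "222222222222", "Status": "ACTIVE", "Tags": [{"Key": EXCLUDE_TAG_KEY, "Value": "true"}]},
    {"Id": "333333333333", "Status": "SUSPENDED", "Tags": []},
]
SAMPLE_REGIONS = ["us-east-1", "eu-west-1"]


def sample_state() -> dict:
    """Fresh fake clients per call: us-east-1 is off, eu-west-1 is on but with a custom key."""
    return {("111111111111", "us-east-1"): FakeEc2(enabled=False),
            ("111111111111", "eu-west-1"): FakeEc2(enabled=True, key="alias/custom-ebs")}


def demo(dry_run: bool = False) -> dict:
    """Run enforcement (or a read-only audit with dry_run) against the constructed sample."""
    state = sample_state()
    return process_accounts(SAMPLE_ACCOUNTS, SAMPLE_REGIONS,
                            lambda acct, region: state[(acct, region)], dry_run)


if __name__ == "__main__":
    for target, outcome in demo(dry_run=True).items():
        print(target, outcome)
```

Swap `sample_state` for `assumed_role_ec2_client` and the account list from `list_accounts` to run it for real; the SCP prerequisite above applies, since a denied `ec2:GetEbsEncryptionByDefault` call will raise before any change is attempted.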
Solution update steps:
- Download and Stage the SRA Solutions. Note: Get the latest code and run the staging script.
- Update the existing CloudFormation Stack or CFCT configuration. Note: Make sure to update the `SRA Solution Version` parameter and any newly added parameters.
Solution delete steps:
- In the `management account (home region)`, delete the AWS CloudFormation Stack created in step 3 of the solution deployment. Note: The solution will not modify the default EBS encryption setting on a `Delete` event. Only the SSM configuration parameter is deleted in this step.
- In the `management account (home region)`, delete the AWS CloudFormation Stack created in step 2 of the solution deployment.
- In the `management account (home region)`, delete the AWS CloudFormation StackSet created in step 1 of the solution deployment. Note: there should not be any `stack instances` associated with this StackSet.
- In the `management account (home region)`, delete the AWS CloudWatch Log Group (e.g. `/aws/lambda/<solution_name>`) for the Lambda function deployed in step 2 of the solution deployment.
Instructions to manually run the Lambda function:
- In the `management account (home region)`, navigate to the AWS Lambda Functions page.
- Select the `checkbox` next to the Lambda Function and select `Test` from the `Actions` menu.
- Scroll down to view the `Test event`.
- Click the `Test` button to trigger the Lambda Function with the default values.
- Verify that the updates were successful within the expected account(s).
