You can now encrypt new EBS volumes in your account in a region with a single setting

Posted on: May 23, 2019

You can now enable Amazon Elastic Block Store (EBS) Encryption by Default, ensuring that all new EBS volumes created in your account are encrypted. Encryption by Default opt-in settings are specific to individual AWS regions in your account. With increasingly strict regulations on data, this feature makes it easier for you to encrypt data on EBS so that you achieve your compliance and security goals. 

Previously, you had to explicitly specify encryption for every new EBS volume you created. To ensure that all new volumes were encrypted, you either wrote an IAM policy that blocked instance launches when encryption was not specified, or maintained custom scripts to detect unencrypted volumes and copy their data to encrypted volumes. Now you can enable EBS Encryption by Default with a single API call per region. Once you enable EBS Encryption by Default, all newly created volumes in that region are encrypted without you having to specify encryption for each volume. This simplifies your workflow for ensuring that only encrypted volumes are created. Furthermore, you can set one of your customer-managed customer master keys (CMKs) as the default CMK for EBS encryption instead of the AWS-managed CMK. As a result, you have more granular control over who can access data that is encrypted by default.
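The per-region workflow described above, as an added example (this is not AWS's own code or documentation): for each region, read the current Encryption by Default setting, enable it if it is off, and optionally set a customer-managed CMK as the default key. The four EC2 operations used (get_ebs_encryption_by_default, enable_ebs_encryption_by_default, get_ebs_default_kms_key_id, modify_ebs_default_kms_key_id) are the real boto3 calls for this feature; the FakeEc2 class, the region names and the key ARN are constructed stand-ins so the script runs offline, and boto3 is only imported when you ask for live clients.

```python
"""Audit and enable EBS Encryption by Default, one region at a time.

Added example, not AWS's own code. The boto3 EC2 operations used here are
real; FakeEc2 is a constructed in-memory stand-in so the logic runs offline.
"""
from dataclasses import dataclass, field

# Key EBS uses when no customer-managed CMK has been set as the default.
AWS_MANAGED_ALIAS = "alias/aws/ebs"


@dataclass
class FakeEc2:
    """Constructed stand-in for one region's boto3 EC2 client (assumption)."""
    enabled: bool = False
    kms_key_id: str = AWS_MANAGED_ALIAS
    calls: list = field(default_factory=list)

    def get_ebs_encryption_by_default(self):
        self.calls.append("get")
        return {"EbsEncryptionByDefault": self.enabled}

    def enable_ebs_encryption_by_default(self):
        self.calls.append("enable")
        self.enabled = True
        return {"EbsEncryptionByDefault": True}

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.kms_key_id}

    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.calls.append("modify")
        self.kms_key_id = KmsKeyId
        return {"KmsKeyId": KmsKeyId}


def ensure_encryption_by_default(ec2, kms_key_id=None):
    """Enable EBS Encryption by Default in the region this client is bound to.

    The setting is per region, so run this once per region. If kms_key_id is
    given it becomes the default CMK for EBS encryption; otherwise the current
    default (the AWS-managed key unless previously changed) is kept.
    Returns what was found and what was changed, for a compliance report.
    """
    was_enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    if not was_enabled:
        ec2.enable_ebs_encryption_by_default()
    current_key = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    key_changed = False
    if kms_key_id and kms_key_id != current_key:
        current_key = ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)["KmsKeyId"]
        key_changed = True
    return {"was_enabled": was_enabled, "enabled_now": True,
            "default_key": current_key, "key_changed": key_changed}


def audit_regions(clients, kms_key_id=None):
    """Apply ensure_encryption_by_default to a {region: client} mapping.

    Regions reported with was_enabled == False deserve a follow-up: volumes
    created there before this run are not covered by the new default.
    """
    return {region: ensure_encryption_by_default(client, kms_key_id)
            for region, client in clients.items()}


def live_clients(regions):
    """Build real boto3 EC2 clients for live use (needs AWS credentials)."""
    import boto3  # imported here so the offline demo does not require it
    return {r: boto3.client("ec2", region_name=r) for r in regions}


if __name__ == "__main__":
    # Constructed sample: one region still off, one already on with a customer CMK.
    sample = {
        "us-east-1": FakeEc2(),
        "eu-west-1": FakeEc2(enabled=True,
                             kms_key_id="arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"),
    }
    for region, result in audit_regions(sample).items():
        note = "" if result["was_enabled"] else "  <- was NOT enabled; review older volumes"
        print(f"{region}: default key {result['default_key']}{note}")
```

For a real account, replace the sample mapping with `live_clients(["us-east-1", "eu-west-1"])` and pass the ARN of your customer-managed CMK as `kms_key_id`; the function only calls the modify operation when the current default differs, so repeated runs are idempotent.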

To get started, see the technical documentation on enabling EBS Encryption by Default. This feature is now available through the AWS Command Line Interface (CLI) or AWS SDKs at no extra charge in AWS GovCloud and all commercial regions except China.