How can I turn on automatic encryption of new Amazon EBS volumes and snapshot copies created in my account?
Last updated: 2019-11-21
I have to manually encrypt each new Amazon Elastic Block Storage (Amazon EBS) volume that I create in a Region. How can I automatically encrypt new Amazon EBS volumes and snapshot copies created in my account?
New Amazon EBS volumes aren't encrypted by default. However, there is a setting in the Amazon Elastic Compute Cloud (Amazon EC2) console that turns on encryption by default for all new Amazon EBS volumes and snapshot copies created within a specified Region.
Keep the following points in mind before enabling encryption:
- Encryption by default is a Region-specific setting. If encryption is enabled for a Region, it can't be disabled for individual volumes or snapshots in that Region.
- After enabling encryption by default, you can launch an instance only if the instance type supports Amazon EBS encryption.
- Don't turn on encryption by default when migrating servers using AWS Server Migration Service. If encryption by default is already on and you are experiencing delta replication failures, turn off encryption by default. Instead, enable AMI encryption when you create the replication job.
- Open the Amazon EC2 console.
- Select the Region from the drop-down menu.
- On the EC2 Dashboard, under Account Attributes, select Settings.
- Under EBS Storage, select Always encrypt new EBS volumes.
- Select Change the default key and choose any of your keys (default/CMKs) as the Default encryption key.
- Select Save Settings.
Repeat these steps for other Regions as needed.