Configures EBS default encryption for all EC2 instances in the region where the stack is deployed. Includes a CloudFormation custom resource to enable this setting.
Configuration includes the option to create a new KMS customer-managed key for encryption, use the default AWS-managed KMS key (aws/ebs), or specify an existing KMS key.
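# CloudFormation template: enables EBS encryption by default for the region
# the stack is deployed in, using a Lambda-backed custom resource.
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  # Custom resource; CloudFormation invokes the Lambda referenced by
  # ServiceToken on stack create/update/delete.
  Ec2DefaultEncryption:
    Type: 'Custom::Ec2DefaultEncryption'
    Properties:
      # Key used for default EBS encryption. Taken from the KmsKeyId parameter
      # so a customer-managed key id/ARN can be supplied at deploy time;
      # the default keeps the original behaviour (AWS-managed key aws/ebs).
      KmsKeyId:
        Ref: KmsKeyId
      ServiceToken:
        'Fn::GetAtt':
          - Ec2DefaultEncryptionLambda
          - Arn

  # Execution role assumed by the custom-resource Lambda.
  Ec2DefaultEncryptionLambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        # CloudWatch Logs write access for the function.
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
        # NOTE(review): AmazonEC2FullAccess grants every EC2 action, far more
        # than toggling the regional EBS default-encryption setting requires.
        # Once the API calls made by the packaged handler are confirmed,
        # replace this with an inline policy limited to the
        # ec2:*EbsEncryptionByDefault and ec2:*EbsDefaultKmsKeyId actions.
        - 'arn:aws:iam::aws:policy/AmazonEC2FullAccess'
      Policies:
        - PolicyName: kmsReadInline
          PolicyDocument:
            # Explicit policy-language version; the original omitted it, so IAM
            # applied the older 2008-10-17 default.
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'kms:DescribeKey'
                # DescribeKey is needed to validate a customer-supplied key;
                # '*' is used because the key is not known at template time.
                Resource: '*'

  # Lambda that applies the EBS default-encryption setting.
  Ec2DefaultEncryptionLambda:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        # NOTE(review): the handler code is fetched from a region-specific
        # bucket owned by the template publisher and nothing pins the object
        # (no S3ObjectVersion), so the deployed code can change between
        # deployments without any change to this template. Prefer hosting a
        # reviewed copy of the zip in a bucket you control, or at least pin
        # S3ObjectVersion to the reviewed object version.
        S3Bucket:
          'Fn::Sub':
            - 'asecure-cloud-cf-aux-${Region}'
            - Region:
                Ref: 'AWS::Region'
        S3Key: ec2-enable-default-encryption-lambda.zip
      Handler: lambda_function.lambda_handler
      MemorySize: 128
      Role:
        'Fn::GetAtt':
          - Ec2DefaultEncryptionLambdaRole
          - Arn
      # NOTE(review): check this runtime against the current Lambda runtime
      # support schedule before deploying; deprecated runtimes block updates.
      Runtime: python3.9
      Timeout: 120

Parameters:
  # KMS key id, alias or ARN used for EBS default encryption. The default is
  # the AWS-managed EBS key, matching the previously hard-coded value.
  KmsKeyId:
    Type: String
    Default: aws/ebs
    Description: KMS key id, alias or ARN to use for EBS default encryption.
Metadata: {}
Conditions: {}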