
EC2 Security Controls

EBS Volume Default Encryption (Account-Level)

Configures EBS encryption by default for the region in which the stack is deployed (the setting is per account and per region), so that new EBS volumes attached to EC2 instances there are encrypted. Includes a Lambda-backed CloudFormation custom resource that enables this setting.

Configuration includes the option to create a new KMS customer managed key for encryption, use the default AWS managed KMS key (aws/ebs), or specify an existing KMS key.

Items: 3, Size: 1.5 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  # Custom resource: CloudFormation invokes the Lambda function below on Create, Update and Delete.
  Ec2DefaultEncryption:
    Type: "Custom::Ec2DefaultEncryption"
    Properties:
      # "aws/ebs" selects the AWS managed key; set a customer managed key ID or ARN to use your own.
      KmsKeyId: "aws/ebs"
      ServiceToken:
        Fn::GetAtt:
          - "Ec2DefaultEncryptionLambda"
          - "Arn"
  # Execution role assumed by the Lambda function.
  Ec2DefaultEncryptionLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        # Far broader than the handler needs (ec2:EnableEbsEncryptionByDefault,
        # ec2:GetEbsEncryptionByDefault, ec2:ModifyEbsDefaultKmsKeyId and their
        # Disable/Get/Reset counterparts); an inline policy listing only those
        # actions would be the least-privilege choice.
        - "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
      Policies:
        - PolicyName: "kmsReadInline"
          PolicyDocument:
            Statement:
              # Read-only KMS access so the handler can describe the supplied key.
              - Effect: "Allow"
                Action:
                  - "kms:DescribeKey"
                Resource: "*"
  Ec2DefaultEncryptionLambda:
    Type: "AWS::Lambda::Function"
    Properties:
      Code:
        # Handler code is fetched from a per-region bucket maintained by the template author.
        S3Bucket:
          Fn::Sub:
            - "asecure-cloud-cf-aux-${Region}"
            - Region:
                Ref: "AWS::Region"
        S3Key: "ec2-enable-default-encryption-lambda.zip"
      Handler: "lambda_function.lambda_handler"
      MemorySize: 128
      Role:
        Fn::GetAtt:
          - "Ec2DefaultEncryptionLambdaRole"
          - "Arn"
      # Python 3.6 is no longer a supported Lambda runtime; use a current python3.x when deploying.
      Runtime: "python3.6"
      Timeout: 120
Parameters: {}
Metadata: {}
Conditions: {}
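The template ships its handler as a prebuilt zip (ec2-enable-default-encryption-lambda.zip), so the logic that actually flips the setting is not on this page. The following is an added example of what the core of such a handler looks like, not the project's own code: it assumes a boto3 EC2 client is passed in (so it can be exercised with a test double), treats a stack Delete as resetting the key while keeping encryption enabled, and uses a fixed PhysicalResourceId.

```python
import json
import urllib.request

AWS_MANAGED_EBS_KEY = "aws/ebs"  # the template's default KmsKeyId value


def apply_default_encryption(ec2, request_type: str, kms_key_id: str) -> dict:
    """Apply the regional EBS default-encryption setting for one stack event.

    ec2 is a boto3 EC2 client (or a test double with the same methods). Create/Update:
    enable encryption by default and select the KMS key. Delete (this example's assumed
    policy): reset the key to the AWS-managed aws/ebs key but keep encryption enabled, so
    tearing down the stack cannot silently weaken the account. Returns read-back state.
    """
    if request_type not in ("Create", "Update", "Delete"):
        raise ValueError(f"unexpected RequestType {request_type!r}")
    if request_type != "Delete":
        ec2.enable_ebs_encryption_by_default()
    if request_type != "Delete" and kms_key_id and kms_key_id != AWS_MANAGED_EBS_KEY:
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)  # key ID, ARN or alias/... name
    else:
        ec2.reset_ebs_default_kms_key_id()  # back to the AWS-managed aws/ebs key
    return {  # read back so the stack records what is actually in effect, not what was requested
        "EbsEncryptionByDefault": ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"],
        "KmsKeyId": ec2.get_ebs_default_kms_key_id()["KmsKeyId"],
    }


def send_response(event: dict, status: str, data: dict, reason: str = "") -> None:
    """PUT the result to CloudFormation's pre-signed ResponseURL (what the cfnresponse module does)."""
    body = json.dumps({
        "Status": status, "Reason": reason or "see CloudWatch Logs", "Data": data,
        "PhysicalResourceId": "ebs-default-encryption",  # fixed: the setting is a per-region singleton
        "StackId": event["StackId"], "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req)


def lambda_handler(event: dict, context) -> None:
    """Entry point matching the template's Handler value lambda_function.lambda_handler."""
    import boto3  # imported here so the module stays importable without boto3 installed
    kms_key_id = event.get("ResourceProperties", {}).get("KmsKeyId", AWS_MANAGED_EBS_KEY)
    try:
        data = apply_default_encryption(boto3.client("ec2"), event["RequestType"], kms_key_id)
        send_response(event, "SUCCESS", data)
    except Exception as exc:  # report FAILED rather than leaving the stack to hang until timeout
        send_response(event, "FAILED", {}, reason=str(exc))
```

The read-back values are returned as custom-resource Data, so a stack output or a later audit can confirm the region really ended up encrypted with the intended key.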
