Enable EBS default encryption for the region the stack is deployed in, so that new EBS volumes attached to EC2 instances in that region are encrypted without per-volume configuration. The template includes a CloudFormation custom resource, backed by a Lambda function, that turns this account-level setting on.
The configuration lets you create a new KMS customer managed key for encryption, use the default AWS-managed KMS key (aws/ebs), or specify an existing KMS key.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  # Custom resource: invoking the Lambda below enables EBS default encryption
  # in the stack's region and sets the default KMS key for new volumes.
  Ec2DefaultEncryption:
    Type: "Custom::Ec2DefaultEncryption"
    Properties:
      KmsKeyId: "aws/ebs"   # AWS-managed key; replace with a CMK ARN or alias to use your own key
      ServiceToken:
        Fn::GetAtt:
          - "Ec2DefaultEncryptionLambda"
          - "Arn"
  Ec2DefaultEncryptionLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        # AmazonEC2FullAccess is far broader than the few EBS-encryption settings
        # calls this function makes; scope it down to those actions in production.
        - "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
      Policies:
        - PolicyName: "kmsReadInline"
          PolicyDocument:
            Statement:
              - Effect: "Allow"
                Action:
                  - "kms:DescribeKey"   # needed to validate a caller-supplied KMS key
                Resource: "*"
  Ec2DefaultEncryptionLambda:
    Type: "AWS::Lambda::Function"
    Properties:
      Code:
        # Deployment package is fetched from a per-region bucket maintained by the site.
        S3Bucket:
          Fn::Sub:
            - "asecure-cloud-cf-aux-${Region}"
            - Region:
                Ref: "AWS::Region"
        S3Key: "ec2-enable-default-encryption-lambda.zip"
      Handler: "lambda_function.lambda_handler"
      MemorySize: 128
      Role:
        Fn::GetAtt:
          - "Ec2DefaultEncryptionLambdaRole"
          - "Arn"
      Runtime: "python3.9"
      Timeout: 120
Parameters: {}
Metadata: {}
Conditions: {}
```
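The source of the Lambda behind ServiceToken (ec2-enable-default-encryption-lambda.zip) is not on this page; the following is an added example of how such a custom-resource handler can be written, not the project's own code. It assumes the boto3 EC2 client calls enable_ebs_encryption_by_default, modify_ebs_default_kms_key_id, reset_ebs_default_kms_key_id and the two matching get_* calls, and FakeEc2 is a constructed stand-in for running the logic offline.

```python
import json
import urllib.request

def apply_default_encryption(ec2, kms_key_id, request_type):
    """Core logic, kept free of CloudFormation plumbing; `ec2` is a boto3 EC2 client or a fake."""
    if request_type != "Delete":
        ec2.enable_ebs_encryption_by_default()
        if kms_key_id in ("", "aws/ebs", "alias/aws/ebs"):
            ec2.reset_ebs_default_kms_key_id()  # back to the AWS-managed key
        else:
            ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)
    # On Delete the setting is left as is: switching encryption off on stack teardown would silently weaken the account.
    return {"EncryptionByDefault": ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"],
            "DefaultKmsKeyId": ec2.get_ebs_default_kms_key_id()["KmsKeyId"]}

def send_response(event, context, status, data, reason="see CloudWatch logs"):
    """Report the outcome to CloudFormation via the pre-signed URL in the event."""
    body = {"Status": status, "Reason": reason, "Data": data,
            "PhysicalResourceId": context.log_stream_name,
            **{k: event[k] for k in ("StackId", "RequestId", "LogicalResourceId")}}
    req = urllib.request.Request(event["ResponseURL"], method="PUT",
                                 data=json.dumps(body).encode(), headers={"Content-Type": ""})
    urllib.request.urlopen(req)

def lambda_handler(event, context):
    import boto3  # imported lazily so the logic above can run without the SDK installed
    try:
        key = event.get("ResourceProperties", {}).get("KmsKeyId", "")
        data = apply_default_encryption(boto3.client("ec2"), key, event["RequestType"])
        send_response(event, context, "SUCCESS", data)
    except Exception as exc:  # a FAILED response keeps the stack from hanging until timeout
        send_response(event, context, "FAILED", {}, reason=str(exc))

class FakeEc2:
    """Constructed stand-in for boto3's EC2 client so the logic can run offline."""
    def __init__(self):
        self.enabled, self.key = False, "alias/aws/ebs"
    def enable_ebs_encryption_by_default(self):
        self.enabled = True
    def reset_ebs_default_kms_key_id(self):
        self.key = "alias/aws/ebs"
    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.key = KmsKeyId
    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}
    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.key}
```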