Overview

Configure EBS encryption by default for all EC2 instances in the region where the template is deployed (the setting is per region). Includes a CloudFormation custom resource to enable this setting.

Configuration includes the option to create a new KMS customer managed key for encryption, use the default AWS-managed KMS key (aws/ebs), or specify an existing KMS key.

Configuration Templates

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  # Custom resource: on stack create/update the Lambda below calls the EC2 API to
  # turn on EBS encryption by default in this region. KmsKeyId is aws/ebs (the
  # AWS-managed key) here; a customer managed key ARN or alias can be given instead.
  Ec2DefaultEncryption:
    Type: 'Custom::Ec2DefaultEncryption'
    Properties:
      KmsKeyId: aws/ebs
      ServiceToken:
        'Fn::GetAtt':
          - Ec2DefaultEncryptionLambda
          - Arn
  Ec2DefaultEncryptionLambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        # CloudWatch Logs permissions for the function itself.
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
        # AmazonEC2FullAccess is much broader than this function needs. The
        # setting only requires ec2:GetEbsEncryptionByDefault,
        # ec2:EnableEbsEncryptionByDefault, ec2:GetEbsDefaultKmsKeyId,
        # ec2:ModifyEbsDefaultKmsKeyId and ec2:ResetEbsDefaultKmsKeyId
        # (plus ec2:DisableEbsEncryptionByDefault if it is ever turned back off);
        # an inline policy listing just those actions is the least-privilege form.
        - 'arn:aws:iam::aws:policy/AmazonEC2FullAccess'
      Policies:
        - PolicyName: kmsReadInline
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  # Read-only KMS access, enough to look up the key named in KmsKeyId.
                  - 'kms:DescribeKey'
                Resource: '*'
  Ec2DefaultEncryptionLambda:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        # Packaged handler published per region by the template author.
        S3Bucket:
          'Fn::Sub':
            - 'asecure-cloud-cf-aux-${Region}'
            - Region:
                Ref: 'AWS::Region'
        S3Key: ec2-enable-default-encryption-lambda.zip
      Handler: lambda_function.lambda_handler
      MemorySize: 128
      Role:
        'Fn::GetAtt':
          - Ec2DefaultEncryptionLambdaRole
          - Arn
      # Was python3.6, which Lambda no longer accepts for new functions.
      Runtime: python3.12
      Timeout: 120
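The template ships its handler as a zip whose source is not on the page. The block below is an added example, not that packaged code or anything from the template's author: it shows what a custom resource for this setting has to do (reset to aws/ebs or validate and set a customer managed key, enable encryption by default, read the state back, and always answer CloudFormation). The EC2 and KMS clients are injected, so it runs offline against the constructed FakeEc2/FakeKms stand-ins at the bottom (the key ARNs they hold are made up); inside Lambda, lambda_handler builds real boto3 clients.

```python
"""EBS encryption-by-default custom resource, reimplemented for illustration.

Added example (not the page's packaged Lambda). Clients are injected so the
logic can be exercised without AWS credentials.
"""
import json
import urllib.request

AWS_MANAGED_EBS_KEY = "aws/ebs"   # value used by the template's KmsKeyId property


def apply_default_encryption(request_type, props, ec2, kms):
    """Apply the requested state in the current region and return it.

    props["KmsKeyId"] is "aws/ebs" for the AWS-managed key, otherwise a
    customer managed key id, ARN or alias. ec2/kms are boto3-style clients.
    """
    if request_type == "Delete":
        # Design choice of this example: deleting the stack leaves encryption
        # on, so volumes created afterwards stay encrypted.
        return current_state(ec2)

    key_id = props.get("KmsKeyId", AWS_MANAGED_EBS_KEY)
    if key_id == AWS_MANAGED_EBS_KEY:
        ec2.reset_ebs_default_kms_key_id()          # back to aws/ebs
    else:
        # Validate the key before pointing every new volume at it; this is
        # what the role's kms:DescribeKey permission is for.
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        if meta["KeyState"] != "Enabled":
            raise ValueError(f"KMS key {key_id} is {meta['KeyState']}, not Enabled")
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=meta["Arn"])

    ec2.enable_ebs_encryption_by_default()
    state = current_state(ec2)
    if not state["EncryptionByDefault"]:            # read back, do not assume
        raise RuntimeError("EBS encryption by default is still off after enabling it")
    return state


def current_state(ec2):
    return {
        "EncryptionByDefault": ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"],
        "DefaultKmsKeyId": ec2.get_ebs_default_kms_key_id()["KmsKeyId"],
    }


def build_response(event, status, data=None, reason=""):
    """Body CloudFormation expects at event["ResponseURL"] (custom resource protocol)."""
    return {
        "Status": status,                      # "SUCCESS" or "FAILED"
        "Reason": reason or "See CloudWatch logs",
        "PhysicalResourceId": event.get("PhysicalResourceId") or "ebs-default-encryption",
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def lambda_handler(event, context):
    import boto3                                    # only needed inside Lambda
    ec2, kms = boto3.client("ec2"), boto3.client("kms")
    try:
        data = apply_default_encryption(event["RequestType"],
                                        event.get("ResourceProperties", {}), ec2, kms)
        body = build_response(event, "SUCCESS", data)
    except Exception as exc:                        # always answer, or the stack hangs until timeout
        body = build_response(event, "FAILED", reason=str(exc))
    payload = json.dumps(body).encode()
    req = urllib.request.Request(event["ResponseURL"], data=payload, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(payload))})
    urllib.request.urlopen(req)


class FakeEc2:
    """Constructed in-memory stand-in: tracks the two region-level settings."""
    def __init__(self):
        self.enabled, self.key = False, "alias/aws/ebs"
    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}
    def enable_ebs_encryption_by_default(self):
        self.enabled = True
        return {"EbsEncryptionByDefault": True}
    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.key}
    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.key = KmsKeyId
        return {"KmsKeyId": KmsKeyId}
    def reset_ebs_default_kms_key_id(self):
        self.key = "alias/aws/ebs"
        return {"KmsKeyId": self.key}


class FakeKms:
    """Constructed stand-in with one enabled and one disabled CMK (made-up ARNs)."""
    KEYS = {
        "alias/ebs-cmk": {"Arn": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-ENABLED", "KeyState": "Enabled"},
        "alias/old-cmk": {"Arn": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-DISABLED", "KeyState": "Disabled"},
    }
    def describe_key(self, KeyId):
        return {"KeyMetadata": self.KEYS[KeyId]}


if __name__ == "__main__":
    ec2 = FakeEc2()
    print(apply_default_encryption("Create", {"KmsKeyId": "alias/ebs-cmk"}, ec2, FakeKms()))
```

The "create a new KMS customer managed key" option from the overview maps onto this by adding an AWS::KMS::Key resource to the template and passing its ARN as KmsKeyId; the handler path is the same as for an existing key. Rejecting a disabled key before calling ModifyEbsDefaultKmsKeyId matters because otherwise every new volume in the region would fail to create until the key is fixed.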


Sources and Documentation

Configuration Source: AWS Documentation: EBS Encryption by Default
