I manually encrypt new Amazon Elastic Block Store (Amazon EBS) volumes that I create. But I want to automatically encrypt new Amazon EBS volumes and snapshot copies.
Short description
Newly created Amazon EBS volumes aren't encrypted unless you request encryption at creation time. However, you can turn on encryption by default for new EBS volumes and snapshot copies that are created within a specified Region. You can turn on encryption by default from the Amazon Elastic Compute Cloud (Amazon EC2) console (described in the Resolution section) or with the AWS CLI (enable-ebs-encryption-by-default and modify-ebs-default-kms-key-id).
Before you turn on encryption by default, note the following:
- Encryption by default is a Region-specific setting. After you turn on encryption by default for a Region, you can't create an unencrypted volume or snapshot copy in that Region, and you can't turn encryption off for an individual volume or snapshot. You can turn the Region-level setting off again later, but that change, like turning it on, affects only resources created afterward.
- After you turn on encryption by default, you can launch an instance only if the instance type supports Amazon EBS encryption.
- Turning on encryption by default doesn't change existing resources, encrypted or unencrypted. The setting applies only to volumes and snapshot copies that you create after you turn it on. To encrypt an existing unencrypted volume, create a snapshot, copy the snapshot with encryption turned on, and create a new volume from the encrypted copy.
- If encryption by default is turned on and you experience delta replication failures when you use AWS Server Migration Service, then turn off encryption by default. For lift-and-shift migration, it's a best practice to use Application Migration Service.
Resolution
To turn on encryption by default, complete the following steps:
- Open the Amazon EC2 console.
- Select the appropriate Region.
- In the navigation pane, choose EC2 Dashboard.
- Choose Data protection and security.
- In the EBS encryption section, choose Manage.
- For Always encrypt new EBS volumes, select Enable.
- For Default encryption key, select the AWS KMS key to use as the default. You can keep the AWS managed key for EBS (aws/ebs) or choose one of your customer managed keys.
- Choose Update EBS encryption.
Repeat these steps for each other Region where you need encryption by default, because the setting is not propagated between Regions.
Note: If you select the AWS managed key (aws/ebs) as the default encryption key, then snapshots of volumes encrypted with that key can't be shared with other AWS accounts, because AWS managed keys can't be granted to other accounts. If you need cross-account sharing, select a customer managed key instead. To learn more about AWS KMS keys, see AWS KMS concepts.
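The following script is an added example, not part of the original article, that performs the same procedure with the AWS CLI across several Regions and applies the note above: it refuses to set an AWS managed key (such as aws/ebs) as the default when the caller wants snapshots to remain shareable, turns the setting on, sets the default key, and then reads the setting back to confirm it took effect. It assumes the AWS CLI is installed and that the credentials in use have ec2:EnableEbsEncryptionByDefault, ec2:ModifyEbsDefaultKmsKeyId, ec2:GetEbsEncryptionByDefault, ec2:GetEbsDefaultKmsKeyId and kms:DescribeKey. The key alias alias/ebs-default used in the usage comment is a placeholder, not a key that exists in your account.

```shell
#!/bin/sh
# Added example (not from the AWS article): turn on EBS encryption by default
# in one or more Regions with the AWS CLI, set a customer managed key as the
# default, and verify the result. The setting is per Region, so every Region
# that needs it is handled in turn.
set -eu

# Succeed (return 0) if KEY_ID resolves to a customer managed key in REGION.
# Fail (return 1) if it is an AWS managed key such as aws/ebs; snapshots
# encrypted with an AWS managed key can't be shared with other accounts.
is_customer_managed_key() {
    region=$1
    key_id=$2
    manager=$(aws kms describe-key --region "$region" --key-id "$key_id" \
        --query 'KeyMetadata.KeyManager' --output text)
    [ "$manager" = "CUSTOMER" ]
}

# Turn on encryption by default in REGION, set KEY_ID as the default key and
# read both settings back. Prints "<region> enabled=<value> key=<arn>" and
# fails if the key is AWS managed or if the setting is not on afterward.
enable_ebs_default_encryption() {
    region=$1
    key_id=$2
    if ! is_customer_managed_key "$region" "$key_id"; then
        echo "$region: $key_id is an AWS managed key; snapshots encrypted with it can't be shared across accounts" >&2
        return 1
    fi
    aws ec2 enable-ebs-encryption-by-default --region "$region" --output text >/dev/null
    aws ec2 modify-ebs-default-kms-key-id --region "$region" \
        --kms-key-id "$key_id" --output text >/dev/null

    # Verify rather than trust the calls: read the effective configuration.
    # The CLI's text output renders the boolean as "True".
    enabled=$(aws ec2 get-ebs-encryption-by-default --region "$region" \
        --query 'EbsEncryptionByDefault' --output text)
    key_arn=$(aws ec2 get-ebs-default-kms-key-id --region "$region" \
        --query 'KmsKeyId' --output text)
    case "$enabled" in
        True|true) ;;
        *) echo "$region: encryption by default is still off" >&2; return 1 ;;
    esac
    echo "$region enabled=$enabled key=$key_arn"
}

# Apply the same key alias in every Region given, one line of output per Region.
# Usage: enable_in_regions alias/ebs-default us-east-1 eu-west-1
enable_in_regions() {
    key_alias=$1
    shift
    for region in "$@"; do
        enable_ebs_default_encryption "$region" "$key_alias"
    done
}
```

Passing the key as an alias (alias/ebs-default) works only if an alias with that name exists in each target Region, because KMS keys and aliases are Regional; the script's describe-key call fails clearly in any Region where it doesn't.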