DEV Community

Cover image for How to enable encryption by default for newly launched Instances, volumes, snapshots
Dinesh Rathee
Dinesh Rathee

Posted on

How to enable encryption by default for newly launched Instances, volumes, snapshots

#aws #devops #linux

Start-How to Enable encryption by default for newly launched Instances, volumes, snapshots

Issue :
➜ By default, when you create a new Instance (let say from a public AMI) the Root volume which gets created is always "unencrypted" and you need to manually apply encryption later following manual steps. Please note that here I'm not talking about all AMIs behaviour by default (some of your own AMIs might have encryption enabled already ). So let's take it easy with a public Amazon Linux 2 AMI as per example listed below.

Solution :
➜ You can achieve this with a single setting which is specific to individual AWS regions in your account. I'll explain detailed information with an example below.

References :

  • Announcement Link
  • Blog Link
  • Amazon EBS encryption

    • Basically

    You can now specify that you want all newly created EBS volumes to be created in encrypted form, with the option to use the default key provided by AWS, or a key that you create. Because keys and EC2 settings are specific to individual AWS regions, you must opt-in on a region-by-region basis. Going forward, all EBS volumes that you will create in this region will be encrypted, with no additional effort on your part.

  • This will also ensure when you launch an Instance, its root volume will be encrypted automatically on launch.
  • This setting applies to a single AWS region; I will need to repeat the steps above for each region of interest, checking the option and choosing the key.

    • Example

    I am applying this setting in a particular region (Ireland). You may choose yourself as per your use case.
    Also,I'm using New Console experience view , It may look bit different if you're on older version, you can also change using "New EC2 Experience"

    Let's get started....

    [1] Navigate to EC2 Console --> Account Attributes --> Settings --> “EBS Encryption”

    Quick Link Example

    Step-1

    [2] Click on “Manage”

    Step-2

    [3] Now, you can click on checkbox “Always Encrypt new EBS Volumes”, specify the key, and click “Update EBS Encryption”

    Step-3

    [4] It will look like below:

    Step-4

    [5] Now, let us try to launch an instance:

    Step-5

    [6] Now you can see the Volume and click on volume id to check the Encryption details

    Step-6

    [7] Now, you can see the volume has been encrypted with a Key for newly launched Instance

    Step-7

    Lastly...

    "If you want to get information using AWS CLI Commands for your Volumes, Snapshots to know if it is Encrypted or not and If yes, then with which key it is encrypted with (AWS Managed CMK or Customer Manager CMK)", please refer my previous post here:,

  • Blog Post
    •                    😇 Happy learning 😇

    Happy Learning

    Top comments (0)

    Read next

    aws-cloudsec profile image

    Issue 38 of AWS Cloud Security Weekly

    AJ -

    shyam1 profile image

    🌟FREE Microsoft Exam Vouchers With AI Skills Cloud Skills Challenge⚡🔥🚀

    Shyam Gupta -

    karadza profile image

    Kubernetes Through the Developer's Perspective

    Juraj -

    olawde profile image

    Add alternate contacts to AWS Organization member accounts programmatically

    Olawale Adepoju -