- By default, EBS volumes are not encrypted; data is stored in plain text.
- EBS encryption and decryption are performed on the EC2 host the instance runs on, not inside the guest operating system.
- EBS supports only symmetric KMS keys (the same key is used for encryption and decryption).
- The default-encryption setting is very helpful for maintaining an encryption at rest/in transit policy across all EBS volumes, especially when multiple implementation teams create volumes.
- This option forces EBS encryption using the default encryption key chosen when enabling it (the AWS managed key, aws/ebs); of course, you can choose your own customer managed key instead.
- If the AWS managed key is selected, you are charged only for API requests, not for key creation.
- If there is a specific encryption requirement (a different key), the default EBS encryption can be overridden at EC2 instance creation time.
- This feature is regional, meaning you have to enable it separately in each desired region.
- Enabling EBS default encryption is very straightforward:
- Navigate to the EC2 dashboard; on the right-hand side you will find EBS encryption under Account attributes, as shown below.
- Select Enable > select the desired encryption key > Update EBS encryption.
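The same toggle via the EC2 API, repeated in every enabled region because the setting is regional (an added example, not code from the original post; the `make_client` factory and the `--enforce` / `--kms-key=` options are this example's own, while the EC2 calls are the ones the console uses):

```python
"""Audit, and optionally enforce, EBS encryption by default in every region.

Added example (not from the original post). The EC2 client is injected via a
factory so the logic can be exercised without credentials; in main() the
factory creates real boto3 clients.
"""
from typing import Callable, Dict, Optional


def audit_region(ec2, kms_key_id: Optional[str] = None, enforce: bool = False) -> Dict:
    """Check one region's default-encryption state; fix it when enforce=True.

    kms_key_id: customer managed key (id, ARN or alias) to set as the regional
    default instead of the AWS managed key alias/aws/ebs. The setting only
    affects volumes and snapshot copies created after it is enabled.
    """
    before = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    enabled = before
    if enforce and not before:
        enabled = ec2.enable_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key_before = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    key = key_before
    if enforce and kms_key_id and key_before != kms_key_id:
        key = ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)["KmsKeyId"]
    return {"enabled_before": before, "enabled": enabled,
            "key_before": key_before, "key": key}


def audit_account(make_client: Callable[[str], object],
                  kms_key_id: Optional[str] = None, enforce: bool = False) -> Dict[str, Dict]:
    """The setting is regional, so repeat the check in every enabled region."""
    regions = make_client("us-east-1").describe_regions()["Regions"]
    return {r["RegionName"]: audit_region(make_client(r["RegionName"]), kms_key_id, enforce)
            for r in regions}


def main() -> None:
    import sys
    import boto3  # imported here so the module loads without boto3 installed
    enforce = "--enforce" in sys.argv
    key = next((a.split("=", 1)[1] for a in sys.argv if a.startswith("--kms-key=")), None)
    report = audit_account(lambda region: boto3.client("ec2", region_name=region), key, enforce)
    for region, state in sorted(report.items()):
        flag = "OK " if state["enabled"] else "OFF"
        print(f"{flag} {region}: encryption-by-default={state['enabled']} key={state['key']}")


if __name__ == "__main__":
    main()
```

Run without flags to get a read-only report; add `--enforce` (and optionally `--kms-key=alias/your-cmk`) to turn the setting on wherever it is off.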