Submitted URL: https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html#encryption-by-default
Effective URL: https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html



WORK WITH AMAZON EBS ENCRYPTION


Use the following procedures to work with Amazon EBS encryption.

TASKS

 * Select a KMS key for EBS encryption
 * Enable encryption by default
 * Manage encryption by default using the API and CLI


SELECT A KMS KEY FOR EBS ENCRYPTION


Amazon EBS automatically creates a unique AWS managed key in each Region where
you store AWS resources. This KMS key has the alias alias/aws/ebs. By default,
Amazon EBS uses this KMS key for encryption. Alternatively, you can specify a
symmetric customer managed encryption key that you created as the default KMS
key for EBS encryption. Using your own KMS key gives you more flexibility,
including the ability to create, rotate, and disable KMS keys.

IMPORTANT

Amazon EBS does not support asymmetric encryption KMS keys. For more
information, see Using symmetric and asymmetric encryption KMS keys in the AWS
Key Management Service Developer Guide.

Amazon EC2 console

TO CONFIGURE THE DEFAULT KMS KEY FOR EBS ENCRYPTION FOR A REGION

 1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

 2. From the navigation bar, select the Region.

 3. From the navigation pane, select EC2 Dashboard.

 4. In the upper-right corner of the page, choose Account Attributes, Data
    protection and security.

 5. Choose Manage.

 6. For Default encryption key, choose a symmetric customer managed encryption
    key.

 7. Choose Update EBS encryption.


ENABLE ENCRYPTION BY DEFAULT


You can configure your AWS account to enforce the encryption of the new EBS
volumes and snapshot copies that you create. For example, Amazon EBS encrypts
the EBS volumes created when you launch an instance and the snapshots that you
copy from an unencrypted snapshot. For examples of transitioning from
unencrypted to encrypted EBS resources, see Encrypt unencrypted resources.

Encryption by default has no effect on existing EBS volumes or snapshots.

CONSIDERATIONS

 * Encryption by default is a Region-specific setting. If you enable it for a
   Region, you cannot disable it for individual volumes or snapshots in that
   Region.

 * Amazon EBS encryption by default is supported on all current generation and
   previous generation instance types.

 * If you copy a snapshot and encrypt it to a new KMS key, a complete
   (non-incremental) copy is created. This results in additional storage costs.

 * When migrating servers using AWS Server Migration Service (SMS), do not turn
   on encryption by default. If encryption by default is already on and you are
   experiencing delta replication failures, turn off encryption by default.
   Instead, enable AMI encryption when you create the replication job.

Amazon EC2 console

TO ENABLE ENCRYPTION BY DEFAULT FOR A REGION

 1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

 2. From the navigation bar, select the Region.

 3. From the navigation pane, select EC2 Dashboard.

 4. In the upper-right corner of the page, choose Account Attributes, Data
    protection and security.

 5. Choose Manage.

 6. Select Enable. You keep the AWS managed key with the alias alias/aws/ebs
    created on your behalf as the default encryption key, or choose a symmetric
    customer managed encryption key.

 7. Choose Update EBS encryption.

AWS CLI

TO VIEW THE ENCRYPTION BY DEFAULT SETTING

 * For a specific Region
   
   $ aws ec2 get-ebs-encryption-by-default --region region

 * For all Regions in your account
   
   $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do
         default=$(aws ec2 get-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text)
         kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId')
         echo "$region  --- $default  --- $kms_key"
     done

TO ENABLE ENCRYPTION BY DEFAULT

 * For a specific Region
   
   $ aws ec2 enable-ebs-encryption-by-default --region region

 * For all Regions in your account
   
   $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do
         default=$(aws ec2 enable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text)
         kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId')
         echo "$region  --- $default  --- $kms_key"
     done

TO DISABLE ENCRYPTION BY DEFAULT

 * For a specific Region
   
   $ aws ec2 disable-ebs-encryption-by-default --region region

 * For all Regions in your account
   
   $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do
         default=$(aws ec2 disable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text)
         kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId')
         echo "$region  --- $default  --- $kms_key"
     done

PowerShell

TO VIEW THE ENCRYPTION BY DEFAULT SETTING

 * For a specific Region
   
   PS C:\> Get-EC2EbsEncryptionByDefault -Region region

 * For all Regions in your account
   
   PS C:\> (Get-EC2Region).RegionName | ForEach-Object { [PSCustomObject]@{ Region = $_; EC2EbsEncryptionByDefault = Get-EC2EbsEncryptionByDefault -Region $_; EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_ } } | Format-Table -AutoSize

TO ENABLE ENCRYPTION BY DEFAULT

 * For a specific Region
   
   PS C:\> Enable-EC2EbsEncryptionByDefault -Region region

 * For all Regions in your account
   
   PS C:\> (Get-EC2Region).RegionName | ForEach-Object { [PSCustomObject]@{ Region = $_; EC2EbsEncryptionByDefault = Enable-EC2EbsEncryptionByDefault -Region $_; EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_ } } | Format-Table -AutoSize

TO DISABLE ENCRYPTION BY DEFAULT

 * For a specific Region
   
   PS C:\> Disable-EC2EbsEncryptionByDefault -Region region

 * For all Regions in your account
   
   PS C:\> (Get-EC2Region).RegionName | ForEach-Object { [PSCustomObject]@{ Region = $_; EC2EbsEncryptionByDefault = Disable-EC2EbsEncryptionByDefault -Region $_; EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_ } } | Format-Table -AutoSize
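The per-Region loops above only print the current state; a compliance check also needs to decide which Regions fall short. The following is an added example, not code from the AWS page: it runs the same three EC2 calls (describe-regions, get-ebs-encryption-by-default, get-ebs-default-kms-key-id) through a boto3-shaped client, flags Regions where encryption by default is off or where the default key is still the AWS managed key alias/aws/ebs, and uses a constructed stub client with sample data so it runs offline. The assumption that the API reports the AWS managed key by its alias is marked in the code.

```python
AWS_MANAGED_ALIAS = "alias/aws/ebs"  # alias of the AWS managed key named on the page

def is_aws_managed_key(key_id):
    """Assumption: the API reports the AWS managed key by this alias (bare or in an ARN)."""
    return key_id == AWS_MANAGED_ALIAS or key_id.endswith(":" + AWS_MANAGED_ALIAS)

def audit_region(ec2, require_customer_key=False):
    """Query one Region's EC2 client (boto3-shaped) and return its findings."""
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key_id = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    issues = []
    if not enabled:
        issues.append("encryption by default is disabled")
    if require_customer_key and is_aws_managed_key(key_id):
        issues.append("default key is the AWS managed key, not a customer managed key")
    return {"enabled": enabled, "kms_key_id": key_id, "issues": issues}

def audit_all_regions(client_for, home_region="us-east-1", require_customer_key=False):
    """client_for(region) -> EC2 client; same per-Region loop as the CLI one-liner."""
    regions = client_for(home_region).describe_regions()["Regions"]
    return {r["RegionName"]: audit_region(client_for(r["RegionName"]), require_customer_key)
            for r in regions}

def noncompliant_regions(results):
    """Names of Regions with at least one finding, sorted for stable reporting."""
    return sorted(region for region, f in results.items() if f["issues"])

class StubEc2:
    """Constructed stand-in for a boto3 EC2 client so the audit runs offline."""
    def __init__(self, enabled, key_id, regions=()):
        self.enabled, self.key_id, self.regions = enabled, key_id, regions
    def describe_regions(self):
        return {"Regions": [{"RegionName": r} for r in self.regions]}
    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}
    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.key_id}

# Constructed account state (sample data): a customer managed key in us-east-1, the
# AWS managed key in eu-west-1, and encryption by default switched off in ap-south-1.
SAMPLE = {
    "us-east-1": StubEc2(True, "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
                         regions=("us-east-1", "eu-west-1", "ap-south-1")),
    "eu-west-1": StubEc2(True, AWS_MANAGED_ALIAS),
    "ap-south-1": StubEc2(False, AWS_MANAGED_ALIAS),
}
```

With boto3 installed and credentials configured, passing a client factory such as lambda r: boto3.Session().client("ec2", region_name=r) to audit_all_regions runs the same audit against a live account.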





You cannot change the KMS key that is associated with an existing snapshot or
encrypted volume. However, you can associate a different KMS key during a
snapshot copy operation so that the resulting copied snapshot is encrypted by
the new KMS key.


MANAGE ENCRYPTION BY DEFAULT USING THE API AND CLI


You can manage encryption by default and the default KMS key using the following
API actions and CLI commands.

API action                     CLI command                        Description
DisableEbsEncryptionByDefault  disable-ebs-encryption-by-default  Disables encryption by default.
EnableEbsEncryptionByDefault   enable-ebs-encryption-by-default   Enables encryption by default.
GetEbsDefaultKmsKeyId          get-ebs-default-kms-key-id         Describes the default KMS key.
GetEbsEncryptionByDefault      get-ebs-encryption-by-default      Indicates whether encryption by default is enabled.
ModifyEbsDefaultKmsKeyId       modify-ebs-default-kms-key-id      Changes the default KMS key used to encrypt EBS volumes.
ResetEbsDefaultKmsKeyId        reset-ebs-default-kms-key-id       Resets the AWS managed key as the default KMS key used to encrypt EBS volumes.

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.