I'm manually encrypting new Amazon Elastic Block Storage (Amazon EBS) volumes that I create. But, I want to automatically encrypt new Amazon EBS volumes and snapshot copies.
Newly created Amazon EBS volumes aren't encrypted by default. However, you can turn on default encryption for new EBS volumes and snapshot copies that are created within a specified Region. To turn on encryption by default, use the Amazon Elastic Compute Cloud (Amazon EC2) console.
Before you turn on encryption by default, consider the following points:
- Encryption by default is a Region-specific setting. After you turn on encryption for a Region, you can't turn it off for individual volumes or snapshots in that Region.
- After you turn on encryption by default, you can launch an instance only if the instance type supports Amazon EBS encryption.
- Turning on encryption by default doesn't change any existing unencrypted or encrypted resources. It encrypts only volumes and snapshot copies that you create after turning on default encryption.
- If default encryption is turned on and you experience delta replication failures when you migrate services with AWS Server Migration Service, then turn off default encryption. For lift-and-shift migrations, it's a best practice to use AWS Application Migration Service (AWS MGN).
To turn on encryption by default in a Region, complete the following steps in the console:
- Open the Amazon EC2 console.
- In the navigation bar, select the Region.
- In the navigation pane, choose EC2 Dashboard.
- In the upper-right corner, choose Account Attributes, EBS encryption.
- Choose Manage.
- For Always encrypt new EBS volumes, choose Enable.
- Choose Default encryption key, and then select the AWS KMS key to use as the default for new volumes and snapshot copies.
- Choose Update EBS encryption.
Repeat these steps for other Regions as needed.
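The same setting can be applied from the AWS CLI, which is the practical way to repeat the console steps above across every Region and to verify the result afterwards. The script below is an added example and is not part of the original article; it assumes the AWS CLI is installed with credentials that allow ec2:EnableEbsEncryptionByDefault, ec2:ModifyEbsDefaultKmsKeyId, ec2:GetEbsEncryptionByDefault, ec2:GetEbsDefaultKmsKeyId and ec2:DescribeRegions, and the key alias `alias/ebs-default` in the usage line is a placeholder for your own customer managed key.

```shell
#!/bin/sh
# Added example (not from the AWS article): turn on EBS encryption by default
# with the AWS CLI in every Region, optionally set a customer managed KMS key
# as the default, then verify each Region. Requires the AWS CLI and the EC2
# permissions listed in the lead-in.

# The CLI command can be overridden (AWS_BIN=...), e.g. for a dry-run wrapper.
AWS_BIN="${AWS_BIN:-aws}"

# Turn on encryption by default in one Region. Prints "True" on success.
enable_default_encryption() {
  region="$1"
  "$AWS_BIN" ec2 enable-ebs-encryption-by-default \
    --region "$region" --query EbsEncryptionByDefault --output text
}

# Set a customer managed KMS key (key ID, ARN or alias) as the Region's
# default. Skipping this keeps the AWS managed key aws/ebs, and volumes
# encrypted with aws/ebs cannot be shared across accounts.
set_default_kms_key() {
  region="$1"
  key="$2"
  "$AWS_BIN" ec2 modify-ebs-default-kms-key-id \
    --region "$region" --kms-key-id "$key" --query KmsKeyId --output text
}

# Report both settings for a Region; exit status 0 only if default
# encryption is on, so the function doubles as a compliance check.
verify_region() {
  region="$1"
  enabled=$("$AWS_BIN" ec2 get-ebs-encryption-by-default \
    --region "$region" --query EbsEncryptionByDefault --output text)
  key=$("$AWS_BIN" ec2 get-ebs-default-kms-key-id \
    --region "$region" --query KmsKeyId --output text)
  echo "$region encryption_by_default=$enabled default_key=$key"
  [ "$enabled" = "True" ]
}

# Apply to every Region enabled for the account, or to the space-separated
# list in $REGIONS. $DEFAULT_KMS_KEY, if set, becomes the default key.
enable_everywhere() {
  if [ -n "${REGIONS:-}" ]; then
    regions="$REGIONS"
  else
    regions=$("$AWS_BIN" ec2 describe-regions \
      --query 'Regions[].RegionName' --output text)
  fi
  for r in $regions; do
    enable_default_encryption "$r" >/dev/null
    if [ -n "${DEFAULT_KMS_KEY:-}" ]; then
      set_default_kms_key "$r" "$DEFAULT_KMS_KEY" >/dev/null
    fi
    verify_region "$r"
  done
}

# Usage: DEFAULT_KMS_KEY=alias/ebs-default sh enable_ebs_default_encryption.sh --run
if [ "${1:-}" = "--run" ]; then
  enable_everywhere
fi
```

Because the setting is per Region (and does not touch volumes that already exist), the verification loop is worth re-running periodically: a Region that reports `encryption_by_default=False` is one where newly created volumes will silently come up unencrypted.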
Note: If you select the default service key (aws/ebs) as the default encryption key, then you can't share the encrypted volume across accounts. To learn more about AWS KMS keys, see AWS KMS concepts.