How do I trigger AWS to create an AWS managed key for EBS in CDK Code?

0

Use AWS CDK to create an EBS volume, configure KMS encryption, and use a KMS key managed by AWS (key alias: aws/ebs).

When I deploy it in a region where I haven't used EBS services before, I get the error "Could not find any key with alias named alias/aws/ebs".

Can I do something in the CDK code, other than manually using EBS once in the AWS console, to let AWS create the EBS KMS key?

Edit (2024-03-29):

The current use case is in imagebuilder.CfnImageRecipe, as follows: if I only set encrypted: true and do not set kmsKeyId, the volume shows as unencrypted in the end. Both properties need to be set for encryption to be configured.

    this.imageRecipe = new imagebuilder.CfnImageRecipe(this, 'DemoImageRecipe', {
      ...
      blockDeviceMappings: [
        {
          deviceName: '/dev/sda1',
          ebs: {
            encrypted: true,          // on its own this leaves the volume unencrypted in the built image
            kmsKeyId: props.KMSKeyId, // encryption only takes effect when a key is given as well
            deleteOnTermination: true,
            iops: 150,
            volumeSize: 50,
            volumeType: 'gp3',
            throughput: 125,
          },
        },
      ],
      ...
    });
2 Answers
1

CDK does not provide a direct method to enable EBS encryption by default at the account or region level. This functionality is typically managed through the AWS Management Console or AWS CLI. After enabling encryption by default through AWS CLI or Console, all new EBS volumes and snapshots in the specified region are encrypted under the AWS managed key, unless you specify otherwise in your CDK code or other AWS service configurations.

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableEbsEncryptionByDefault.html

    // Add an EBS volume encrypted with the default AWS managed key
    instance.addBlockDevice({
      deviceName: '/dev/sdh',
      volume: ec2.BlockDeviceVolume.ebs(20, {
        encrypted: true, // Ensures the volume is encrypted
        // Do not specify the kmsKey property to use the default AWS managed key
      }),
    });
EXPERT
answered a month ago
EXPERT
Artem
reviewed 23 days ago
  • Thank you for your answer. According to your description, we need to create an EBS volume and choose to encrypt, but not specify the kmsKey property, right? But this doesn't work in my use case. I edited my question again, please check it, thank you.
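The answer above points at EnableEbsEncryptionByDefault as the account/region-level switch that CDK does not expose directly. The following script is an added example, not code from the thread or from AWS, of the operational step a deployer can run before `cdk deploy` in a new region: read the current setting, enable encryption by default if it is off, and then check whether alias/aws/ebs resolves, which is exactly the lookup that fails in the question. It assumes the AWS CLI v2 is installed, that the caller has ec2:GetEbsEncryptionByDefault, ec2:EnableEbsEncryptionByDefault and kms:DescribeKey in the target region, and that the region is passed as the first argument; the function and output names are this example's own.

```shell
#!/bin/sh
# Added example (not from the re:Post thread): make sure a region has EBS
# encryption by default turned on before deploying a stack that relies on the
# AWS managed key, then verify that alias/aws/ebs can actually be resolved.
# Assumes AWS CLI v2 and the ec2/kms permissions named in the lead-in.
set -eu

# Print "True" or "False": the region's current EBS encryption-by-default setting.
ebs_default_encryption_status() {
  region="$1"
  aws ec2 get-ebs-encryption-by-default \
    --region "$region" \
    --query 'EbsEncryptionByDefault' \
    --output text
}

# Enable encryption by default if it is not already on. Prints "enabled" when a
# change was made and "already-enabled" otherwise; returns 0 in both cases.
ensure_ebs_default_encryption() {
  region="$1"
  if [ "$(ebs_default_encryption_status "$region")" = "True" ]; then
    echo "already-enabled"
    return 0
  fi
  aws ec2 enable-ebs-encryption-by-default --region "$region" >/dev/null
  echo "enabled"
}

# Resolve alias/aws/ebs to a KMS key ID. Prints the ID, or "missing" (exit 0)
# when KMS reports NotFoundException for the alias; any other error propagates.
ebs_managed_key_id() {
  region="$1"
  if out=$(aws kms describe-key --region "$region" --key-id alias/aws/ebs \
             --query 'KeyMetadata.KeyId' --output text 2>&1); then
    echo "$out"
  elif echo "$out" | grep -q NotFoundException; then
    echo "missing"
  else
    echo "$out" >&2
    return 1
  fi
}

# Enable the setting, then report whether the managed key alias is present.
main() {
  region="$1"
  ensure_ebs_default_encryption "$region"
  key=$(ebs_managed_key_id "$region")
  if [ "$key" = "missing" ]; then
    echo "alias/aws/ebs not present yet in $region" >&2
    return 2
  fi
  echo "alias/aws/ebs in $region -> $key"
}

# Runs only when a region is given, e.g.:  sh ensure-ebs-key.sh eu-west-1
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A non-zero exit from `main` (the alias is still absent after enabling) is the signal to stop a pipeline before `cdk deploy` rather than letting CloudFormation fail on the alias lookup; whether the alias appears immediately after enabling is something the script checks, not something it assumes.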

0

Hello. To create an EBS volume and use the AWS managed key for EBS encryption, you can modify the CDK code to use the default AWS managed key for EBS encryption. Here's how you can do it:

    import * as cdk from '@aws-cdk/core';
    import * as ec2 from '@aws-cdk/aws-ec2';

    export class EbsWithEncryptionStack extends cdk.Stack {
      constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);

        // Create an EBS volume encrypted with the AWS managed key for EBS
        // (no kmsKey is passed, so the volume falls back to alias/aws/ebs)
        const volume = new ec2.Volume(this, 'EbsVolume', {
          availabilityZone: 'us-east-1a', // Change availability zone as per your requirement
          size: cdk.Size.gibibytes(8), // ec2.Volume needs a size (or a snapshotId); 8 GiB is an arbitrary example value
          encrypted: true, // Enable encryption
          volumeType: ec2.EbsDeviceVolumeType.GP2, // Change volume type as per your requirement
        });

        // Output volume ID
        new cdk.CfnOutput(this, 'EbsVolumeId', {
          value: volume.volumeId,
        });
      }
    }

    const app = new cdk.App();
    new EbsWithEncryptionStack(app, 'EbsWithEncryptionStack');

The sample code above creates an EBS volume using ec2.Volume and sets the encrypted property to true to enable encryption. Since we haven't specified any KMS key explicitly, AWS will use the default AWS managed key for EBS encryption automatically.

AWS
SUPPORT ENGINEER
answered a month ago
  • Thank you for your answer. I'm very sorry I didn't describe the use case clearly; I edited my question again, please check it again, thank you.
