AWS Enable EBS Encryption via cloudformation

3k Views Asked by user2562618 At 27 April 2025 at 11:48

Is there a way to create a cloudformation script which enables EBS encryption by default for all organizations? There is a aws config rule for this what I am looking for a remediation for this config rule. https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#ebs-enable-encryption

Original Q&A

There are 2 best solutions below

jellycsc On 13 October 2020 at 03:21 BEST ANSWER

This is currently not possible via CloudFormation. https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/158

Alternatively, you can enforce the policy that only encrypted EBS volumes can be created or attached by adding the following IAM policy statement:

{
  "Sid": "DenyAnythingRelatedToUnencryptedVolume",
  "Effect": "Deny",
  "Action": [
    "ec2:*"
  ],
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  },
  "Resource": "*"
}

poolie On 04 January 2024 at 19:47

As of December 2023, you now can configure EBS Block Public Access using CloudFormation, using AWS::EC2::SnapshotBlockPublicAccess .

This is not precisely the same as requiring EBS Encryption, but preventing public snapshots is one of the major reasons people want encryption, and this gets a similar result.

AWS Enable EBS Encryption via cloudformation

There are 2 best solutions below

Related Questions in AMAZON-WEB-SERVICES

Related Questions in ENCRYPTION

Related Questions in AMAZON-EC2

Related Questions in AWS-CLOUDFORMATION

Related Questions in AWS-CONTROL-TOWER

Trending Questions

Popular # Hahtags

Popular Questions