
AWS::EC2::EBSEncryptionByDefault

Open rdearm1 opened this issue 4 years ago • 1 comments

You can turn on EBS encryption by default in the console for each region, or via the API or SDK, but not via CF.

https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_EnableEbsEncryptionByDefault.html

rdearm1 avatar Sep 04 '19 21:09 rdearm1

Until this is supported by CloudFormation natively, this can be done with a simple Lambda-backed custom resource (below).

Another (potentially "better") way to implement EBS default encryption in an account is AWS Config. There is an AWS-Managed Config Rule ec2-ebs-encryption-by-default and AWS-Managed Runbook / Automation Document AWSConfigRemediation-EnableEbsEncryptionByDefault.

```yaml
Resources:
  # Custom resource whose provider is the Lambda function below.
  EbsEncryptionByDefault:
    Type: Custom::EbsEncryptionByDefault
    Properties:
      ServiceToken: !Sub '${EbsEncryptionByDefaultLambdaFunction.Arn}'

  EbsEncryptionByDefaultLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Role: !Sub '${EbsEncryptionByDefaultLambdaExecutionRole.Arn}'
      Handler: index.handler
      Timeout: 20
      Runtime: python3.7
      Code:
        # cfnresponse is provided by Lambda for inline (ZipFile) Python code.
        ZipFile: !Sub |
          import boto3
          import cfnresponse

          def handler(event, context):
              try:
                  ec2 = boto3.client("ec2", region_name="${AWS::Region}")
                  # Enable encryption by default, then pin the default key to the
                  # AWS-managed EBS key; both calls are idempotent.
                  res = ec2.enable_ebs_encryption_by_default()
                  res.update(ec2.modify_ebs_default_kms_key_id(KmsKeyId="alias/aws/ebs"))
                  # Return only the API values so they are readable via !GetAtt / !Sub.
                  res.pop("ResponseMetadata", None)
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, res)
              except Exception as e:
                  print("Error:", repr(e))
                  cfnresponse.send(event, context, cfnresponse.FAILED, {"Message": "Error"})

  EbsEncryptionByDefaultLambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # Account-level EBS settings are not resource-scoped, hence '*'.
                Action:
                  - ec2:DisableEbsEncryptionByDefault
                  - ec2:EnableEbsEncryptionByDefault
                  - ec2:GetEbsDefaultKmsKeyId
                  - ec2:GetEbsEncryptionByDefault
                  - ec2:ModifyEbsDefaultKmsKeyId
                  - ec2:ResetEbsDefaultKmsKeyId
                Resource: '*'

Outputs:
  EbsEncryptionByDefault:
    Description: The updated status of encryption by default.
    Value:
      !Sub '${EbsEncryptionByDefault.EbsEncryptionByDefault}'
  EbsDefaultKmsKeyArn:
    Description: The Amazon Resource Name (ARN) of the default CMK for encryption by default.
    Value:
      !Sub '${EbsEncryptionByDefault.KmsKeyId}'
```

atheiman avatar Jan 12 '21 01:01 atheiman
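The template above calls the enable and modify APIs unconditionally on every Create, Update and Delete. The following is an added example (not code from the issue thread or from AWS) of the same custom-resource logic written so that it first audits the region's current state, only changes what differs, and deliberately leaves the setting untouched on stack deletion, so tearing the stack down never weakens the account. The EC2 client is injected so the logic can be exercised offline; `FakeEc2` is a constructed stand-in for boto3's EC2 client, and `handler` is the hypothetical Lambda entry point that wires in `boto3` and `cfnresponse`, which exist only inside the Lambda runtime.

```python
"""Idempotent EBS encryption-by-default custom resource (added example).

Assumes a boto3-style EC2 client exposing get_ebs_encryption_by_default,
enable_ebs_encryption_by_default, get_ebs_default_kms_key_id and
modify_ebs_default_kms_key_id (all real EC2 API operations).
"""

DEFAULT_KEY = "alias/aws/ebs"  # AWS-managed EBS key, as used in the thread's template


def audit_region(ec2):
    """Read-only check: is encryption by default on, and which key is the default?"""
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    return {"EbsEncryptionByDefault": enabled, "KmsKeyId": key}


def enforce(ec2, kms_key_id=DEFAULT_KEY):
    """Bring the region to the desired state, calling the mutating APIs only when needed.

    Note: the API may report a key given by ID back as an ARN; in that case the
    comparison below triggers one extra, harmless modify call.
    """
    before = audit_region(ec2)
    changed = []
    if not before["EbsEncryptionByDefault"]:
        ec2.enable_ebs_encryption_by_default()
        changed.append("EbsEncryptionByDefault")
    if before["KmsKeyId"] != kms_key_id:
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)
        changed.append("KmsKeyId")
    after = audit_region(ec2)
    after["Changed"] = ",".join(changed)
    return after


def custom_resource_logic(event, ec2):
    """Map a CloudFormation custom-resource event to an action and response data.

    Delete is a no-op audit: removing the stack must not disable encryption.
    """
    if event["RequestType"] == "Delete":
        return {"Status": "SUCCESS", "Data": audit_region(ec2)}
    props = event.get("ResourceProperties") or {}
    return {"Status": "SUCCESS", "Data": enforce(ec2, props.get("KmsKeyId", DEFAULT_KEY))}


def handler(event, context):
    """Hypothetical Lambda entry point; boto3 and cfnresponse exist in the Lambda runtime."""
    import boto3  # available in AWS Lambda's Python runtimes
    import cfnresponse  # provided by Lambda for inline (ZipFile) custom resources
    try:
        result = custom_resource_logic(event, boto3.client("ec2"))
        cfnresponse.send(event, context, cfnresponse.SUCCESS, result["Data"])
    except Exception as exc:  # never leave CloudFormation waiting on a failed call
        print("Error:", repr(exc))
        cfnresponse.send(event, context, cfnresponse.FAILED, {"Message": repr(exc)})


class FakeEc2:
    """Constructed in-memory stand-in for the boto3 EC2 client (not real AWS)."""

    def __init__(self, enabled=False, key=DEFAULT_KEY):
        self.enabled, self.key, self.calls = enabled, key, []

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}

    def enable_ebs_encryption_by_default(self):
        self.calls.append("enable")
        self.enabled = True
        return {"EbsEncryptionByDefault": True}

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.key}

    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.calls.append("modify")
        self.key = KmsKeyId
        return {"KmsKeyId": KmsKeyId}


if __name__ == "__main__":
    fake = FakeEc2()  # constructed region: encryption off, AWS-managed key
    print(custom_resource_logic({"RequestType": "Create"}, fake))
    print(custom_resource_logic({"RequestType": "Update"}, fake), fake.calls)
    print(custom_resource_logic({"RequestType": "Delete"}, fake), fake.calls)
```

`audit_region` doubles as the per-region check a reviewer would run before and after rollout: the setting is regional, so a loop over `ec2.describe_regions()` with one client per region is the natural way to use it.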

Even though this has shipped, it doesn't appear to be available per the cfnspec (us-east-1). Am I missing something or did this perhaps get incorrectly moved on the roadmap?

tennex-adam avatar Jul 08 '23 12:07 tennex-adam

> Even though this has shipped, it doesn't appear to be available per the cfnspec (us-east-1). Am I missing something or did this perhaps get incorrectly moved on the roadmap?

I also don't see this in the spec. Bump for any guidance on where to find this?

loomly-rsuarez avatar Aug 25 '23 14:08 loomly-rsuarez

Where is this?

carpnick avatar Oct 24 '23 15:10 carpnick

Has this feature been implemented? It's frustrating to implement AWS best practices and not have support at the CloudFormation level.

AffiTheCreator avatar Nov 08 '23 15:11 AffiTheCreator

This feature has not yet shipped; it was closed by mistake. Sorry for the confusion!

ericzbeard avatar Nov 10 '23 00:11 ericzbeard

This looks like it may have been closed by mistake again. I'm still not able to find any reference in the us-east-1 cfnspec.

tennex-adam avatar Jan 29 '24 14:01 tennex-adam

Confirmation from @ericzbeard from Discord this is not in fact shipped and needs to be reopened.

carpnick avatar Jan 31 '24 19:01 carpnick

Closed by mistake again?

carpnick avatar Mar 05 '24 16:03 carpnick

Yes, it seems to have been a mistake again --- I am sorry about that :(

nmeisen avatar Mar 05 '24 20:03 nmeisen