cloudformation-coverage-roadmap
AWS::EC2::EBSEncryptionByDefault
You can turn on EBS encryption by default in the console for each region, or via the API or SDK, but not via CloudFormation.
https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_EnableEbsEncryptionByDefault.html
Until this is supported by CloudFormation natively, this can be done with a simple Lambda-backed custom resource (below).
Another (potentially "better") way to implement EBS default encryption in an account is AWS Config. There is an AWS-Managed Config Rule ec2-ebs-encryption-by-default and an AWS-Managed Runbook / Automation Document AWSConfigRemediation-EnableEbsEncryptionByDefault.
```yaml
Resources:
  EbsEncryptionByDefault:
    Type: Custom::EbsEncryptionByDefault
    Properties:
      ServiceToken: !Sub '${EbsEncryptionByDefaultLambdaFunction.Arn}'
  EbsEncryptionByDefaultLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Role: !Sub '${EbsEncryptionByDefaultLambdaExecutionRole.Arn}'
      Handler: index.handler
      Timeout: 20
      Runtime: python3.12
      Code:
        ZipFile: !Sub |
          import boto3
          import cfnresponse

          # Stable physical ID so stack updates do not trigger a replace/delete cycle.
          PHYSICAL_ID = "EbsEncryptionByDefault"

          def handler(event, context):
              # Deleting the stack must not silently switch account-wide encryption
              # back off: acknowledge the Delete and leave the setting untouched.
              if event["RequestType"] == "Delete":
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, PHYSICAL_ID)
                  return
              try:
                  # The setting is per region; ${AWS::Region} is substituted by !Sub.
                  ec2 = boto3.client("ec2", region_name="${AWS::Region}")
                  res = ec2.enable_ebs_encryption_by_default()
                  res.update(ec2.modify_ebs_default_kms_key_id(KmsKeyId="alias/aws/ebs"))
                  res.pop("ResponseMetadata", None)
                  # res now holds EbsEncryptionByDefault and KmsKeyId, read by the Outputs below.
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, res, PHYSICAL_ID)
              except Exception as e:
                  print("Error:", repr(e))
                  cfnresponse.send(event, context, cfnresponse.FAILED, {"Message": repr(e)}, PHYSICAL_ID)
  EbsEncryptionByDefaultLambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DisableEbsEncryptionByDefault
                  - ec2:EnableEbsEncryptionByDefault
                  - ec2:GetEbsDefaultKmsKeyId
                  - ec2:GetEbsEncryptionByDefault
                  - ec2:ModifyEbsDefaultKmsKeyId
                  - ec2:ResetEbsDefaultKmsKeyId
                Resource: '*'
Outputs:
  EbsEncryptionByDefault:
    Description: The updated status of encryption by default.
    Value: !Sub '${EbsEncryptionByDefault.EbsEncryptionByDefault}'
  EbsDefaultKmsKeyArn:
    Description: The Amazon Resource Name (ARN) of the default CMK for encryption by default.
    Value: !Sub '${EbsEncryptionByDefault.KmsKeyId}'
```
Even though this has shipped, it doesn't appear to be available per the cfnspec (us-east-1). Am I missing something or did this perhaps get incorrectly moved on the roadmap?
I also don't see this in the spec. Bump for any guidance on where to find this?
Where is this?
Has this feature been implemented? It's frustrating to implement AWS best practices and not have support at the CloudFormation level.
This feature has not yet shipped, it was closed by mistake - sorry for the confusion!
This looks like it may have been closed by mistake again. I'm still not able to find any reference in the us-east-1 cfnspec.
Confirmation from @ericzbeard on Discord that this is not in fact shipped and needs to be reopened.
Closed by mistake again?
Yes seems to have been a mistake again --- I am sorry about that :(