Amazon Web Services (AWS), EBS Default Encryption
EBS Default Encryption configures the volumes and snapshots in your account to be encrypted at rest. There is no difference in how you use encrypted volumes and snapshots with your EC2 instances. Accounts created since Aug 2022 have EBS Default Encryption enabled. Accounts created before Aug 2022 do not have it enabled yet, but are being enabled as they are migrated to the new account system. If you are uncertain if you are using EBS Default Encryption please contact aws-support@illinois.edu for assistance.
You cannot disabled EBS Volume encryption if it's been enable on your account. If you have a concern about this setting please contact aws-support@illinois.edu with your use case.
Encryption Keys for EBS Volumes
The University has shared AWS KMS Keys in the US regions (all other regions use the AWS Managed Key), and set these keys as the EBS Default Encryption key:
Region Name | Region | KMS Key ARN |
---|---|---|
N. Virginia | us-east-1 | arn:aws:kms:us-east-1:884398590082:key/mrk-3b18ac7fcde54d8d8ba0cc88749431a3 |
Ohio | us-east-2 | arn:aws:kms:us-east-2:884398590082:key/mrk-3b18ac7fcde54d8d8ba0cc88749431a3 |
N. California | us-west-1 | arn:aws:kms:us-west-1:884398590082:key/mrk-3b18ac7fcde54d8d8ba0cc88749431a3 |
Oregon | us-west-2 | arn:aws:kms:us-west-2:884398590082:key/mrk-3b18ac7fcde54d8d8ba0cc88749431a3 |
All Others | alias/aws/ebs |
You can use any KMS Key you want for EBS Volume encryption. The AWS Managed Key for EBS ("aws/ebs") is still available, and you can create your own Customer Managed Key.
Note: using a different KMS Key can cause issues when trying to copy snapshots between accounts.
You can specify these keys using the EC2 Launch Wizard, Launch Templates, or with Infrastructure as Code solutions like CloudFormation and Hashicorp Terraform. If you do not choose a different KMS Key when you create the instance or volume then the EBS Default Encryption key will be automatically used. The deprecated Launch Configurations do not support a different KMS Key and we recommend you migrate to Launch Templates.
Copying Snapshots in the Same Account
If you copy a snapshot then it will remain encrypted, but AWS might choose the AWS Managed Key ("aws/ebs") instead of the shared Organization Key. This is OK to use, however you will have issues if you want to share this snapshot with another account. If that is not a concern then you can use the AWS Managed Key, otherwise enter the correct shared Organization Key ARN for your region.
Copying Snapshots Between Accounts
When copying a snapshot between accounts the important thing to check is that the destination account can access the snapshot encryption key. Since the shared Organization Key is available to every account in our organization it is perfect to use for sharing snapshots. If you are using the AWS Managed Key or a Customer Managed Key then the destination account will not have access to the snapshot encryption key.
To copy a snapshot between accounts:
- In the source account, verify that the snapshot is using the shared Organization Key for the appropriate region (see the table above).
- If the snapshot is using a different key then copy the snapshot and specify the shared Organization Key. For the rest of these steps use this copy.
- Select "Actions", then "Modify Permissions".
- For "Shared Accounts" click "Add Account". Enter the account ID of the destination account.
- Click "Save Changes".
- Note the snapshot ID so that you can find it in the destination account.
- In the destination account, change the snapshot filter from "Owned by me" to "Private snapshots". Search for the snapshot ID you noted in the previous step.
- You should be able to make a copy of this snapshot from the destination account, so that the destination account has its own version.
If you have questions, please contact aws-support@illinois.edu.