20 Oct 2020 AWS Cloud

👁15views
Example IAM Policy to Enforce EBS encryption

CloudScale AI SEO - Article Summary
  • 1.
    What it is
    This policy uses IAM conditions to automatically require encryption whenever EBS volumes are created by EC2 instances.
  • 2.
    Why it matters
    It prevents accidental creation of unencrypted volumes, which could expose sensitive data and violate compliance requirements.
  • 3.
    Key takeaway
    Use IAM conditional policies to enforce encryption at the infrastructure level rather than relying on manual processes.
Related Articles

Here is a useful IAM conditional policy which will force EBS volumes to be encrypted when created by an EC2 instances.

Powered by CloudScale 
{
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "Stmt2222222222222",
       "Effect": "Allow",
       "Action": [
         "ec2:CreateVolume"
       ],
       "Condition": {
         "Bool": {
           "ec2:Encrypted": "true"
         }
       },
       "Resource": [
         "*"
       ]
     },
     {
       "Sid": "Stmt1111111111111",
       "Effect": "Allow",
       "Action": [
         "ec2:DescribeVolumes",
         "ec2:DescribeAvailabilityZones",
         "ec2:CreateTags",
         "kms:ListAliases"
       ],
       "Resource": [
         "*"
       ]
     },
     {
       "Sid": "allowKmsKey",
       "Effect": "Allow",
       "Action": [
         "kms:Encrypt"
       ],
       "Resource": [
         "arn:aws:kms:us-east-1:999999999999:alias/aws/ebs"
       ]
     }
   ]
 }

You Might Also Like