IAM Policy to Enforce EBS Encryption on EC2 Instances


Enforcing EBS encryption via IAM means attaching a policy whose `ec2:CreateVolume` statement carries a Condition block with the `ec2:Encrypted` condition key set to `true`: the action is allowed only for encrypted volumes, and a request for an unencrypted volume falls through to IAM's implicit deny. Attach this policy to the relevant IAM role or user so that the EBS volumes it creates for EC2 instances are encrypted at rest.


Here is a useful IAM conditional policy that forces EBS volumes to be encrypted when they are created by an EC2 instance.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt2222222222222",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1111111111111",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateTags",
        "kms:ListAliases"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "allowKmsKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:999999999999:alias/aws/ebs"
      ]
    }
  ]
}
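The Allow-with-condition statement above only blocks unencrypted volumes as long as no other policy on the same principal grants `ec2:CreateVolume`; an explicit Deny keyed on `ec2:Encrypted` being `false` holds regardless. The following evaluator is an added example written for this post, not AWS or boto3 code: it models only Effect, Action and the Bool condition operator, and the statements, request contexts and the `ec2:*` grant it compares are constructed.

```python
"""Tiny IAM evaluator for the ec2:Encrypted Bool condition (added example,
not AWS or boto3 code). Models only Effect, Action and Bool conditions;
real IAM also evaluates resources, SCPs and permission boundaries."""
import fnmatch


def statement(effect, action, encrypted=None):
    # Build one policy statement; `encrypted` adds the Bool condition.
    stmt = {"Effect": effect, "Action": [action], "Resource": "*"}
    if encrypted is not None:
        stmt["Condition"] = {"Bool": {"ec2:Encrypted": encrypted}}
    return stmt


# Constructed copy of the post's CreateVolume statement: Allow only if encrypted.
ALLOW_IF_ENCRYPTED = statement("Allow", "ec2:CreateVolume", "true")
# Constructed hardened variant: an explicit Deny that no other Allow overrides.
DENY_IF_UNENCRYPTED = statement("Deny", "ec2:CreateVolume", "false")
# A constructed broad grant that another policy on the principal might carry.
BROAD_EC2_ALLOW = statement("Allow", "ec2:*")


def condition_holds(condition, context):
    # Only the Bool operator is modelled; a key missing from the request
    # context makes a Bool condition false, as it does in IAM.
    for key, expected in condition.get("Bool", {}).items():
        if key not in context or str(context[key]).lower() != expected.lower():
            return False
    return True


def evaluate(statements, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' in IAM's order of precedence:
    a matching explicit Deny wins; no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in stmt["Action"]):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    unencrypted = {"ec2:Encrypted": "false"}  # request context for a plain volume
    print(evaluate([ALLOW_IF_ENCRYPTED], "ec2:CreateVolume", unencrypted))
    print(evaluate([ALLOW_IF_ENCRYPTED, BROAD_EC2_ALLOW], "ec2:CreateVolume", unencrypted))
    print(evaluate([DENY_IF_UNENCRYPTED, BROAD_EC2_ALLOW], "ec2:CreateVolume", unencrypted))
```

The three lines printed are ImplicitDeny, Allow and Deny: the Allow form alone blocks the unencrypted request, a broad grant elsewhere reopens it, and the explicit Deny closes it again.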