Is there a way to create a CloudFormation script which enables EBS encryption by default for all organizations? There is an AWS Config rule for this; what I am looking for is a remediation for this Config rule. https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#ebs-enable-encryption
Viewed 2,592 times
1 Answer
2
This is currently not possible via CloudFormation. https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/158
Alternatively, you can enforce the policy that only encrypted EBS volumes can be created or attached by adding the following IAM policy statement:
{
  "Sid": "DenyAnythingRelatedToUnencryptedVolume",
  "Effect": "Deny",
  "Action": [
    "ec2:*"
  ],
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  },
  "Resource": "*"
}

jellycsc
- 10,904
- 2
- 15
- 32
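Since CloudFormation has no native resource for the account-level setting, the usual workaround is a Lambda-backed custom resource that calls the EC2 API, deployed to every account and region with StackSets. The handler below is an added example written for this page, not code from the answer or from AWS; the only assumptions are the boto3 EC2 client methods `enable_ebs_encryption_by_default` and `get_ebs_encryption_by_default` and the event shape CloudFormation sends to custom resources. `FakeEc2` is a constructed stand-in so the module runs offline.

```python
"""CloudFormation custom resource: enable EBS encryption by default.

Added example (hypothetical), not the answer's own code. Assumes the Lambda
is invoked with a standard CloudFormation custom-resource event and that
the injected client exposes boto3's enable_ebs_encryption_by_default() and
get_ebs_encryption_by_default(). The setting is per account *and* per
region, so the stack has to be deployed everywhere (e.g. via StackSets).
"""
import json
import urllib.request


def apply(request_type, ec2):
    """Converge the region's setting for the given CloudFormation RequestType.

    Create/Update turn encryption by default on. Delete deliberately leaves
    the setting untouched: tearing down a guardrail stack should not
    silently weaken the account. Returns the resulting state so callers
    (and tests) can verify it.
    """
    if request_type in ("Create", "Update"):
        ec2.enable_ebs_encryption_by_default()
    elif request_type != "Delete":
        raise ValueError(f"unexpected RequestType {request_type!r}")
    state = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    return {"EbsEncryptionByDefault": bool(state)}


def build_response(event, status, data, reason=""):
    """Body CloudFormation expects to be PUT to the pre-signed ResponseURL.

    A stable PhysicalResourceId keeps Update from being treated as a
    replacement (which would otherwise trigger a Delete of the "old" one).
    """
    return {
        "Status": status,
        "Reason": reason or "See the CloudWatch log stream for details",
        "PhysicalResourceId": event.get("PhysicalResourceId")
        or "ebs-encryption-by-default",
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data,
    }


def send(url, body):
    """PUT the response body to the pre-signed S3 URL (empty Content-Type is required)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": ""},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def lambda_handler(event, context, ec2=None):
    """Lambda entry point; `ec2` is injectable for offline testing."""
    if ec2 is None:
        import boto3  # real client only when running in Lambda
        ec2 = boto3.client("ec2")
    try:
        body = build_response(event, "SUCCESS", apply(event["RequestType"], ec2))
    except Exception as exc:  # CloudFormation must always get a response or the stack hangs
        body = build_response(event, "FAILED", {}, reason=str(exc))
    if "ResponseURL" in event:
        send(event["ResponseURL"], body)
    return body


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client, for running offline."""

    def __init__(self):
        self.enabled = False

    def enable_ebs_encryption_by_default(self):
        self.enabled = True
        return {"EbsEncryptionByDefault": True}

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}


if __name__ == "__main__":
    # Constructed event with no ResponseURL, so nothing is sent over the network.
    demo = {"RequestType": "Create", "StackId": "stack-demo",
            "RequestId": "req-demo", "LogicalResourceId": "EbsDefaultEncryption"}
    print(json.dumps(lambda_handler(demo, None, ec2=FakeEc2()), indent=2))
```

The Lambda's execution role needs `ec2:EnableEbsEncryptionByDefault` and `ec2:GetEbsEncryptionByDefault`. This complements rather than replaces the Deny statement in the answer: encryption by default changes what an unspecified request produces, while the IAM Deny blocks requests that explicitly ask for an unencrypted volume.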