Description:
Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.
Rationale:
Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.
Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.
From Console:
Note: EBS volume encryption is configured per region.
From Command Line:
aws --region ec2 enable-ebs-encryption-by-default
Note: EBS volume encryption is configured per region.