EBS uses encryption by default at the account and region level, ensuring new volumes, snapshots, and AMI-backed volumes are automatically encrypted with a chosen KMS key
Risk
Without encryption by default, data on new EBS volumes and snapshots may be stored in plaintext. A compromised account or mis-shared snapshot can expose disk contents, enabling data exfiltration, offline analysis, and loss of confidentiality.
prowler aws --checks ec2_ebs_default_encryption
prowler aws --checks ec2_ebs_default_encryption --fixer
Recommendation
Enable EBS encryption by default in every region and select a customer-managed KMS key. Apply least privilege to key use, rotate keys, and monitor access. Enforce encrypted volume creation with organizational guardrails and secure templates as defense in depth.
Remediation
aws ec2 enable-ebs-encryption-by-default --region <REGION>
- In the AWS console, switch to the affected Region
- Go to EC2 > Settings (or Account attributes) > EBS encryption
- Click Enable default encryption and Save
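An added example (not Prowler's own code) that evaluates per-Region settings the way this check does and emits the remediation commands for each Region that needs them. It works offline on constructed responses shaped like the output of `aws ec2 get-ebs-encryption-by-default` and `aws ec2 get-ebs-default-kms-key-id`; the account id and key ids are placeholders, and the CMK ARN passed in is assumed to exist in each Region.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample responses, one pair per Region (placeholder ids, not real resources).
SAMPLE_REGIONS: Dict[str, Tuple[dict, dict]] = {
    "us-east-1": ({"EbsEncryptionByDefault": True},
                  {"KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}),
    "eu-west-1": ({"EbsEncryptionByDefault": True},
                  {"KmsKeyId": "alias/aws/ebs"}),
    "ap-south-1": ({"EbsEncryptionByDefault": False},
                   {"KmsKeyId": "alias/aws/ebs"}),
}

# The AWS-managed EBS key is reported as the alias "alias/aws/ebs" (or an alias ARN ending in it).
AWS_MANAGED_EBS_KEY = re.compile(r"alias/aws/ebs$")


@dataclass
class RegionStatus:
    region: str
    enabled: bool
    kms_key_id: str

    @property
    def customer_managed(self) -> bool:
        # Any default key that is not the AWS-managed alias is a customer-managed KMS key.
        return AWS_MANAGED_EBS_KEY.search(self.kms_key_id) is None

    @property
    def finding(self) -> str:
        if not self.enabled:
            return "FAIL: EBS encryption by default is disabled"
        if not self.customer_managed:
            return "PASS: enabled, but using the AWS-managed key alias/aws/ebs"
        return "PASS: enabled with a customer-managed KMS key"


def evaluate(regions: Dict[str, Tuple[dict, dict]]) -> List[RegionStatus]:
    """Turn the two API responses for each Region into one RegionStatus."""
    return [RegionStatus(r, bool(enc.get("EbsEncryptionByDefault", False)),
                         key.get("KmsKeyId", "alias/aws/ebs"))
            for r, (enc, key) in regions.items()]


def remediation_commands(statuses: List[RegionStatus], cmk_arn: str) -> List[str]:
    """CLI calls needed to reach 'enabled with a CMK' in every Region that is not there yet."""
    cmds = []
    for s in statuses:
        if not s.enabled:
            cmds.append(f"aws ec2 enable-ebs-encryption-by-default --region {s.region}")
        if not s.customer_managed:
            cmds.append(f"aws ec2 modify-ebs-default-kms-key-id --region {s.region} --kms-key-id {cmk_arn}")
    return cmds
```

Run `evaluate` over the responses collected from every enabled Region, then review the output of `remediation_commands` before executing it; the check itself only requires encryption to be enabled, while the CMK step follows the recommendation above.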
Resource Type
AwsEc2Volume