MEDIUM EC2 · CIS 2.2.1

EBS default encryption

Check ID: aws-ec2-006

aws-ec2-006 is a check performed by cloud-audit, an open-source AWS security scanner. It reports every scanned region in which EBS encryption by default is disabled. While the setting is off, a new volume is encrypted only if the request that creates it explicitly asks for encryption.

Why it matters

Without default EBS encryption, every developer and automation tool must set encrypted=true on each volume it creates, a step that is easily forgotten. The result is an inconsistent posture in which some volumes are encrypted and others are not, which is hard to audit and fails compliance requirements that call for encryption of data at rest. Enabling encryption by default is a one-time, per-region setting with negligible performance impact: once it is on, new EBS volumes and snapshot copies created in that region are encrypted whether or not the request asks for it, using the AWS managed aws/ebs key unless a customer-managed KMS key has been set as the region's default (aws ec2 modify-ebs-default-kms-key-id). The setting does not touch existing volumes; an unencrypted volume is migrated by snapshotting it, copying the snapshot with encryption enabled, and creating a new volume from the encrypted copy. One caveat: with the setting on, the few instance types that do not support EBS encryption can no longer be launched in that region.

Common causes

EBS encryption by default is a regional setting that must be enabled separately in every region, and teams often enable it only in their primary region. It is disabled in every account and region until someone turns it on, including accounts created long after AWS introduced the feature in 2019, and nobody goes back to enable it across all regions. Automated account vending in AWS Organizations may not include the setting in the baseline applied to new accounts, or may apply it to a single region only.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.

Remediation: AWS CLI

aws ec2 enable-ebs-encryption-by-default --region REGION
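To apply this across every region and confirm the change, here is an added Python example (not cloud-audit's own code) that runs the same check through the boto3 EC2 API, reports each failing region together with the default key in use, and enables the setting where it is off before re-reading it. The EC2 client is injected so the example runs offline against a constructed FakeEc2Client; only live_client_factory and live_regions need boto3 and credentials, and the region names, key alias and account state in demo_fleet are made up for the demonstration.

```python
"""Per-region check for EBS encryption by default, with remediation.

Added example, not part of cloud-audit. Works against real boto3 EC2 clients
or against the constructed FakeEc2Client below for offline runs.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass
class EbsDefaultEncryptionFinding:
    region: str
    enabled: bool
    default_kms_key_id: str  # alias/aws/ebs unless a CMK was set as region default


def check_region(region: str, ec2) -> EbsDefaultEncryptionFinding:
    """Run the check for one region.

    `ec2` is a boto3 EC2 client, or any object exposing the same two calls
    (GetEbsEncryptionByDefault and GetEbsDefaultKmsKeyId).
    """
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key_id = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    return EbsDefaultEncryptionFinding(region, enabled, key_id)


def scan(regions: Iterable[str], client_for: Callable[[str], object]) -> List[EbsDefaultEncryptionFinding]:
    """Check every region; the setting is regional, so one call per region."""
    return [check_region(region, client_for(region)) for region in regions]


def failing_regions(findings: Iterable[EbsDefaultEncryptionFinding]) -> List[str]:
    return [f.region for f in findings if not f.enabled]


def enable_where_disabled(findings, client_for: Callable[[str], object]) -> List[str]:
    """Call EnableEbsEncryptionByDefault in each failing region, then re-read the
    setting to confirm it stuck. Returns the regions that now pass."""
    fixed = []
    for region in failing_regions(findings):
        ec2 = client_for(region)
        ec2.enable_ebs_encryption_by_default()
        if check_region(region, ec2).enabled:
            fixed.append(region)
    return fixed


def live_client_factory() -> Callable[[str], object]:
    import boto3  # imported lazily so the offline demo needs no boto3

    session = boto3.session.Session()
    return lambda region: session.client("ec2", region_name=region)


def live_regions() -> List[str]:
    import boto3

    ec2 = boto3.client("ec2", region_name="us-east-1")
    return [r["RegionName"] for r in ec2.describe_regions()["Regions"]]


class FakeEc2Client:
    """Constructed stand-in for a boto3 EC2 client (sample state, not real API output)."""

    def __init__(self, enabled: bool, kms_key_id: str = "alias/aws/ebs"):
        self.enabled = enabled
        self.kms_key_id = kms_key_id
        self.enable_calls = 0

    def get_ebs_encryption_by_default(self) -> dict:
        return {"EbsEncryptionByDefault": self.enabled}

    def get_ebs_default_kms_key_id(self) -> dict:
        return {"KmsKeyId": self.kms_key_id}

    def enable_ebs_encryption_by_default(self) -> dict:
        self.enable_calls += 1
        self.enabled = True
        return {"EbsEncryptionByDefault": True}


def demo_fleet() -> Dict[str, FakeEc2Client]:
    """Constructed account: primary region done with a CMK, two regions forgotten."""
    return {
        "us-east-1": FakeEc2Client(True, "alias/ebs-cmk"),
        "eu-west-1": FakeEc2Client(False),
        "ap-southeast-2": FakeEc2Client(False),
    }


if __name__ == "__main__":
    fleet = demo_fleet()  # swap for live_regions() / live_client_factory() to run for real
    findings = scan(fleet, fleet.__getitem__)
    for f in findings:
        print(f"{'PASS' if f.enabled else 'FAIL'} {f.region} default key: {f.default_kms_key_id}")
    print("remediated:", enable_where_disabled(findings, fleet.__getitem__))
```

Re-reading the setting after the enable call is deliberate: an SCP or a missing ec2:EnableEbsEncryptionByDefault permission fails the call loudly, but checking the resulting state is what proves the region now passes.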

Remediation: Terraform

# Applies only to the region of the provider it is created with; declare it
# once per region (one provider alias each) to cover the whole account.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

Compliance mapping

This check maps to CIS 2.2.1 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
