Amazon Elastic Compute Cloud

2019/05/23 - Amazon Elastic Compute Cloud - 6 new api methods

Changes  New APIs to enable EBS encryption by default feature. Once EBS encryption by default is enabled in a region within the account, all new EBS volumes and snapshot copies are always encrypted

EnableEbsEncryptionByDefault (new) Link ¶

Enables default encryption for EBS volumes that are created in your account in the current region.

Once encryption is enabled with this action, EBS volumes that are created in your account will always be encrypted even if encryption is not specified at launch. This setting overrides the encrypted setting to true in all API calls that create EBS volumes in your account. A volume will be encrypted even if you specify encryption to be false in the API call that creates the volume.

If you do not specify a customer master key (CMK) in the API call that creates the EBS volume, then the volume is encrypted to your AWS account's default CMK.

You can specify a default CMK of your choice using ModifyEbsDefaultKmsKeyId .

Enabling default encryption for EBS volumes has no effect on existing unencrypted volumes in your account. Encrypting the data in these requires manual action. You can either create an encrypted snapshot of an unencrypted volume, or encrypt a copy of an unencrypted snapshot. Any volume restored from an encrypted snapshot is also encrypted. For more information, see Amazon EBS Snapshots .

Once EBS encryption by default is enabled, you can no longer launch older-generation instance types that do not support encryption. For more information, see Supported Instance Types .

See also: AWS API Documentation

Request Syntax

client.enable_ebs_encryption_by_default(
    DryRun=True|False
)
type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation . Otherwise, it is UnauthorizedOperation .

rtype

dict

returns

Response Syntax

{
    'EbsEncryptionByDefault': True|False
}

Response Structure

  • (dict) --

    • EbsEncryptionByDefault (boolean) --

      Account-level encryption status after performing the action.

ModifyEbsDefaultKmsKeyId (new) Link ¶

Changes the default customer master key (CMK) that your account uses to encrypt EBS volumes if you don’t specify a CMK in the API call.

Your account has an AWS-managed default CMK that is used for encrypting an EBS volume when no CMK is specified in the API call that creates the volume. By calling this API, you can specify a customer-managed CMK to use in place of the AWS-managed default CMK.

Note: Deleting or disabling the custom CMK that you have specified to act as your default CMK will result in instance-launch failures.

See also: AWS API Documentation

Request Syntax

client.modify_ebs_default_kms_key_id(
    KmsKeyId='string',
    DryRun=True|False
)
type KmsKeyId

string

param KmsKeyId

[REQUIRED]

An identifier for the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the volume. This parameter is only required if you want to use a non-default CMK; if this parameter is not specified, the default CMK for EBS is used. If a KmsKeyId is specified, the Encrypted flag must also be set.

The CMK identifier may be provided in any of the following formats:

  • Key ID

  • Key alias

  • ARN using key ID. The ID ARN contains the arn:aws:kms namespace, followed by the Region of the CMK, the AWS account ID of the CMK owner, the key namespace, and then the CMK ID. For example, arn:aws:kms:us-east-1 :012345678910 :key/abcd1234-a123-456a-a12b-a123b4cd56ef .

  • ARN using key alias. The alias ARN contains the arn:aws:kms namespace, followed by the Region of the CMK, the AWS account ID of the CMK owner, the alias namespace, and then the CMK alias. For example, arn:aws:kms:us-east-1 :012345678910 :alias/ExampleAlias .

type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation . Otherwise, it is UnauthorizedOperation .

rtype

dict

returns

Response Syntax

{
    'KmsKeyId': 'string'
}

Response Structure

  • (dict) --

    • KmsKeyId (string) --

      The full ARN of the default CMK that your account uses to encrypt an EBS volume when no CMK is specified in the API call that creates the volume.

ResetEbsDefaultKmsKeyId (new) Link ¶

Resets the account's default customer master key (CMK) to the account's AWS-managed default CMK. This default CMK is used to encrypt EBS volumes when you have enabled EBS encryption by default without specifying a CMK in the API call. If you have not enabled encryption by default, then this CMK is used when you set the Encrypted parameter to true without specifying a custom CMK in the API call.

Call this API if you have modified the default CMK that is used for encrypting your EBS volume using ModifyEbsDefaultKmsKeyId and you want to reset it to the AWS-managed default CMK. After resetting, you can continue to provide a CMK of your choice in the API call that creates the volume. However, if no CMK is specified, your account will encrypt the volume to the AWS-managed default CMK.

See also: AWS API Documentation

Request Syntax

client.reset_ebs_default_kms_key_id(
    DryRun=True|False
)
type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation . Otherwise, it is UnauthorizedOperation .

rtype

dict

returns

Response Syntax

{
    'KmsKeyId': 'string'
}

Response Structure

  • (dict) --

    • KmsKeyId (string) --

      The full ARN of the default CMK that your account uses to encrypt an EBS volume when no CMK is specified in the API call that creates the volume.

DisableEbsEncryptionByDefault (new) Link ¶

Disables default encryption for EBS volumes that are created in your account in the current region.

Call this API if you have enabled default encryption using EnableEbsEncryptionByDefault and want to disable default EBS encryption. Once default EBS encryption is disabled, you can still create an encrypted volume by setting encrypted to true in the API call that creates the volume.

Disabling default EBS encryption will not change the encryption status of any of your existing volumes.

See also: AWS API Documentation

Request Syntax

client.disable_ebs_encryption_by_default(
    DryRun=True|False
)
type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation . Otherwise, it is UnauthorizedOperation .

rtype

dict

returns

Response Syntax

{
    'EbsEncryptionByDefault': True|False
}

Response Structure

  • (dict) --

    • EbsEncryptionByDefault (boolean) --

      Account-level encryption status after performing the action.

GetEbsEncryptionByDefault (new) Link ¶

Describes whether default EBS encryption is enabled for your account in the current region.

See also: AWS API Documentation

Request Syntax

client.get_ebs_encryption_by_default(
    DryRun=True|False
)
type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation . Otherwise, it is UnauthorizedOperation .

rtype

dict

returns

Response Syntax

{
    'EbsEncryptionByDefault': True|False
}

Response Structure

  • (dict) --

    • EbsEncryptionByDefault (boolean) --

      Indicates whether default encryption for EBS volumes is enabled or disabled.

GetEbsDefaultKmsKeyId (new) Link ¶

Describes the default customer master key (CMK) that your account uses to encrypt EBS volumes if you don’t specify a CMK in the API call. You can change this default using ModifyEbsDefaultKmsKeyId .

See also: AWS API Documentation

Request Syntax

client.get_ebs_default_kms_key_id(
    DryRun=True|False
)
type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation . Otherwise, it is UnauthorizedOperation .

rtype

dict

returns

Response Syntax

{
    'KmsKeyId': 'string'
}

Response Structure

  • (dict) --

    • KmsKeyId (string) --

      The full ARN of the default CMK that your account uses to encrypt an EBS volume when no CMK is specified in the API call that creates the volume.