Issue
Is there a way to create a cloudformation script which enables EBS encryption by default for all organizations? There is a aws config rule for this what I am looking for a remediation for this config rule. https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#ebs-enable-encryption
Solution
This is currently not possible via CloudFormation. https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/158
Alternatively, you can enforce the policy that only encrypted EBS volumes can be created or attached by adding the following IAM policy statement:
{
"Sid": "DenyAnythingRelatedToUnencryptedVolume",
"Effect": "Deny",
"Action": [
"ec2:*"
],
"Condition": {
"Bool": {
"ec2:Encrypted": "false"
}
},
"Resource": "*"
}
Answered By - jellycsc Answer Checked By - Terry (WPSolving Volunteer)