How to enable the "Always encrypt new EBS volumes" regionwide setting?

Question

AWS has this "automatic encryption" setting that I'd like to turn on for my account: https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/ .

I've spent a while poking around, and I cannot figure out how to enable that setting with CDK. Is it possible?

Possibly relevant links from my research:

• It looks like terraform supports this: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default
• Here are the awscli docs on this: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html
• It looks like CDK has an AWS Config rule for this: https://github.com/aws/aws-cdk/blob/v2.13.0/packages/@aws-cdk/aws-config/lib/rule.ts#L661-L665 , but AFAIK, that's just to get warnings when you don't have this setting turned on, which is nice, but doesn't actually turn the setting on for me

Answer 1

Is it possible to share code?? I guess you need to do something like below (btw this is python code)

host = ec2.BastionHostLinux(self, "BastionHost",
    vpc=vpc,
    block_devices=[ec2.BlockDevice(
        device_name="EBSBastionHost",
        volume=ec2.BlockDeviceVolume.ebs(10,
            encrypted=True
        )
    )]
)

look at 'encrypted=True' option, which will encrypt your EBS volumes.

Reference: https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_ec2/EbsDeviceOptions.html

(Not sure if this was your requirement)