0 votes
2 views
in AWS by (19.1k points)

In the AWS Key Management Service Best Practices whitepaper, in the section on Data at Rest Encryption with Amazon EBS, it states:

There are two methods to ensure that EBS volumes are always encrypted. You can verify that the encryption flag as part of the CreateVolume context is set to "true" through an IAM policy. If the flag is not "true" then the IAM policy can prevent an individual from creating the EBS volume.

How can I do this? I'd imagine the policy would look something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1509465260000",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    }
  ]
}

Based on the whitepaper and the docs, the Bool condition on the ec2:Encrypted key makes the most sense, but when trying to create an encrypted volume, I'm getting access denied.

What am I missing in the statement?

1 Answer

0 votes
by (44.4k points)

You will need more permissions to create these encrypted volumes:

1) ec2:DescribeAvailabilityZones

2) kms:*

Example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Stmt1509465260000",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume"
            ],
            "Condition": {
                "Bool": {
                    "ec2:Encrypted": "true"
                }
            },
            "Resource": [
                "*"
            ]
        }
    ]
}
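The following is an added example, not code from the question, the answer, or AWS. It is a small Python model of how IAM evaluates the two policies in this thread (Allow/Deny effects, the trailing `*` action wildcard, and the `Bool` condition operator, with explicit Deny winning over Allow and anything not allowed implicitly denied). Run against the calls that an encrypted CreateVolume is modelled as needing, it shows why the asker's single statement comes back as access denied while the answer's policy succeeds. It also adds a hypothetical `DENY_UNENCRYPTED_POLICY`, an explicit Deny on `ec2:CreateVolume` when `ec2:Encrypted` is `"false"`, which is the form that actually prevents unencrypted volumes even when some other policy grants broad `ec2:*`. The list of modelled calls and the specific `kms:GenerateDataKeyWithoutPlaintext` action are assumptions for the example, not something the thread states.

```python
"""Toy model of how IAM evaluates the policies from this thread.

Added example, not code from the question, the answer, or AWS. It models
only what the thread uses: Allow/Deny effects, action wildcards such as
"kms:*", and the Bool condition operator. Explicit Deny beats Allow, and
an action no statement allows is implicitly denied, as in IAM.
"""

# Policy the asker posted: a single conditional Allow on ec2:CreateVolume.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:CreateVolume"], "Resource": "*",
         "Condition": {"Bool": {"ec2:Encrypted": "true"}}},
    ],
}

# Policy from the answer: adds kms:* and ec2:DescribeAvailabilityZones.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeAvailabilityZones"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:CreateVolume"], "Resource": "*",
         "Condition": {"Bool": {"ec2:Encrypted": "true"}}},
    ],
}

# Hypothetical enforcement policy (assumption, not from the thread): an explicit
# Deny that blocks CreateVolume whenever the Encrypted flag is "false", so a broad
# Allow elsewhere cannot be used to create an unencrypted volume.
DENY_UNENCRYPTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["ec2:CreateVolume"], "Resource": "*",
         "Condition": {"Bool": {"ec2:Encrypted": "false"}}},
    ],
}

# Calls an encrypted volume creation is modelled as needing, following the
# answer's list (the exact kms:GenerateDataKeyWithoutPlaintext action is an assumption).
ENCRYPTED_CREATE_CALLS = [
    ("ec2:DescribeAvailabilityZones", {}),
    ("ec2:CreateVolume", {"ec2:Encrypted": "true"}),
    ("kms:GenerateDataKeyWithoutPlaintext", {}),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action patterns support '*'; only the trailing-wildcard form is needed here.
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_matches(condition, context):
    # Bool: every listed key must be present in the request context and equal the
    # expected value (case-insensitive). A missing key makes the condition false,
    # which is why a Bool-based Deny only bites when the key is actually sent.
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one API call."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins over any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def blocked_calls(policies):
    """The modelled calls behind an encrypted CreateVolume that are not allowed."""
    return [a for a, ctx in ENCRYPTED_CREATE_CALLS if evaluate(policies, a, ctx) != "Allow"]


if __name__ == "__main__":
    print("asker's policy blocks:", blocked_calls([QUESTION_POLICY]))
    print("answer's policy blocks:", blocked_calls([ANSWER_POLICY]))
    broad = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
    print("unencrypted CreateVolume under broad allow plus deny policy:",
          evaluate([broad, DENY_UNENCRYPTED_POLICY], "ec2:CreateVolume",
                   {"ec2:Encrypted": "false"}))
```

Two things the model makes visible. First, a conditional Allow only grants; it does not forbid, so the answer's policy leaves an unencrypted CreateVolume implicitly denied only for as long as no other policy on the principal allows it, whereas the explicit Deny holds regardless. Second, `kms:*` on `Resource: "*"` grants every KMS action on every key in the account; scoping that statement to the key ARN the volumes use and to the KMS actions EBS actually needs is the least-privilege form of the same answer.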
