Based on Jeff Barr Recent Blog AWS make it easier and simpler for you to protect your data from unauthorized access. I feel this should be enabled by anyone who use AWS.
If you prefer to do via AWS CLI then make sure you have updated to latest version of CLI [aws-cli/1.16.169 Python/2.7.10 Darwin/17.7.0 botocore/1.12.159 ]
aws ec2 enable-ebs-encryption-by-default
Note: You will have to run this command in all the regions you operate.
Below is the python script that can help you with enabling it using below for region you interested are
import boto3 # list the regions you are interested to run this script on regions = ['us-east-1'] for region in regions: client = boto3.client('ec2', region) response = client.enable_ebs_encryption_by_default() print("Default EBS Encryption for region", region,": ", response['EbsEncryptionByDefault'])
Note: Shared script will use the default ebs key. If you are interested in using different KMS key then use below
response = client.modify_ebs_default_kms_key_id( KmsKeyId='string' )