Amazon EBS volumes should specify a customer-managed AWS KMS key (KmsKeyId) so data at rest is encrypted under keys you control and access to decrypt volumes and snapshots can be restricted via key policies.
In CloudFormation, each AWS::EC2::Volume resource must set KmsKeyId under Properties, referencing the ARN, key ID, or alias of a customer-managed CMK. Volumes without KmsKeyId are flagged. If account-level default EBS encryption is not enabled, the omission results in an unencrypted volume; if default encryption is enabled, the volume is encrypted with the AWS-managed key instead of a customer-managed one.
Compliant example (YAML):

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Creating ECS service
Resources:
  MyKey:
    Type: "AWS::KMS::Key"
    Properties:
      KeyPolicy:
        Version: "2012-10-17"
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join
                - ""
                - - "arn:aws:iam::"
                  - !Ref "AWS::AccountId"
                  - ":root"
            Action: "kms:*"
            Resource: "*"
  NewVolume:
    Type: AWS::EC2::Volume
    Properties:
      Size: 100
      Encrypted: true
      # Ec2Instance is assumed to be defined elsewhere in the template
      AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
      Tags:
        - Key: MyTag
          Value: TagValue
      KmsKeyId: !Ref MyKey
    DeletionPolicy: Snapshot
```
Compliant example (JSON):

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Creating ECS service",
  "Resources": {
    "MyKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": ["", ["arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root"]]
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      }
    },
    "NewVolume": {
      "Type": "AWS::EC2::Volume",
      "DeletionPolicy": "Snapshot",
      "Properties": {
        "Size": 100,
        "Encrypted": true,
        "AvailabilityZone": { "Fn::GetAtt": ["Ec2Instance", "AvailabilityZone"] },
        "Tags": [{ "Key": "MyTag", "Value": "TagValue" }],
        "KmsKeyId": { "Ref": "MyKey" }
      }
    }
  }
}
```
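The check the rule describes can be reproduced locally before a template reaches a pipeline. The following is an added example written for this page, not Datadog's rule engine: it walks the Resources of a parsed CloudFormation template, flags every AWS::EC2::Volume without KmsKeyId, and additionally flags a KmsKeyId that resolves to the AWS-managed EBS key (alias/aws/ebs) or a volume whose Encrypted flag is not true, since both leave the data outside keys you control. The sample template embedded in it is constructed, and the resource names in it (GoodVolume, NoKeyVolume, AwsManagedVolume, PlainVolume) are hypothetical.

```python
"""Flag AWS::EC2::Volume resources that do not pin a customer-managed KMS key.
Added example for this rule page; it is not Datadog's implementation."""
import json
from typing import Any

# Alias under which the AWS-managed EBS key is exposed. Specifying it satisfies
# "has a KmsKeyId" syntactically but does not give you a customer-managed key.
AWS_MANAGED_EBS_ALIAS = "alias/aws/ebs"


def _is_customer_managed(kms_key_id: Any) -> bool:
    """Heuristic: an intrinsic ({"Ref": ...}, {"Fn::GetAtt": ...}, {"Fn::Sub": ...})
    points at a key defined in the template or imported from another stack; a
    literal is accepted unless it is the AWS-managed alias (bare or as an ARN)."""
    if isinstance(kms_key_id, dict):
        return True
    if isinstance(kms_key_id, str):
        value = kms_key_id.strip()
        return value != "" and not value.endswith(AWS_MANAGED_EBS_ALIAS)
    return False


def find_volume_findings(template: dict) -> list[dict]:
    """Return one finding per problem, as {"resource": name, "issue": text}."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Volume":
            continue
        props = resource.get("Properties") or {}
        if "KmsKeyId" not in props:
            findings.append({"resource": name, "issue": "missing KmsKeyId"})
        elif not _is_customer_managed(props["KmsKeyId"]):
            findings.append({"resource": name,
                             "issue": "KmsKeyId is not a customer-managed key"})
        # Encrypted given as an intrinsic (e.g. a Ref to a parameter) cannot be
        # judged statically, so only literal non-true values are reported.
        encrypted = props.get("Encrypted")
        if encrypted is not True and not isinstance(encrypted, dict):
            findings.append({"resource": name, "issue": "Encrypted is not true"})
    return findings


def scan_template_text(text: str) -> list[dict]:
    """Parse a JSON template and run the checks. YAML templates need a loader that
    understands the !Ref/!GetAtt short-form tags, so JSON is used here."""
    return find_volume_findings(json.loads(text))


# Constructed sample template (not from the original page): one compliant
# volume and three that the checks should report.
SAMPLE_TEMPLATE = """
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {}}},
    "GoodVolume": {"Type": "AWS::EC2::Volume", "Properties": {
      "Size": 100, "Encrypted": true, "AvailabilityZone": "us-east-1a",
      "KmsKeyId": {"Ref": "MyKey"}}},
    "NoKeyVolume": {"Type": "AWS::EC2::Volume", "Properties": {
      "Size": 100, "Encrypted": true, "AvailabilityZone": "us-east-1a"}},
    "AwsManagedVolume": {"Type": "AWS::EC2::Volume", "Properties": {
      "Size": 100, "Encrypted": true, "AvailabilityZone": "us-east-1a",
      "KmsKeyId": "alias/aws/ebs"}},
    "PlainVolume": {"Type": "AWS::EC2::Volume", "Properties": {
      "Size": 8, "AvailabilityZone": "us-east-1a"}}
  }
}
"""

if __name__ == "__main__":
    for finding in scan_template_text(SAMPLE_TEMPLATE):
        print(f"{finding['resource']}: {finding['issue']}")
```

Running the module prints four findings: NoKeyVolume and PlainVolume lack KmsKeyId, PlainVolume is also not encrypted, and AwsManagedVolume names the AWS-managed key rather than a CMK; GoodVolume, which references the in-template key, produces none. A literal alias such as alias/aws/ebs is the case to watch for in review, because it passes a naive presence check while still leaving key-policy control with AWS.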