Compliance

Encrypt EBS and EFS storage at rest

One capability across EBS volumes, the account-level EBS default, EFS file systems and WorkSpaces virtual desktops: make sure the block and file storage your compute reads and writes is encrypted on disk rather than left in the clear.

14 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: EC2.3 EC2.7 EFS.1 EFS.8 WorkSpaces.1 WorkSpaces.2

Encrypting block and file storage: the basics

Why disks and file systems each have their own version of the same finding

EBS volumes, EFS file systems and WorkSpaces desktop disks are the storage layers your compute reads and writes directly. Encryption at rest scrambles the bytes on those disks with an AWS KMS key, so a stolen volume, a leaked snapshot or a mis-shared backup reveals ciphertext instead of data. Security Hub turns each storage type into its own control: EC2.3 covers attached EBS volumes, EC2.7 covers the account-level EBS default-encryption toggle, EFS.1 and EFS.8 cover EFS file systems, and WorkSpaces.1 and WorkSpaces.2 cover the user and root volumes of virtual desktops. Different resources, identical risk: storage readable on disk.

They look like separate problems on the report, but they are one capability: prove that every block and file volume in the estate, and every snapshot or backup derived from it, is encrypted under a key you can govern. The bytes are protected with AES-256 and the encryption is hardware-accelerated, so there is no measurable performance cost; the value is the KMS key boundary, which lets you authorise, log and revoke access to the data without touching the workload.

The trait that makes this capability sharp is that EFS and WorkSpaces bind encryption to creation: an EFS file system's Encrypted flag and a WorkSpace's RootVolumeEncryptionEnabled flag are read-only after the resource is built, so the only fix is a migration to a new, encrypted resource. EBS is the reverse: existing volumes still cannot be encrypted in place, but the account-level default (EC2.7) is a single per-region toggle that makes every new volume encrypted from creation. The work is to find the unencrypted storage, migrate what is immutable, and flip the EBS default everywhere so the gap cannot grow.

In this lesson you will learn how AWS expresses encryption at rest across block and file storage, why EFS and WorkSpaces make encryption immutable at creation while the EBS default is a free per-region toggle, how to migrate the immutable resources without an outage, and how to stop new unencrypted storage from ever appearing. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The default AWS shipped but never turned on

EBS encryption launched in 2014, but for years the account-level default was off in every account in every region. AWS finally shipped the per-region toggle in 2019, and made EFS console encryption default-on the same year, but it never auto-enabled them: silently changing a default would have broken every cross-account snapshot copy in existence. The result is a long tail. In 2026 there are still large accounts where EC2.7 fails in three regions because someone flipped it on in us-east-1 and called it done, and EFS file systems created from a 2017 CloudFormation template that never set Encrypted=true. The defaults exist, but every resource created before them still has to be checked and, for the immutable ones, migrated.

Finding unencrypted storage across an estate

Marco is closing out a SOC 2 readiness sprint. Security Hub shows storage encryption failures across EBS, EFS and WorkSpaces in three accounts: the EBS default was flipped on in the home region years ago but never in the two newer regions, and a handful of file systems and desktops pre-date the encryption standard.

Rather than work the findings resource by resource, he starts by confirming the cheapest, highest-leverage gap first: whether the per-region EBS default is actually on everywhere, because that single toggle stops new unencrypted volumes before he touches the migrations.

Check the EBS default-encryption state per region. A false here is what causes EC2.7 to fail and lets new volumes be created unencrypted.

$ aws ec2 get-ebs-encryption-by-default --region eu-west-2 --query 'EbsEncryptionByDefault'

false

# Any new volume in eu-west-2 right now is unencrypted by default.

$ aws ec2 enable-ebs-encryption-by-default --region eu-west-2

{ "EbsEncryptionByDefault": true }

# Fixed forward in one idempotent call. Existing volumes still need EC2.3 handling.

Flip the per-region default first: it is free, instant, and stops the gap growing while you migrate the immutable storage.

How AWS encrypts block and file storagedeep dive

All three storage types use AES-256 envelope encryption keyed by KMS, applied inside the storage layer so the guest OS sees ordinary disks. EBS encrypts each volume with a data key wrapped by a KMS key (the AWS-managed aws/ebs key or a customer-managed one); WorkSpaces is built directly on EBS encryption, so its root and user volumes follow the same model with a VolumeEncryptionKey chosen at creation; EFS encrypts each 4 KiB block with a per-file-system data key wrapped by KMS, and is hardware-accelerated so IOPS, throughput and latency are unchanged versus an unencrypted file system. In every case, revoking access to the KMS key makes the data unreadable, which is the access-management property the controls are really about.

The EBS default (EC2.7) is stored in the regional EC2 service configuration, separate from any individual resource. When a volume is created (directly, from an AMI, or from a snapshot restore) EC2 checks the regional default before allocating storage and encrypts the new volume if it is on. The setting is per region, which is the single most common reason an org thinks it has done the encryption thing while Security Hub keeps firing: it was flipped in the home region and never in the others, and new regions start with it off. AMI launches honour the default even when the source snapshot was unencrypted.

EFS and WorkSpaces are immutable because, like an existing EBS volume, the storage was provisioned around a specific encryption decision and cannot be flipped in place. EFS exposes Encrypted as a create-only input and has no modify path, so remediation is create-a-new-encrypted-file-system and migrate the data (AWS DataSync runs incremental EFS-to-EFS passes so the cutover window is minutes). WorkSpaces exposes RootVolumeEncryptionEnabled and UserVolumeEncryptionEnabled as create-only, with no UpdateWorkspaceEncryption API, so remediation is to back up the user volume, recreate the WorkSpace encrypted, migrate the data and terminate the old one. Snapshots and AWS Backup recovery points inherit the source's unencrypted state, so a single unencrypted volume seeds many unencrypted artefacts over time.

What is the impact of leaving storage unencrypted?

The direct impact is data exposure. An unencrypted volume or file system stores its contents as plaintext on disk and in every snapshot and backup derived from it. The root volume of a virtual desktop is not the throwaway disk people assume: it holds the pagefile and swap (which can contain anything that was in memory, including decrypted secrets), browser caches, temporary download folders and registry hives that cache credential material. If any of that storage leaks, through a misconfigured backup, a leaked image or insider access to the storage layer, it is readable. Encryption turns those scenarios into ciphertext.

The compliance impact is mechanical. SOC 2, ISO 27001, HIPAA, PCI DSS and FedRAMP all expect encryption of data at rest as a baseline control (NIST SC-13 and SC-28). EC2.7 failing in any production region, or an EFS holding regulated data unencrypted, becomes audit evidence that the control is not enforced: even if 95 percent of your volumes happen to be encrypted, the auditor's question is what stops the next one from being unencrypted, and the answer needs to be the regional default, not vigilance.

The structural impact is the immutability constraint on EFS and WorkSpaces. Because they cannot be toggled later, every unencrypted file system or desktop is a deferred migration project whose cost scales with data volume and the number of dependent mounts or users. A 380 GB file system is a sprint; a multi-terabyte one feeding a dozen services is a multi-week project. There is a second-order tell, too: an unencrypted root volume next to an encrypted user volume usually means provisioning was not governed, so a cluster of these findings is a prompt to review the whole provisioning path, not just patch the symptoms.

How do you encrypt the storage estate safely?

Work the capability as one loop rather than chasing individual resource findings. The order matters: flip the free EBS default everywhere first, inventory and prioritise the immutable storage by data sensitivity, migrate it, then enforce the defaults with a guardrail so the gap cannot reopen.

1. Flip the EBS default in every enabled region

Use aws ec2 describe-regions to enumerate every region the account has opted into, then enable-ebs-encryption-by-default in each. The call is idempotent, takes effect immediately, and only governs new volumes. Do not trust memory: someone has almost certainly enabled a region for an experiment that nobody else tracks. This single step is the cheapest, highest-leverage part of the whole capability.

2. Inventory and prioritise the immutable storage by data sensitivity

List every EFS file system on Encrypted==false and every WorkSpace on RootVolumeEncryptionEnabled==false, scoring each by data classification (PHI, PII, PCI scope), size, and the number of dependent mounts or users. Migrate the highest-risk one first so it builds the runbook for the rest. Note that existing attached EBS volumes (EC2.3) also need migrating; the default only protects new ones.

3. Migrate the immutable resources to encrypted replacements

For EFS, create a new file system with --encrypted and the right KMS key, mirror the source's performance and mount-target configuration, run AWS DataSync incremental passes leading up to a brief cutover, repoint the mounts, verify, then delete the source. For WorkSpaces, back up the user volume, call create-workspaces with both encryption flags true and a VolumeEncryptionKey, confirm the user's data, then terminate the old desktop. For existing EBS volumes, snapshot, copy the snapshot with a KMS key, and replace.

4. Enforce the defaults with Config rules and SCPs

Enable the AWS Config rules ec2-ebs-encryption-by-default, efs-encrypted-check and workspaces-root-volume-encryption-enabled so any drift or new unencrypted resource is flagged within minutes. Bake encrypted=true into your Terraform and CloudFormation modules and add CI policy (Checkov or tfsec) that fails on an unencrypted volume or file system. At the org level, an SCP denying ec2:DisableEbsEncryptionByDefault and creation of unencrypted file systems makes the prevention durable across the whole organisation.

# 1. Flip the EBS default across every enabled region (idempotent, free, new volumes only).
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  aws ec2 enable-ebs-encryption-by-default --region "$region" >/dev/null
  echo "$region: EBS default encryption on"
done

# 2. Inventory the immutable storage that needs migrating.
aws efs describe-file-systems \
  --query 'FileSystems[?Encrypted==`false`].[FileSystemId,Name,SizeInBytes.Value]' --output table
aws workspaces describe-workspaces \
  --query 'Workspaces[?RootVolumeEncryptionEnabled==`false`].[WorkspaceId,UserName]' --output table

# 3. Create an encrypted EFS replacement (then migrate data with AWS DataSync, cut over, delete source).
aws efs create-file-system --encrypted \
  --kms-key-id alias/storage-encryption \
  --performance-mode generalPurpose --throughput-mode elastic

# 4. Confirm the default holds, then back it with a Config rule and an SCP.
aws ec2 get-ebs-encryption-by-default --query 'EbsEncryptionByDefault'

Quick quiz

Question 1 of 5

Security Hub shows storage encryption failures across EC2.7, EFS.1 and WorkSpaces.2. What is the most efficient way to think about them?

Keep learning

Go deeper on how at-rest encryption works across the storage types in this capability.

You can now treat block and file storage encryption as one capability rather than a scatter of findings: flip the free per-region EBS default everywhere first, inventory the immutable EFS and WorkSpaces resources and migrate the regulated-data ones, replace existing unencrypted EBS volumes, and lock the defaults with Config rules and an SCP so the gap cannot reopen. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Encrypting block and file storage: the cost and risk view

A near-free capability whose only real cost is the migration of immutable storage if you leave it late

Encryption at rest on storage is one of the rare controls with essentially zero AWS spend. The AWS-managed key is free, encrypted volumes and snapshots cost the same per GB as unencrypted ones, there is no performance penalty, and the only recurring charge is a customer-managed KMS key at roughly a dollar a month. There is no savings line to chase, which is exactly why it gets deprioritised and exactly why it should not be.

The genuine cost lives in the migration for the immutable storage types. EFS cannot be encrypted in place, so remediation is a create-and-migrate using AWS DataSync; WorkSpaces cannot be encrypted in place, so each non-compliant desktop has to be rebuilt with the user's data migrated across. Both scale with size and complexity, and both get more expensive the longer the resource has been accumulating data and dependencies. The EBS default, by contrast, is a free per-region toggle, so the cheapest version of this whole capability is to flip it everywhere before unencrypted volumes accumulate.

Frame each failing control by data sensitivity, not control count. An unencrypted EFS holding regulated files is a real audit liability that grows with every backup and cross-account copy that inherits the unencrypted state; an unencrypted root volume on a disposable test box is not. Track the count of unencrypted storage resources holding regulated data, trending to zero, each with an owner and a date.

This lesson is for the finance partner who sees a cluster of storage encryption findings on the security report and wants to know what the right response is and what it costs. It covers why the encryption itself is essentially free, why the real exposure is the historical unencrypted storage and the migration of the immutable resources, when a customer-managed KMS key is worth the cost, and the guardrails (the EBS default plus an SCP) that keep the gap from reopening.

Fun fact

The default AWS shipped but never turned on

How a finance partner separates the free flip from the migration bill

Priya, the finance partner at a healthcare SaaS, sees a SOC 2 readiness scan light up with storage encryption failures across EBS, EFS and WorkSpaces in three accounts, and her instinct is to slow the team down before they treat every finding the same way. She knows this capability splits into two cost shapes that look identical on the report: a free per-region toggle for EBS, and a real migration project for the immutable EFS and WorkSpaces resources that cannot be encrypted in place.

She asks for the inventory split three ways. The EBS default (EC2.7) is on in the home region but off in two newer ones, which is a free, idempotent flip she insists happens immediately so no more unencrypted volumes accumulate while the rest is worked. The unencrypted EFS file systems and WorkSpaces desktops are sorted by data sensitivity: an EFS holding regulated patient files is funded first as a create-and-migrate using AWS DataSync, with the temporary double-running storage and the fractions-of-a-cent-per-GB transfer booked as a distinct one-time line; a root volume on a disposable test box drops to the bottom. The AWS-managed key is free, so she only approves the roughly-a-dollar-a-month customer-managed key where the compliance regime actually demands custody. What was a vague pile of red findings becomes a free fix, a sensitivity-ordered migration backlog and a small number of justified key decisions.

Why storage encryption belongs on the risk register

The cost model is asymmetric in a way that is rare for security work. The AWS-managed key is free, encrypted storage is priced identically to unencrypted, and there is no performance penalty, so there is no savings column to populate. Leaving storage unencrypted creates an unbounded tail risk: a leak of a file system holding regulated data carries notification, forensics, legal and reputational costs that dwarf any engineering spend. The right framing is liability discharge, not cost reduction.

The finance role is to make the cheap prevention happen and to fund the migrations by priority. Insist the EBS default is on in every region and protected by an SCP before signing off, because flipping it forward-protects new volumes for free; then attach data sensitivity to each immutable EFS and WorkSpaces finding, fund the regulated-data migrations on a committed timeline, and budget the temporary double-running and DataSync transfer (fractions of a cent per GB) as a distinct one-time line. Track the regulated-data subset, not the raw total.

What finance can actually do about this

Finance cannot run a DataSync job, but it can make the cheap prevention a condition of sign-off and fund the migrations by priority. Three levers, used at the monthly risk-and-cost review.

1. Make the EBS default and its SCP a precondition for closing the item

The forward fix for EBS is free, so the only governance ask is that the default is on in every region and an SCP denies ec2:DisableEbsEncryptionByDefault. Without the SCP, any privileged engineer can silently undo the toggle, leaving the control point-in-time compliant rather than durable. Require both before recording EC2.7 as remediated.

2. Budget the immutable migrations as a distinct line, by sensitivity

Re-encrypting an EFS or rebuilding a WorkSpace is a project with engineering time, temporary double-running storage and a brief cutover, scaled by size and mount complexity. Ask for the count of unencrypted storage holding regulated data, fund those first on a committed date, and book the one-time spike (DataSync transfer plus engineer time) separately from the free EBS work.

3. Weigh a customer-managed KMS key only where the regime requires it

The AWS-managed key is free and correct for most workloads. A customer-managed key costs about a dollar a month plus operational overhead and is worth it only when the compliance regime (FedRAMP High, specific HIPAA custody requirements) or cross-account key custody actually demands it. Do not treat every resource as a CMK decision.

Quick quiz

Question 1 of 5

What is the AWS spend impact of the encryption itself across this storage capability?

Keep learning

Go deeper on how at-rest encryption works across the storage types in this capability.

You have finished the finance view of encrypting block and file storage. You know the encryption itself is essentially free, that the only AWS spend is a roughly-a-dollar-a-month customer-managed key where a regime demands it, and that the real money is the create-and-migrate for the immutable EFS and WorkSpaces resources, booked by data sensitivity. Next time these findings land, you will make the free per-region EBS default and its SCP a precondition for sign-off, fund the regulated-data migrations first on a committed date, and track that subset trending to zero rather than the raw count.

Back to the library

Encrypting block and file storage: the headline

Whether data written to disk is protected by default, or only when someone remembers

EBS, EFS and WorkSpaces disks hold the data your cloud workloads write: application data, user uploads, cached credentials, temporary files. This capability checks whether that data is encrypted on disk, and the report shows the gap as a scatter of findings across block storage, file storage and virtual desktops.

The leadership question is whether encryption is enforced by configuration or by human memory. For EBS the answer can be a single account-level default per region, which is free and instant; for EFS and WorkSpaces the fix cannot be retrofitted in place, so each unencrypted resource is a deferred migration project. That asymmetry is the point: prevent new unencrypted storage cheaply at the front door, and treat the legacy immutable resources as an owned, dated backlog.

This is a governance decision, not a budget one. The defensible end state is that every region enforces the EBS default, no file system or desktop holding regulated data is unencrypted, every exception has an owner and a date, and a guardrail such as a Service Control Policy stops the defaults being switched off.

A short read for the leader who needs to know what unencrypted storage exposes, why the EBS default makes prevention free while EFS and WorkSpaces require migration, and what a defensible end state looks like: the default enforced in every region, regulated file systems and desktops encrypted, and an SCP so the setting cannot be quietly turned off.

Fun fact

The default AWS shipped but never turned on

When data on disk is protected by configuration, not by memory

The leadership team learned the asymmetry of this capability from an audit deadline rather than a stolen disk. A scan run ahead of certification showed the EBS default had been flipped on in one region years ago and called done, while two newer regions and a long tail of older file systems and desktops were still unencrypted. The comfortable assumption that AWS encrypts storage by now turned out to be true only for resources created after the defaults shipped, and never auto-applied to the ones that predated them.

The response was to stop chasing individual resource findings and to set one policy with a deliberate split. EBS prevention is free and instant, a per-region default plus a Service Control Policy that stops anyone quietly switching it off, so that became a precondition for signing the item closed. EFS and WorkSpaces cannot be retrofitted in place, so each unencrypted resource holding regulated data became an owned, dated migration rather than an open-ended liability. The leadership signal at the review is no longer the raw finding count but whether the defaults are enforced so the answer cannot degrade without approval, and whether the immutable backlog is shrinking on committed dates.

Why this is a board-level risk

This capability answers a direct question: if a disk were physically removed, or its snapshot or backup were accessed by the wrong party, would the data be readable? With the storage unencrypted, the answer is yes. Most breaches of stored data trace back to exactly that root cause, and encryption is the control that makes it structurally difficult.

What makes it a leadership item is the split between prevention and cleanup. EBS prevention is free and instant via a per-region default plus an SCP; EFS and WorkSpaces cleanup is a migration project because the resources must be rebuilt. The meaningful decision is not whether to fix the current findings but whether to enforce the defaults so the org never funds this remediation twice. A persistent or recurring count signals provisioning is not governed, which is the pattern worth fixing.

The leadership move on this category

The handle for an executive is not to supervise the migrations, but to set the standard and the guardrail that make unencrypted storage a closed question.

1. Set the default: encryption on, everywhere, by policy

Make it an organisational standard that every region enabled for production has the EBS default on, enforced by an SCP rather than a checklist, and that no file system or desktop holding regulated data is unencrypted. The leadership question is whether the default is enforced such that the answer cannot degrade without approval.

2. Require an owner and a date on every immutable exception

EFS and WorkSpaces gaps cannot be fixed in place, so each unencrypted resource holding regulated data needs a named owner and a committed migration date. The date does not have to be aggressive, but it has to exist, or the liability drifts indefinitely and the answer at the next audit is still we are working on it.

3. Treat a recurring count as a governance signal

Ask for the trend, not the headcount. A count that drifts back up means provisioning is not governed, and that same gap usually shows up in other controls. A flat zero means the defaults and the guardrails are holding and attention can move elsewhere.

Quick quiz

Question 1 of 5

Why is this capability a governance decision split by cost shape rather than a single budget line?

Keep learning

Go deeper on how at-rest encryption works across the storage types in this capability.

Two takeaways. This is a governance decision split by cost shape: EBS prevention is free and instant via a per-region default plus an SCP, while EFS and WorkSpaces are owned, dated migrations because they cannot be retrofitted in place. And the metric that matters is not a zero count but whether the defaults are enforced so the answer cannot degrade without approval, every immutable exception carries an owner and a date, and a recurring count is read as the provisioning-governance signal it is.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

EC2

EFS

WorkSpaces

Part of the learning path Encrypt everything

Encrypt EBS and EFS storage at rest

Encrypting block and file storage: the basics

The default AWS shipped but never turned on

Finding unencrypted storage across an estate

How AWS encrypts block and file storagedeep dive

What is the impact of leaving storage unencrypted?

How do you encrypt the storage estate safely?

1. Flip the EBS default in every enabled region

2. Inventory and prioritise the immutable storage by data sensitivity

3. Migrate the immutable resources to encrypted replacements

4. Enforce the defaults with Config rules and SCPs

Quick quiz

Keep learning

Encrypting block and file storage: the cost and risk view

The default AWS shipped but never turned on

How a finance partner separates the free flip from the migration bill

Why storage encryption belongs on the risk register

What finance can actually do about this

1. Make the EBS default and its SCP a precondition for closing the item

2. Budget the immutable migrations as a distinct line, by sensitivity

3. Weigh a customer-managed KMS key only where the regime requires it

Quick quiz

Keep learning

Encrypting block and file storage: the headline

The default AWS shipped but never turned on

When data on disk is protected by configuration, not by memory

Why this is a board-level risk

The leadership move on this category

1. Set the default: encryption on, everywhere, by policy

2. Require an owner and a date on every immutable exception

3. Treat a recurring count as a governance signal

Quick quiz

Keep learning

Controls this lesson covers

EC2

EFS

WorkSpaces

Related compliance lessons