Skip to content

Resource: awsEbsDefaultKmsKey

Provides a resource to manage the default customer master key (CMK) that your AWS account uses to encrypt EBS volumes.

Your AWS account has an AWS-managed default CMK that is used for encrypting an EBS volume when no CMK is specified in the API call that creates the volume. By using the awsEbsDefaultKmsKey resource, you can specify a customer-managed CMK to use in place of the AWS-managed default CMK.

\~> NOTE: Creating an awsEbsDefaultKmsKey resource does not enable default EBS encryption. Use the awsEbsEncryptionByDefault to enable default EBS encryption.

\~> NOTE: Destroying this resource will reset the default CMK to the account's AWS-managed default CMK for EBS.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.ebsDefaultKmsKey.EbsDefaultKmsKey(this, "example", {
  keyArn: "${aws_kms_key.example.arn}",
});

Argument Reference

The following arguments are supported:

  • keyArn - (Required, ForceNew) The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume.

Attributes Reference

No additional attributes are exported.

Import

The EBS default KMS CMK can be imported with the KMS key ARN, e.g.,

$ terraform import aws_ebs_default_kms_key.example arn:aws:kms:us-east-1:123456789012:key/abcd-1234