You might want to re-encrypt an existing EBS volume with a new CMK if an existing CMK becomes compromised. This allows you to re-encrypt your volumes with a new CMK, thereby safeguarding your data:
- From within the AWS Management Console, select EC2 from the Compute category.
- Select Snapshots from the ELASTIC BLOCK STORE menu on the left.
- Select your snapshot that is encrypted:
As you can see, this snapshot is encrypted using the AWS-managed aws/ebs key.
- Select Actions | Create Volume:
- You will now have the option of selecting a different encryption key. In the example here, I have selected a customer-managed CMK, called MyCMK:
- After you have selected your CMK to use for encryption via KMS, select Create Volume. Your new volume will then be encrypted using a different CMK:
Let's now look at how to apply default encryption to your EBS volumes.