Enforcing EBS Encryption within AWS Organization using SCP (Service Control Policy)

Updated Sept 2020

The information on the AWS page linked below has changed. The limitation around EC2 and root users appears to have been removed. The following policy should work

{
  "Effect": "Deny",
  "Action": "ec2:CreateVolume",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  }
},
{
  "Sid": "PreventEc2MountUnencryptedVolume",
  "Effect": "Deny",
  "Action": "ec2:RunInstances",
  "Resource": "arn:aws:ec2:*:*:volume/*",
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
     }
   }
}

You can and probably should restrict the root user more generally using a policy such as the one found on this page. The root user shouldn't be used for routine administration, but having them available and with permissions to do key tasks as a break-glass is sensible.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictEC2ForRoot",
      "Effect": "Deny",
      "Action": [
        "ec2:*",
        "s3:*",
        "kms:*"
      ],
      "Resource": [
        "*"
      ],    
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:root"
          ]
        }
      }
    }
  ]
}

Original Answer April 2019

It turns out that SCP works as expected, but there's a catch - according to this AWS page "All condition keys that start with "ec2" aren't evaluated when using root credentials".

Because the requirement for the volume to be encrypted is within a condition key it was not enforced while I was logged in as root. When I logged in as an IAM user the SCP was enforced as expected.

Here's the full text from the AWS documentation.

AWS Docs

Currently, when using root user credentials to make Amazon EC2 requests, the resource and condition policy elements don't function as expected in the following ways:

Resource ARNs – If you specify an AWS resource ARN in an SCP's resource element, it won't match the resource the root user performs

the Amazon EC2 action on during policy evaluation. This means that the specified restrictions for this action don't apply to the root user. Deny statements that specify all resources ("Resource": "*") for Amazon EC2 actions are correctly evaluated for root users.

Amazon EC2 condition keys – All condition keys that start with "ec2" aren't evaluated when using root credentials. Because policy

conditions aren't correctly evaluated for root users, users with root credentials might have unintended access to Amazon EC2 actions.

This issue doesn't affect IAM users and roles or any AWS service except Amazon EC2. Only the root user is subject to this issue. If you don’t want your root user to have access to Amazon EC2 actions, attach an SCP like the Restrict Access to Amazon EC2 for Root User example to your organization root.

Here's the SCP they link to

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictEC2ForRoot",
      "Effect": "Deny",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:root"
          ]
        }
      }
    }
  ]
}