########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
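# Quoted so that YAML 1.1 loaders (PyYAML without a custom constructor, for example)
# keep the format version as the string CloudFormation expects instead of a date.
AWSTemplateFormatVersion: '2010-09-09'
Description:
  This template deploys a Lambda function that enables the EC2 default ebs encryption in each account and region. - 'ec2_default_ebs_encryption'
  solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse40)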

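Metadata:
  # SRA solution metadata; not interpreted by CloudFormation itself.
  SRA:
    Version: 1.3
    Order: 3
  # Console layout only: groups and labels for the parameters declared below.
  # Every parameter that carries a label is also placed in a group, so none
  # falls back to the console's "Other parameters" bucket.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionName
          - pSRAStagingS3BucketName
          - pSRAAlarmEmail

      - Label:
          default: Lambda Function Properties
        Parameters:
          - pEC2DefaultEBSEncryptionLambdaFunctionName
          - pEC2DefaultEBSEncryptionLambdaRoleName
          - pManagementAccountId
          - pOrganizationId

      - Label:
          default: Custom Resource Properties
        Parameters:
          - pControlTowerRegionsOnly
          - pEnabledRegions
          - pEC2DefaultEBSEncryptionRoleName
          - pExcludeEC2DefaultEBSEncryptionTags

      - Label:
          default: General Lambda Function Properties
        Parameters:
          - pCreateLambdaLogGroup
          - pLambdaLogGroupRetention
          - pLambdaLogGroupKmsKey
          - pLambdaLogLevel

      - Label:
          default: EventBridge Rule Properties
        Parameters:
          - pComplianceFrequency
          - pControlTowerLifeCycleRuleName
          - pEventRuleRoleName

    ParameterLabels:
      pComplianceFrequency:
        default: Frequency to Check for Organizational Compliance
      pControlTowerLifeCycleRuleName:
        default: Control Tower Lifecycle Rule Name
      pCreateLambdaLogGroup:
        default: Create Lambda Log Group
      pEC2DefaultEBSEncryptionLambdaFunctionName:
        default: Lambda Function Name
      pEC2DefaultEBSEncryptionLambdaRoleName:
        default: Lambda Role Name
      pEC2DefaultEBSEncryptionRoleName:
        default: EC2 Enable Default Encryption Role Name
      pEnabledRegions:
        default: Enabled Regions
      pEventRuleRoleName:
        default: Event Rule Role Name
      pExcludeEC2DefaultEBSEncryptionTags:
        default: (Optional) Exclude EC2 Default EBS Encryption Tags
      pLambdaLogGroupKmsKey:
        default: (Optional) Lambda Logs KMS Key
      pLambdaLogGroupRetention:
        default: Lambda Log Group Retention
      pLambdaLogLevel:
        default: Lambda Log Level
      pManagementAccountId:
        default: Management Account ID
      pOrganizationId:
        default: Organization ID
      pSRAAlarmEmail:
        default: (Optional) SRA Alarm Email
      pSRASolutionName:
        default: SRA Solution Name
      pSRAStagingS3BucketName:
        default: SRA Staging S3 Bucket Name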

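Parameters:
  # Days between runs of rScheduledComplianceRule; a value of 1 selects the singular
  # "rate(1 day)" expression through cComplianceFrequencySingleDay.
  pComplianceFrequency:
    ConstraintDescription: Compliance Frequency must be a number between 1 and 30, inclusive.
    Default: 7
    Description: Frequency (in days between 1 and 30, default is 7) to check organizational compliance
    MinValue: 1
    MaxValue: 30
    Type: Number
  # Name of rControlTowerLifeCycleRule and the prefix of the -org-update and
  # -org-compliance rule names.
  pControlTowerLifeCycleRuleName:
    AllowedPattern: '^[\w.-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric and underscore characters. Also special characters supported [., -]
    Default: sra-ec2-default-ebs-encryption-trigger
    Description: The name of the AWS Control Tower Life Cycle Rule.
    Type: String
  # Passed to the function as CONTROL_TOWER_REGIONS_ONLY. The parameter is String-typed,
  # so the boolean-looking values are quoted to stop YAML loaders from retyping them.
  pControlTowerRegionsOnly:
    Type: String
    Description: Only enable in the Control Tower governed regions
    Default: 'true'
    AllowedValues: ['true', 'false']
  # Drives cCreateLambdaLogGroup, which compares against the string 'true'.
  pCreateLambdaLogGroup:
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description:
      Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS
      Key for encryption.
    Type: String
  # Used as the function name, the /aws/lambda/<name> log group name, the logs IAM
  # resource and the Id of each EventBridge target. At least one character is required:
  # the previous {0,64} bound accepted an empty name, which is not a valid FunctionName.
  pEC2DefaultEBSEncryptionLambdaFunctionName:
    AllowedPattern: '^[\w-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -]
    Default: sra-ec2-default-ebs-encryption
    Description: EC2 Default EBS Encryption Lambda Function Name
    Type: String
  # Name of the execution role created by rEC2DefaultEBSEncryptionLambdaRole.
  pEC2DefaultEBSEncryptionLambdaRoleName:
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: sra-ec2-default-ebs-encryption-lambda
    Description: EC2 Default EBS Encryption Lambda Role Name
    Type: String
  # Name of the role the function assumes in every account (sts:AssumeRole resource in
  # the execution role; CONFIGURATION_ROLE_NAME in the environment). This template does
  # not create that role; presumably it is deployed to member accounts separately.
  pEC2DefaultEBSEncryptionRoleName:
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: sra-ec2-default-ebs-encryption
    Description: EC2 Default EBS Encryption Role Name
    Type: String
  # Comma-separated region list passed through as ENABLED_REGIONS; empty means all.
  pEnabledRegions:
    AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
    ConstraintDescription:
      Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
      us-east-1,ap-southeast-2)
    Default: ''
    Description:
      (Optional) If Control Tower Regions Only = false, list the regions to enable (AWS regions, separated by commas). Leave blank to enable all
      regions. Regions must be enabled in all accounts within the AWS Organization.
    Type: String
  # Name of rCrossRegionEventRuleRole (created outside us-east-1 only).
  pEventRuleRoleName:
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -].
    Default: sra-ec2-default-ebs-encryption-global-events
    Description: Event rule role name for putting events on the home region event bus
    Type: String
  # Passed through as EXCLUDE_ACCOUNT_TAGS. The pattern accepts any value, so the JSON
  # shape is not checked by CloudFormation; presumably the function validates it.
  pExcludeEC2DefaultEBSEncryptionTags:
    AllowedPattern: '^$|.*'
    Description:
      '(Optional) Resource Tags that denote an Account should be excluded from this solution in JSON format: [{"Key": "string", "Value": "string"},
      ... ]. For example, [{"Key": "exclude-ec2-default-ebs-encryption", "Value": "true"}].'
    Type: String
  # Optional customer KMS key for the Lambda log group (cUseKmsKey).
  pLambdaLogGroupKmsKey:
    AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$'
    ConstraintDescription: 'Key ARN example:  arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
    Default: ''
    Description:
      (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side
      encryption keys.
    Type: String
  # RetentionInDays of the explicitly created log group; only the CloudWatch Logs
  # supported retention values are allowed.
  pLambdaLogGroupRetention:
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
    Default: 14
    Description: Specifies the number of days you want to retain log events
    Type: String
  # Passed through as LOG_LEVEL.
  pLambdaLogLevel:
    AllowedValues: [DEBUG, INFO, ERROR]
    Default: INFO
    Description: Lambda Function Logging Level
    Type: String
  # Owner of the organization; used to build the organizations:ListTagsForResource
  # account ARN in the execution role. No default, so it must be supplied.
  # The constraint text matches the 12-digit pattern (it previously described a
  # different parameter's rules).
  pManagementAccountId:
    AllowedPattern: '^\d{12}$'
    ConstraintDescription: Must be a 12 digit AWS Account ID (e.g. 111122223333).
    Description: AWS Account ID of the Control Tower Management account.
    Type: String
  # Used in the sts:AssumeRole condition and in the account ARN for tag reads.
  pOrganizationId:
    AllowedPattern: '^o-[a-z0-9]{10,32}$'
    ConstraintDescription: Must start with 'o-' followed by from 10 to 32 lowercase letters or digits. (e.g. o-abc1234567)
    Description: AWS Organizations ID
    Type: String
  # Non-empty value creates the DLQ alarm and its SNS topic (cCreateDLQAlarm).
  pSRAAlarmEmail:
    AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
    ConstraintDescription: Email Validation as per RFC2822 standards.
    Default: ''
    Description:
      (Optional) Email address for receiving DLQ alarms. If empty, CloudWatch Alarm will not be created to notify when the DLQ has a queue depth of 1.
    Type: String
  # Tag value, queue/topic name prefix and S3 key prefix of the Lambda package.
  pSRASolutionName:
    AllowedValues: [sra-ec2-default-ebs-encryption]
    Default: sra-ec2-default-ebs-encryption
    Description: The SRA solution name. The default value is the folder name of the solution
    Type: String
  # Bucket holding the Lambda zip. The pattern only admits lowercase characters, so the
  # help text no longer claims uppercase letters are accepted.
  pSRAStagingS3BucketName:
    AllowedPattern: '^(?=^.{3,63}$)(?!.*[.-]{2})(?!.*[--]{2})(?!^(?:(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(?!$)|$)){4}$)(^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])$)'
    ConstraintDescription:
      SRA Staging S3 bucket name can include numbers, lowercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Description:
      SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket name can include
      numbers, lowercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Type: String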

Conditions:
  # Selects the singular "rate(1 day)" schedule expression in rScheduledComplianceRule.
  cComplianceFrequencySingleDay: !Equals [!Ref pComplianceFrequency, 1]
  # The DLQ alarm and its SNS topic exist only when an alarm email address is supplied.
  cCreateDLQAlarm: !Not [!Equals [!Ref pSRAAlarmEmail, '']]
  # Create an explicit log group (retention / KMS settable) for the function.
  cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'true']
  # rCrossRegionEventRuleRole is created in every region except us-east-1; presumably
  # global-service events originate there and are forwarded to the home region bus — confirm.
  cNotGlobalRegionUsEast1: !Not [!Equals [!Ref 'AWS::Region', us-east-1]]
  # Regions where the function is deployed on arm64; elsewhere the Architectures
  # property is omitted and the Lambda default applies.
  cUseGraviton: !Or
    - !Equals [!Ref 'AWS::Region', ap-northeast-1]
    - !Equals [!Ref 'AWS::Region', ap-south-1]
    - !Equals [!Ref 'AWS::Region', ap-southeast-1]
    - !Equals [!Ref 'AWS::Region', ap-southeast-2]
    - !Equals [!Ref 'AWS::Region', eu-central-1]
    - !Equals [!Ref 'AWS::Region', eu-west-1]
    - !Equals [!Ref 'AWS::Region', eu-west-2]
    - !Equals [!Ref 'AWS::Region', us-east-1]
    - !Equals [!Ref 'AWS::Region', us-east-2]
    - !Equals [!Ref 'AWS::Region', us-west-2]
  # A customer KMS key ARN was supplied for the Lambda log group.
  cUseKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]

Resources:
  # Dead-letter queue referenced by the function's DeadLetterConfig; encrypted with the
  # AWS-managed SQS key. The execution role is granted sqs:SendMessage on it.
  rEC2DefaultEBSEncryptionDLQ:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: alias/aws/sqs
      QueueName: !Sub ${pSRASolutionName}-dlq
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName

  # Created only when an alarm email is supplied (cCreateDLQAlarm). Sums the visible
  # message metric over 5 minutes and alarms when the sum exceeds 1. INSUFFICIENT_DATA
  # also notifies, so a queue that stops reporting is not silently ignored.
  rEC2DefaultEBSEncryptionDLQAlarm:
    Type: AWS::CloudWatch::Alarm
    Condition: cCreateDLQAlarm
    Properties:
      AlarmDescription: SRA DLQ alarm if the queue depth is 1
      Namespace: AWS/SQS
      MetricName: ApproximateNumberOfMessagesVisible
      Dimensions:
        - Name: QueueName
          Value: !GetAtt rEC2DefaultEBSEncryptionDLQ.QueueName
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanThreshold
      AlarmActions:
        - !Ref rEC2DefaultEBSEncryptionDLQAlarmTopic
      InsufficientDataActions:
        - !Ref rEC2DefaultEBSEncryptionDLQAlarmTopic

  # Notification topic for the DLQ alarm, encrypted with the AWS-managed SNS key.
  # The email subscription is pending until the recipient confirms it.
  rEC2DefaultEBSEncryptionDLQAlarmTopic:
    Type: AWS::SNS::Topic
    Condition: cCreateDLQAlarm
    Properties:
      DisplayName: !Sub ${pSRASolutionName}-dlq-alarm
      KmsMasterKeyId: !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/sns
      TopicName: !Sub ${pSRASolutionName}-dlq-alarm
      Subscription:
        - Endpoint: !Ref pSRAAlarmEmail
          Protocol: email
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName

  # Queue policy letting the EventBridge service principal send to the DLQ, scoped by
  # aws:SourceArn to this function's ARN.
  # NOTE(review): none of the EventBridge rules in this template configure a target DLQ,
  # and the function's own DeadLetterConfig delivery is presumably authorised by the
  # execution role's sqs:SendMessage grant rather than by this policy — confirm whether
  # this statement is still needed.
  rEC2DefaultEBSEncryptionDLQPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref rEC2DefaultEBSEncryptionDLQ
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action: SQS:SendMessage
            Condition:
              ArnEquals:
                aws:SourceArn:
                  - !GetAtt rEC2DefaultEBSEncryptionLambdaFunction.Arn
            Resource:
              - !GetAtt rEC2DefaultEBSEncryptionDLQ.Arn
            Principal:
              Service: events.amazonaws.com

  # Optional explicit log group (cCreateLambdaLogGroup). Retained on stack delete and on
  # replacement so the log history survives. Its name must stay /aws/lambda/<function
  # name>, which is also the resource the execution role's logs statement is scoped to.
  rEC2DefaultEBSEncryptionLambdaLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: cCreateLambdaLogGroup
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      # Customer key only when an ARN was supplied; otherwise CloudWatch Logs manages encryption.
      KmsKeyId: !If
        - cUseKmsKey
        - !Ref pLambdaLogGroupKmsKey
        - !Ref AWS::NoValue
      LogGroupName: !Sub '/aws/lambda/${pEC2DefaultEBSEncryptionLambdaFunctionName}'
      RetentionInDays: !Ref pLambdaLogGroupRetention

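  # Execution role for the function. Every statement is scoped to a named resource except
  # the Organizations read calls, which only support a wildcard (see the W11 suppression).
  rEC2DefaultEBSEncryptionLambdaRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: service actions require a wildcard in the resource
          - id: W28
            reason: Using a defined role name
    Properties:
      RoleName: !Ref pEC2DefaultEBSEncryptionLambdaRoleName
      Description: !Sub SRA IAM role for ${pEC2DefaultEBSEncryptionLambdaRoleName} Lambda function
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: '/'
      # Policy document versions are quoted throughout: an unquoted 2012-10-17 is retyped
      # as a date by YAML 1.1 loaders, and the trust policy above already quotes it.
      Policies:
        - PolicyName: sra-ec2-default-ebs-encryption-policy-cloudformation
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read-only view of the Control Tower baseline stack sets in this account/region;
              # presumably how governed accounts and regions are discovered when
              # CONTROL_TOWER_REGIONS_ONLY is set — confirm against the function code.
              - Sid: CloudFormation
                Effect: Allow
                Action: cloudformation:ListStackInstances
                Resource: !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stackset/AWSControlTowerBP-*

        - PolicyName: sra-ec2-default-ebs-encryption-policy-iam
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Cross-account hop into the fixed-name configuration role of each account.
              # NOTE(review): aws:PrincipalOrgId is evaluated against the caller (this role),
              # so it does not limit which account's role can be assumed; the account wildcard
              # plus the fixed role name is the effective scope. If the intent is "only roles
              # owned by this organization", aws:ResourceOrgID is the matching key — confirm.
              - Sid: AssumeRole
                Effect: Allow
                Action: sts:AssumeRole
                Resource: !Sub arn:${AWS::Partition}:iam::*:role/${pEC2DefaultEBSEncryptionRoleName}
                Condition:
                  StringEquals:
                    aws:PrincipalOrgId: !Ref pOrganizationId

        - PolicyName: sra-ec2-default-ebs-encryption-policy-logs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Scoped to this function's own log group only.
              - Sid: CreateLogStreamAndEvents
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${pEC2DefaultEBSEncryptionLambdaFunctionName}:log-stream:*

        - PolicyName: sra-ec2-default-ebs-encryption-policy-organizations
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: OrganizationsReadAccess
                Effect: Allow
                Action:
                  - organizations:DescribeAccount
                  - organizations:ListAccounts
                Resource: '*'

              # Tag reads are limited to accounts of this organization in the management account.
              - Sid: ListTagsForAccounts
                Effect: Allow
                Action: organizations:ListTagsForResource
                Resource: !Sub arn:${AWS::Partition}:organizations::${pManagementAccountId}:account/${pOrganizationId}/*

        - PolicyName: sra-ec2-default-ebs-encryption-policy-sns
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Only the solution's own fan-out topic.
              - Sid: SNSPublish
                Effect: Allow
                Action:
                  - sns:Publish
                  - sns:PublishBatch
                Resource: !Ref rEC2DefaultEBSEncryptionTopic

        - PolicyName: sra-ec2-default-ebs-encryption-policy-sqs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Only the solution's DLQ (DeadLetterConfig target).
              - Sid: SQSSendMessage
                Effect: Allow
                Action: sqs:SendMessage
                Resource: !GetAtt rEC2DefaultEBSEncryptionDLQ.Arn

      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName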

  # The function that sets the account-level default EBS encryption. Invoked by the custom
  # resource, by the SNS topic subscription and by the three EventBridge rules below.
  rEC2DefaultEBSEncryptionLambdaFunction:
    Type: AWS::Lambda::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W58
            reason: Role provides access to CloudWatch.
          - id: W89
            reason: Lambda function does not access resources inside a VPC.
          - id: W92
            reason: Lambda does not need reserved concurrent executions.
      checkov:
        skip:
          - id: CKV_AWS_115
            comment: Lambda does not need reserved concurrent executions.
          - id: CKV_AWS_117
            comment: Lambda does not need to communicate with VPC resources.
          - id: CKV_AWS_173
            comment: Environment variables are not sensitive.
    Properties:
      FunctionName: !Ref pEC2DefaultEBSEncryptionLambdaFunctionName
      Description: SRA Set the EC2 Default EBS encryption account setting
      # arm64 only in the regions listed under cUseGraviton; otherwise the property is omitted.
      Architectures: !If
        - cUseGraviton
        - [arm64]
        - !Ref AWS::NoValue
      Handler: app.lambda_handler
      Role: !GetAtt rEC2DefaultEBSEncryptionLambdaRole.Arn
      # NOTE(review): python3.9 is an older Lambda runtime; check its support status and plan
      # the move to a current version (the packaged code must be compatible) — confirm.
      Runtime: python3.9
      # 15 minutes, the Lambda maximum; the function iterates accounts and regions.
      Timeout: 900
      # The artifact is whatever is at this key at deploy time; there is no S3ObjectVersion
      # pin, so integrity rests on the staging bucket's access controls — consider pinning.
      Code:
        S3Bucket: !Ref pSRAStagingS3BucketName
        S3Key: !Sub ${pSRASolutionName}/lambda_code/${pSRASolutionName}.zip
      # Failed asynchronous invocations go to the DLQ; the role holds sqs:SendMessage on it.
      DeadLetterConfig:
        TargetArn: !GetAtt rEC2DefaultEBSEncryptionDLQ.Arn
      # Mirrors the custom resource properties; none of these values are secrets.
      Environment:
        Variables:
          LOG_LEVEL: !Ref pLambdaLogLevel
          CONFIGURATION_ROLE_NAME: !Ref pEC2DefaultEBSEncryptionRoleName
          CONTROL_TOWER_REGIONS_ONLY: !Ref pControlTowerRegionsOnly
          ENABLED_REGIONS: !Ref pEnabledRegions
          EXCLUDE_ACCOUNT_TAGS: !Ref pExcludeEC2DefaultEBSEncryptionTags
          ROLE_SESSION_NAME: sra-ec2-default-ebs-encryption
          SNS_TOPIC_ARN: !Ref rEC2DefaultEBSEncryptionTopic
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName

  # Invokes the function during stack create/update/delete. The properties duplicate the
  # function's environment variables, presumably so that changing any of them makes
  # CloudFormation send an Update request to the function.
  rEC2DefaultEBSEncryptionLambdaCustomResource:
    Type: Custom::LambdaCustomResource
    Version: '1.0'
    Properties:
      ServiceToken: !GetAtt rEC2DefaultEBSEncryptionLambdaFunction.Arn
      CONFIGURATION_ROLE_NAME: !Ref pEC2DefaultEBSEncryptionRoleName
      CONTROL_TOWER_REGIONS_ONLY: !Ref pControlTowerRegionsOnly
      ENABLED_REGIONS: !Ref pEnabledRegions
      EXCLUDE_ACCOUNT_TAGS: !Ref pExcludeEC2DefaultEBSEncryptionTags
      ROLE_SESSION_NAME: sra-ec2-default-ebs-encryption
      SNS_TOPIC_ARN: !Ref rEC2DefaultEBSEncryptionTopic

  # Topic the function publishes to (sns:Publish in the execution role) and is itself
  # subscribed to below, i.e. the function re-enters through SNS — presumably to fan out
  # per-account work. Encrypted with the AWS-managed SNS key.
  rEC2DefaultEBSEncryptionTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: !Sub ${pSRASolutionName}-configuration
      KmsMasterKeyId: !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/sns
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName

  # Lets SNS invoke the function, restricted by SourceArn to the solution topic only.
  rEC2DefaultEBSEncryptionTopicLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt rEC2DefaultEBSEncryptionLambdaFunction.Arn
      Principal: sns.amazonaws.com
      SourceArn: !Ref rEC2DefaultEBSEncryptionTopic

  # Delivers topic messages to the function (see the Lambda permission above).
  rEC2DefaultEBSEncryptionTopicSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !GetAtt rEC2DefaultEBSEncryptionLambdaFunction.Arn
      Protocol: lambda
      TopicArn: !Ref rEC2DefaultEBSEncryptionTopic

  # Re-runs the function when an account joins, is created, or is tagged (the tag event
  # matters because exclusion is tag-driven via EXCLUDE_ACCOUNT_TAGS). Organizations is a
  # global service, so these CloudTrail events presumably arrive in us-east-1 and reach the
  # home region via the cross-region event role — confirm.
  rOrganizationsRule:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub ${pControlTowerLifeCycleRuleName}-org-update
      Description: SRA EC2 Default EBS Encryption Trigger on Organizations update
      EventPattern:
        source:
          - aws.organizations
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - organizations.amazonaws.com
          eventName:
            - AcceptHandshake
            - CreateAccountResult
            - TagResource
      State: ENABLED
      Targets:
        - Arn: !GetAtt rEC2DefaultEBSEncryptionLambdaFunction.Arn
          Id: !Ref pEC2DefaultEBSEncryptionLambdaFunctionName

  # Re-runs the function when Control Tower enrolls or updates a managed account.
  rControlTowerLifeCycleRule:
    Type: AWS::Events::Rule
    Properties:
      Name: !Ref pControlTowerLifeCycleRuleName
      Description: SRA EC2 Default EBS Encryption Control Tower Life Cycle Trigger (triggers on new Control Tower vended accounts)
      EventPattern:
        source:
          - aws.controltower
        detail-type:
          - AWS Service Event via CloudTrail
        detail:
          eventName:
            - CreateManagedAccount
            - UpdateManagedAccount
      State: ENABLED
      Targets:
        - Arn: !GetAtt rEC2DefaultEBSEncryptionLambdaFunction.Arn
          Id: !Ref pEC2DefaultEBSEncryptionLambdaFunctionName

  # EventBridge invoke permission, restricted by SourceArn to the Control Tower rule only.
  rPermissionForControlTowerRuleToInvokeLambda:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt rEC2DefaultEBSEncryptionLambdaFunction.Arn
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt rControlTowerLifeCycleRule.Arn

  # EventBridge invoke permission, restricted by SourceArn to the Organizations rule only.
  rPermissionForOrganizationsRuleToInvokeLambda:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt rEC2DefaultEBSEncryptionLambdaFunction.Arn
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt rOrganizationsRule.Arn

  # EventBridge invoke permission, restricted by SourceArn to the scheduled rule only.
  rPermissionForScheduledComplianceRuleToInvokeLambda:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt rEC2DefaultEBSEncryptionLambdaFunction.Arn
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt rScheduledComplianceRule.Arn

  # Periodic re-check so drift in any account/region is corrected even without an event.
  rScheduledComplianceRule:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub ${pControlTowerLifeCycleRuleName}-org-compliance
      Description: SRA EC2 Default EBS Encryption Trigger for scheduled organization compliance
      # rate() requires the singular unit for 1, so the condition picks the right form.
      ScheduleExpression: !If
        - cComplianceFrequencySingleDay
        - !Sub rate(${pComplianceFrequency} day)
        - !Sub rate(${pComplianceFrequency} days)
      State: ENABLED
      Targets:
        - Arn: !GetAtt rEC2DefaultEBSEncryptionLambdaFunction.Arn
          Id: !Ref pEC2DefaultEBSEncryptionLambdaFunctionName

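  # Role for EventBridge to put events onto this account's default bus. Not referenced by
  # any rule in this template; presumably assumed by rules that a separate global-events
  # template creates — confirm. Skipped in us-east-1 (cNotGlobalRegionUsEast1).
  # NOTE(review): the trust policy has no aws:SourceAccount / aws:SourceArn condition, so
  # any EventBridge rule in any account could in principle be configured to assume it;
  # consider adding the condition if EventBridge supports it for this use — confirm.
  rCrossRegionEventRuleRole:
    Type: AWS::IAM::Role
    Condition: cNotGlobalRegionUsEast1
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W28
            reason: Specific role name provided
    Properties:
      RoleName: !Ref pEventRuleRoleName
      AssumeRolePolicyDocument:
        # Quoted: an unquoted date-like scalar is retyped by YAML 1.1 loaders.
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service:
                - events.amazonaws.com
      Policies:
        - PolicyName: sra-ec2-default-ebs-encryption-policy-events
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Limited to this account's default event bus in the deploying region.
              - Effect: Allow
                Action: events:PutEvents
                Resource: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/default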

Outputs:
  # Stack outputs for operators and downstream stacks; the log group ARN is only emitted
  # when the group is created by this template.
  oControlTowerLifeCycleRule:
    Description: SRA Control Tower Life Cycle Rule ARN
    Value: !GetAtt rControlTowerLifeCycleRule.Arn
  oEC2DefaultEBSEncryptionLambdaFunctionArn:
    Description: SRA EC2 Default EBS Encryption Lambda Function ARN
    Value: !GetAtt rEC2DefaultEBSEncryptionLambdaFunction.Arn
  oEC2DefaultEBSEncryptionLambdaLogGroupArn:
    Condition: cCreateLambdaLogGroup
    Description: SRA EC2 Default EBS Encryption Lambda Log Group ARN
    Value: !GetAtt rEC2DefaultEBSEncryptionLambdaLogGroup.Arn
  oEC2DefaultEBSEncryptionLambdaRoleArn:
    Description: SRA EC2 Default EBS Encryption Lambda Role ARN
    Value: !GetAtt rEC2DefaultEBSEncryptionLambdaRole.Arn