#!/bin/bash
set -Eeuox pipefail

aws ec2 enable-ebs-encryption-by-default

aws ec2 get-ebs-default-kms-key-id

EBS_CMK_ARN=$(aws kms describe-key --key-id 'alias/EC2EncryptionAtRestCMKAlias' |jq --raw-output '.KeyMetadata.Arn')

aws ec2 modify-ebs-default-kms-key-id --kms-key-id "$EBS_CMK_ARN"

aws ec2 get-ebs-default-kms-key-id