Enables the Account-level Elastic Block Storage (EBS) Default Encryption feature in a region.
Operation description
Note
The Account-level EBS Default Encryption feature is available only in specific regions and to specific users. To use Account-level EBS Default Encryption, submit a ticket.
-
Precautions
- Only Alibaba Cloud accounts can call this operation.
- Before you can enable the Account-level EBS Default Encryption feature in a region, you must activate Key Management Service (KMS) in the region.
- After you enable the Account-level EBS Default Encryption feature in a region, you can purchase only encrypted cloud disks in the region. For more information, see the Limits section of the "Encrypt cloud disks" topic.
-
Considerations
- After you enable the Account-level EBS Default Encryption feature in a region, new pay-as-you-go and subscription cloud disks in the region must be encrypted. You can use the KMS key configured for the Account-level EBS Default Encryption feature or specify other KMS keys to encrypt the cloud disks.
- The first time you enable the Account-level EBS Default Encryption feature in a region, the service key in the region is automatically used to encrypt EBS resources.
-
Suggestions
- You can call the DescribeDiskEncryptionByDefaultStatus operation to query whether the Account-level EBS Default Encryption feature is enabled in a region and the DescribeDiskDefaultKMSKeyId operation to query the ID of the KMS key used by the Account-level EBS Default Encryption feature in a region.
- You can call the ModifyDiskDefaultKMSKeyId or ResetDiskDefaultKMSKeyId operation to change or reset the KMS key used by the Account-level EBS Default Encryption feature in a region.
- You can call the DisableDiskEncryptionByDefault operation to disable the Account-level EBS Default Encryption feature in a region.
Debugging
Authorization information
There is currently no authorization information disclosed in the API.
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
RegionId | string | Yes | The region ID. You can call the DescribeRegions operation to query the most recent region list. | cn-hangzhou |
Response parameters
Examples
Sample success responses
JSON
format
{
"RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | InvalidParameter.KMSKeyId.CMKNotEnabled | The CMK needs to be enabled. | The customer master key (CMK) is not enabled when KMSKeyId is specified for an encrypted disk. You can call the DescribeKey operation of KMS to query information about the specified CMK. |
400 | InvalidParameter.Encrypted.KmsNotEnabled | KMS must be enabled for encrypted disks. | KMS is not activated. You must activate KMS before you can encrypt disks. |
403 | Abs.InvalidAction.RegionNotSupport | This region does not support this action. | The operation is not supported in the region. |
403 | InvalidOperation.DefaultEncryptionAlreadyEnabled | The specified region is already default encryption settings. | The region has enabled cloud disk encryption by default. |
403 | InvalidParameter.RegionIdNotExists | The specified region does not exists. | The region does not exist. |
403 | InvalidParameter.KMSKeyId.KMSUnauthorized | ECS service have no right to access your KMS. | ECS is not authorized to access your KMS resources. |
403 | InvalidParameter.KMSKeyId.CMKUnauthorized | The CMK needs to be added ECS tag. | - |
403 | InvalidOperation.KMSKeyIdNotFound | The specified KMSKeyId not found, %s. | The associated KMS encryption key cannot be found. Verify that the KMS encryption key is valid. |
403 | InvalidOperation.KMSServiceNotOpen | KMS service is currently not open. | The KMS service has not been enabled. |
403 | UserNotInTheWhiteList | The user is not in disk white list. | You are not authorized to manage the disk. Try again when you are authorized. |
For a list of error codes, visit the Service error codes.