How to Create a Stemcell with an Encrypted Root Volume

Article ID: 297982

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Background:


AWS provides a construct called an Amazon Machine Image, or AMI, that you can use to instantiate compute resources. The AMI contains some metadata that references either an EBS snapshot or a root volume template, though it's not those literal bits themselves. That is, an AMI references, but does not contain, things like an operating system or important libraries — those are stored on either the snapshot or the volume.

You can use the AMI (and by extension the corresponding snapshot) to launch EC2 instances, which is AWS's term for discrete virtual computing resources of various sizes that can do work.

On public cloud infrastructure, the BOSH team publishes shared machine images that form the base for a given PCF installation. These are called "light stemcells". Those shared machine images mean that every person using a given stemcell in PCF is starting with the exact same bits. On AWS, the BOSH team publishes these machine images as AMIs, one for every region, since AWS AMIs are specific to each region.

Issue:

You can only encrypt the associated volume if you own the AMI. Pivotal owns the source AMIs, but we let anyone copy them so that they can encrypt their own copy; BOSH handles this copy-and-encrypt step for you, which works well for Linux stemcells.

However, for Windows stemcells, AWS has a key limitation that prevents you from copying AMIs:

You can't copy an AMI with an associated billingProduct code that was shared with you from another account. This includes Windows AMIs and AMIs from the AWS Marketplace.

This means that encrypting the root volume is effectively blocked for all Windows AMIs shared this way, not just those that happen to be PCF-related.

Environment

Product Version: 2.6

Resolution

Solution:

A workaround is to build your own stemcell from scratch using an EC2 instance launched from the distributed stemcell, and then produce your own encrypted flavor, which you keep in your AWS account. Because that image is now owned by your account, the billingProduct copying limitation no longer applies.

You would also need to repeat this procedure for every stemcell release to stay up to date. Pivotal does not currently provide or support any tooling to automate this.
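The workaround above as an added AWS CLI sketch (example code, not Pivotal or VMware tooling): it launches a build instance from the shared stemcell AMI, registers an AMI that this account owns, and copies that AMI with root-volume encryption under a customer-managed KMS key. The region, AMI, subnet and key identifiers are placeholders you supply.

```shell
#!/bin/sh
# Added example, not Pivotal/VMware tooling: rebuild a shared stemcell AMI as an
# encrypted AMI owned by this account, following the workaround described above.
# Assumptions: aws CLI configured with EC2/KMS rights; SOURCE_AMI is the light
# stemcell AMI for REGION; KMS_KEY is a customer-managed key ARN you own;
# SUBNET is any subnet the build instance can launch in. All ids are placeholders.
# Usage: . ./encrypt-stemcell.sh && encrypt_stemcell us-west-2 ami-SOURCE subnet-X arn:aws:kms:REGION:ACCOUNT:key/ID 2019.8
set -eu
INSTANCE_TYPE="${INSTANCE_TYPE:-t3.medium}"

# Launch a build instance from the shared AMI and print its instance id.
launch_from_shared_ami() {
  aws ec2 run-instances --region "$1" --image-id "$2" --subnet-id "$3" \
    --instance-type "$INSTANCE_TYPE" --count 1 \
    --query 'Instances[0].InstanceId' --output text
}

# Stop the instance (consistent root volume) and register it as an AMI owned
# by this account. Because it is owned here, copy-image is no longer blocked
# by the billingProduct restriction that applies to the shared source AMI.
create_owned_ami() {
  aws ec2 stop-instances --region "$1" --instance-ids "$2" >/dev/null
  aws ec2 wait instance-stopped --region "$1" --instance-ids "$2"
  aws ec2 create-image --region "$1" --instance-id "$2" --name "$3" \
    --query 'ImageId' --output text
}

# Copy the owned AMI with its root volume encrypted under the given KMS key.
copy_encrypted() {
  aws ec2 copy-image --region "$1" --source-region "$1" --source-image-id "$2" \
    --name "$4" --encrypted --kms-key-id "$3" --query 'ImageId' --output text
}

# Pipeline: shared AMI -> build instance -> owned AMI -> encrypted AMI.
# Prints the encrypted AMI id. The unencrypted intermediate AMI is
# deregistered (its snapshot still has to be deleted separately).
encrypt_stemcell() {
  local region="$1" source_ami="$2" subnet="$3" kms_key="$4" version="$5"
  local instance owned encrypted
  instance=$(launch_from_shared_ami "$region" "$source_ami" "$subnet")
  aws ec2 wait instance-running --region "$region" --instance-ids "$instance"
  owned=$(create_owned_ami "$region" "$instance" "stemcell-$version-plain")
  aws ec2 wait image-available --region "$region" --image-ids "$owned"
  encrypted=$(copy_encrypted "$region" "$owned" "$kms_key" "stemcell-$version-encrypted")
  aws ec2 wait image-available --region "$region" --image-ids "$encrypted"
  aws ec2 deregister-image --region "$region" --image-id "$owned"
  aws ec2 terminate-instances --region "$region" --instance-ids "$instance" >/dev/null
  echo "$encrypted"
}
```

The printed AMI id is the one your own light stemcell would reference in place of the Pivotal-published AMI for that region.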

Please contact Support for the steps and for assistance with creating the new stemcell.