Why am I unable to create or attach an encrypted EBS volume using a custom AWS KMS key?

Short description

You might not be able to create or attach an encrypted EBS volume from an encrypted snapshot if your snapshot and the custom KMS key used to encrypt the snapshot are in the same account and are missing permissions from the key policy. Be sure that you allow the AWS Identity and Access Management (IAM) user or role in the KMS key policy.

Resolution

Identify the missing permissions from the policy using AWS CloudTrail Event history

1.    Open the CloudTrail console.

2.    Choose Event history, and for Time range, enter a 15-minute window around when the AttachVolume or CreateVolume API calls were made.

3.    Choose Filter, select Event source, and then enter kms.amazonaws.com.

4.    After the results load, select the download button in the upper-right corner of the console, and then select Download CSV.

5.    Open the file that you just downloaded, and then filter the Error code column for AccessDenied. All Event names with the AccessDenied error code are usually the missing permissions.

Note: CloudTrail events take up to 15 minutes to appear on the Events history tab. Checking Events history immediately after receiving the CreateVolume or AttachVolume failed status might not show any events.

After identifying the missing permissions, use the following solution to fix the issue:

Verify that the KMS key policy includes the IAM user or role that is attempting to attach or create the volume

From the AWS KMS console default view:

1.    Open the AWS KMS console.

2.    Choose Customer managed keys, and then select the appropriate key.

3.    Under Key policy, scroll down to Key users. Verify that the Key users section lists the IAM user or role that you’re using to create the volume.

4.    If the Key users section doesn't list the user or role, choose Add, select the user or role, and then choose Add.

From the AWS KMS console policy view:

If you've ever edited the AWS KMS key policy manually before, the key policy is only available in policy (JSON) view. Be sure that you list the ARN of the IAM user or role as Principal in the statement allowing required AWS KMS permissions.

Example: Key policy The following is an example of a KMS key policy allowing UserA access to Key1:

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            ...
        },
        {
            "Sid": "Allow access for Key Administrators",
            ...
        },
        {
            "Sid": "Allow use of the keys",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:user/UserA"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:user/UserA"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}