I'm trying to launch an Amazon Elastic Compute Cloud (Amazon EC2) instance in AWS CloudFormation, but I receive the "did not stabilize" error.
Short description
The following error occurs when CloudFormation successfully launches the EC2 instance, but the instance fails to reach a stable state:
"AWS::EC2::Instance with identifier 'i-abcxyz1234' did not stabilize"
The preceding error occurs for the following reasons:
- You used an AWS Key Management Service (AWS KMS) key in a different AWS account to encrypt the Amazon Machine Image (AMI) that you launched the EC2 instance from.
- You didn't specify the AWS KMS key in the CloudFormation template.
To resolve these issues, take the following actions:
- Update the AWS KMS key policy to allow AWS KMS actions for the account where you're launching your instance.
- Confirm that the AWS KMS key exists in the account, and that you specified its AWS::KMS::Alias in the template.
Resolution
Prerequisite: To determine what caused the "did not stabilize" error, filter the AWS CloudTrail logs with kms.amazonaws.com in the Event source column. Choose Preferences, and then turn on the Error code column. The failing call appears in the Event name column, with its error in the Error code column. For more information, see How do I view encryption information about my AMI or snapshot?
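As an added example (not part of the AWS article), the following Python script applies the same filter to a CloudTrail log file offline: it keeps only kms.amazonaws.com events that carry an errorCode, in time order, and maps each one to the two causes the article lists. The records, account IDs, key ID and alias name are constructed placeholders, and the likely_cause mapping is a heuristic of this example, not an AWS classification.

```python
"""Triage CloudTrail records for the AWS KMS failures behind a "did not stabilize" error.

Added example; not part of the AWS article. Reads the CloudTrail JSON log
format (a top-level "Records" array). The sample below is constructed.
"""
import json

# Constructed sample log from the launching account. Account IDs, role
# name, key ID and alias are placeholders, not real identifiers.
SAMPLE_LOG = json.dumps({
    "Records": [
        {
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances",
            "eventTime": "2024-01-01T00:00:00Z",
        },
        {
            "eventSource": "kms.amazonaws.com",
            "eventName": "ReEncryptFrom",
            "eventTime": "2024-01-01T00:00:05Z",
            "errorCode": "AccessDenied",
            "errorMessage": (
                "User: arn:aws:sts::111122223333:assumed-role/CfnStackRole/session "
                "is not authorized to perform: kms:ReEncryptFrom on resource: "
                "arn:aws:kms:us-east-1:444455556666:key/EXAMPLE-KEY-ID"
            ),
        },
        {
            # Successful call: no errorCode field, so it is not reported.
            "eventSource": "kms.amazonaws.com",
            "eventName": "DescribeKey",
            "eventTime": "2024-01-01T00:00:06Z",
        },
        {
            "eventSource": "kms.amazonaws.com",
            "eventName": "GenerateDataKeyWithoutPlaintext",
            "eventTime": "2024-01-01T00:00:07Z",
            "errorCode": "NotFoundException",
            "errorMessage": "Alias arn:aws:kms:us-east-1:111122223333:alias/placeholder-ami-key is not found.",
        },
    ]
})


def kms_failures(log_text):
    """Return failed KMS calls, oldest first, as (eventTime, eventName, errorCode, errorMessage).

    Mirrors the console filter: Event source = kms.amazonaws.com, then only
    the rows whose Error code column is populated.
    """
    records = json.loads(log_text).get("Records", [])
    hits = [
        (r.get("eventTime", ""), r["eventName"], r["errorCode"], r.get("errorMessage", ""))
        for r in records
        if r.get("eventSource") == "kms.amazonaws.com" and "errorCode" in r
    ]
    return sorted(hits)


def likely_cause(error_code, error_message):
    """Heuristic mapping (an assumption of this example) to the article's two causes."""
    if error_code == "AccessDenied" and "kms:" in error_message:
        return "key policy does not grant this account the KMS action; update the key policy"
    if error_code == "NotFoundException":
        return "KMS key alias missing or not in this account and Region; set it in the template"
    return "other KMS error; inspect the event"


if __name__ == "__main__":
    for when, name, code, msg in kms_failures(SAMPLE_LOG):
        print(f"{when} {name}: {code} -> {likely_cause(code, msg)}")
```

Point the script at a real log file by replacing SAMPLE_LOG with the file's contents; a successful call such as DescribeKey has no errorCode and is dropped, so only the calls that actually failed reach the report.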
Update the key policy
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
When you try to access encrypted resources across AWS Regions or accounts, you might get the following error message in the CloudTrail logs:
"user/role xyz is not authorized to perform: kms:ReEncryptFrom..."
To get the AWS KMS key ID, complete the following steps:
- Open the Amazon EC2 console in the account that owns the AMI.
- In the navigation pane, choose Images, and then choose AMIs.
- Select the AMI.
- Choose the Storage tab, and then note the KMS key ID.
To check whether the key policy grants AWS KMS permissions to the account that you're launching the instance from, see View key policies.
The following key policy statement includes the necessary AWS KMS permissions:
{
    "Sid": "Allow destination account use of the customer managed key",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::destination-account:root"
        ]
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}
Note: Replace destination-account with the ID of the account where you're launching the instance.
If the key policy doesn't include the necessary AWS KMS permissions, then edit the policy to add them. Also, make sure to grant the same permissions to the Identity and Access Management (IAM) entity that performs the stack actions. To add permissions, you can use either the IAM console or the AWS CLI. To edit an existing IAM policy, see Edit IAM policies.
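As an added example (not part of the AWS article), the following Python code checks a retrieved key policy against the actions in the statement above before you launch the stack. It takes the policy JSON as text, such as the Policy field returned by `aws kms get-key-policy --key-id <key-id> --policy-name default`, and reports which required actions the destination account is not granted. The two sample policies and all account IDs are constructed placeholders; the check is deliberately simplified (it reads Allow statements only, ignores Condition blocks and Deny statements, and treats a bare account ID, the account root ARN or "*" as the account principal), which is an assumption of this example.

```python
"""Report the KMS actions a key policy does NOT grant to a destination account.

Added example; not part of the AWS article. Simplified: Allow statements
only, no Condition or Deny evaluation, no IAM-side policy evaluation.
"""
import fnmatch
import json

# The actions the article's statement grants, expanded so that the
# kms:ReEncrypt* and kms:GenerateDataKey* wildcards can be checked.
REQUIRED_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
]

# Constructed sample policies. 444455556666 owns the key; 111122223333 is the
# account launching the instance. Both IDs are placeholders.
_OWNER_STATEMENT = {
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
    "Action": "kms:*",
    "Resource": "*",
}
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    _OWNER_STATEMENT,
    {
        "Sid": "Allow destination account use of the customer managed key",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
    },
]})
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    _OWNER_STATEMENT,
    {
        "Sid": "Decrypt only",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:Decrypt",
        "Resource": "*",
    },
]})


def _as_list(value):
    """IAM allows a string or a list in Principal.AWS and Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, account_id):
    """True if the statement's Principal names the account (root ARN, bare ID) or is '*'."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    accepted = {"*", account_id, f"arn:aws:iam::{account_id}:root"}
    return any(arn in accepted for arn in _as_list(principal.get("AWS")))


def missing_actions(policy_text, account_id):
    """Return the REQUIRED_ACTIONS not allowed to account_id by any matching Allow statement."""
    policy = json.loads(policy_text)
    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_matches(stmt.get("Principal"), account_id):
            continue
        # IAM action matching is case-insensitive and supports '*' wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        for action in REQUIRED_ACTIONS:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                allowed.add(action)
    return [a for a in REQUIRED_ACTIONS if a not in allowed]


if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        gaps = missing_actions(policy, "111122223333")
        print(f"{label}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

An empty result means the key policy side is covered for that account; as the article notes, the IAM entity that performs the stack actions still needs the same actions in its own IAM policy, which this check does not evaluate.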
Specify the AWS KMS key in the CloudFormation template
If you use a BlockDeviceMapping property and you don't specify the AWS KMS key alias in the CloudFormation template, then you get the "NotFoundException" error message in the CloudTrail logs.
To resolve this issue, specify the AWS KMS key alias in the template. Make sure that the alias is in the same Region and account as the key that it's associated with.
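As an added example (not part of the AWS article), the following Python code checks an AWS::EC2::Instance template for EBS block device mappings that don't name the key, and, where KmsKeyId is an alias or key ARN, that its Region and account match the stack's. The "before" and "after" templates, the AMI ID, the alias name and the account IDs are constructed placeholders. Following the article's scenario (an instance launched from an encrypted AMI), the check expects every EBS mapping to set KmsKeyId unless the mapping is explicitly Encrypted: false; that expectation is an assumption of this example, not a general CloudFormation rule.

```python
"""Check AWS::EC2::Instance block device mappings for a missing or misplaced KmsKeyId.

Added example; not part of the AWS article. Works on the JSON form of a
CloudFormation template (load a YAML template with a YAML parser first).
"""


def _arn_region_account(value):
    """Return (region, account) if value is an ARN string, else None.

    'alias/name', a bare key ID and intrinsic functions such as {"Ref": ...}
    carry no Region or account, so they return None and are not compared.
    """
    if not isinstance(value, str) or not value.startswith("arn:"):
        return None
    parts = value.split(":", 5)
    return (parts[3], parts[4]) if len(parts) == 6 else None


def check_block_devices(template, stack_region, stack_account):
    """Return one finding per EBS mapping that lacks KmsKeyId or names a key elsewhere."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        for mapping in res.get("Properties", {}).get("BlockDeviceMappings", []):
            ebs = mapping.get("Ebs")
            if ebs is None:  # instance-store mapping, no EBS volume to encrypt
                continue
            where = f"{logical_id} {mapping.get('DeviceName', '?')}"
            if str(ebs.get("Encrypted", "")).lower() == "false":
                continue  # explicitly unencrypted volume needs no key
            key = ebs.get("KmsKeyId")
            if key is None:
                findings.append(
                    f"{where}: no KmsKeyId; set the key alias (alias/<name>) in this account and Region")
                continue
            parts = _arn_region_account(key)
            if parts and parts != (stack_region, stack_account):
                findings.append(
                    f"{where}: KmsKeyId is in {parts[0]}/{parts[1]} "
                    f"but the stack runs in {stack_region}/{stack_account}")
    return findings


def _instance_template(root_ebs):
    """Constructed template with a root volume (varies per case) and an unencrypted data volume."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "WebServer": {
                "Type": "AWS::EC2::Instance",
                "Properties": {
                    "ImageId": "ami-EXAMPLE",  # placeholder AMI ID
                    "InstanceType": "t3.micro",
                    "BlockDeviceMappings": [
                        {"DeviceName": "/dev/xvda", "Ebs": root_ebs},
                        {"DeviceName": "/dev/sdf", "Ebs": {"VolumeSize": 20, "Encrypted": False}},
                    ],
                },
            }
        },
    }


# "Before": encrypted root volume but no key named (the article's NotFoundException case).
BEFORE = _instance_template({"VolumeSize": 8, "Encrypted": True})
# "After": key alias named; a plain alias/<name> resolves in the stack's own account and Region.
AFTER = _instance_template({"VolumeSize": 8, "Encrypted": True,
                            "KmsKeyId": "alias/placeholder-ami-key"})
# Alias ARN that points at another Region than the stack (placeholder account ID).
WRONG_REGION = _instance_template({"VolumeSize": 8, "Encrypted": True,
                                   "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:alias/placeholder-ami-key"})


if __name__ == "__main__":
    for label, tmpl in (("before", BEFORE), ("after", AFTER), ("wrong region", WRONG_REGION)):
        print(label, check_block_devices(tmpl, "us-east-1", "111122223333") or "ok")
```

Run the check against the stack's target Region and account; a plain alias name passes the Region and account comparison because CloudFormation resolves it locally, while an alias or key ARN from another Region or account is reported before the stack is ever launched.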