Why can't I launch EC2 instances from my copied AMI?

4 minute read
0

I copied my Amazon Machine Image (AMI) to a different AWS account or AWS Region. However, I can't launch Amazon Elastic Compute Cloud (Amazon EC2) instances from the copied AMI.

Short description

If you don't have the following permissions, then you can't launch instances from a copied AMI with an encrypted Amazon Elastic Block Store (Amazon EBS):

  • The AWS Key Management Service (AWS KMS) customer managed key policy is missing the correct principals that allow the requesting account to access the AMI.
  • The AWS Identity and Access Management (IAM) entity in the requesting account doesn't have the necessary AWS KMS permissions for the volume's cross-account AWS KMS key.

Resolution

Turn on cross-account access to existing AWS KMS custom keys on the copied AMI

For detailed instructions, see Share custom encryption keys more securely between accounts by using AWS Key Management Service.

Set permissions for EC2 instances to access the AWS KMS key

1.    Open the AWS KMS console.
Note: Make sure you're in the correct Region.

2.    Choose Customer managed keys, and then select the appropriate key.

3.    Under Key policy, scroll to Key users. Verify that the Key users section lists all internal and external accounts and users that require access to the key.

4.    If any accounts or users are missing from the Key users section, then under Key Policy, choose Switch to policy view.
Note: If you manually edited the AWS KMS key policy at any point, then the key policy is available only in policy (JSON) view.

5.    Verify that the Allow use of the key statement in the key policy is correct. The statement must include the ARN of all accounts and users who require access to the key.

The following is an example snippet of the Allow use of the key statement in the default key policy. The example includes the following ARNs:

  • The external AWS account that contains the copied AMI.
  • The parent account of the AMI.
  • A user within the external account.

For an overview and example of the entire default key policy, see Default key policy.

{
	"Sid": "Allow use of the key",
	"Effect": "Allow",
	"Principal": {
		"AWS": [
			"arn:aws:iam::111122223333:root",
			"arn:aws:iam::444455556666:root",
			"arn:aws:iam::111122223333:user/UserA"
		]
	},
	"Action": [
		"kms:Encrypt",
		"kms:Decrypt",
		"kms:ReEncrypt*",
		"kms:GenerateDataKey*",
		"kms:DescribeKey"
	],
	"Resource": "*"
},   
{
	"Sid": "Allow attachment of persistent resources",
	"Effect": "Allow",
	"Principal": {
		"AWS": [
			"arn:aws:iam::111122223333:root",
			"arn:aws:iam::444455556666:root",
			"arn:aws:iam::111122223333:user/UserA"
		]
	},
	"Action": [
		"kms:CreateGrant",
		"kms:ListGrants",
		"kms:RevokeGrant"
	],
	"Resource": "*",
	"Condition": {
		"Bool": {
			"kms:GrantIsForAWSResource": "true"
		}
	}
}]
}

6.    Create and assign an IAM policy.

Create the IAM policy and attach it to your IAM user or group

To create an IAM policy and attach it to your IAM user or group, complete the following steps:

Note: If you already created an IAM policy, then proceed to step 7 to attach the policy. 

1.    Open to the IAM console with your user that has administrator permissions.

2.    Choose Policies.

3.    Choose Create policy.

4.    Choose the JSON tab. Copy the following example JSON policy, and then enter it into the JSON text box. Replace arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE with the ARN of your AWS KMS key.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "AllowUseOfTheKey",
		"Effect": "Allow",
		"Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
		"Resource": ["arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE"]
	}, {
		"Sid": "AllowAttachmentOfPersistentResources",
		"Effect": "Allow",
		"Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
		"Resource": ["arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE"],
		"Condition": {
			"Bool": {
				"kms:GrantIsForAWSResource": true
			}
		}
	}]
}

5.    Choose Review policy. The Policy Validator reports any syntax errors.

6.    On the Review page, enter KmsKeyUsagePolicy for the policy name. Review the policy summary to see the permissions that your policy grants, and then choose Create policy to save the policy. The new policy appears in the list of managed policies and is ready to attach to your IAM user or group.

7.    In the navigation pane of the IAM console, choose Policies.

8.    In the search box, enter KmsKeyUsagePolicy. Then, check the box that's next to KmsKeyUsagePolicy.

9.    Choose Policy actions, and then choose Attach.

10.   For Filter, choose Users.

11.    In the search box, enter your username. Then, check the box that's next to your username.

12.    Choose Attach Policy.

Related information

Copy an AMI

Editing keys

Tutorial: Create and attach your first customer managed policy

Validating IAM policies

AWS OFFICIAL
AWS OFFICIALUpdated 8 months ago