I am not able to launch EC2 instances with encrypted AMIs or encrypted volumes using Amazon EC2 Auto Scaling

4 minute read

Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling failed to launch instances using encrypted Amazon Machine Image (AMI) or encrypted volumes. The AWS Identity and Access Management (IAM) identities (users, roles) used to create the Amazon EC2 Auto Scaling has administrator permissions.

Short description

Amazon EC2 Auto Scaling uses service-linked roles for the required permissions to call other AWS services. The permissions for SLR are hardcoded by AWS and can't be changed. By default, permissions provided to Amazon EC2 Auto Scaling SLR don't include permissions to access AWS KMS keys.

You can use AWS managed keys or customer managed keys to encrypt Amazon Elastic Block Store (Amazon EBS) volumes or AMIs with Amazon EC2 Auto Scaling. Amazon EC2 Auto Scaling doesn't need additional permissions to use AWS managed keys. However, Amazon EC2 Auto Scaling SLR must have additional permissions with customer managed keys.

Resolution

Follow these instructions depending on if Amazon EC2 Auto Scaling is using the customer managed key present in the same or external AWS account.

Note:

The following examples use the default Amazon EC2 Auto Scaling SLR AWSServiceRoleForAutoScaling, but you can also create a unique role name.
If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
AWS KMS grants must be created from the account that owns the Amazon EC2 Auto Scaling group, not the AWS KMS account. For more information, see Using grants.

Amazon EC2 Auto Scaling is using the customer managed key present in the same AWS account

Follow the instructions for changing a key policy and add the following example statement:

Note: Replace 123456789012 with the account ID where the Amazon EC2 Auto Scaling group is deployed.

{
    "Sid": "Allow service-linked role use of the KMS",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        ]
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        ]
    },
    "Action": [
        "kms:CreateGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": true
        }
    }
}

Amazon EC2 Auto Scaling is using the customer managed key present in the external AWS account

1. Follow the instructions for changing a key policy. Modify the key policy to grant permissions to the IAM entity present in the external AWS account for performing the CreateGrant API action:

{
    "Sid": "Allow external account 111122223333 use of the KMS",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::111122223333:root"
        ]
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources in external account 111122223333",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::111122223333:root"
        ]
    },
    "Action": [
        "kms:CreateGrant"
    ],
    "Resource": "*"
}

2. Use the AWS CLI command create-grant with the credentials of an IAM entity present in the AWS account that owns the Amazon EC2 Auto Scaling group.

Note: Replace 444455556666 with the account ID where the KMS key is present.

$ aws kms create-grant --key-id arn:aws:kms:us-west-2:444455556666:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d --grantee-principal arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling --operations Decrypt GenerateDataKeyWithoutPlaintext ReEncryptFrom ReEncryptTo CreateGrant

Note: Be sure that the IAM entity has permissions to perform the CreateGrant API action. If CreateGrant permissions are missing, then add the following statement to the IAM entity's attached policy:

{
      "Sid": "AllowCreationOfGrantForTheKMSinExternalAccount444455556666",
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:us-west-2:444455556666:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d"
}

Related information

Service-linked roles for Amazon EC2 Auto Scaling

Required KMS key policy for use with encrypted volumes

Topics

Security, Identity, & Compliance

Relevant content

Auto Scaling Groups, Launch Template and EC2 instance with multiple ENIs with different configurations.
adi
asked 9 months ago
EC2 Auto Scaling
DBWS
asked a year ago
Cloud watch EC2 Metrics for Auto Scaling Environment
imtiaza
asked 4 months ago
EC2 image builder creating AMIs with encrypted volumes
Accepted Answer
aditya_kothari
asked 5 months ago
How are EBS volumes in an unhealthy instance handled when a new instance is created by Auto Scaling?
Accepted Answer
sandeepv
asked 3 years ago
Why can’t I launch an EC2 instance using a launch template?
AWS OFFICIALUpdated 10 days ago
Why did Amazon EC2 Auto Scaling terminate an instance?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot scaling issues with my Amazon EC2 Auto Scaling group?
AWS OFFICIALUpdated 2 years ago
How do I verify that EC2 Auto Scaling lifecycle actions complete when using AWS CodeDeploy?
AWS OFFICIALUpdated 9 months ago
Introducing Amazon EC2 I4g storage-optimized instances
EXPERT
Markus Adhiwiyogo
published 24 days ago