AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

When I launch an instance with AMI, I get an error: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state

0

In the CDK code, I created a custom KMSKey, and then configured the Image Recipe of EC2 Image Builder to use the KMSKey as the encryption key of EBS, after successfully creating the AMI, I used the AMI to launch the instance, and the consistent message failed to start, the error is as follows: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state.

KMSKey's state is enabled, otherwise the AMI would not be successfully generated, so I don't understand why the state Incorrect is still prompted.

I looked up the answer on the Internet and saw a post saying that it was a permission issue, and then I associated a role with an EC2 instance with an inline policy like this::

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "kms:*",
			"Resource": "*"
		}
	]
}

But the startup failed with the same error.

Does anyone know why?

주제
컴퓨팅보안, 신원 및 규정 준수
태그
EC2 이미지 빌더아마존 EC2IAM 정책암호화
언어
English
tong_K
질문됨 2달 전2053회 조회
1개 답변
1
수락된 답변

Hello.

Does your KMS key policy allow access from your AWS account?
Is there a policy in place to use KMS keys for the IAM user trying to launch EC2?
https://github.com/hashicorp/packer/issues/12683#issuecomment-1889831463

How about using the following KMS key policy?

{
  "Version": "2012-10-17",
  "Id": "key-policy",
  "Statement": [
      {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::AWS Accout ID:root"
          },
          "Action": "kms:*",
          "Resource": "*"
      },
      {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::AWS Accout ID:role/EC2 IAM Role"
              ]
          },
          "Action": [
              "kms:DescribeKey",
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey",
              "kms:GenerateDataKeyWithoutPlaintext"
          ],
          "Resource": "*"
      },
      {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::AWS Accout ID:role/EC2 IAM Role"
              ]
          },
          "Action": [
              "kms:CreateGrant",
              "kms:ListGrants",
              "kms:RevokeGrant"
          ],
          "Resource": "*",
          "Condition": {
              "Bool": {
                  "kms:GrantIsForAWSResource": "true"
              }
          }
      }
  ]
}
profile picture
전문가
Riku_Kobayashi
답변함 2달 전
  • tong_K
    2달 전

    Thanks you.The permissions associated with KMS for the AWS user I use are like this: "kms:CreateAlias", "kms:CreateKey", "kms:DescribeKey", "kms:ListAliases", "kms:TagResource".

  • Riku_Kobayashi 전문가
    2달 전

    You may want to check the event from CloudTrail's event history as described in the documentation below. This will allow you to check which IAM policies are missing for IAM users. You probably need to add "kms:CreateGrant" to the IAM user's IAM policy. https://repost.aws/knowledge-center/kms-iam-ec2-permission

  • tong_K
    2달 전

    Thank you, issue solved.

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠