error while connecting to EC2 via Session Manager

Question

Hi team,

I have a bastion host in my private VPC, I used to connect to it via session manager (second tab => Session Manager => click Connect button)

now I have this error when I click on the Connect button :

```
Your session has been terminated for the following reasons:  ----------ERROR------- Encountered error while initiating handshake. Fetching data key failed:
 
Unable to retrieve data key, Error when decrypting data key AccessDeniedException: The ciphertext refers to a customer master key that does not exist,

does not exist in this region, or you are not allowed to access. status code: 400, request id:xxxxxxxxxx
```

Not sure what happened to not being able to connect to the EC2 instance

this instance was created without key pair

I see my ec2 instance in the Fleet Manager on the running state

Accepted Answer

Are the permissions to manipulate the KMS key set for EC2?  
Make sure that the EC2 IAM role has an IAM policy that allows "kms:Decrypt".  
Make sure that the IAM role is set to "AmazonSSMMManagedInstanceCore".  
Also, if you are using a private subnet, check to see if there is a pathway to communicate with the KMS endpoints.  
Is there a route set up, for example, a NAT Gateway?  
If you do not use a NAT Gateway, you can also set up a VPC endpoint for communication to KMS.  
https://repost.aws/knowledge-center/ssm-session-manager-failures

You probably have KMS encryption enabled in SSM in your environment.  
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-enable-encryption.html

error while connecting to EC2 via Session Manager

Relevant content