error while connecting to EC2 via Session Manager

0

Hi team,

I have a bastion host in my private VPC, I used to connect to it via session manager (second tab => Session Manager => click Connect button)

now I have this error when I click on the Connect button :

Your session has been terminated for the following reasons:  ----------ERROR------- Encountered error while initiating handshake. Fetching data key failed:
 
Unable to retrieve data key, Error when decrypting data key AccessDeniedException: The ciphertext refers to a customer master key that does not exist, 

does not exist in this region, or you are not allowed to access. status code: 400, request id:xxxxxxxxxx

Not sure what happened to not being able to connect to the EC2 instance

this instance was created without key pair

I see my ec2 instance in the Fleet Manager on the running state

JessDL
asked a year ago513 views
1 Answer
0
Accepted Answer

Are the permissions to manipulate the KMS key set for EC2?
Make sure that the EC2 IAM role has an IAM policy that allows "kms:Decrypt".
Make sure that the IAM role is set to "AmazonSSMMManagedInstanceCore".
Also, if you are using a private subnet, check to see if there is a pathway to communicate with the KMS endpoints.
Is there a route set up, for example, a NAT Gateway?
If you do not use a NAT Gateway, you can also set up a VPC endpoint for communication to KMS.
https://repost.aws/knowledge-center/ssm-session-manager-failures

You probably have KMS encryption enabled in SSM in your environment.
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-enable-encryption.html

profile picture
EXPERT
answered a year ago
profile picture
EXPERT
reviewed a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions