1 Answer
Are the permissions to manipulate the KMS key set for EC2?
Make sure that the EC2 IAM role has an IAM policy that allows "kms:Decrypt".
Make sure that the IAM role is set to "AmazonSSMManagedInstanceCore".
Also, if you are using a private subnet, check to see if there is a pathway to communicate with the KMS endpoints.
Is there a route set up, for example, a NAT Gateway?
If you do not use a NAT Gateway, you can also set up a VPC endpoint for communication to KMS.
https://repost.aws/knowledge-center/ssm-session-manager-failures
You probably have KMS encryption enabled in SSM in your environment.
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-enable-encryption.html
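The two checks the answer describes (an instance role that carries AmazonSSMManagedInstanceCore plus a policy granting kms:Decrypt on the session encryption key), as an added example that is not part of the original answer. The key ARN, the policy document and the attached-policy list are constructed placeholders; the evaluator is a deliberately simplified offline model of IAM (explicit Deny wins over Allow, wildcards in actions and resources, no Condition blocks, no key policies), meant for sanity-checking a policy document before attaching it, not as a replacement for the IAM policy simulator.

```python
"""Instance-role policy for Session Manager KMS encryption and an offline checker.

Added example, not code from the re:Post thread or from AWS. Constructed values:
  - SESSION_KEY_ARN is a placeholder for the key chosen under
    Session Manager > Preferences > KMS encryption
  - the managed-policy name list passed to check_instance_role() is a sample
"""
import fnmatch
import json

# Placeholder key ARN (constructed). Replace with the real session key.
SESSION_KEY_ARN = (
    "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
)

# Inline policy to attach to the EC2 instance role alongside the
# AmazonSSMManagedInstanceCore managed policy. Scoped to the single session key
# rather than "Resource": "*" so the instance cannot decrypt with other keys.
SESSION_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSessionManagerKmsDecrypt",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": [SESSION_KEY_ARN],
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' any run of characters, '?' one character.
    Action names are case-insensitive; resource ARNs are compared as written."""
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def statement_applies(stmt, action, resource):
    """True if the statement names both the action and the resource."""
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return any(_matches(a, action, True) for a in actions) and any(
        _matches(r, resource, False) for r in resources
    )


def policies_allow(policy_docs, action, resource):
    """Simplified IAM evaluation across several policy documents:
    an explicit Deny that applies wins; otherwise any applicable Allow grants.
    Conditions, NotAction/NotResource and KMS key policies are not modelled."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def check_instance_role(managed_policy_names, inline_policy_docs, key_arn):
    """Report the two things the answer says to verify on the instance role."""
    return {
        "has_ssm_core": "AmazonSSMManagedInstanceCore" in managed_policy_names,
        "can_decrypt_session_key": policies_allow(
            inline_policy_docs, "kms:Decrypt", key_arn
        ),
    }


if __name__ == "__main__":
    # Print the policy document ready to paste into the role, then the findings
    # for a constructed role that has the managed policy and this inline policy.
    print(json.dumps(SESSION_KMS_POLICY, indent=2))
    print(
        check_instance_role(
            ["AmazonSSMManagedInstanceCore"], [SESSION_KMS_POLICY], SESSION_KEY_ARN
        )
    )
```

The evaluator is intentionally strict about the resource: a policy written for one key ARN does not satisfy the check for a different key, which is the usual mistake when the Session Manager preference is later switched to another key. Note that kms:Decrypt on the instance role is only half of the pairing the AWS documentation linked above describes; the IAM user or role that starts the session separately needs kms:GenerateDataKey on the same key.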
Thank you for your answer. I added the KMS permission and it works now, but I'm not sure why it requires the KMS permission now? It was working before without the KMS permission.
I believe someone may have enabled KMS encryption in Session Manager. If this is enabled, it will be necessary to attach a policy to the EC2 that allows KMS operations. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-enable-encryption.html