
ASG KMS customer managed key


  1. I have a customer managed KMS key for encrypting all EBS volumes by default.
  2. When I try to create an instance with an Auto Scaling group using a launch template, it fails. (screenshot omitted)
  3. I tried to solve it, since the instance is launched by an AWS service (e.g., EC2 Auto Scaling):

  • Add a similar policy statement for the service-linked role of that AWS service.

So here:

  1. What is the principal, and where can I find it?
  2. Is this correct? If I add a policy to the KMS key allowing KMS actions for the service-linked role, will that solve it?
asked 19 days ago, 27 views
1 Answer
Accepted Answer

When you have enabled EBS volume automatic encryption using a customer managed KMS key, you need to ensure that the Auto Scaling service has permission to use this key. The error "Client.InvalidKMSKey.InvalidState" typically occurs because the service-linked role used by Auto Scaling doesn't have the necessary permissions to use your customer managed KMS key.

To solve this issue, you need to update your KMS key policy to include permissions for the Auto Scaling service-linked role. Here's what you need to do:

  1. For the principal, you need to use the service-linked role for Auto Scaling, which is typically: arn:aws:iam::<your-account-id>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling

  2. Add the following policy statement to your KMS key policy:

    {
        "Sid": "Allow service-linked role use of the customer managed key",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<your-account-id>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
        ],
        "Resource": "*"
    }

  3. You also need to add another policy statement to allow the service-linked role to create grants:

    {
        "Sid": "Allow attachment of persistent resources",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<your-account-id>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        },
        "Action": "kms:CreateGrant",
        "Resource": "*",
        "Condition": {
            "Bool": {
                "kms:GrantIsForAWSResource": true
            }
        }
    }

Adding these policy statements to your KMS key policy will grant the necessary permissions to the Auto Scaling service-linked role to use your customer managed key for encrypting and decrypting EBS volumes, which should resolve the error you're experiencing.
Sources
Troubleshoot Amazon EC2 Auto Scaling: EC2 instance launch failures - Amazon EC2 Auto Scaling
Required AWS KMS key policy for use with encrypted volumes - Amazon EC2 Auto Scaling
Use a shared encrypted AMI in an Auto Scaling group | AWS re:Post
How to resolve “Client.InvalidKMSKey.InvalidState” error when creating an ElasticBeanstalk environment ? | AWS re:Post

answered 19 days ago
AWS
EXPERT
reviewed 19 days ago
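A worked version of the procedure in the accepted answer, added here as an example and not part of the original post or of any AWS tooling: a Python script that appends the two statements to an existing key policy document without dropping what is already there, and then checks that the Auto Scaling service-linked role ends up with every action it needs. The account ID 111122223333 and the starting policy (only the default root statement) are constructed sample input. In practice you would fetch the current policy with `aws kms get-key-policy --key-id <key-id> --policy-name default --output text`, feed it to `add_autoscaling_access`, and write the result back with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json`.

```python
import copy
import json

# Constructed sample input: a key policy that still has only the default
# "Enable IAM User Permissions" statement. Replace with the real policy
# fetched via `aws kms get-key-policy`.
EXISTING_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

# Actions the answer grants for day-to-day use of the key.
USE_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]


def autoscaling_slr_arn(account_id: str) -> str:
    """ARN of the EC2 Auto Scaling service-linked role. The role name is
    fixed by AWS; only the account ID differs between accounts."""
    return (f"arn:aws:iam::{account_id}:role/aws-service-role/"
            "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")


def slr_statements(account_id: str) -> list:
    """The two statements from the accepted answer, for the given account."""
    principal = {"AWS": autoscaling_slr_arn(account_id)}
    return [
        {
            "Sid": "Allow service-linked role use of the customer managed key",
            "Effect": "Allow",
            "Principal": principal,
            "Action": USE_ACTIONS,
            "Resource": "*",
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": principal,
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
    ]


def add_autoscaling_access(policy: dict, account_id: str) -> dict:
    """Return a copy of `policy` with the two SLR statements appended.
    Existing statements are kept (a key policy without the root statement
    can lock the account out of the key), and a statement whose Sid is
    already present is not added twice, so re-running is harmless."""
    updated = copy.deepcopy(policy)
    statements = updated.setdefault("Statement", [])
    present = {s.get("Sid") for s in statements}
    for stmt in slr_statements(account_id):
        if stmt["Sid"] not in present:
            statements.append(stmt)
    return updated


def _as_list(value):
    return value if isinstance(value, list) else [value]


def slr_is_allowed(policy: dict, account_id: str) -> bool:
    """Does the policy grant the Auto Scaling SLR all USE_ACTIONS plus
    kms:CreateGrant via Allow statements? Only the AWS principal element is
    inspected; wildcard actions match on their prefix. Deny statements and
    condition keys are not evaluated (this is a sanity check, not IAM)."""
    arn = autoscaling_slr_arn(account_id)
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = _as_list(principal.get("AWS", []))
        else:
            principals = _as_list(principal)  # e.g. "*"
        if arn not in principals and "*" not in principals:
            continue
        granted.update(_as_list(stmt.get("Action", [])))
    needed = USE_ACTIONS + ["kms:CreateGrant"]
    return all(
        any(g == n or (g.endswith("*") and n.startswith(g[:-1])) for g in granted)
        for n in needed
    )


if __name__ == "__main__":
    new_policy = add_autoscaling_access(EXISTING_KEY_POLICY, "111122223333")
    print(json.dumps(new_policy, indent=2))
```

For the question of where to find the principal: the service-linked role exists in the account once Auto Scaling has been used there, and `aws iam get-role --role-name AWSServiceRoleForAutoScaling` returns its exact ARN, which should match what `autoscaling_slr_arn` builds for your account ID. If the group uses a custom service-linked role (a name under `aws-service-role/autoscaling.amazonaws.com/` other than the default), use that role's ARN instead.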
