When I launch an instance with AMI, I get an error: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state


In the CDK code, I created a custom KMSKey and then configured the Image Recipe of EC2 Image Builder to use the KMSKey as the EBS encryption key. After the AMI was created successfully, I used the AMI to launch an instance, but the launch consistently failed with the following error: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state.

The KMSKey's state is Enabled (otherwise the AMI would not have been generated successfully), so I don't understand why it still reports an incorrect state.

I looked up the answer on the Internet and saw a post saying that it was a permission issue, so I then associated a role with the EC2 instance with an inline policy like this:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "kms:*",
			"Resource": "*"
		}
	]
}

But the startup failed with the same error.

Does anyone know why?

1 Answer
Accepted Answer

Hello.

Does your KMS key policy allow access from your AWS account?
Is there a policy in place to use KMS keys for the IAM user trying to launch EC2?
https://github.com/hashicorp/packer/issues/12683#issuecomment-1889831463

How about using the following KMS key policy?

{
  "Version": "2012-10-17",
  "Id": "key-policy",
  "Statement": [
      {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::AWS Account ID:root"
          },
          "Action": "kms:*",
          "Resource": "*"
      },
      {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::AWS Account ID:role/EC2 IAM Role"
              ]
          },
          "Action": [
              "kms:DescribeKey",
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey",
              "kms:GenerateDataKeyWithoutPlaintext"
          ],
          "Resource": "*"
      },
      {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::AWS Account ID:role/EC2 IAM Role"
              ]
          },
          "Action": [
              "kms:CreateGrant",
              "kms:ListGrants",
              "kms:RevokeGrant"
          ],
          "Resource": "*",
          "Condition": {
              "Bool": {
                  "kms:GrantIsForAWSResource": "true"
              }
          }
      }
  ]
}
EXPERT
answered a month ago
  • Thank you. The permissions associated with KMS for the AWS user I use are like this: "kms:CreateAlias", "kms:CreateKey", "kms:DescribeKey", "kms:ListAliases", "kms:TagResource".

  • You may want to check the event from CloudTrail's event history as described in the documentation below. This will allow you to check which IAM policies are missing for IAM users. You probably need to add "kms:CreateGrant" to the IAM user's IAM policy. https://repost.aws/knowledge-center/kms-iam-ec2-permission

  • Thank you, issue solved.
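The thread above boils down to one check: does the key policy on the CMK name the principal that launches the instance, and does it grant every KMS action that launch needs, including kms:CreateGrant? The following script is an added example, not the answerer's code and not an AWS tool; it evaluates a key policy document offline and lists the actions a given principal is still missing. The account id 123456789012, the role name EC2LaunchRole and the list of required actions (the actions in the accepted answer's policy, expanded to concrete names, plus kms:CreateGrant from the follow-up comment) are assumptions for the example.

```python
import fnmatch
import json

# Constructed placeholder account and role; not values from the page.
ACCOUNT_ID = "123456789012"
EC2_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/EC2LaunchRole"

# Assumed set of actions an instance launch from an encrypted AMI needs:
# the actions the accepted answer grants to the EC2 role, written out as
# concrete names, plus kms:CreateGrant (the one the comment found missing).
REQUIRED_ACTIONS = [
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:CreateGrant",
]

# The accepted answer's key policy with constructed ARNs filled in.
KEY_POLICY_FULL = json.loads(f"""
{{
  "Version": "2012-10-17",
  "Id": "key-policy",
  "Statement": [
    {{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
      "Principal": {{"AWS": "arn:aws:iam::{ACCOUNT_ID}:root"}},
      "Action": "kms:*", "Resource": "*"}},
    {{"Sid": "Allow use of the key", "Effect": "Allow",
      "Principal": {{"AWS": ["{EC2_ROLE_ARN}"]}},
      "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
                 "kms:ReEncrypt*", "kms:GenerateDataKey",
                 "kms:GenerateDataKeyWithoutPlaintext"],
      "Resource": "*"}},
    {{"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
      "Principal": {{"AWS": ["{EC2_ROLE_ARN}"]}},
      "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
      "Resource": "*",
      "Condition": {{"Bool": {{"kms:GrantIsForAWSResource": "true"}}}}}}
  ]
}}
""")

# Same policy without the grant statement: the shape that reproduces the
# failure described in the question.
KEY_POLICY_NO_GRANT = dict(KEY_POLICY_FULL, Statement=KEY_POLICY_FULL["Statement"][:2])


def _as_list(value):
    """Normalise a policy field that may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, arn):
    """True if a statement's Principal element covers the given ARN."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return arn in _as_list(principal.get("AWS"))
    return False


def action_patterns(policy, principal_arn):
    """Return (allow_patterns, deny_patterns) for statements naming the principal."""
    allows, denies = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        target = allows if stmt.get("Effect") == "Allow" else denies
        target.update(a.lower() for a in _as_list(stmt.get("Action")))
    return allows, denies


def missing_actions(policy, principal_arn, required=REQUIRED_ACTIONS):
    """List required actions the key policy does not allow (or explicitly denies).

    Action names are matched case-insensitively with IAM-style wildcards,
    so "kms:ReEncrypt*" satisfies kms:ReEncryptFrom and "kms:*" satisfies all.
    Condition blocks are ignored; the kms:GrantIsForAWSResource condition in
    the answer's policy is treated as satisfied, which it is for grants that
    an AWS service such as EC2 creates on the caller's behalf.
    """
    allows, denies = action_patterns(policy, principal_arn)
    missing = []
    for action in required:
        name = action.lower()
        allowed = any(fnmatch.fnmatchcase(name, p) for p in allows)
        denied = any(fnmatch.fnmatchcase(name, p) for p in denies)
        if not allowed or denied:
            missing.append(action)
    return missing


if __name__ == "__main__":
    print("full policy, EC2 role:", missing_actions(KEY_POLICY_FULL, EC2_ROLE_ARN))
    print("no-grant policy, EC2 role:", missing_actions(KEY_POLICY_NO_GRANT, EC2_ROLE_ARN))
```

The checker only looks at the key policy; the inline policy the questioner attached to the instance role is an identity policy, and both sides must allow the action, which is why a broad identity policy alone did not fix the launch. When the check passes and the launch still fails, the CloudTrail event history suggested in the comment shows which principal actually made the failing KMS call.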
