When you attach the encrypted volume to an instance, Amazon EC2 sends a CreateGrant request to AWS KMS so that it can decrypt the data key.
You are invoking "StartInstances" API with your IAM user or Role which has enough privileges on KMS which is the reason EC2 instance is starting all the time with encrypted volumes. If your user ID or Role does not have access to KMS then Ec2 instance will not launch and Ec2 running status will change from Pending to Stopped state every time after starting instance.
Noob question about KMS and EC2asked 22 days ago
EC2 stops after Start Instance is initiatedasked a year ago
How does an EC2 instance assume an IAM Role?Accepted Answerasked 8 months ago
Should i enable an SSL connection between my loadbalancer and my EC2 instance?Accepted Answerasked 5 months ago
What IAM Role permissions required to restore CMK encrypted EC2 instances ?asked 3 years ago
Type of disk attached to an instanceAccepted Answerasked a year ago
EC2 instance starting status check fails after a volume attachment and dettachment exercise to my linux instance root volumeasked 6 months ago
What are the minimum permission needed to start an EC2 instanceasked 5 months ago
How do you find the EBS Volume IDS for a Volume that was created and attached at EC2 Instance Launch Time ?asked 7 months ago
How to attach EBS volume from original EC2 instance to a new EC2 instance?asked 7 months ago