Cannot select "do not enable" for KMS key, Region settings in EC2 ImageBuilder Distribution Settings


Hi all

When I create EC2 Image Builder distribution settings, I cannot select "do not enable" for the KMS key in the Region settings. When I leave it blank, the AMI copy to other accounts fails. The error message is: AMI snapshot copy failed with error: Given key ID is not accessible.

What is wrong with this?

Thanks.

asked a month ago, 32 views
1 Answer

The issue you're experiencing with EC2 Image Builder Distribution Settings and KMS key configuration is likely related to permissions and cross-account access. When distributing AMIs to other accounts, proper KMS key configuration is crucial for successful distribution.

Here are a few points to consider:

  1. KMS Key State: Ensure that the KMS key you're using is in the "Enabled" state. A disabled KMS key will cause distribution failures.

  2. KMS Key Policy: The KMS key policy needs to allow access from both the source account (where the Image Builder pipeline runs) and the target accounts (where the AMI is being distributed).

  3. Cross-Account Permissions: For cross-account AMI distribution, you need to set up the correct IAM roles and permissions in both the source and target accounts. This includes creating a role in the destination account that Image Builder can assume to create and manage AMIs.

  4. Region Settings: When configuring distribution settings, use the "Region settings-Target accounts" option to specify the accounts where you want to copy the AMI. This creates an actual copy of the AMI in the target accounts.

  5. Encryption: If you're using encryption, make sure the key policies are set up correctly to allow cross-account access.

To resolve the issue:

  1. Review and update your KMS key policy to ensure it grants the necessary permissions to both source and target accounts.

  2. Verify that the IAM roles in both source and target accounts have the required permissions for KMS operations and AMI management.

  3. Double-check that you've correctly set up cross-account distribution as per AWS documentation.

  4. If you're not using encryption, consider temporarily disabling it to isolate the issue.

If the problem persists after verifying these settings, you may need to contact AWS support for further assistance, as there could be an underlying issue with the Image Builder service or account configurations.
Sources
Difference between "Region settings-Target accounts" and "AMI sharing-AWS accounts" in ImageBuilder | AWS re:Post
When I launch an instance with AMI, I get an error: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state | AWS re:Post
Enable and disable keys - AWS Key Management Service

answered a month ago
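The answer's points 2 and 5 (key policy must allow the target accounts to use the key) and resolution step 1 (review the key policy) are the part that is easiest to get wrong, so here is an added example, not taken from this thread or from AWS, that builds a key policy with the statements the destination account needs to copy an encrypted snapshot, and a small lint that reports which required KMS actions a given account is still missing. The account IDs are constructed placeholders; the action list and the `kms:GrantIsForAWSResource` condition follow the documented pattern for sharing encrypted snapshots across accounts. Note that an empty result from the lint only means the key policy is fine: the destination account still needs the cross-account distribution role the answer's point 3 describes.

```python
"""Build and lint a KMS key policy for cross-account encrypted AMI distribution.

Added example (not code from the re:Post thread or from AWS). The account
IDs below are constructed placeholders. The required action set follows the
documented pattern for letting another account use a KMS key to copy an
encrypted EBS snapshot, which is what Image Builder does when it distributes
an encrypted AMI to a target account.
"""
from fnmatch import fnmatch

# Actions the target account needs on the key to read and re-encrypt the snapshot.
REQUIRED_ACTIONS = {
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
}
# Needed so EBS in the target account can attach a persistent grant to the key.
GRANT_ACTION = "kms:CreateGrant"


def build_key_policy(source_account: str, target_accounts: list[str]) -> dict:
    """Return a key policy that keeps the owner in control and grants the
    target accounts exactly the actions an encrypted snapshot copy needs."""
    targets = [f"arn:aws:iam::{acct}:root" for acct in target_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Owner account keeps full administrative control of the key.
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Target accounts may use (but not administer) the key.
                "Sid": "AllowTargetAccountsToUseTheKey",
                "Effect": "Allow",
                "Principal": {"AWS": targets},
                "Action": sorted(REQUIRED_ACTIONS),
                "Resource": "*",
            },
            {   # Grants are limited to ones created on behalf of AWS services.
                "Sid": "AllowAttachmentOfPersistentResources",
                "Effect": "Allow",
                "Principal": {"AWS": targets},
                "Action": [GRANT_ACTION],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_covers(principal, account: str) -> bool:
    """True if the statement's Principal names the account (root ARN, bare
    account ID, or the '*' wildcard). Role- or user-level ARNs are not
    resolved here, so a policy scoped to a specific role reads as 'missing'."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", account, f"arn:aws:iam::{account}:root"):
            return True
    return False


def missing_permissions(policy: dict, account: str) -> set:
    """Return the required KMS actions the key policy does NOT allow for
    `account`. Only Allow statements on Resource '*' are considered; Deny
    statements and non-grant conditions are ignored, so treat an empty result
    as necessary, not sufficient."""
    wanted = REQUIRED_ACTIONS | {GRANT_ACTION}
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_covers(stmt.get("Principal"), account):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for allowed in _as_list(stmt.get("Action", [])):
            # fnmatch lets "kms:*" in the policy satisfy every required action.
            granted |= {w for w in wanted if fnmatch(w, allowed)}
    return wanted - granted


if __name__ == "__main__":
    policy = build_key_policy("111111111111", ["222222222222"])
    print("target 222222222222 missing:", missing_permissions(policy, "222222222222"))
    # An account the policy never mentions is the "Given key ID is not accessible" case.
    print("target 333333333333 missing:", sorted(missing_permissions(policy, "333333333333")))
```

Run the lint against the live key policy (for example the output of `aws kms get-key-policy --policy-name default`) for every account listed under "Region settings-Target accounts"; any non-empty result for an account matches the symptom in the question, where the copy fails before the snapshot can be decrypted in the destination.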
