Can’t Launch EC2 Instances from copied AMI? We can help you.
Recently, one of our customers copied his Amazon Machine Image (AMI) to a different account or Region.
However, he could not launch Amazon EC2 instances from the copied AMI.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
Today, let us see how to fix this.
Can’t Launch EC2 Instances from copied AMI
We may fail to launch instances from a copied AMI with an encrypted Amazon EBS volume for either of the following reasons:
- The key policy of the AWS Key Management Service (KMS) customer master key (CMK) is missing the principals that need access to the key.
- The AWS IAM entity in the requesting account doesn’t have the necessary KMS permissions for the volume’s cross-account CMK.
Set permissions for EC2 instances to access the KMS key
1. Initially, we open the AWS KMS console.
2. Then we select Customer managed keys, and then the appropriate key.
3. Under Key policy, we scroll down to Key users. Here, we make sure that the section lists all internal and external accounts and users that need access to the key.
4. If an account or user is missing, we select the Policy view.
5. We verify that the Allow use of the key statement in the key policy is correct.
For example, here are the Allow use of the key and Allow attachment of persistent resources statements from the default key policy. Account 111122223333 owns the key, 444455556666 is the external account, and UserA is an IAM user in the owning account. The other statements of the default policy (key administrators and the Enable IAM User Permissions statement for the owning account) are omitted here; we leave them in place and only add the missing principals to the two statements shown.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root",
          "arn:aws:iam::111122223333:user/UserA"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root",
          "arn:aws:iam::111122223333:user/UserA"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
If the requesting account does not yet have an IAM policy that grants these KMS permissions, our Support Techs recommend the steps in the following section to create one and attach it.
Create the IAM policy and attach it to the IAM user or group
1. First, we sign in to the IAM console with a user that has administrator permissions.
2. Then we select Policies > Create policy.
3. After that, we go to the JSON tab, copy the following sample JSON policy, and paste it into the JSON text box.
Here, we replace REGION, MAINACCOUNTNUMBER and the key ID with the ARN of our own CMK.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUseOfTheKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE"
      ]
    },
    {
      "Sid": "AllowAttachmentOfPersistentResources",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": [
        "arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE"
      ],
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}
4. Then we select Review policy.
5. Here, we enter KmsKeyUsagePolicy as the policy name.
We can review the policy Summary to see the permissions granted, and then select Create policy to save it.
It will appear in the list of managed policies and is ready to attach to the IAM user or group.
6. Next, we select Policies in the navigation pane of the IAM console.
7. In the search box at the top of the policy list, we type KmsKeyUsagePolicy until the policy appears, then check the box next to it.
8. Then we select Policy actions > Attach.
9. For Filter, we select Users.
10. In the search box, we type the username and check the box next to that user in the list.
11. Finally, we select Attach policy.
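As an added illustration (not code from the original post, from Bobcares or from AWS), here is a small offline checker that applies the two checks described above: it takes a parsed KMS key policy and the requester's IAM identity policy and reports which of the KMS actions an instance launch needs are still missing for a given principal and key ARN. The ARNs, the user name LaunchUser, the function names and the sample policies are constructed for the example, and the list of concrete actions that kms:ReEncrypt* and kms:GenerateDataKey* are expected to cover is our assumption of what EC2 exercises when it attaches an encrypted volume.

```python
import fnmatch

# Constructed sample ARNs (same placeholder account numbers as the post).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1a345678-1234-1234-1234-EXAMPLE"
OWNER_ROOT = "arn:aws:iam::111122223333:root"       # account that owns the CMK
EXTERNAL_ROOT = "arn:aws:iam::444455556666:root"    # account launching the instance
EXTERNAL_USER = "arn:aws:iam::444455556666:user/LaunchUser"  # hypothetical user

# Assumed set of actions EC2 needs on the CMK to attach an encrypted EBS volume;
# the wildcards kms:ReEncrypt* and kms:GenerateDataKey* in the post cover these.
REQUIRED_USE_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]
REQUIRED_GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
REQUIRED_ACTIONS = REQUIRED_USE_ACTIONS + REQUIRED_GRANT_ACTIONS


def _as_list(value):
    """Principal.AWS, Action and Resource may each be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, requester_arns):
    """True when a key-policy statement's Principal covers the requester."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return "*" in aws or any(arn in aws for arn in requester_arns)


def _grant_condition_ok(statement):
    """EC2 creates the grant on the caller's behalf, so a
    kms:GrantIsForAWSResource condition must be true (or absent)."""
    value = statement.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
    return value is None or str(value).lower() == "true"


def missing_actions(policy, requester_arns, key_arn):
    """Required actions that `policy` does NOT grant the requester on `key_arn`.

    Works for a key policy (statements carry Principal) and for an identity
    policy (no Principal; the requester is implied). An explicit Deny wins;
    NotAction/NotPrincipal/NotResource and non-Bool conditions are not modelled.
    """
    allowed, denied = set(), set()
    for st in _as_list(policy.get("Statement")):
        if "Principal" in st and not _principal_matches(st["Principal"], requester_arns):
            continue
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in _as_list(st.get("Resource"))):
            continue
        patterns = _as_list(st.get("Action"))
        matched = {a for a in REQUIRED_ACTIONS
                   if any(fnmatch.fnmatchcase(a, p) for p in patterns)}
        if st.get("Effect") == "Deny":
            denied |= matched            # conditions on a Deny are ignored (conservative)
        elif st.get("Effect") == "Allow":
            if not _grant_condition_ok(st):
                matched -= set(REQUIRED_GRANT_ACTIONS)
            allowed |= matched
    return sorted(set(REQUIRED_ACTIONS) - (allowed - denied))


def make_key_policy(key_users):
    """Constructed key policy in the shape of the default one shown in the post."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": OWNER_ROOT}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": key_users},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": key_users},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]}


def make_identity_policy(key_arn, grant_is_for_aws_resource=True):
    """Constructed identity policy matching the KmsKeyUsagePolicy from the post."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowUseOfTheKey", "Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": [key_arn]},
        {"Sid": "AllowAttachmentOfPersistentResources", "Effect": "Allow",
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": [key_arn],
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": grant_is_for_aws_resource}}},
    ]}


def check_cross_account(key_policy, identity_policy, requester_arns, key_arn):
    """Both policies must grant everything; returns what each one still lacks."""
    return {"key_policy": missing_actions(key_policy, requester_arns, key_arn),
            "identity_policy": missing_actions(identity_policy, requester_arns, key_arn)}


if __name__ == "__main__":
    requester = [EXTERNAL_ROOT, EXTERNAL_USER]
    complete = make_key_policy([OWNER_ROOT, EXTERNAL_ROOT])
    broken = make_key_policy([OWNER_ROOT])      # external account was never added
    print("complete:", check_cross_account(complete, make_identity_policy(KEY_ARN), requester, KEY_ARN))
    print("broken:", check_cross_account(broken, make_identity_policy(KEY_ARN), requester, KEY_ARN))
```

Run as a script, the first line reports no gaps and the second shows every required action missing from the key policy, which is the situation behind the customer's launch failure: the identity policy in the requesting account is fine, but the key owner never added that account to the key policy. The checker only flags what is missing and does not prove that access is granted, because Deny statements win, conditions on a Deny are ignored, and NotAction, NotPrincipal and non-Bool conditions are left out; for the live answer the policy simulator or a test launch remains the authority.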
Conclusion
In short, we saw how our Support Techs fix the failure to launch EC2 instances from a copied AMI with encrypted EBS volumes by correcting the KMS key policy and the IAM policy of the requesting account.