Bobcares

Can’t Launch EC2 Instances from copied AMI – How to fix this?

by | Aug 28, 2021

Can’t Launch EC2 Instances from copied AMI? We can help you.

Recently, one of our customers copied his Amazon Machine Image (AMI) to a different account or Region.

However, he could not launch the Amazon EC2 instances from the copied AMI.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how to fix this.

Can’t Launch EC2 Instances from copied AMI

Launching an instance from a copied AMI whose Amazon EBS snapshot is encrypted fails for one of the following reasons:

  • The AWS Key Management Service (KMS) CMK key policy is missing the principals (accounts or users) that need access to the key.
  • The AWS IAM entity in the requesting account does not have the necessary KMS permissions for the volume's cross-account CMK.

Set permissions for EC2 instances to access the KMS key

1. Initially, we open the AWS KMS console.

2. Then we select Customer managed keys, and then the appropriate key.

3. Under Key policy, we scroll down to Key users and make sure that the section lists every internal and external account and user that needs access to the key.

4. If an account or user is missing, we switch to the Policy view.

5. We verify that the Allow use of the key statement in the key policy is correct.

For example, here are the Allow use of the key and Allow attachment of persistent resources statements from the default key policy, shown here with the Version and Statement fields that make the document a complete, valid key policy (a real default key policy also carries other statements, such as the key administrator statement, which are omitted here; the account IDs and UserA are AWS placeholder values):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root",
          "arn:aws:iam::111122223333:user/UserA"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root",
          "arn:aws:iam::111122223333:user/UserA"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

If the IAM entity in the requesting account does not yet have a policy granting these KMS permissions, our Support Techs recommend creating and attaching one as described in the next section.

Create the IAM policy and attach it to the IAM user or group

1. First, we sign in to the IAM console with the user that has administrator permissions.

2. Then we select Policies > Create policy.

3. After that, we go to the JSON tab, copy the following sample JSON policy and paste it into the JSON text box.

Here, we replace REGION, MAINACCOUNTNUMBER and the example key ID in both Resource ARNs with the ARN of our own CMK.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUseOfTheKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE"
      ]
    },
    {
      "Sid": "AllowAttachmentOfPersistentResources",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": [
        "arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE"
      ],
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}

4. Then we select Review policy.

5. Here, we enter KmsKeyUsagePolicy for the policy name.

We can review the policy Summary to see the permissions granted, and then select Create policy to save it.

The policy then appears in the list of managed policies and is ready to attach to the IAM user or group.

6. Next, we select Policies in the navigation pane of the IAM console.

7. In the search box at the top of the policy list, we type KmsKeyUsagePolicy to filter the list. Then we check the box next to the policy.

8. Next we select Policy actions > Attach.

9. For Filter, we select Users.

10. In the search box, we type the username. Then we check the box next to that user in the list.

11. Finally, we select Attach Policy.
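The two console walkthroughs above (the key policy check and the IAM policy check) can be reproduced offline as a small policy linter. The following is an added example written for this page; it is not code from the Bobcares post or from AWS, and it never calls AWS. The function names (missing_key_policy_actions, missing_iam_policy_actions), the sample key policy and IAM policy, the us-east-1 Region in the key ARN and the account IDs are all constructed for the example; the key ID reuses the placeholder from the sample policy above. The sample key policy deliberately lists the second account only in the "Allow use of the key" statement and not in "Allow attachment of persistent resources", which is the half-finished edit that produces the launch failure this page describes.

```python
"""Offline checker for the two KMS permission layers the steps above verify by hand.

Added example, not code from the Bobcares post or from AWS; it never calls AWS.
(1) Does the CMK's key policy name a principal (directly or via its account root)
in an Allow statement for every action EC2 needs?  (2) Does the IAM identity
policy grant those actions on the CMK's ARN?  All documents below are constructed.
"""
import fnmatch
import json

# Concrete KMS actions EC2 uses when launching from an AMI whose EBS snapshot is
# encrypted with the CMK, and when attaching the resulting volume (the grant group).
# Wildcards such as kms:ReEncrypt* in a policy must cover these.
REQUIRED_USE = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"]
REQUIRED_GRANT = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
REQUIRED = REQUIRED_USE + REQUIRED_GRANT

def _as_list(value):
    """Policy fields may hold one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _matches(value, patterns):
    """IAM-style glob match ('*', '?'), case-insensitive like IAM's Action matching."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _principal_covered(principal_arn, principal_field):
    """True if Principal names the ARN itself, its account root (or bare account ID), or '*'.
    Naming only the root delegates to that account's IAM policies, hence the second check."""
    if principal_field == "*":
        return True
    if not isinstance(principal_field, dict):
        return False
    account = principal_arn.split(":")[4]          # fifth ARN field is the account ID
    accepted = (principal_arn, "arn:aws:iam::%s:root" % account, account, "*")
    return any(p in accepted for p in _as_list(principal_field.get("AWS", [])))

def _evaluate(statements, action, resource, principal_arn=None):
    """IAM rule: a matching explicit Deny wins; otherwise some Allow must match.
    Simplified: NotAction/NotResource are ignored and Conditions are assumed satisfied
    (the samples' only condition, kms:GrantIsForAWSResource, holds when EC2 creates the grant)."""
    allowed = False
    for st in statements:
        if not _matches(action, st.get("Action", [])) or not _matches(resource, st.get("Resource", [])):
            continue
        if principal_arn is not None and not _principal_covered(principal_arn, st.get("Principal")):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = allowed or st.get("Effect") == "Allow"
    return allowed

def missing_key_policy_actions(key_policy, principal_arn, key_arn):
    """Required actions the key policy does not allow for this principal."""
    return [a for a in REQUIRED
            if not _evaluate(_as_list(key_policy["Statement"]), a, key_arn, principal_arn)]

def missing_iam_policy_actions(iam_policy, key_arn):
    """Required actions the IAM identity policy does not allow on this CMK."""
    return [a for a in REQUIRED if not _evaluate(_as_list(iam_policy["Statement"]), a, key_arn)]

# Constructed key policy: account 444455556666 was added to "Allow use of the key" but
# not to "Allow attachment of persistent resources", a half-finished edit that yields
# exactly the launch failure the article describes. Account IDs are AWS placeholders.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1a345678-1234-1234-1234-EXAMPLE"
KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:root", "arn:aws:iam::444455556666:root"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}
  ]}""")

# Constructed IAM identity policy scoped to the CMK, shaped like the article's sample.
IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowUseOfTheKey", "Effect": "Allow",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "%s"},
    {"Sid": "AllowAttachmentOfPersistentResources", "Effect": "Allow",
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "%s", "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}}
  ]}""" % (KEY_ARN, KEY_ARN))

if __name__ == "__main__":
    for principal in ("arn:aws:iam::111122223333:user/UserA", "arn:aws:iam::444455556666:root"):
        print(principal, "-> key policy lacks:",
              missing_key_policy_actions(KEY_POLICY, principal, KEY_ARN) or "nothing")
    print("IAM policy lacks:", missing_iam_policy_actions(IAM_POLICY, KEY_ARN) or "nothing")
```

Run as-is, the script reports that UserA in account 111122223333 is fully covered by the key policy, that the root of 444455556666 lacks the three grant actions (so an instance launch from that account fails when EC2 tries to attach the encrypted volume), and that the IAM policy grants everything it should on the CMK. To lint a real key, replace KEY_POLICY with the document returned by aws kms get-key-policy --key-id <key-id> --policy-name default --output text, and IAM_POLICY with the JSON of the policy attached to the user or role that performs the launch. The checker evaluates wildcards in Action and Resource and honours explicit Deny statements, but it does not evaluate Conditions, NotAction or NotResource, so treat its output as a first pass rather than an authoritative IAM simulation.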


Conclusion

In short, we saw how our Support Techs fix the failure to launch EC2 instances from a copied AMI with an encrypted EBS snapshot, by correcting the KMS key policy and the IAM policy of the requesting entity.
