Why can't I launch EC2 instances from my copied AMI?

Last updated: 2020-06-25

I copied my Amazon Machine Image (AMI) to a different account or Region, but I'm not able to launch Amazon Elastic Compute Cloud (Amazon EC2) instances from the copied AMI. How do I fix this?

Short description

The following are common reasons why you might be unable to launch EC2 instances from a copied AMI:

  • The destination account doesn't have access to the AWS Key Management Service (KMS) customer master key used to encrypt Amazon Elastic Block Store (Amazon EBS) volumes on the copied AMI.
  • You're using a customer managed key (CMK) to encrypt EBS volumes and haven't created AWS Identity and Access Management (IAM) policies granting access to EC2 instances or to IAM roles trying to launch instances.

Resolution

Enable cross-account access to existing KMS custom keys on the copied AMI

For detailed instructions, see Share custom encryption keys more securely between accounts by using AWS Key Management service and follow the instructions in the How to enable cross-account access to existing custom keys section.

Set permissions for EC2 instances to access the KMS key

1.    Open the AWS KMS console.

Note: Make sure you're in the correct Region.

2.    Choose Customer managed keys, and then select the appropriate key.

3.    Under Key policy, scroll down to Key users. Verify that the Key users section lists all internal and external accounts and users that need access to the key.

4.    If any accounts or users are missing from the Key users section, select Policy view.

Note: If you've ever edited the AWS KMS CMK key policy manually, the key policy is only available in policy (JSON) view.

5.    List the ARN of every account and user that needs access to the key as a Principal in the statement that allows the AWS KMS permissions. In the following example policy, the three ARNs listed as principals in the "Allow use of the key" statement represent the parent account, an external account, and an IAM user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/KMSAdminUser"
                ]
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:root",
                    "arn:aws:iam::444455556666:root",
                    "arn:aws:iam::111122223333:user/UserA"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:root",
                    "arn:aws:iam::444455556666:root",
                    "arn:aws:iam::111122223333:user/UserA"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

6.    If you haven't already created the IAM policy, proceed to the next section to create and assign the policy.

Create the IAM policy and attach it to your IAM user or group

1.    Sign in to the IAM console with your user that has administrator permissions.

2.    Choose Policies.

3.    Choose Create policy.

4.    Choose the JSON tab. Copy the following sample JSON policy, and then paste it into the JSON text box. Replace arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE with the ARN of your CMK.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE"
            ]
        },
        {
            "Sid": "AllowAttachmentOfPersistentResources",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": [
                "arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

5.    Choose Review policy. The Policy Validator reports any syntax errors.

6.    On the Review page, enter KmsKeyUsagePolicy for the policy name. Review the policy Summary to see the permissions granted by your policy, and then choose Create policy to save the policy. The new policy appears in the list of managed policies and is ready to attach to your IAM user or group.

7.    In the navigation pane of the IAM console, choose Policies.

8.    At the top of the policy list, in the search box, start typing KmsKeyUsagePolicy until you see your policy. Then check the box next to KmsKeyUsagePolicy in the list.

9.    Choose Policy actions, and then choose Attach.

10.    For Filter, choose Users.

11.    In the search box, start typing the user name until your user is visible in the list. Then check the box next to that user in the list.

12.    Choose Attach Policy.
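As an added check that is not part of this article or of any AWS tooling, the following Python script parses either a KMS key policy (for example the output of get-key-policy) or an IAM identity policy like the one above and reports which of the KMS actions that EC2 needs are not granted to a given account on the CMK. The sample policy, key ARN and account IDs are constructed, abbreviated from the article's key policy example; explicit Deny statements and Condition blocks are deliberately not evaluated.

```python
import fnmatch
import json

# KMS actions EC2 needs on the CMK to launch from an AMI whose EBS snapshots are
# encrypted with it (the "use of the key" and "persistent resources" statements).
REQUIRED_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(name, patterns):
    # IAM matches action and resource names case-insensitively, with * wildcards.
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in _as_list(patterns))

def missing_kms_actions(policy_doc, key_arn, principal_arn=None):
    """Return the REQUIRED_ACTIONS that no Allow statement grants on key_arn.
    For a KMS key policy pass principal_arn (the account root ARN); for an IAM
    identity policy, which has no Principal element, leave it None.
    Simplification: explicit Deny statements and Condition blocks are ignored."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal_arn is not None and "*" not in arns and principal_arn not in arns:
            continue
        if not _matches(key_arn, stmt.get("Resource", [])):
            continue
        granted.update(a for a in REQUIRED_ACTIONS if _matches(a, stmt.get("Action", [])))
    return sorted(set(REQUIRED_ACTIONS) - granted)

# Constructed sample, abbreviated from the article's key policy: the parent account
# 111122223333 and the external account 444455556666 are allowed to use the key.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1a345678-1234-1234-1234-EXAMPLE"
KEY_USERS = ["arn:aws:iam::111122223333:root", "arn:aws:iam::444455556666:root"]
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": KEY_USERS},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": KEY_USERS}, "Resource": "*",
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]}
```

An empty result for the destination account's root ARN means the key policy side is in order; any remaining entries for the IAM identity policy point at actions the KmsKeyUsagePolicy statements above must still grant.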