Why can't I launch EC2 instances from my copied AMI?

Last updated: 2020-09-10

I copied my Amazon Machine Image (AMI) to a different account or Region. I'm not able to launch Amazon Elastic Compute Cloud (Amazon EC2) instances from the copied AMI. How do I fix this?

Short description

You might not be able to launch instances from a copied AMI that is backed by an encrypted Amazon Elastic Block Store (Amazon EBS) volume for the following reasons:

  • The key policy of the AWS Key Management Service (AWS KMS) customer managed key (CMK) doesn't list the principals that grant the requesting account access.
  • The AWS Identity and Access Management (IAM) entity in the requesting account doesn't have the necessary KMS permissions on the volume's cross-account CMK.

Resolution

Enable cross-account access to existing KMS custom keys on the copied AMI

For detailed instructions, see How to enable cross-account access to existing custom keys in Share custom encryption keys more securely between accounts by using AWS Key Management Service.

Set permissions for EC2 instances to access the KMS key

1.    Open the AWS KMS console.

Note: Make sure you're in the correct Region.

2.    Choose Customer managed keys, and then select the appropriate key.

3.    Under Key policy, scroll down to Key users. Verify that the Key users section lists all internal and external accounts and users that need access to the key.

4.    If any accounts or users are missing from the Key users section, select Policy view.

Note: If you've ever edited the AWS KMS CMK key policy manually, the key policy is only available in policy (JSON) view.

5.    Verify that the Allow use of the key statement in the key policy is correct. The statement must include the ARN of all accounts and users who need access to the key.

The following excerpt from the default key policy shows the Allow use of the key statement and the related Allow attachment of persistent resources statement; the other statements of the default policy are omitted here. The Principal element of each statement includes the following ARNs:

  • The external AWS account containing the copied AMI.
  • The parent account of the AMI.
  • A user within the external account.

For an overview and example of the entire default key policy, see Using key policies in AWS KMS - Default key policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:root",
                    "arn:aws:iam::444455556666:root",
                    "arn:aws:iam::111122223333:user/UserA"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:root",
                    "arn:aws:iam::444455556666:root",
                    "arn:aws:iam::111122223333:user/UserA"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}


6.    If you haven't already created the IAM policy, proceed to the next section to create and assign the policy.

Create the IAM policy and attach it to your IAM user or group

1.    Sign in to the IAM console with your user that has administrator permissions.

2.    Choose Policies.

3.    Choose Create policy.

4.    Choose the JSON tab. Copy the following sample JSON policy, and then paste it into the JSON text box. Replace arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE with the ARN of your CMK.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE"
            ]
        },
        {
            "Sid": "AllowAttachmentOfPersistentResources",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": [
                "arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}

5.    Choose Review policy. The Policy Validator reports any syntax errors.

6.    On the Review page, enter KmsKeyUsagePolicy for the policy name. Review the policy Summary to see the permissions granted by your policy, and then choose Create policy to save the policy. The new policy appears in the list of managed policies and is ready to attach to your IAM user or group.

7.    In the navigation pane of the IAM console, choose Policies.

8.    At the top of the policy list, in the search box, start typing KmsKeyUsagePolicy until you see your policy. Then check the box next to KmsKeyUsagePolicy in the list.

9.    Choose Policy actions, and then choose Attach.

10.    For Filter, choose Users.

11.    In the search box, start typing the user name until your user appears in the list. Then check the box next to that user in the list.

12.    Choose Attach Policy.
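The two checks above (the key policy must name the requesting account as a principal; the IAM policy in that account must allow the same actions on the key's ARN) can be applied offline to policy documents pulled from the console. This is an added example, not code from the article or from AWS: it assumes the requesting account's root ARN is the principal to look for, ignores Condition blocks, and uses constructed placeholder account IDs and a placeholder key ARN.

```python
import fnmatch

# Actions from the article's "Allow use of the key" and "Allow attachment of
# persistent resources" statements, expanded so wildcard grants can be checked.
WANTED = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
          "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
          "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _match(value, patterns):
    # IAM compares actions and ARNs case-insensitively, with * and ? wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
def _allows(stmt, action, principal=None, resource=None):
    """Allow statement covers the action for the principal ARN (key policy) or
    the resource ARN (identity policy)?  Condition blocks are not evaluated."""
    if stmt.get("Effect") != "Allow" or not _match(action, stmt.get("Action", [])):
        return False
    if principal is not None:
        p = stmt.get("Principal", {})
        if not _match(principal, "*" if p == "*" else p.get("AWS", [])):
            return False
    return resource is None or _match(resource, stmt.get("Resource", []))

def missing_actions(policy, principal=None, resource=None):
    """WANTED actions that no statement in the policy grants under the constraints."""
    stmts = _as_list(policy["Statement"])
    return [a for a in WANTED if not any(_allows(s, a, principal, resource) for s in stmts)]

def diagnose(key_policy, iam_policy, requesting_account, key_arn):
    """The article's two causes: the key policy must list the requesting account's
    root principal, and that account's IAM policy must allow the actions on the key."""
    root = f"arn:aws:iam::{requesting_account}:root"
    return {"key_policy": missing_actions(key_policy, principal=root),
            "iam_policy": missing_actions(iam_policy, resource=key_arn)}

# Constructed sample (placeholder IDs and ARN): the use statement names only the parent
# account 111122223333, so the copied-AMI account 444455556666 can never decrypt.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1a345678-1234-1234-1234-EXAMPLE"
USE = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": USE, "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                                              "arn:aws:iam::444455556666:root"]},
     "Action": GRANT, "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": USE + GRANT, "Resource": KEY_ARN}]}
```

Running `diagnose(KEY_POLICY, IAM_POLICY, "444455556666", KEY_ARN)` on the sample lists the seven use-of-key actions as missing on the key-policy side and nothing on the IAM side, which is exactly the first cause in the Short description.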