I launched an EC2 instance that has encrypted volumes attached, but the instance won't start—the instance immediately goes from a pending state to a stopped state. How can I resolve this?

If you're using AWS Key Management Service (AWS KMS) to protect your data in an integrated service, use caution when specifying the IP address condition operators or the aws:SourceIp condition key in the same policy statement. Attaching an encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon Elastic Compute Cloud (Amazon EC2) instance causes Amazon EC2 to send a request to AWS KMS to decrypt the volume's encrypted data key. That request comes from an IP address associated with the EC2 instance, not from the user's IP address, so it doesn't match an aws:SourceIp condition written for the user's network. AWS KMS rejects the decryption request, the volume can't be attached, and the instance fails to start.

To check whether this is the cause, run the describe-instances command (aws ec2 describe-instances) for your instance and look at the StateReason. If you see the following, then it's likely that an aws:SourceIp condition in your key policy or IAM policy is rejecting the decryption request that Amazon EC2 sends to AWS KMS:

"StateReason": {
  "Message": "Client.InternalError: Client error on launch",
  "Code": "Client.InternalError"
},


Instead of restricting the key by source IP, use the kms:ViaService condition key. It allows the key to be used by requests that an AWS service makes on your behalf (for EBS volumes, the value is ec2.<region>.amazonaws.com), regardless of the IP address those requests come from.

Note: A user logged on to the EC2 instance who calls AWS KMS directly doesn't satisfy this condition; only the calls that the service makes on your behalf do. Those calls are logged in AWS CloudTrail for your review, for example:

"userIdentity": {
  "sessionContext": {
    "sessionIssuer": {
      "accountId": "450822418798",
      "principalId": "450822418798:aws:ec2-infrastructure",
      "userName": "aws:ec2-infrastructure",
      "arn": "arn:aws:iam::450822418798:role/aws:ec2-infrastructure",
      "type": "Role"
    },
…
"eventType": "AwsApiCall",
"@log_group": "CloudTrail/AllRegionLogGroup",
"awsRegion": "eu-west-1",
"requestParameters": {
  "encryptionContext": {
    "aws:ebs:id": "vol-0ca158925aa9c1883"
  }
},

In this example, the CloudTrail entry records an API call to AWS KMS made by the aws:ec2-infrastructure role on your behalf, with the volume ID in the encryption context, rather than by a user from a specific IP address. When your policy allows AWS KMS to accept requests made through Amazon EC2 (for example, with kms:ViaService) instead of restricting them by source IP, the call completes and the instance starts.
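As an added example (not from the original article and not AWS code), here are the failing and the corrected key policy statements side by side, together with a deliberately simplified model of IAM condition evaluation that covers only the IpAddress and StringEquals operators. The CIDR, account ID, principal ARN, Region, source addresses and the two request contexts are constructed; in the real service AWS builds the request context, and the Python exists only to show why the Decrypt call that Amazon EC2 makes on your behalf fails one condition and passes the other, and why a user's direct call behaves the opposite way.

```python
"""Why an aws:SourceIp condition breaks encrypted-volume attachment and kms:ViaService does not.

Added example, not AWS code. The condition evaluator is a toy that models only the two
operators discussed in the article; principal matching, Deny statements and other IAM
semantics are deliberately left out. All identifiers and addresses are constructed.
"""
import ipaddress

ACCOUNT = "111122223333"                                   # constructed account ID
ADMIN_PRINCIPAL = f"arn:aws:iam::{ACCOUNT}:user/ebs-admin"  # constructed principal ARN

# Statement that breaks instance launch: Decrypt is allowed only from the office CIDR.
SOURCE_IP_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": ADMIN_PRINCIPAL},
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},   # constructed CIDR
}

# Corrected statement: Decrypt is allowed when Amazon EC2 in this Region calls KMS for you.
VIA_SERVICE_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": ADMIN_PRINCIPAL},
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": "ec2.eu-west-1.amazonaws.com"}},
}

# Constructed request contexts for the same kms:Decrypt call.
USER_DIRECT_CALL = {"aws:SourceIp": "203.0.113.17"}        # admin at the office calling KMS directly
EC2_ATTACH_CALL = {
    "aws:SourceIp": "198.51.100.4",                        # an address on the EC2 side, not the user's
    "kms:ViaService": "ec2.eu-west-1.amazonaws.com",       # present because EC2 calls KMS on your behalf
}


def _condition_holds(operator, key, expected, context):
    """Evaluate one condition clause against the request context (toy model)."""
    value = context.get(key)
    if value is None:
        return False  # key absent from the request: a non-IfExists condition is false
    if operator == "IpAddress":
        return ipaddress.ip_address(value) in ipaddress.ip_network(expected, strict=False)
    if operator == "StringEquals":
        return value == expected
    raise NotImplementedError(f"operator {operator} is outside this toy model")


def statement_allows(statement, action, context):
    """Simplified evaluation: the Allow applies only if every condition clause holds."""
    if statement["Effect"] != "Allow" or statement["Action"] != action:
        return False
    for operator, clauses in statement.get("Condition", {}).items():
        for key, expected in clauses.items():
            if not _condition_holds(operator, key, expected, context):
                return False
    return True


def instance_starts(key_policy_statement):
    """EC2 can attach the encrypted volume only if its on-your-behalf Decrypt is allowed."""
    return statement_allows(key_policy_statement, "kms:Decrypt", EC2_ATTACH_CALL)


def is_launch_client_error(state_reason):
    """True when a describe-instances StateReason matches the failure the article describes."""
    return (state_reason.get("Code") == "Client.InternalError"
            and "launch" in state_reason.get("Message", ""))


if __name__ == "__main__":
    for name, stmt in (("aws:SourceIp", SOURCE_IP_STATEMENT),
                       ("kms:ViaService", VIA_SERVICE_STATEMENT)):
        print(f"{name:15} user direct call allowed: "
              f"{statement_allows(stmt, 'kms:Decrypt', USER_DIRECT_CALL)!s:5} "
              f"EC2 attach call allowed: {statement_allows(stmt, 'kms:Decrypt', EC2_ATTACH_CALL)!s:5} "
              f"instance starts: {instance_starts(stmt)}")
```

Running the block prints that the aws:SourceIp statement lets the admin call Decrypt from the office but not Amazon EC2 (so the instance stops), while the kms:ViaService statement does the reverse, which is exactly the behaviour the note above describes. If you need both (administrators decrypting directly and EC2 attaching volumes), put the two conditions in separate statements rather than in the same one.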



Published: 2017-07-03

Updated: 2018-07-18