I launched an Amazon Elastic Compute Cloud (Amazon EC2) instance that has encrypted volumes attached, but the instance won't start—the instance immediately goes from a pending state to a stopped state. How can I resolve this?

If you use AWS Key Management Service (AWS KMS) to protect your data in an integrated service, then be careful when specifying the IP address condition operators, or when specifying the aws:SourceIp condition key in the same access policy statement. Attaching an encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon EC2 instance causes Amazon EC2 to send a request to AWS KMS to decrypt the volume's encrypted data key. This request comes from an IP address associated with the EC2 instance, not the user's IP address. This means that the decryption request is rejected if you have a SourceIp condition set, and the instance fails.

To check whether this is the cause, run the AWS CLI describe-instances command (aws ec2 describe-instances) for the instance. If the output contains the following StateReason, then it's likely that a SourceIp condition in your key policy or IAM policy is blocking the decryption request that Amazon EC2 sends to AWS KMS on your behalf:

"StateReason": {
  "Message": "Client.InternalError: Client error on launch",
  "Code": "Client.InternalError"
}

Use the kms:ViaService condition key instead of an IP address condition. With kms:ViaService, AWS KMS allows requests that the named integrated service (for example, ec2.eu-west-1.amazonaws.com) makes on your behalf, regardless of the IP address the request comes from. Be sure that the principals have permission to use both the customer master key (CMK) and the integrated service. For more information, see kms:ViaService condition key limits.
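To make the difference between the two conditions concrete, here is an added example (not from the original article or from AWS) that models a simplified slice of IAM policy evaluation in Python. It embeds two constructed key-policy statements for a hypothetical role arn:aws:iam::111122223333:role/EbsAdmin: one scoped by aws:SourceIp (the setting that breaks volume attachment) and one scoped by kms:ViaService (the fix), and evaluates both against a constructed request context for a user calling KMS directly and one for the request EC2 sends when it attaches an encrypted volume. The IP addresses, account ID and Sids are placeholders, and the evaluator only models the IpAddress and StringEquals operators, not AWS's full policy engine.

```python
import fnmatch
import ipaddress

# Constructed placeholders (not from the page): a role that manages EBS volumes
# and the KMS actions EC2 needs to attach an encrypted volume.
EBS_ADMIN_ROLE = "arn:aws:iam::111122223333:role/EbsAdmin"
EBS_KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey*", "kms:CreateGrant"]


def _statement(sid, condition):
    """Build an Allow statement for the EBS admin role with the given condition."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": EBS_ADMIN_ROLE},
        "Action": EBS_KMS_ACTIONS,
        "Resource": "*",
        "Condition": condition,
    }


# Weak setting: the statement only matches calls from the corporate IP range.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    _statement("AllowDecryptOnlyFromOffice",
               {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}),
]}

# Corrected setting: the statement matches calls EC2 makes on the principal's behalf.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    _statement("AllowUseViaEc2",
               {"StringEquals": {"kms:ViaService": "ec2.eu-west-1.amazonaws.com"}}),
]}

# Constructed request contexts. A user calling KMS directly from the office network
# presents the office IP; the request EC2 sends when attaching a volume presents an
# address associated with EC2 (placeholder 10.0.1.25) plus the kms:ViaService key.
USER_DIRECT_CALL = {"aws:SourceIp": "203.0.113.25"}
EC2_ATTACH_CALL = {"aws:SourceIp": "10.0.1.25",
                   "kms:ViaService": "ec2.eu-west-1.amazonaws.com"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """Simplified condition evaluation: every operator/key pair must be satisfied.
    A key missing from the request context never satisfies a positive condition."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(cidr) for cidr in _as_list(expected)):
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def statement_allows(stmt, action, ctx):
    """True if this Allow statement grants `action` for the request context."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    return condition_matches(stmt.get("Condition", {}), ctx)


def allowing_sids(policy, action, ctx):
    """Sids of the statements that would grant `action`; empty means the call is denied."""
    return [s["Sid"] for s in policy["Statement"] if statement_allows(s, action, ctx)]


def source_ip_sids(policy):
    """Lint helper: Sids of statements that scope KMS access by aws:SourceIp."""
    found = []
    for s in policy["Statement"]:
        keys = {k for pairs in s.get("Condition", {}).values() for k in pairs}
        if "aws:SourceIp" in keys:
            found.append(s["Sid"])
    return found


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "user direct:", allowing_sids(policy, "kms:Decrypt", USER_DIRECT_CALL))
        print(name, "EC2 attach:", allowing_sids(policy, "kms:Decrypt", EC2_ATTACH_CALL))
        print(name, "SourceIp-scoped statements:", source_ip_sids(policy))
```

With the weak policy the user's own call succeeds but the EC2 attach request matches nothing, which is the state the describe-instances error above reflects; with the kms:ViaService statement the attach request is granted. The source_ip_sids helper is the check to run over a key policy before attaching encrypted volumes.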

Note: The kms:ViaService condition doesn't grant access to users logged on to the EC2 instance; it only allows the integrated service itself to use the CMK on your behalf. Each such request is logged in AWS CloudTrail for your review.

{
  "userIdentity": {
    "sessionContext": {
      "sessionIssuer": {
        "accountId": "450822418798",
        "principalId": "450822418798:aws:ec2-infrastructure",
        "userName": "aws:ec2-infrastructure",
        "arn": "arn:aws:iam::450822418798:role/aws:ec2-infrastructure",
        "type": "Role"
      }
    }
  },
  "eventType": "AwsApiCall",
  "@log_group": "CloudTrail/AllRegionLogGroup",
  "awsRegion": "eu-west-1",
  "requestParameters": {
    "encryptionContext": {
      "aws:ebs:id": "vol-0ca158925aa9c1883"
    }
  }
}

In this example, the CloudTrail entry records an API call to AWS KMS made by the aws:ec2-infrastructure role on your behalf, not by a user at a specific IP address, and the encryption context identifies the EBS volume whose data key is being decrypted. When your policy allows AWS KMS to accept requests that EC2 makes on the user's behalf (through kms:ViaService rather than a SourceIp condition), the API call can complete.
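Because the denied decryption shows up in CloudTrail rather than on the instance, the quickest way to confirm the cause is to look for denied kms.amazonaws.com Decrypt events whose session issuer is aws:ec2-infrastructure. The following is an added example (not from the original article or from AWS) that does that triage in Python over constructed CloudTrail records shaped like the excerpt above. The records are placeholders: the errorCode and errorMessage fields are the ones CloudTrail populates when a call is denied (assumed present as in real denied events), the second volume ID and the user names are made up, and only the first record is the pattern this article describes.

```python
import json

# Constructed CloudTrail records (not real log data). The first one is the
# pattern from the article: KMS Decrypt, issued by the EC2 infrastructure role
# for an EBS volume, and denied. The other two are distractors.
SAMPLE_EVENTS = json.dumps([
    {
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "eventType": "AwsApiCall",
        "awsRegion": "eu-west-1",
        "userIdentity": {
            "type": "AssumedRole",
            "sessionContext": {
                "sessionIssuer": {
                    "userName": "aws:ec2-infrastructure",
                    "type": "Role",
                    "arn": "arn:aws:iam::450822418798:role/aws:ec2-infrastructure",
                }
            },
        },
        "requestParameters": {"encryptionContext": {"aws:ebs:id": "vol-0ca158925aa9c1883"}},
        "errorCode": "AccessDenied",
        "errorMessage": "placeholder: access denied by key policy condition",
    },
    {   # same role, but the call succeeded (no errorCode): not a problem
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "eventType": "AwsApiCall",
        "awsRegion": "eu-west-1",
        "userIdentity": {"type": "AssumedRole", "sessionContext": {
            "sessionIssuer": {"userName": "aws:ec2-infrastructure", "type": "Role"}}},
        "requestParameters": {"encryptionContext": {"aws:ebs:id": "vol-0123456789abcdef0"}},
    },
    {   # a user denied directly: a different problem, not the one described here
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "eventType": "AwsApiCall",
        "awsRegion": "eu-west-1",
        "userIdentity": {"type": "IAMUser", "userName": "placeholder-user"},
        "requestParameters": {},
        "errorCode": "AccessDenied",
    },
])


def denied_ec2_decrypts(raw_json):
    """Return one entry per denied KMS Decrypt that the EC2 infrastructure role
    issued on a principal's behalf, keyed by the EBS volume in the encryption context."""
    flagged = []
    for rec in json.loads(raw_json):
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") != "Decrypt":
            continue
        if "errorCode" not in rec:
            continue  # the call succeeded, so the volume attached fine
        issuer = (rec.get("userIdentity", {})
                     .get("sessionContext", {})
                     .get("sessionIssuer", {}))
        if issuer.get("userName") != "aws:ec2-infrastructure":
            continue  # denied, but not a service call made on the user's behalf
        volume = rec.get("requestParameters", {}).get("encryptionContext", {}).get("aws:ebs:id")
        flagged.append({"volume": volume, "region": rec.get("awsRegion"), "error": rec["errorCode"]})
    return flagged


if __name__ == "__main__":
    for hit in denied_ec2_decrypts(SAMPLE_EVENTS):
        print(f"{hit['region']}: EC2 could not decrypt {hit['volume']} ({hit['error']})")
```

Each hit names the volume whose attachment failed; the fix is then to review the key policy and IAM policies attached to that CMK for an aws:SourceIp condition and replace it with kms:ViaService as described above.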


Published: 2017-07-03

Updated: 2019-02-01