I launched an instance with encrypted volumes attached, but it will not start. How can I resolve this?

After you launch an instance with encrypted volumes attached, the instance immediately goes from a pending state to a stopped state. This might be caused by a problem with Amazon EBS interacting with the AWS Key Management Service (AWS KMS) that is used to encrypt the volumes. If the IAM user who attaches the volumes has a condition for matching sourceIp, that can restrict access for EBS with KMS.

Running the describe-instances command for your instance might return an error similar to the following:

"StateReason": {
  "Message": "Client.InternalError: Client error on launch", 
  "Code": "Client.InternalError"
  },

If you are using KMS to protect your data in an integrated service, use caution when specifying the IP address condition operators, or the aws:SourceIp condition key in the same access policy statement. Attaching an encrypted EBS volume to an EC2 instance causes EC2 to send a request to KMS to decrypt the volume's encrypted data key. This request comes from an IP address associated with the EC2 instance, not the user's IP address. The request is rejected if you have a sourceIp condition set, and the instance fails.

Use the condition kms:ViaService. KMS allows interactions from that Service on your behalf.

Note: EC2 instances with logged on users won’t be able to interact with this condition; only the service on your behalf can. This will be logged in CloudTrail for your review.

"userIdentity": {
  "sessionContext": {
    "sessionIssuer": {
      "accountId": "450822418798",
      "principalId": "450822418798:aws:ec2-infrastructure",
      "userName": "aws:ec2-infrastructure",
      "arn": "arn:aws:iam::450822418798:role/aws:ec2-infrastructure",
      "type": "Role"
     },
…
    "eventType": "AwsApiCall",
    "@log_group": "CloudTrail/AllRegionLogGroup",
    "awsRegion": "eu-west-1",
    "requestParameters": {
      "encryptionContext": {
        "aws:ebs:id": "vol-0ca158925aa9c1883"
      }    
},

In this example, the CloudTrail entry for an API call is made to KMS. This is called on by aws:ec2-infrastructure, and it is not from a specific IP address. When you add a policy to a user that allows KMS to interact with EC2, this should allow the call to complete.


Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2017-07-03