I am not able to launch EC2 instances with encrypted AMI or encrypted volumes using Amazon EC2 Auto Scaling

Last updated: 2021-03-31

Amazon EC2 Auto Scaling failed to launch instances that use an encrypted AMI or encrypted volumes, even though the AWS Identity and Access Management (IAM) identities (users, roles) used to create the Amazon EC2 Auto Scaling group have administrator permissions.

Short description

Amazon EC2 Auto Scaling uses a service-linked role (SLR) for the permissions it needs to call other AWS services. The permissions of the SLR are hardcoded by AWS and can't be changed. By default, the permissions granted to the Amazon EC2 Auto Scaling SLR don't include access to customer master keys (CMKs).

You can use AWS managed CMKs or customer managed CMKs to encrypt the Amazon Elastic Block Store (Amazon EBS) volumes or AMIs that Amazon EC2 Auto Scaling launches instances from. Amazon EC2 Auto Scaling doesn't need additional permissions to use AWS managed CMKs. However, the Amazon EC2 Auto Scaling SLR must be granted additional permissions to use customer managed CMKs.

Resolution

Follow the instructions that apply, depending on whether the customer managed CMK that Amazon EC2 Auto Scaling uses is in the same AWS account as the Auto Scaling group or in an external AWS account.

Note:

Amazon EC2 Auto Scaling is using a customer managed CMK in the same AWS account

Follow the instructions for changing a key policy and add the following example statements to the key policy:

Note: Replace 123456789012 with the account ID where the Amazon EC2 Auto Scaling group is deployed.

{
    "Sid": "Allow service-linked role use of the CMK",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        ]
    },
    "Action": [
        "kms:CreateGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": true
        }
    }
}

Amazon EC2 Auto Scaling is using a customer managed CMK in an external AWS account

1.    Follow the instructions for changing a key policy. Modify the key policy so that IAM entities in the external AWS account (111122223333 in the example, the account that owns the Auto Scaling group) can use the CMK and perform the CreateGrant API action:

{
   "Sid": "Allow external account 111122223333 use of the CMK",
   "Effect": "Allow",
   "Principal": {
       "AWS": [
           "arn:aws:iam::111122223333:root"
       ]
   },
   "Action": [
       "kms:Decrypt",
       "kms:GenerateDataKeyWithoutPlaintext"
   ],
   "Resource": "*"
},
{
   "Sid": "Allow attachment of persistent resources in external account 111122223333",
   "Effect": "Allow",
   "Principal": {
       "AWS": [
           "arn:aws:iam::111122223333:root"
       ]
   },
   "Action": [
       "kms:CreateGrant"
   ],
   "Resource": "*"
}

2.    Use the AWS CLI command create-grant with the credentials of an IAM entity present in the AWS account that owns the Amazon EC2 Auto Scaling group.

Note: Replace 444455556666 with the account ID where the CMK is present.

$ aws kms create-grant \
    --key-id arn:aws:kms:us-west-2:444455556666:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d \
    --grantee-principal arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling \
    --operations Decrypt GenerateDataKeyWithoutPlaintext ReEncryptFrom ReEncryptTo CreateGrant

Note: Be sure that the IAM entity has permissions to perform the CreateGrant API action. If CreateGrant permissions are missing, then add the following statement to the IAM entity's attached policy:

{
      "Sid": "AllowCreationOfGrantForTheCMKinExternalAccount444455556666",
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:us-west-2:444455556666:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d"
}
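To check a key policy before retrying the launch, here is an added Python helper (not from this article or from AWS) that applies the rule from both sections above: it reports which of the three required actions a key policy document (for example, the one returned by `aws kms get-key-policy`) does not allow to the Auto Scaling SLR, counting the root principal of the Auto Scaling account only in the external-account case. The sample policy and account IDs are constructed for the example.

```python
import json

# Actions the Auto Scaling service-linked role (SLR) needs on a customer
# managed CMK, per the key policy statements in this article.
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext", "kms:CreateGrant"}


def slr_arn(account_id):
    """ARN of the Auto Scaling SLR in the account that owns the Auto Scaling group."""
    return ("arn:aws:iam::%s:role/aws-service-role/autoscaling.amazonaws.com/"
            "AWSServiceRoleForAutoScaling" % account_id)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_slr_actions(key_policy, key_account_id, asg_account_id):
    """Return the required actions the key policy does not allow to the SLR.

    Same account: only a statement naming the SLR ARN counts, because the
    SLR's hardcoded IAM policy has no KMS permissions for the root-principal
    statement to delegate to. External account: the root principal of the
    Auto Scaling account also counts, since an IAM entity there then creates
    the grant for the SLR with create-grant.
    """
    accepted = {slr_arn(asg_account_id)}
    if key_account_id != asg_account_id:
        accepted.add("arn:aws:iam::%s:root" % asg_account_id)
    allowed = set()
    for stmt in _as_list(key_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not accepted.intersection(_as_list(aws)):
            continue
        allowed.update(_as_list(stmt.get("Action", [])))
    return set() if "kms:*" in allowed else REQUIRED_ACTIONS - allowed


# Constructed same-account key policy: the default "Enable IAM User
# Permissions" statement plus only the first SLR statement from the article.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow service-linked role use of the CMK", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"]},
     "Action": ["kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext"],
     "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print(missing_slr_actions(SAMPLE_POLICY, "123456789012", "123456789012"))  # {'kms:CreateGrant'}
```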