I can't use Amazon EC2 Auto Scaling to launch EC2 instances with encrypted AMIs or encrypted volumes

Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling fails to launch instances from an encrypted Amazon Machine Image (AMI) or with encrypted volumes, even though the AWS Identity and Access Management (IAM) identity that created the Amazon EC2 Auto Scaling group has administrator permissions.

Short description

Amazon EC2 Auto Scaling uses a service-linked role (SLR) for the permissions it needs to call other AWS services on your behalf. The permissions of an SLR are predefined by the service and can't be changed. The default permissions granted to the Amazon EC2 Auto Scaling SLR don't include access to AWS Key Management Service (AWS KMS) keys, and the permissions of the IAM identity that created the group are not used when the group launches instances.

To launch instances with encrypted Amazon Elastic Block Store (Amazon EBS) volumes or encrypted AMIs through Amazon EC2 Auto Scaling, use either AWS managed keys or customer managed keys. Amazon EC2 Auto Scaling doesn't need additional permissions to use AWS managed keys. However, for a customer managed key, the Amazon EC2 Auto Scaling SLR must be granted access to that key through the key policy (and, for a key in another account, through a grant).

Resolution

The following examples use the default Amazon EC2 Auto Scaling SLR, AWSServiceRoleForAutoScaling, but you can create a service-linked role with a custom name instead.

You must create AWS KMS grants from the account that owns the Amazon EC2 Auto Scaling group, not from the account that owns the KMS key. For more information, see Grants in AWS KMS.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Amazon EC2 Auto Scaling uses a customer managed key that's in the same AWS account

Follow the instructions to change a key policy, and add the following two example statements to the key policy:

Note: Replace 123456789012 with the account ID where the Amazon EC2 Auto Scaling group is deployed.

{
    "Sid": "Allow service-linked role use of the KMS",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        ]
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        ]
    },
    "Action": [
        "kms:CreateGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": true
        }
    }
}
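As an added example that is not part of the original article, the following Python function checks whether a key policy document grants the Auto Scaling SLR every action the two statements above require, and whether each CreateGrant allowance carries the kms:GrantIsForAWSResource condition that keeps it scoped to grants created on behalf of AWS resources. The sample policy and account ID are constructed for the example.

```python
import fnmatch

# Actions the Auto Scaling service-linked role (SLR) needs on a customer managed
# key, with the wildcards from the key policy statements on this page expanded.
REQUIRED_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
}

def slr_arn(account_id, role_name="AWSServiceRoleForAutoScaling"):
    """ARN of the Auto Scaling SLR in the account that owns the Auto Scaling group."""
    return (f"arn:aws:iam::{account_id}:role/aws-service-role/"
            f"autoscaling.amazonaws.com/{role_name}")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_key_policy(policy, account_id):
    """Report the required actions the SLR is NOT allowed, and whether every
    CreateGrant allowance is restricted with kms:GrantIsForAWSResource."""
    target, allowed, grant_scoped = slr_arn(account_id), set(), True
    for stmt in _as_list(policy.get("Statement", [])):
        # Principal may be {"AWS": "arn"}, {"AWS": [...]} or the bare string "*".
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if stmt.get("Effect") != "Allow" or not {target, "*"} & set(principals):
            continue
        patterns = _as_list(stmt.get("Action", []))
        matched = {a for a in REQUIRED_ACTIONS
                   if any(fnmatch.fnmatchcase(a, p) for p in patterns)}
        allowed |= matched
        if "kms:CreateGrant" in matched:
            flag = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            grant_scoped = grant_scoped and str(flag).lower() == "true"
    return {"missing": sorted(REQUIRED_ACTIONS - allowed), "create_grant_scoped": grant_scoped}

# Constructed sample: the two statements this page recommends, for account 123456789012.
SAMPLE_POLICY = {"Statement": [
    {"Sid": "Allow service-linked role use of the KMS", "Effect": "Allow",
     "Principal": {"AWS": [slr_arn("123456789012")]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": [slr_arn("123456789012")]},
     "Action": ["kms:CreateGrant"], "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}},
]}
```

To check a real key, load the output of `aws kms get-key-policy --policy-name default` with `json.loads` and pass it as `policy`.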

Amazon EC2 Auto Scaling uses a customer managed key that's in an external AWS account

  1. Follow the instructions to change a key policy. Modify the key policy so that IAM entities in the external AWS account (the account that owns the Amazon EC2 Auto Scaling group, 111122223333 in this example) can use the key and perform the CreateGrant API action:

    {
        "Sid": "Allow external account 111122223333 use of the KMS",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::111122223333:root"
            ]
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
        ],
        "Resource": "*"
    },
    {
        "Sid": "Allow attachment of persistent resources in external account 111122223333",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::111122223333:root"
            ]
        },
        "Action": [
            "kms:CreateGrant"
        ],
        "Resource": "*"
    }
  2. Use the AWS CLI command create-grant with the credentials of an IAM entity in the AWS account that owns the Amazon EC2 Auto Scaling group. The grantee principal is the Auto Scaling SLR in that account:

    Note: Replace 444455556666 with the account ID that owns the KMS key.

    $ aws kms create-grant --key-id arn:aws:kms:us-west-2:444455556666:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d --grantee-principal arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling --operations Decrypt GenerateDataKeyWithoutPlaintext ReEncryptFrom ReEncryptTo CreateGrant

    Be sure that the IAM entity has permissions to perform the CreateGrant API action. If CreateGrant permissions are missing, then add the following statement to the IAM entity's attached policy:

    {
        "Sid": "AllowCreationOfGrantForTheKMSinExternalAccount444455556666",
        "Effect": "Allow",
        "Action": "kms:CreateGrant",
        "Resource": "arn:aws:kms:us-west-2:444455556666:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d"
    }

Related information

Service-linked roles for Amazon EC2 Auto Scaling

Required KMS key policy for use with encrypted volumes

AWS OFFICIAL
Updated 8 months ago