I am not able to launch EC2 instances with encrypted AMIs or encrypted volumes using Amazon EC2 Auto Scaling

Last updated: 2021-10-12

Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling fails to launch instances that use an encrypted Amazon Machine Image (AMI) or encrypted volumes, even though the AWS Identity and Access Management (IAM) identities (users, roles) used to create the Amazon EC2 Auto Scaling group have administrator permissions.

Short description

Amazon EC2 Auto Scaling uses a service-linked role (SLR) for the permissions it needs to call other AWS services. The permissions of the SLR are hardcoded by AWS and can't be changed. By default, the permissions granted to the Amazon EC2 Auto Scaling SLR don't include access to AWS KMS keys.

You can use AWS managed keys or customer managed keys to encrypt the Amazon Elastic Block Store (Amazon EBS) volumes or AMIs that Amazon EC2 Auto Scaling launches from. Amazon EC2 Auto Scaling doesn't need additional permissions to use AWS managed keys. However, the Amazon EC2 Auto Scaling SLR must be granted additional permissions to use customer managed keys.

Resolution

Follow the instructions below depending on whether the customer managed key that Amazon EC2 Auto Scaling uses is in the same AWS account or in an external AWS account.

Note:

Amazon EC2 Auto Scaling is using the customer managed key present in the same AWS account

Follow the instructions for changing a key policy and add the following example statements:

Note: Replace 123456789012 with the account ID where the Amazon EC2 Auto Scaling group is deployed.

{
    "Sid": "Allow service-linked role use of the KMS",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        ]
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        ]
    },
    "Action": [
        "kms:CreateGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": true
        }
    }
}
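
Before launching, it is worth checking that the key policy actually grants the SLR every action listed above. The following is an added example, not part of the original article: an offline checker over a key policy document (fetched in practice with aws kms get-key-policy --policy-name default) that expands IAM action wildcards such as kms:ReEncrypt* and reports which required actions are missing for the SLR principal. The sample policy is constructed and deliberately omits the second (CreateGrant) statement; Deny statements and Condition blocks are not evaluated, which is a simplification.

```python
import fnmatch
import json

# Constructed sample: only the first of the two statements the article adds,
# so kms:CreateGrant is intentionally missing.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow service-linked role use of the KMS",
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::123456789012:role/aws-service-role/"
            "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"]},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
    }],
})

# Concrete KMS actions the Auto Scaling SLR needs on a customer managed key,
# derived from the policy statements and the create-grant operations above.
REQUIRED_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey", "kms:CreateGrant",
]


def _as_list(value):
    """IAM allows a string or a list in Principal.AWS and Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_json, principal_arn):
    """Return the subset of REQUIRED_ACTIONS that Allow statements grant to principal_arn.
    Action patterns are matched with IAM-style wildcards (* and ?); Deny and Condition
    are ignored (simplification)."""
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal_arn not in aws and "*" not in aws:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in REQUIRED_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return granted


def missing_actions(policy_json, principal_arn):
    """Sorted list of required actions the policy does not grant to principal_arn."""
    return sorted(set(REQUIRED_ACTIONS) - allowed_actions(policy_json, principal_arn))
```

Running missing_actions against the sample policy reports only kms:CreateGrant, which is exactly what the second statement above adds.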

Amazon EC2 Auto Scaling is using the customer managed key present in the external AWS account

1.    Follow the instructions for changing a key policy. Modify the key policy to grant the IAM entity in the external AWS account permission to use the key and to perform the CreateGrant API action:

{
    "Sid": "Allow external account 111122223333 use of the KMS",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::111122223333:root"
        ]
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources in external account 111122223333",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::111122223333:root"
        ]
    },
    "Action": [
        "kms:CreateGrant"
    ],
    "Resource": "*"
}

2.    Use the AWS CLI command create-grant with the credentials of an IAM entity present in the AWS account that owns the Amazon EC2 Auto Scaling group.

Note: Replace 444455556666 with the account ID where the KMS key is present.

$ aws kms create-grant --key-id arn:aws:kms:us-west-2:444455556666:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d --grantee-principal arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling --operations Decrypt GenerateDataKeyWithoutPlaintext ReEncryptFrom ReEncryptTo CreateGrant

Note: Be sure that the IAM entity has permissions to perform the CreateGrant API action. If CreateGrant permissions are missing, then add the following statement to the IAM entity's attached policy:

{
    "Sid": "AllowCreationOfGrantForTheKMSinExternalAccount444455556666",
    "Effect": "Allow",
    "Action": "kms:CreateGrant",
    "Resource": "arn:aws:kms:us-west-2:444455556666:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d"
}