We are trying to set up autoscaling on my EC2 instance. I have followed this document. When I edit and then try to save the key policy for my webserver CMK, I'm getting this error: "Policy contains statement with one or more invalid principals. AWS Autoscaling". We are trying to edit the key policy from the root account.
This is the key policy file:
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM ACCOUNT Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNTID:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::ACCOUNTID:ACCOUNT/IAMUSER", "UNIQIDFORACCOUNT"]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::ACCOUNTID:ACCOUNT/IAMUSER", "UNIQIDFORACCOUNT"]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::ACCOUNTID:ACCOUNT/IAMUSER", "UNIQIDFORACCOUNT"]
      },
      "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Sid": "Allow service-linked role use of the customer managed key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNTID:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNTID:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
      },
      "Action": ["kms:CreateGrant"],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}
We looked for typos, tried different combinations, and checked every step beforehand to verify it is all correctly set up. Any help is appreciated.
2 Answers
According to the JSON you provided, you forgot a double quote with true:
In case you don't know, you can use the AWS Policy Generator website; it helps and saves time.
The role AWSServiceRoleForAutoScaling is not created by default. If it does not exist in the AWS account, then you have to create it first before referring to it by ARN in the KMS policy. Create a service-linked role for autoscaling via the CLI: