
I’m trying to create an EC2 instance in the Las Vegas local zone. Local zones encrypt data by default. I’m trying to connect my EC2 instance to its root EBS volume, but the volume is stuck in the "attaching" state so the instance is stuck in pending.

My instance has a role assigned to it with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KMS",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:Encrypt",
                "kms:GenerateDataKey*",
                "kms:DescribeKey",
                "kms:CreateGrant"
            ],
            "Resource": [
                "arn:aws:kms:us-west-2:213456789:key/abc123"
            ]
        }
    ]
}

That policy should give the instance access to the KMS key to encrypt and decrypt the volume, but it still isn’t attaching…Any ideas?

2 Answers


  1. Chosen as BEST ANSWER

    It turns out it had nothing to do with the EBS configuration. Instead, I solved the problem by using the AWS Linux 2 AMI instead of the AWS Linux 2023 AMI.


  2. An IAM Role attached to an Amazon EC2 instance is used to provide credentials to the software running ‘in’ the instance. It does not provide any permissions to the instance itself.

    Once upon a time, it was not possible to boot from an encrypted EBS volume, but then the capability was added. That page says:

    "You can now create Amazon Machine Images (AMIs) that make use of encrypted EBS boot volumes and use the AMIs to launch EC2 instances."

    That wording is interesting, because it talks about encrypted AMIs being used to launch encrypted EBS boot volumes.

    In reference to your comment about Local Zones, I found AWS Local Zones FAQs – Amazon Web Services that says:

    Except for Local Zones in Los Angeles, in all other Local Zones in the US, EBS volumes are encrypted by default using Amazon EBS Encryption for data at rest and data in transition between the Local Zone and its parent Region. By default, Amazon EBS encryption uses AWS Key Management Service (AWS KMS) and AWS managed keys.

    Therefore, I have a theory that if you are launching an instance from an AMI that is not encrypted, and there is a requirement for the EBS volume to be encrypted, then perhaps EBS is encrypting the volume before you launch the instance.

    Normally, when an EBS Volume is created from an AMI, nothing is actually copied to the EBS Volume. Instead, whenever a block is read for the first time and that block is known to be non-empty, the block is copied from the AMI to the EBS volume and then accessed by the instance. This means that the instance doesn’t need to wait for the EBS volume to be ‘hydrated’ from the AMI.

    However, throw in the need for the volume to be encrypted where the AMI is not encrypted, and this might mean that the EBS volume needs to be fully loaded before the instance can start. However, I have not heard of such cases before, so this might be totally wrong.
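A triage script for the situation described in the question and the second answer, added here as an example and not code from either poster. It does two things the answer's point implies: it lists volumes whose attachment has sat in `attaching` for too long (checking that the volume's KMS key lives in the parent Region of the zone, since KMS keys are regional), and it evaluates a KMS key policy for the principal that launched the instance rather than for the instance-profile role, because that launching principal is whose permissions EC2 uses when it creates the grant for an encrypted volume. The `describe-volumes` output, the key policy, the key ARN and the `Deployer` role ARN are all constructed for the example; the policy evaluator is deliberately minimal (no `Condition` handling, no delegation through the account root principal), which is an assumption stated in the code.

```python
"""Triage helpers for an EBS volume stuck in 'attaching' in an encrypted-by-default
Local Zone. Added example with constructed API output; not code from the post.
Every assumption is marked in a comment."""
import fnmatch
import re
from datetime import datetime, timedelta, timezone

# The KMS actions from the question's policy, written out as concrete action names
# (kms:ReEncrypt* and kms:GenerateDataKey* expanded). Assumption: this is the set
# to verify for the *launching* principal in the key policy, not the instance role.
REQUIRED_KMS_ACTIONS = (
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom", "kms:ReEncryptTo",
)

# Region prefix of an AZ name: 'us-west-2a' -> 'us-west-2',
# Local Zone 'us-west-2-las-1a' -> 'us-west-2', 'us-gov-west-1a' -> 'us-gov-west-1'.
AZ_REGION_RE = re.compile(r"^([a-z]{2}(?:-[a-z]+)+-\d)")


def region_of_az(az):
    m = AZ_REGION_RE.match(az)
    if not m:
        raise ValueError(f"unrecognised AZ name: {az}")
    return m.group(1)


def region_of_arn(arn):
    # arn:partition:service:region:account:resource
    return arn.split(":")[3]


def stuck_attachments(volumes, now, threshold=timedelta(minutes=5)):
    """Volumes whose attachment has been 'attaching' longer than threshold.
    AttachTime is taken as boto3 returns it (a tz-aware datetime)."""
    out = []
    for v in volumes:
        for att in v.get("Attachments", []):
            if att["State"] != "attaching" or now - att["AttachTime"] < threshold:
                continue
            key = v.get("KmsKeyId")
            out.append({
                "VolumeId": v["VolumeId"],
                "InstanceId": att["InstanceId"],
                "Encrypted": v["Encrypted"],
                "KmsKeyId": key,
                # KMS keys are regional: the key must be in the zone's parent Region.
                "KeyRegionMismatch": bool(key)
                and region_of_arn(key) != region_of_az(v["AvailabilityZone"]),
            })
    return out


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_matches(stmt, principal_arn):
    p = stmt.get("Principal", {})
    if p == "*":
        return True
    aws = _as_list(p.get("AWS", []))
    return principal_arn in aws or "*" in aws


def _glob_matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, pat) for pat in _as_list(patterns))


def policy_allows(policy, principal_arn, action, resource):
    """Minimal key-policy check: an explicit Deny wins, otherwise any matching Allow.
    Assumption/simplification: Condition blocks and delegation through the account
    root principal are ignored; only exact principal ARNs or '*' match."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt, principal_arn)
                and _glob_matches(stmt.get("Action", []), action)
                and _glob_matches(stmt.get("Resource", "*"), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_kms_actions(key_policy, principal_arn, key_arn):
    """Required actions the launching principal is NOT granted by the key policy."""
    return [a for a in REQUIRED_KMS_ACTIONS
            if not policy_allows(key_policy, principal_arn, a, key_arn)]


# ---- constructed sample data (hypothetical ARNs and IDs, not real resources) ----
KEY_ARN = "arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555"
DEPLOYER = "arn:aws:iam::123456789012:role/Deployer"  # hypothetical launching role
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
VOLUMES = [  # shaped like describe-volumes output; constructed
    {"VolumeId": "vol-0abc", "AvailabilityZone": "us-west-2-las-1a", "Encrypted": True,
     "KmsKeyId": KEY_ARN, "Attachments": [{"InstanceId": "i-0def", "State": "attaching",
                                           "AttachTime": NOW - timedelta(minutes=20)}]},
    {"VolumeId": "vol-0123", "AvailabilityZone": "us-west-2a", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0456", "State": "attached",
                      "AttachTime": NOW - timedelta(days=3)}]},
]
# Constructed key policy: the launching role may Decrypt and DescribeKey only, so
# EC2 cannot CreateGrant on its behalf for the encrypted root volume.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DEPLOYER},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}

if __name__ == "__main__":
    for s in stuck_attachments(VOLUMES, NOW):
        print("stuck:", s)
    print("launching role lacks:", missing_kms_actions(KEY_POLICY, DEPLOYER, KEY_ARN))
```

Run it against real data by replacing `VOLUMES` with `ec2.describe_volumes()["Volumes"]` and `KEY_POLICY` with the parsed result of `kms.get_key_policy(KeyId=..., PolicyName="default")`, and set `DEPLOYER` to the ARN that actually called `RunInstances`; if nothing comes back missing for that principal, the key policy is not the reason for the stuck attachment and the AMI side of the second answer is the next thing to look at.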
