I’m trying to create an EC2 instance in the Las Vegas local zone. Local zones encrypt data by default. I’m trying to connect my EC2 instance to its root EBS volume, but the volume is stuck in the "attaching" state so the instance is stuck in pending.
My instance has a role assigned to it with the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KMS",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:Encrypt",
                "kms:GenerateDataKey*",
                "kms:DescribeKey",
                "kms:CreateGrant"
            ],
            "Resource": [
                "arn:aws:kms:us-west-2:213456789:key/abc123"
            ]
        }
    ]
}
That policy should give the instance access to the KMS key to encrypt and decrypt the volume, but it still isn’t attaching… Any ideas?
2 Answers
It turns out it had nothing to do with the EBS configuration. Instead, I solved the problem by using the AWS Linux 2 AMI instead of the AWS Linux 2023 AMI.
An IAM Role attached to an Amazon EC2 instance is used to provide credentials to the software running ‘in’ the instance. It does not provide any permissions to the instance itself.
Once upon a time, it was not possible to boot from an encrypted EBS volume, but then the capability was added. That page says:
That wording is interesting, because it talks about encrypted AMIs being used to launch encrypted EBS boot volumes.
In reference to your comment about Local Zones, I found AWS Local Zones FAQs – Amazon Web Services that says:
Therefore, I have a theory that if you are launching an instance from an AMI that is not encrypted, and there is a requirement for the EBS Volume to be encrypted, then perhaps EBS is encrypting the volume before you launch the instance.
Normally, when an EBS Volume is created from an AMI, nothing is actually copied to the EBS Volume. Instead, whenever a block is read for the first time and that block is known to be non-empty, the block is copied from the AMI to the EBS volume and then accessed by the instance. This means that the instance doesn’t need to wait for the EBS volume to be ‘hydrated’ from the AMI.
However, throw in the need for the volume to be encrypted where the AMI is not encrypted, and this might mean that the EBS volume needs to be fully loaded before the instance can start. However, I have not heard of such cases before, so this might be totally wrong.
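As an added example (not from the question or either answer), a small Python check of which KMS actions the question's policy grants on its key ARN, honouring the `*` wildcards IAM permits in Action and Resource; the list of actions it checks against is an assumption for illustration, not taken from the page. As the second answer points out, a policy on the instance role only governs software inside the instance, so a complete grant here still says nothing about whether the EBS service itself may use the key.

```python
"""Check which KMS actions an IAM policy grants on a key ARN (added example)."""
import fnmatch
import json

# The policy from the question; account id and key id are the poster's placeholders.
INSTANCE_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "KMS",
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:ReEncrypt*", "kms:Encrypt",
               "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"],
    "Resource": ["arn:aws:kms:us-west-2:213456789:key/abc123"]
  }]
}""")
KEY_ARN = "arn:aws:kms:us-west-2:213456789:key/abc123"

# ASSUMED list of actions to check for; take the authoritative set from the EBS docs.
EBS_KMS_ACTIONS = ["kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
                   "kms:GenerateDataKeyWithoutPlaintext",
                   "kms:ReEncryptFrom", "kms:ReEncryptTo"]


def _as_list(value):
    """IAM allows Action and Resource to be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def granted_actions(policy, key_arn, required):
    """Actions in `required` that some Allow statement grants on `key_arn`.

    Action names match case-insensitively with IAM's '*' and '?' wildcards;
    resource ARNs match case-sensitively. Deny statements and Conditions are
    out of scope for this check.
    """
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in resources):
            continue  # statement does not cover this key
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for action in required:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                granted.add(action)
    return granted


def missing_actions(policy, key_arn, required):
    """Sorted list of `required` actions no Allow statement grants on `key_arn`."""
    return sorted(set(required) - granted_actions(policy, key_arn, required))
```

Running `missing_actions(INSTANCE_ROLE_POLICY, KEY_ARN, EBS_KMS_ACTIONS)` returns an empty list, because `kms:ReEncrypt*` and `kms:GenerateDataKey*` cover the specific action names; the same check against a key ARN in another region reports every action as missing, since the Resource element pins the grant to one key.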