AWS: Correct permission to start an EC2 instance with encrypted EBS

Bao Nguyen
2 min read · Dec 15, 2017


AWS has a very flexible permission system using IAM policies, but sometimes it is also complicated to get the access control right. Yesterday, I worked on an IAM policy to allow an instance to start / stop another instance.

It should be straightforward, and this was my initial policy:

{
  "Effect": "Allow",
  "Action": [
    "ec2:StopInstances",
    "ec2:StartInstances",
    "ec2:RebootInstances",
    "ec2:Describe*"
  ],
  "Resource": "*"
}

It worked well, but I quickly found out that it didn’t work for all instances. It didn’t provide any useful information: the instance briefly entered the pending state, then stopped immediately with the message Server.InternalError: Internal error on launch. If I started the instance from the console, it started up just fine.

After some investigation, it turned out that the above policy does not work when the instance has an encrypted EBS volume. So I went ahead and updated the policy to allow usage of the KMS key, as described here.

{
  "Effect": "Allow",
  "Action": [
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Encrypt",
    "kms:DescribeKey",
    "kms:Decrypt"
  ],
  "Resource": "{{KEY_ARN}}"
}

But it still didn’t work. If I changed the action to kms:*, then it worked. After a lot of trial, error and documentation, I found out that you also have to allow the kms:CreateGrant permission. So basically, when you start the instance you are also delegating the encryption permission to the instance (as a KMS grant) so that it can encrypt / decrypt the EBS volume, hence you need the CreateGrant permission.

My final policy looks as follows, and it works for all the cases so far 😀

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:RebootInstances",
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:RetireGrant",
        "kms:CreateGrant",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt"
      ],
      "Resource": "{{KEY_ARN}}"
    }
  ]
}
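To catch this kind of gap before a failed launch, here is a small offline checker (an added example, not code from the post) that expands the policy's action wildcards the way IAM does and reports which of the KMS actions above are not granted on the key. The key ARN and the intermediate policy are constructed sample input; Condition, NotAction and NotResource blocks are not evaluated.

```python
import fnmatch

# KMS actions the post found EC2 needs on the volume's key (the post's
# "kms:ReEncrypt*" / "kms:GenerateDataKey*" wildcards expand to these).
REQUIRED_KMS_ACTIONS = [
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom", "kms:ReEncryptTo",
]

def _as_list(value):
    # IAM lets Action/Resource be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case=False):
    # IAM wildcards are '*' and '?'; actions match case-insensitively, ARNs do not.
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))

def allowed(policy, action, resource):
    """True if `policy` grants `action` on `resource`; an explicit Deny always wins.
    Limitation: NotAction, NotResource and Condition blocks are not evaluated."""
    decision = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            decision = True
    return decision

def missing_kms_actions(policy, key_arn):
    """Required KMS actions the policy does not grant on `key_arn`."""
    return [a for a in REQUIRED_KMS_ACTIONS if not allowed(policy, a, key_arn)]

# Constructed sample: placeholder key ARN and the post's intermediate policy
# (KMS usage without CreateGrant), the one that still failed.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
INTERMEDIATE_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Encrypt",
               "kms:DescribeKey", "kms:Decrypt"],
    "Resource": KEY_ARN,
}]}
```

Because conditions are ignored, the checker also accepts a statement that restricts kms:CreateGrant with the kms:GrantIsForAWSResource condition key, which is the usual way to limit that permission to grants created on your behalf by AWS services such as EC2.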

I hope this post will save someone time, because it took me 2 hours to figure out the problem!
