別アカウントから共有された AMI を利用して EC2 インスタンスを起動した際に、起動が失敗する原因と対処法を教えてください

2024.06.12

困っていること

別アカウントから共有された AMI を利用して EC2 インスタンスを起動しました。しかしながら起動できず失敗しました。(インスタンスの状態が強制的に終了済みになります)
起動に失敗する原因と対処法を教えてください。

どう対応すればいいの?

原因

共有元 AMI のスナップショット (EBS) がカスタマーマネージドキー (CMK) で暗号化されている場合、暗号化に使用した CMK のキーポリシー (キーを所有する共有元アカウント側) で、共有先アカウントのユーザー/ロールにそのキーの使用を許可する必要があります。キーポリシーで共有先アカウントの root (`arn:aws:iam::<共有先アカウントID>:root`) に対して許可した場合、それは共有先アカウントの IAM に権限委譲しただけなので、共有先側で実際にインスタンスを起動するユーザー/ロールの IAM ポリシーでも当該キー ARN に対する同じ KMS アクションを許可しないと利用できません (クロスアカウント利用では両方の許可が必要です)。なお、AWS マネージドキー (aws/ebs) で暗号化されたスナップショットはキーポリシーを変更できないためアカウント間で共有できず、共有元で CMK を使って再暗号化 (コピー) した AMI を共有する必要があります。
共有元アカウントの CMK のキーポリシーで共有先アカウントへアクセス権が付与されているか、および共有先の起動ユーザー/ロールの IAM ポリシーでそのキーの利用が許可されているかをご確認ください。

対処法

対象 AMI を確認

1. EC2 ⇒ AMI ⇒ 対象 AMI ID
2. ストレージを選択 ⇒ KMS キー ID

カスタマーマネージドキーを修正 (キーを所有する共有元アカウントで実施)

3. KMS ⇒ カスタマー管理型のキー ⇒ 対象 AMI 記載のキー ID: xxxxxx
4. キーポリシーを選択
5. 編集を選択

キーポリシーの編集画面で、ドキュメント記載のサンプルキーポリシーを参考に修正してください。その際は、既存のキーポリシーの `Statement` 配列に以下のステートメントを追加する形で編集し、既存のステートメント (特にキー管理者や共有元アカウントの root に権限を与えているもの) を削除しないでください。削除するとキーを管理・利用できなくなるおそれがあります。サンプル中のアカウント ID (111122223333 / 444455556666) は例示用の値なので、共有先アカウントの ID に置き換えてください。最小権限の観点からは、`:root` ではなく実際にインスタンスを起動するロール (またはユーザー) の ARN を指定することを推奨します。AWS ドキュメント上、共有 AMI からの起動に必要とされている KMS アクションは kms:DescribeKey、kms:ReEncrypt*、kms:CreateGrant、kms:Decrypt であり、サンプルはそれより広い権限 (Encrypt、GenerateDataKey* など) を含んでいるため、用途に応じて絞り込んでください。

{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {"AWS": [
    "arn:aws:iam::111122223333:user/KeyUser",
    "arn:aws:iam::444455556666:root"
  ]},
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {"AWS": [
    "arn:aws:iam::111122223333:user/KeyUser",
    "arn:aws:iam::444455556666:root"
  ]},
  "Action": [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": "*",
  "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
}

※ 記載のカスタマーマネージドキーは削除しています

補足

起動失敗時の状況を調査するため、共有先アカウントの CloudTrail のイベント履歴を確認しましたが、RunInstances の API 呼び出し自体は成功しているため (下記レコードの responseElements でも instanceState は pending)、このイベントには error や errorCode は記録されないことに注意してください。KMS キーへアクセスできないことによる終了は API 応答後に非同期で発生します。原因の切り分けには、EC2 コンソールの「状態遷移の理由」や DescribeInstances の StateReason、および CloudTrail 上の KMS 関連イベント (当該キーに対する CreateGrant / Decrypt などの失敗があれば、共有元・共有先の両アカウントで) を併せて確認してください。

※ 一部マスクして記載しています (実際に公開する際は、アクセスキー ID だけでなく sourceIPAddress やサブネット / セキュリティグループ / VPC / ENI / インスタンス ID などの環境識別子も同様にマスクすることを推奨します)

イベントレコード
{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "Root",
        "principalId": "123456789012",
        "arn": "arn:aws:iam::123456789012:root",
        "accountId": "123456789012",
        "accessKeyId": "ASIAUE7G2xxxxxxxxxxx",
        "sessionContext": {
            "attributes": {
                "creationDate": "2024-06-11T03:32:00Z",
                "mfaAuthenticated": "true"
            }
        }
    },
    "eventTime": "2024-06-11T07:55:57Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "RunInstances",
    "awsRegion": "ap-northeast-1",
    "sourceIPAddress": "124.144.87.120",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
    "requestParameters": {
        "instancesSet": {
            "items": [
                {
                    "imageId": "ami-00f85c7d97b8a7461",
                    "minCount": 1,
                    "maxCount": 1,
                    "keyName": "key-test-xxxx"
                }
            ]
        },
        "instanceType": "t3.micro",
        "blockDeviceMapping": {},
        "monitoring": {
            "enabled": false
        },
        "disableApiTermination": false,
        "disableApiStop": false,
        "clientToken": "324523cf-aaaa-4567-b48f-zzzzzzzzzzzz",
        "networkInterfaceSet": {
            "items": [
                {
                    "deviceIndex": 0,
                    "subnetId": "subnet-03de1d43ec0c4f95d",
                    "associatePublicIpAddress": true,
                    "groupSet": {
                        "items": [
                            {
                                "groupId": "sg-08901c6669fc3e022"
                            }
                        ]
                    }
                }
            ]
        },
        "ebsOptimized": true,
        "tagSpecificationSet": {
            "items": [
                {
                    "resourceType": "instance",
                    "tags": [
                        {
                            "key": "Name",
                            "value": "Sub"
                        }
                    ]
                }
            ]
        },
        "privateDnsNameOptions": {
            "hostnameType": "ip-name",
            "enableResourceNameDnsARecord": false,
            "enableResourceNameDnsAAAARecord": false
        }
    },
    "responseElements": {
        "requestId": "098765cf-aaaa-4567-bbbb-zzzzzzzzzzzz",
        "reservationId": "r-00512345678909876",
        "ownerId": "098765432112",
        "groupSet": {},
        "instancesSet": {
            "items": [
                {
                    "instanceId": "i-09cdb31113560b3f7",
                    "imageId": "ami-00f85c7d97b8a7461",
                    "currentInstanceBootMode": "legacy-bios",
                    "instanceState": {
                        "code": 0,
                        "name": "pending"
                    },
                    "privateDnsName": "ip-10-0-6-55.ap-northeast-1.compute.internal",
                    "keyName": "key-test-xxxx",
                    "amiLaunchIndex": 0,
                    "productCodes": {},
                    "instanceType": "t3.micro",
                    "launchTime": 1718092557000,
                    "placement": {
                        "availabilityZone": "ap-northeast-1a",
                        "tenancy": "default"
                    },
                    "monitoring": {
                        "state": "disabled"
                    },
                    "subnetId": "subnet-03de1d43ec0c4f95d",
                    "vpcId": "vpc-0c7ce41bf33dde609",
                    "privateIpAddress": "10.0.6.55",
                    "stateReason": {
                        "code": "pending",
                        "message": "pending"
                    },
                    "architecture": "x86_64",
                    "rootDeviceType": "ebs",
                    "rootDeviceName": "/dev/xvda",
                    "blockDeviceMapping": {},
                    "virtualizationType": "hvm",
                    "hypervisor": "xen",
                    "tagSet": {
                        "items": [
                            {
                                "key": "Name",
                                "value": "Sub"
                            }
                        ]
                    },
                    "clientToken": "324523cf-0f61-4356-b48f-9e3b1fe9c320",
                    "groupSet": {
                        "items": [
                            {
                                "groupId": "sg-08901c6669fc3e022",
                                "groupName": "default"
                            }
                        ]
                    },
                    "sourceDestCheck": true,
                    "networkInterfaceSet": {
                        "items": [
                            {
                                "networkInterfaceId": "eni-0267336395024f73e",
                                "subnetId": "subnet-03de1d43ec0c4f95d",
                                "vpcId": "vpc-0c7ce41bf33dde609",
                                "ownerId": "098765432112",
                                "status": "in-use",
                                "macAddress": "06:c1:11:33:22:b9",
                                "privateIpAddress": "10.0.6.55",
                                "privateDnsName": "ip-10-0-6-55.ap-northeast-1.compute.internal",
                                "sourceDestCheck": true,
                                "interfaceType": "interface",
                                "groupSet": {
                                    "items": [
                                        {
                                            "groupId": "sg-08901c6669fc3e022",
                                            "groupName": "default"
                                        }
                                    ]
                                },
                                "attachment": {
                                    "attachmentId": "eni-attach-0579f22c5912a0dbe",
                                    "deviceIndex": 0,
                                    "networkCardIndex": 0,
                                    "status": "attaching",
                                    "attachTime": 1718092557000,
                                    "deleteOnTermination": true
                                },
                                "privateIpAddressesSet": {
                                    "item": [
                                        {
                                            "privateIpAddress": "10.0.6.55",
                                            "privateDnsName": "ip-10-0-6-55.ap-northeast-1.compute.internal",
                                            "primary": true
                                        }
                                    ]
                                },
                                "ipv6AddressesSet": {},
                                "tagSet": {}
                            }
                        ]
                    },
                    "ebsOptimized": true,
                    "enaSupport": true,
                    "cpuOptions": {
                        "coreCount": 1,
                        "threadsPerCore": 2
                    },
                    "capacityReservationSpecification": {
                        "capacityReservationPreference": "open"
                    },
                    "enclaveOptions": {
                        "enabled": false
                    },
                    "metadataOptions": {
                        "state": "pending",
                        "httpTokens": "optional",
                        "httpPutResponseHopLimit": 1,
                        "httpEndpoint": "enabled",
                        "httpProtocolIpv4": "enabled",
                        "httpProtocolIpv6": "disabled",
                        "instanceMetadataTags": "disabled"
                    },
                    "maintenanceOptions": {
                        "autoRecovery": "default"
                    },
                    "privateDnsNameOptions": {
                        "hostnameType": "ip-name",
                        "enableResourceNameDnsARecord": false,
                        "enableResourceNameDnsAAAARecord": false
                    }
                }
            ]
        }
    },
    "requestID": "2acc1898-xxxx-4444-abcd-aaaaaaaaaaaa",
    "eventID": "062cb944-bbbb-4444-abcd-xxxxxxxxxxxx",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "098765432112",
    "sharedEventID": "dbkkkkkk-1234-4df5-9c09-cccccccccccc",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "ec2.ap-northeast-1.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}

参考資料