Internal Error when Programmatically Starting ECS instance with Encrypted Volume
I recently ran into an issue with a python app I wrote to AutoStart EC2 instances each day based on a tag. If I started the instance manually from the console it would Strat fine. When I tried to start in from a lambda function it would go to a pending stated then stop with an Internal error. I also have an auto stop lambda function that is basically line for line the same except for the filter being used that works fine.
Turns out to execution policy that the lambda code is running most have a number of KMS Permissions in order to handle the decryption and encryption of the volume(s). Here is a basic policy json doc that includes the KMS permissions needed.
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Sid”: “VisualEditor0”,
“Effect”: “Allow”,
“Action”: [
“kms:Decrypt”,
“kms:ReEncrypt*”,
“kms:Encrypt”,
“kms:GenerateDataKey*”,
“kms:DescribeKey”,
“kms:CreateGrant”
],
“Resource”: “arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab”
}
]
}
For finer grain control you can see the article for other options:
https://aws.amazon.com/premiumsupport/knowledge-center/encrypted-volumes-stops-immediately/