Internal Error when Programmatically Starting an EC2 Instance with an Encrypted Volume

I recently ran into an issue with a Python app I wrote to auto-start EC2 instances each day based on a tag. If I started the instance manually from the console it would start fine. When I tried to start it from a Lambda function it would go to a pending state and then stop with an Internal error. I also have an auto-stop Lambda function that is basically line for line the same, except for the filter being used, that works fine.

Turns out the execution role policy that the Lambda code runs under must have a number of KMS permissions in order to handle the decryption and encryption of the instance's volume(s). Here is a basic policy JSON document that includes the KMS permissions needed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:Encrypt",
                "kms:GenerateDataKey*",
                "kms:DescribeKey",
                "kms:CreateGrant"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}

For finer-grained control, see the AWS knowledge center article for other options:

https://aws.amazon.com/premiumsupport/knowledge-center/encrypted-volumes-stops-immediately/
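As an added example (not code from the original post), here is a small Python check you can run against an execution role's policy document before deploying the Lambda: it expands the wildcard entries in the policy above to the concrete KMS actions IAM evaluates and reports which ones are not granted on the key ARN. The key ARN is the placeholder from the policy above; the read-only policy is a constructed sample that reproduces the failing setup.

```python
import fnmatch
import json

# Concrete KMS actions covered by the entries in the post's policy
# (kms:ReEncrypt* and kms:GenerateDataKey* expanded to what IAM evaluates).
REQUIRED_KMS_ACTIONS = [
    "kms:Decrypt", "kms:Encrypt", "kms:DescribeKey", "kms:CreateGrant",
    "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
]


def _as_list(value):
    # IAM accepts a bare string wherever a list is allowed.
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # IAM wildcards ('*' and '?') behave like shell globs.
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def missing_kms_actions(policy, key_arn):
    """Return the required KMS actions that no Allow statement grants on key_arn.

    Deliberately simple: ignores Deny statements, NotAction/NotResource and
    Condition blocks, and does not evaluate the key policy on the CMK itself.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; ARNs are compared as written.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not _matches(_as_list(stmt.get("Resource", [])), key_arn):
            continue
        granted.update(a for a in REQUIRED_KMS_ACTIONS if _matches(actions, a.lower()))
    return [a for a in REQUIRED_KMS_ACTIONS if a not in granted]


# Sample inputs (constructed): the post's policy, and a trimmed one that can only read.
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
POLICY_FROM_POST = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
  "Action": ["kms:Decrypt", "kms:ReEncrypt*", "kms:Encrypt", "kms:GenerateDataKey*",
             "kms:DescribeKey", "kms:CreateGrant"],
  "Resource": "%s"}]}""" % KEY_ARN)
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}

if __name__ == "__main__":
    print("post policy missing:", missing_kms_actions(POLICY_FROM_POST, KEY_ARN))
    print("read-only policy missing:", missing_kms_actions(READ_ONLY_POLICY, KEY_ARN))
```

An empty list for a policy does not by itself prove the start will succeed: the CMK's key policy must also allow the role, which this check does not read.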
