How do I troubleshoot Amazon EC2 instance launch failures caused by AMI issues?

I want to troubleshoot my Amazon Machine Image (AMI) that fails to launch an Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

When you launch an EC2 instance from an AMI, you might receive one of the following error messages:

  • "Error launching AMI: In order to use the AWS Marketplace product you need to accept the terms and subscribe."
  • "Error: The instance configuration for this AWS Marketplace product is not supported."
  • "This version has been removed and is no longer available to new customers."

Or, your instance might immediately stop after you launch it. This issue typically occurs when you encrypt the instance's Amazon Elastic Block Store (Amazon EBS) volumes.

Resolution

Troubleshoot the "you need to accept the terms and subscribe" error

You can create new AMIs or launch instances from the instances that you created with an AWS Marketplace AMI. AWS accounts that you share these instances with must subscribe to the AWS Marketplace AMI. If the shared account doesn't subscribe to the original AWS Marketplace AMI, then you can't launch an instance from the new AMI. You also can't attach an Amazon EBS volume that you created from a snapshot of the AMI.

To resolve this issue, open the link in the error message to subscribe the account to the AMI. Then, accept the terms of the AMI. Or, use the AWS Marketplace console to subscribe to the AMI.

Troubleshoot the "configuration for this AWS Marketplace product is not supported" error

Vendors can restrict AWS Marketplace AMIs to allow only specific instance configurations. If you try to launch an unsupported instance type, then you receive the "configuration for this AWS Marketplace product is not supported" error message.

Check the AWS Marketplace page for the AMI for information about supported instance types. Make sure that you use a supported instance type.

Troubleshoot the "version has been removed" error

The "version has been removed" error typically occurs when the vendor deprecated the AMI. It's a best practice to migrate your instance to the latest version of the AMI.

For additional product information, contact the vendor's support team through the AWS Marketplace, or email their support address.

Troubleshoot encrypted EBS volume issues

The AWS Identity and Access Management (IAM) user must have access to the AWS Key Management Service (AWS KMS) encryption key to launch the instance. If you don't grant the required permissions, then the instance launch fails.

To resolve this issue, confirm that you correctly shared the AMI with the destination account. To share an AMI, the source account's IAM user or role must have ModifyImageAttribute permissions for the AMI.

Example IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyImageAttribute"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1::image/12345678"
      ]
    }
  ]
}

Note: Replace arn:aws:ec2:us-east-1::image/12345678 with the Amazon Resource Name (ARN) of the AMI.

In the source account, complete the following steps to share the AWS KMS key with the destination account:

  1. Open the AWS KMS console.
  2. In the navigation pane, choose Customer managed keys, and then choose your AWS KMS key.
  3. Under Other AWS accounts, choose Add other AWS accounts, and then choose Add another AWS account.
  4. For arn:aws:iam::, enter the ID of your destination account.
  5. Choose Save changes.

In the destination account, confirm that the IAM user or role has the required encryption permissions.

Example IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ReEncrypt*",
        "kms:Decrypt",
        "kms:GenerateDataKeyWithoutPlainText"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:Source-Account:key/key-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": [
        "arn:aws:kms:us-east-1:Source-Account:key/key-id"
      ],
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}

Note: Replace us-east-1 with your AWS Region, Source-Account with the source account ID, and key-id with the AWS KMS key ID.
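
To check a destination-account policy offline before a launch attempt, the following added example (not part of the original article or any AWS tooling) audits a policy document for the KMS actions in the example policy above and flags kms:CreateGrant that is not limited by kms:GrantIsForAWSResource. The function names, the account ID and key ID in KEY_ARN, and WEAK_POLICY are constructed for illustration; the check evaluates Allow statements only.

```python
import fnmatch

# Concrete actions the destination-account policy above must allow on the
# source key (kms:ReEncrypt* covers ReEncryptFrom and ReEncryptTo).
REQUIRED = ["kms:DescribeKey", "kms:Decrypt", "kms:ReEncryptFrom",
            "kms:ReEncryptTo", "kms:GenerateDataKeyWithoutPlaintext",
            "kms:CreateGrant"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grant_is_scoped(stmt):
    # Accepts the JSON boolean true or the string "true".
    cond = stmt.get("Condition", {}).get("Bool", {})
    return str(cond.get("kms:GrantIsForAWSResource", "")).lower() == "true"

def audit_policy(policy, key_arn):
    """Return (missing_actions, findings) for Allow statements covering key_arn.
    Simplification: Deny, NotAction and NotResource are not evaluated."""
    allowed, findings = set(), []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in resources):
            continue
        patterns = [p.lower() for p in _as_list(stmt["Action"])]  # actions are case-insensitive
        for action in REQUIRED:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                allowed.add(action)
                if action == "kms:CreateGrant" and not _grant_is_scoped(stmt):
                    findings.append("kms:CreateGrant allowed without kms:GrantIsForAWSResource")
    return [a for a in REQUIRED if a not in allowed], findings

# Constructed sample data: placeholder account ID and key ID.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": [KEY_ARN],
     "Action": ["kms:DescribeKey", "kms:ReEncrypt*", "kms:Decrypt",
                "kms:GenerateDataKeyWithoutPlainText"]},
    {"Effect": "Allow", "Action": "kms:CreateGrant", "Resource": [KEY_ARN],
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}}]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["kms:Decrypt", "kms:CreateGrant"]}]}

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("weak policy", WEAK_POLICY)):
        missing, findings = audit_policy(doc, KEY_ARN)
        print(name, "| missing:", missing or "none", "| findings:", findings or "none")
```

A non-empty missing list points to a launch that is likely to stop immediately; a finding means the launch can work but the principal can create grants that are not tied to an AWS resource.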

To test your configuration, launch your instance with the encrypted AMI. When you use a shared encrypted AMI, you can use your own AWS KMS key or the source AWS KMS key for volume encryption. It's a best practice to use an AWS KMS key from the destination account to reencrypt volumes. This protects against source key compromise or permission revocation issues.

For more information, see How to share encrypted AMIs across accounts to launch encrypted EC2 instances.

AWS OFFICIAL | Updated a month ago