I can’t create or attach an encrypted Amazon Elastic Block Store (Amazon EBS) volume from a snapshot. The snapshot is encrypted with an AWS Key Management Service (AWS KMS) customer managed key.
Short description
You might not be able to create or attach an encrypted EBS volume from an encrypted snapshot. This occurs when your snapshot and the custom KMS key that's used to encrypt the snapshot are in the same account and are missing key policy permissions. To resolve this issue, allow the AWS Identity and Access Management (IAM) user or role in the AWS KMS key policy.
Resolution
Identify the missing permissions from the policy that uses the CloudTrail Event history
- Open the AWS CloudTrail console.
- Choose Event history. Then, for Time range, enter a 15-minute window when the AttachVolume or CreateVolume API calls occurred.
- Choose Filter, choose Event source, and then enter kms.amazonaws.com.
- After the results load, choose the download button, and then choose Download CSV.
- Open the .csv file, and then filter the Error code column for AccessDenied. The Event names with the AccessDenied error code are usually the missing permissions.
Note: CloudTrail events can take up to 15 minutes to appear on the Events history tab. Checking Events history immediately after you receive the CreateVolume or AttachVolume failed status might not show any events.
After you identify the missing permissions, complete the following steps to resolve the issue.
Verify that the KMS key policy includes the IAM user or role who's creating or attaching the volume
AWS KMS console default view
1. Open the AWS KMS console.
2. Choose Customer managed keys, and then select the appropriate key.
3. Under Key policy, scroll down to Key users. Verify that the Key users section lists the IAM user or role who's creating or attaching the volume.
4. If the Key users section doesn't list the user or role, then choose Add, select the user or role, and then choose Add.
AWS KMS console policy view
If you previously manually edited the AWS KMS key policy, then the key policy is available only in policy (JSON) view. To allow required AWS KMS permissions, list the ARN of the IAM user or role as Principal in the statement.
Example Key policy
The following is an example of an AWS KMS key policy that allows UserA access to Key1:
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [{
"Sid": "Enable IAM User Permissions",
...
},
{
"Sid": "Allow access for Key Administrators",
...
},
{
"Sid": "Allow use of the keys",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:user/UserA"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:user/UserA"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}