
I need to create an Auto Scaling group, but instances launched from its launch configuration keep failing. The AMI is encrypted (for security reasons), and once the capacity wait-timeout expires Terraform exits with this error:

Error: "autoscaling group": Waiting up to 5m0s: Need at least 1 healthy instances in ASG, have 0. Most recent activity: {

  ActivityId: "35c5cb87-fc76-a0bc-e547-xxxxxx",

  AutoScalingGroupName: "autoscaling group",

  Cause: "At 2020-06-23T16:24:50Z an instance was started in response to a difference between desired and actual capacity, increasing the capacity from 0 to 1.",

  Description: "Launching a new EC2 instance: i-xxxxx.  Status Reason: Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch",

  Details: "{\"Subnet ID\":\"subnet-xxxxxxx\",\"Availability Zone\":\"us-east-2b\"}",

  EndTime: 2020-06-23 16:25:23 +0000 UTC,

  Progress: 100,

  StartTime: 2020-06-23 16:24:52.392 +0000 UTC,

  StatusCode: "Cancelled",

  StatusMessage: "Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch"

}

Here is the IAM policy I created for KMS access (it is attached to the role behind the instance profile referenced in the module below):

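resource "aws_iam_policy" "kms_policy" {
  name        = "KMS_grant"
  path        = "/"
  description = "A policy to allow the autoscaling group to use KMS"

  # Identity-based policy for the instance profile role: it lets the EC2
  # instances (and RDS) in the ASG's region use the CMK. It does NOT authorise
  # the Auto Scaling service-linked role, which is the principal that needs
  # the CMK to launch from an encrypted AMI -- that has to be granted in the
  # CMK's key policy.
  #
  # Changes from the original:
  #  - a comma was missing after "Resource": "*", which is invalid JSON and
  #    makes the aws_iam_policy resource fail to create;
  #  - kms:ViaService was pinned to us-west-2 while the failing launch is in
  #    us-east-2b (see the Availability Zone in the error), so the condition
  #    could never match. Add the us-west-2 entries back if the key is also
  #    used from that region.
  # Hardening still worth doing: replace "Resource": "*" with the CMK's ARN,
  # and move kms:CreateGrant into its own statement conditioned on
  # kms:GrantIsForAWSResource. (Putting that Bool condition on this statement
  # would leave Decrypt etc. unauthorised, since the key is absent from
  # those requests.)
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:DescribeKey"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "ec2.us-east-2.amazonaws.com",
            "rds.us-east-2.amazonaws.com"
          ]
        }
      }
    }
  ]
}
EOF
}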

{

    "Images": [

        {

            "Architecture": "x86_64",

            "CreationDate": "2020-06-15T19:01:08.000Z",

            "ImageId": "ami-xxxxxxx",

            "ImageLocation": "8xxxxxxx/amazon-linux-ami-2-x",

            "ImageType": "machine",

            "Public": false,

            "OwnerId": "8xxxxxxx",

            "PlatformDetails": "Linux/UNIX",

            "UsageOperation": "RunInstances",

            "State": "available",

            "BlockDeviceMappings": [

                {

                    "DeviceName": "/dev/xvda",

                    "Ebs": {

                        "DeleteOnTermination": true,

                        "SnapshotId": "snap-xxxxxx",

                        "VolumeSize": 8,

                        "VolumeType": "gp2",

                        "Encrypted": true

                    }

                }

            ],

            "EnaSupport": true,

            "Hypervisor": "xen",

            "Name": "amazon-linux-ami-2-x",

            "RootDeviceName": "/dev/xvda",

            "RootDe

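module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "~> 3.0"

  name = "service"

  # Launch configuration
  lc_name = "launch-config"

  image_id      = "ami-xxxx"
  instance_type = "t2.micro"

  # Every instance gets a public IP. Make sure the security group below
  # restricts ingress, or set this to false and reach the instances through
  # a bastion / SSM instead.
  associate_public_ip_address  = true
  recreate_asg_when_lc_changes = true

  # Module 3.x targets Terraform 0.12+, so the plain reference replaces the
  # legacy "${...}" interpolation (same value, no deprecation warning).
  iam_instance_profile = aws_iam_instance_profile.kms_instance.name
  security_groups      = [module.network.autoscale_security_group]

  # Additional data volume. The original omitted `encrypted`, so this volume
  # would have been created unencrypted even though the AMI's root volume is
  # encrypted. A launch configuration cannot pick a CMK per volume, so this
  # uses the account's default EBS encryption key; use a launch template if
  # the data volume must use the same CMK as the AMI.
  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
      encrypted             = true
    },
  ]

  # Root volume: encryption is inherited from the AMI's encrypted snapshot
  # (Encrypted: true in the describe-images output), so nothing to set here.
  root_block_device = [
    {
      volume_size           = "50"
      volume_type           = "gp2"
      delete_on_termination = true
    },
  ]

  # Auto scaling group
  asg_name            = "asg_name"
  vpc_zone_identifier = ["subnet-xxxxx", "subnet-xxxx"]
  health_check_type   = "EC2"
  min_size            = 1
  max_size            = 1
  desired_capacity    = 1

  # Terraform waits this long for min_size healthy instances; the error in the
  # question is this wait expiring because the launch itself failed
  # (Client.InternalError), not because the instances were slow to boot.
  wait_for_capacity_timeout = "5m"
  force_delete              = true

  tags = ommitted # redacted in the original post; supply the real tag list here
}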

Any help would be appreciated!!


Your IAM policy only grants KMS access to the instance role for calls made via EC2 and RDS — and only in us-west-2, while the failing launch is in us-east-2b, so that condition never matches anyway. It is also not the permission that is missing: when an Auto Scaling group launches from an AMI whose snapshot is encrypted with a customer managed CMK, the Auto Scaling service-linked role (AWSServiceRoleForAutoScaling) must be allowed to use that CMK, and a launch that fails with `Client.InternalError: Client error on launch` is the typical symptom when it is not. That permission goes in the CMK's key policy (or, for a key owned by another account, via a grant plus an IAM policy on the service-linked role), not in the IAM policy attached to the instance profile.

Below are the two statements to add to the CMK's key policy (replace `123456789012` with your account ID, and the role ARN if you use a custom-suffixed service-linked role). Inside a key policy, `"Resource": "*"` means "this key" only. The second statement allows `kms:CreateGrant` solely when the grant is created on behalf of an AWS service (`kms:GrantIsForAWSResource`), which is all the service-linked role needs and avoids giving it unrestricted grant creation:

{

   "Sid": "Allow service-linked role use of the CMK",

   "Effect": "Allow",

   "Principal": {

       "AWS": [

           "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"

       ]

   },

   "Action": [

       "kms:Encrypt",

       "kms:Decrypt",

       "kms:ReEncrypt*",

       "kms:GenerateDataKey*",

       "kms:DescribeKey"

   ],

   "Resource": "*"

}

{

   "Sid": "Allow attachment of persistent resources",

   "Effect": "Allow",

   "Principal": {

       "AWS": [

           "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"

       ]

   },

   "Action": [

       "kms:CreateGrant"

   ],

   "Resource": "*",

   "Condition": {

       "Bool": {

           "kms:GrantIsForAWSResource": true

       }

    }

}
