I recently enabled default EBS encryption as mentioned here: https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/. Afterwards, when attempting to launch a Beanstalk instance, I get a generic 'ClientError' and the instance immediately terminates. If I disable default encryption, it works fine.
Does anyone know what changes are required to get beanstalk to work with a customer managed encryption key? I suspected it was a permissions issue so I temporarily gave the beanstalk roles full admin access but that did not solve the issue. Is there something else I am missing?
I saw this related question but it was before default EBS encryption was released and I was hoping to avoid having to copy and encrypt the AMI manually...
If you are using a custom CMK, you have to update the key policy and assign permissions explicitly. For EBS encryption, a principal usually requires the following permissions:
kms:CreateGrant
kms:Encrypt
kms:Decrypt
kms:ReEncrypt*
kms:GenerateDataKey*
kms:DescribeKey
The best way to troubleshoot key permission issues is to check the CloudTrail event history. Filter the events by event source and check if there is any "access denied" error.
Filter: Event source: kms.amazonaws.com
You can see which action is denied here and adjust the key policy accordingly. The "User name" field in the event gives you a hint to determine the ARN of the principal to use in the policy.
In your case, it is very likely that one of the service-linked roles requires permissions to access the KMS key. There is a good explanation of key permissions here for the Auto Scaling service-linked role.
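As an added example (not part of the original answer), the script below applies the CloudTrail filter described above to a few constructed sample events and turns the denied actions into the key policy statements to add; the role ARN and the account id 123456789012 are placeholders, and the sample events are constructed, not real log data.

```python
ROLE = ("arn:aws:iam::123456789012:role/aws-service-role/"
        "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")

def _kms_event(name, error=None):
    # Constructed CloudTrail record: the Auto Scaling service-linked role calling KMS.
    # The account id 123456789012 is a placeholder, not a real account.
    ev = {"eventSource": "kms.amazonaws.com", "eventName": name,
          "userIdentity": {"type": "AssumedRole",
                           "arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForAutoScaling/i-0abc",
                           "sessionContext": {"sessionIssuer": {"arn": ROLE}}}}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [  # constructed sample log, not real data
    _kms_event("CreateGrant", "AccessDenied"),
    _kms_event("DescribeKey"),  # succeeded: no errorCode field
    _kms_event("GenerateDataKeyWithoutPlaintext", "AccessDenied"),
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deployer"}},
]

REQUIRED_ACTIONS = ["kms:CreateGrant", "kms:Encrypt", "kms:Decrypt",
                    "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]

def principal_arn(identity):
    """Key policies name the IAM role/user, not the temporary STS session ARN."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity["arn"]

def kms_access_denials(events):
    """The answer's filter: eventSource kms.amazonaws.com plus an AccessDenied errorCode.
    Returns sorted (principal ARN, denied kms:Action) pairs."""
    return sorted({(principal_arn(e["userIdentity"]), "kms:" + e["eventName"])
                   for e in events
                   if e.get("eventSource") == "kms.amazonaws.com"
                   and e.get("errorCode") == "AccessDenied"})

def key_policy_statements(principals):
    """Statements to add to the key policy for the denied principals. CreateGrant is
    confined to grants made on behalf of AWS services (kms:GrantIsForAWSResource)."""
    who = {"AWS": sorted(set(principals))}
    return [
        {"Sid": "AllowUseOfKey", "Effect": "Allow", "Principal": who,
         "Action": [a for a in REQUIRED_ACTIONS if a != "kms:CreateGrant"],
         "Resource": "*"},
        {"Sid": "AllowGrantsForAwsResources", "Effect": "Allow", "Principal": who,
         "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]
```

The denied principal is taken from sessionIssuer, which is the role ARN the key policy needs; the ec2.amazonaws.com denial is ignored because the filter is on the KMS event source.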
Related
I am trying to copy and restore a DB snapshot from one account to the other, but it seems as though I'm running into permission issues. Here's my process:
1. In AccountA, I am restoring an automated, encrypted snapshot to a "manual" snapshot.
2. In AccountA, I am sharing this "manual" snapshot with AccountB.
3. In AccountA, I am also sharing the KMS key that was used to create this snapshot with AccountB.
4. In AccountB, I have a user set up with API access and am attempting to run copy-db-snapshot.
In step 4 (from AccountB), I am providing the KMS key ID that belongs to AccountA. I am getting the following error when trying to run copy-db-snapshot:
An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The target KMS key [arn:aws:kms:us-east-1::key/<my_key_id>] does not exist, is not enabled or you do not have permissions to access it.
After reviewing the KMS Key in AccountA, I noticed that, while I have shared permission to AccountB, it appears as though it is only the "root" account and I am unable to change that for some strange reason.
Is it not possible to restore a shared RDS snapshot from AccountA to a user account in AccountB other than the root account, or am I doing something incorrectly?
GlueJobRunnerSession is not authorized to perform: glue:GetJob on resource
It is difficult to determine the issue without having more details about your specific scenario. Either not all permissions are correctly set, or there is another policy in place that overrides the permissions.
In order to troubleshoot this yourself, you can use the AWS IAM Policy Simulator to test and find out if the permissions are set and if there are conflicting policies interfering.
I am attempting to create an autoscaling group for my EC2 instances. These instances are encrypted by custom key, so I need to be able to inject a policy that allows the read of said key to the autoscaling group.
I decided to utilize the ServiceLinkedRoleARN: property of the AutoScalingGroup and create new autoscale role that would have all the necessary permissions.
Unfortunately, the properties of IAM::ServiceLinkedRole (SLR) do not offer policy inputs (unlike standard roles):
Type: AWS::IAM::ServiceLinkedRole
Properties:
  AWSServiceName: String
  CustomSuffix: String
  Description: String
and so far I have been unable to find a solution for this. If there is no way to modify the policies of an SLR, I fail to see a reason for allowing us to create our own SLR, so I imagine there has to be a reason for that.
Can you please help with how to resolve my problem? My company mandates that I use CloudFormation for that so no console adjustments are possible, but using the custom SLR is not necessary, it just felt like the cleanest solution for me.
You can't modify the service-linked role for Auto Scaling:
With the AWSServiceRoleForAutoScalingPlans_EC2AutoScaling role created by AWS Auto Scaling, you can edit only its description and not its permissions.
However, the KMS permissions should be added to your instance role, not the service-linked role for Auto Scaling. So you have to change the role associated with your AWS::IAM::InstanceProfile.
I found that the AWS managed policy ReadOnlyAccess has ec2:Get* permission, but AmazonEC2ReadOnlyAccess does not.
Why?
I wouldn't be too worried about it.
The only ec2:Get* permissions are:
GetConsoleOutput
GetConsoleScreenshot
GetHostReservationPurchasePreview
GetLaunchTemplateData
GetPasswordData
GetReservedInstancesExchangeQuote
See: Actions, Resources, and Condition Keys for Amazon EC2 - AWS Identity and Access Management
The comment on AmazonEC2ReadOnlyAccess says: "Provides read only access to Amazon EC2 via the AWS Management Console."
I guess they were the only permissions needed for console access, or it could be an omission.
I have created a few environments before, so I know how Amazon EBS works; however, lately I have been having the following issue while creating an environment:
The instance profile aws-elasticbeanstalk-ec2-role associated with the environment has no role. Please attach a role to the instance profile.
I follow the steps to create a new environment. When it gets to the Permissions page, I create a new role as there are no existing ones. Then I follow the rest of the steps and eventually it starts to launch. After a couple minutes, I get the error above. Any help towards this will be helpful.
To solve this issue, I created a new role from the IAM Manager console. I selected Amazon EC2 as my Service Role Type. I attached the AWSElasticBeanstalkFullAccess policy. Then when creating a new environment, I chose the new role I created.
Though I am a bit late in answering this issue, I am posting here in case someone faces this error now.
This applies in case your user has all the required permissions to create roles and BS has already created the "aws-elasticbeanstalk-ec2-role" instance profile.
The reason for this error is roles only: when we try to launch EC2 from AWS BS, it creates a role named "aws-elasticbeanstalk-ec2-role" with the required permissions.
But if there is already a role with the trusted entity "AWS service: ec2", BS will check permissions in that already existing older role.
So go to Roles, search for ec2-related roles and select the role which is active.
Then just add the AWSElasticBeanstalkFullAccess permission to that ec2 role, and this issue will be resolved.