EBS - Known Issue - Instance immediately stops when I start it with encrypted volumes attached


After you launch an instance with encrypted volumes attached, the instance immediately goes from a pending state to a stopped state. This might be caused by a problem with Amazon EBS interacting with the AWS Key Management Service (AWS KMS) that is used to encrypt the volumes. If the IAM user who attaches the volumes has a policy condition that matches on sourceIp, that condition can restrict EBS access to KMS.

Running the describe-instances command for your instance might return an error similar to the following: 

"StateReason": {
  "Message": "Client.InternalError: Client error on launch",
  "Code": "Client.InternalError"
}

If you are using KMS to protect your data in an integrated service, use caution when specifying the IP address condition operators, or the aws:SourceIp condition key in the same access policy statement. Attaching an encrypted EBS volume to an EC2 instance causes EC2 to send a request to KMS to decrypt the volume's encrypted data key. This request comes from an IP address associated with the EC2 instance, not the user's IP address. The request is rejected if you have a sourceIp condition set, and the instance fails.

Use the kms:ViaService condition instead. With it, KMS allows interactions from that service on your behalf.

Note: EC2 instances with logged-on users won’t be able to interact with this condition; only the service acting on your behalf can. This will be logged in CloudTrail for your review.

"userIdentity": {
  "sessionContext": {
    "sessionIssuer": {
      "accountId": "450822418798",
      "principalId": "450822418798:aws:ec2-infrastructure",
      "userName": "aws:ec2-infrastructure",
      "arn": "arn:aws:iam::450822418798:role/aws:ec2-infrastructure",
      "type": "Role"
    }
  }
},
"eventType": "AwsApiCall",
"@log_group": "CloudTrail/AllRegionLogGroup",
"awsRegion": "eu-west-1",
"requestParameters": {
  "encryptionContext": {
    "aws:ebs:id": "vol-0ca158925aa9c1883"
  }
}

This example is the CloudTrail entry for an API call made to KMS. The call is made by aws:ec2-infrastructure, and it does not come from a specific IP address. When you add a policy to a user that allows KMS to interact with EC2, this should allow the call to complete.
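To find policies affected by this issue, the following added example (not part of the original article) scans an IAM policy document for statements that cover kms:Decrypt under an aws:SourceIp condition and reports whether a kms:ViaService statement is present. The sample policies, account ID, CIDR range and key ID are constructed placeholders, and the function names are hypothetical.

```python
import fnmatch

# Constructed sample policies (not from the article); account ID, CIDR and key ID are placeholders.
KEY = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"
BEFORE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "KmsFromOfficeOnly", "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:CreateGrant"], "Resource": KEY,
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
AFTER = {"Version": "2012-10-17", "Statement": [{
    "Sid": "KmsViaEc2", "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:CreateGrant"], "Resource": KEY,
    "Condition": {"StringEquals": {"kms:ViaService": "ec2.eu-west-1.amazonaws.com"}}}]}

def _as_list(value):
    """IAM accepts either a single item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def _condition_keys(statement):
    """Lower-cased condition keys in a statement (IAM condition keys are case-insensitive)."""
    keys = set()
    for operands in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operands)
    return keys

def _covers_kms_decrypt(statement):
    """True if an Action pattern (wildcards included) matches kms:Decrypt."""
    return any(fnmatch.fnmatchcase("kms:decrypt", a.lower())
               for a in _as_list(statement.get("Action", [])))

def audit_policy(policy):
    """Return (statements gating KMS on aws:SourceIp, whether a kms:ViaService allow exists)."""
    risky, via_service = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if not _covers_kms_decrypt(stmt):
            continue
        keys = _condition_keys(stmt)
        # All conditions in one statement must match, so aws:SourceIp is reported
        # even when kms:ViaService appears in the same statement.
        if "aws:sourceip" in keys:
            risky.append(stmt.get("Sid", f"statement[{i}]"))
        elif "kms:viaservice" in keys and stmt.get("Effect") == "Allow":
            via_service = True
    return risky, via_service

if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_policy(policy))
```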


If you continue to experience difficulties, please open a case with the DLT Opscenter using the following contact information:


