If you’ve ever been scratching your head after attempting to create or copy an encrypted snapshot in AWS after being left with an unhelpful “Error” status and no other useful troubleshooting information, here’s one thing to check.
If you did it right, you’ll notice if you watch closely that it starts creating the snapshot (as seen momentarily with a status of “pending”), but then stops and leaves it with size 0 bytes and status of “error” with a red circle next to it in the console, and no other useful info. (If you didn’t even get this far then it’s probably a problem with the command you issued to create it.)
A number of people have asked me about this recently, so I thought it might be worth writing a quick blog about, since the solution isn’t immediately obvious from Internet searches. I have found that when this happens it is due to a permissions error. You need to make sure you have sufficient permissions to encrypt the snapshot. The easiest way to do this is to just add “kms:*” to the policy being used by the entity that is trying to create the encrypted snapshot. For troubleshooting you can set the Resource part of the policy to “*” but for better security you should restrict your policy more once you’ve gotten things working.
As is often the case, this solution is obvious once somebody tells you about it, but sometimes a brain just needs a little help. :) Hope this saved you some time!