amazon-ec2 amazon-ami hibernation

How can I create an EC2 instance which can be hibernated?


I'm stuck in the storage stage. It says: "To use hibernation, encrypt the root volume." But I cannot click the encrypt checkbox, nor did I find any way to encrypt the root volume.


Solution

  • Update 2020-03

    A lot has changed since my post below and hibernation is now a piece of cake. Encryption can be done in the normal EC2 creation flow in the AWS console, and Amazon Linux 2 is also supported.

    All you need to be aware of:

    Original post:

    In the end I was stuck at many stages. The official documentation is somehow lacking, so I thought I'd document my findings:

    In order to hibernate an instance it needs to be of type C3, C4, C5, M3, M4, M5, R3, R4 or R5. Plus it needs to be an Amazon Linux 1 AMI (this may be outdated, see here for an up-to-date list). I started with a Linux 2 AMI and didn't get any warning until it just didn't work in the end (only showing "Suspend key pressed." and "Requested operation not supported, ignoring." in /var/log/messages). Even their suggested steps to enable hibernation didn't work, as ec2-hibinit-agent is not an available package on Amazon Linux 2.

    Hibernation requires the boot volume to be encrypted. In order to achieve that, you need to encrypt the AWS Linux 1 AMI prior to starting the launch wizard:

    1. create a KMS key using the AWS console
    2. find the AMI ID of AWS Linux 1 (not 2!) of your region, e.g. using the EC2 launch wizard. In my case (eu-central-1) this was ami-0cfbf4f6db41068ac
    3. create your own encrypted AMI (replace eu-central-1, the AMI and the KMS key with your own)

     

    aws ec2 copy-image --source-region eu-central-1 --source-image-id ami-0cfbf4f6db41068ac \
    --region eu-central-1 --name "LinuxAMIEncrypted" --encrypted \
    --kms-key-id arn:aws:kms:eu-central-1:123412341234:key/aaaaaaaa-1234-abce-abcd-1234abcdef01
    

    Wait a few minutes until you see the new AMI showing up in EC2 -> AMIs

    1. From AMIs (in EC2 AWS console) launch your new AMI
    2. choose C3, C4, C5, M3, M4, M5, R3, R4 or R5
    3. click Enable hibernation as an additional stop behavior

    To test it:

    Additionally I saw this error in /var/log/messages:

    Agent hibernate - AccessDeniedException: User: arn:… is not authorized to perform: ssm:UpdateInstanceInformation on resource: ssm:UpdateInstanceInformation.

    I needed to attach AmazonEC2RoleforSSM and AmazonSSMAutomationRole to make these errors go away.
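
A pre-launch check for the three prerequisites the answer above walks through (supported instance family, encrypted root volume, hibernation enabled at launch). This is an added example, not part of the original answer: the JSON is a constructed sample shaped like `aws ec2 describe-images` output, the second image ID is a placeholder, and the family list is the one from the answer, which it notes may be outdated.

```python
import json

# Instance families listed in the answer; the answer notes the list may be outdated.
HIBERNATION_FAMILIES = {"c3", "c4", "c5", "m3", "m4", "m5", "r3", "r4", "r5"}

# Constructed sample shaped like `aws ec2 describe-images` output (not real data).
# First entry: the unencrypted source AMI; second: the encrypted copy (placeholder ID).
SAMPLE_IMAGES = json.loads("""
{"Images": [
  {"ImageId": "ami-0cfbf4f6db41068ac", "RootDeviceName": "/dev/xvda",
   "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": false}}]},
  {"ImageId": "ami-00000000000000000", "Name": "LinuxAMIEncrypted",
   "RootDeviceName": "/dev/xvda",
   "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": true}}]}
]}
""")["Images"]


def root_volume_encrypted(image):
    """True only if the mapping for the AMI's root device is an encrypted EBS volume."""
    root = image.get("RootDeviceName")
    for mapping in image.get("BlockDeviceMappings", []):
        if mapping.get("DeviceName") == root:
            return bool(mapping.get("Ebs", {}).get("Encrypted", False))
    return False  # no EBS mapping for the root device (e.g. instance-store AMI)


def preflight(image, launch):
    """Return the reasons hibernation would not work; an empty list means OK.

    `launch` is a dict using RunInstances parameter names
    (InstanceType, HibernationOptions.Configured).
    """
    problems = []
    family = launch.get("InstanceType", "").split(".", 1)[0].lower()
    if family not in HIBERNATION_FAMILIES:
        problems.append(f"instance family '{family}' is not in the supported list")
    if not root_volume_encrypted(image):
        problems.append(f"root volume of {image['ImageId']} is not encrypted")
    if not launch.get("HibernationOptions", {}).get("Configured", False):
        problems.append("HibernationOptions.Configured is not true")
    return problems


if __name__ == "__main__":
    launch = {"InstanceType": "m5.large", "HibernationOptions": {"Configured": True}}
    for image in SAMPLE_IMAGES:
        print(image["ImageId"], preflight(image, launch) or "ok")
```

Hibernation can only be enabled when the instance is launched, so running a check like this against the AMI and launch parameters catches a missing prerequisite before the instance exists.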