Recently attached a key from AWS KMS to encrypt CloudWatch log groups for AWS Systems Manager Session Manager. Now I can't connect to any session.
What is this error and how do I fix it?
Your session has been terminated for the following reasons: ----------ERROR------- Encountered error while initiating handshake. Fetching data key failed: Unable to retrieve data key, Error when decrypting data key AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. status code: 400, request id:
The key definitely exists and worked fine when attaching to the log group. Session Manager was also working fine before trying to encrypt them. Are there extra permissions I need to add to a policy somewhere?
Based on the comments.
The issue was caused by incorrect permissions in the instance role used.
Changing policies in the role from AmazonSSMManagedInstanceCore to AmazonEC2RoleforSSM solved the issue.
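Added example, not part of the question or the answer above and not AWS's own policy evaluator: an offline check of whether an instance role's policy documents actually grant the KMS action that AWS's Session Manager documentation calls for on the instance profile (kms:Decrypt on the key) when session encryption with a customer managed key is enabled. It lets you find the missing grant before swapping the role to a broader managed policy; the least-privilege alternative is to keep the existing managed policy and attach a small inline policy scoped to the one key. The policy documents and key ARN are constructed stand-ins (the "SSM core" policy is an abbreviated sketch, not a copy of the real AmazonSSMManagedInstanceCore), and the evaluator implements only the Allow/Deny/wildcard subset of IAM logic: no Condition blocks, no NotAction, no key policy, no SCPs.

```python
"""Offline check: does the instance role's policy grant kms:Decrypt on the key?

Added example for this answer; a simplified IAM evaluator (Allow/Deny with
* and ? wildcards only), not AWS's own. Condition, NotAction/NotResource,
the KMS key policy and SCPs are out of scope.
"""
import fnmatch

# Constructed sample key ARN; replace with the ARN of the key on the log group.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

# Per AWS docs the instance profile role needs kms:Decrypt on the key for
# Session Manager KMS encryption (the calling IAM user needs GenerateDataKey).
# Assumption: the failing principal is the instance role, as the answer says.
INSTANCE_ROLE_REQUIRED_ACTIONS = ["kms:Decrypt"]

# Constructed sketch of an SSM-only policy (NOT the real managed policy text).
SSM_CORE_STAND_IN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:*", "ssmmessages:*", "ec2messages:*"],
         "Resource": "*"},
    ],
}

# A Deny that would override any Allow, to show explicit-deny precedence.
DENY_KMS_STAND_IN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "kms:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, target, fold_case):
    """Glob match with IAM's * and ? wildcards; actions are case-insensitive,
    resource ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(target.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)


def is_allowed(policies, action, resource):
    """True if the combined policies allow `action` on `resource`.

    IAM order: an explicit Deny wins over any Allow; with no matching
    statement the default is deny.
    """
    allowed, denied = False, False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _matches(_as_list(stmt.get("Action")), action, fold_case=True):
                continue
            if not _matches(_as_list(stmt.get("Resource")), resource, fold_case=False):
                continue
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
    return allowed and not denied


def missing_kms_permissions(policies, key_arn, actions=INSTANCE_ROLE_REQUIRED_ACTIONS):
    """List the required KMS actions the policies do not grant on this key."""
    return [a for a in actions if not is_allowed(policies, a, key_arn)]


def kms_decrypt_inline_policy(key_arn):
    """Minimal inline policy to add to the instance role instead of widening
    the role: kms:Decrypt scoped to the single key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}],
    }


if __name__ == "__main__":
    print("SSM-only role missing:", missing_kms_permissions([SSM_CORE_STAND_IN], KEY_ARN))
    fixed = [SSM_CORE_STAND_IN, kms_decrypt_inline_policy(KEY_ARN)]
    print("with inline policy missing:", missing_kms_permissions(fixed, KEY_ARN))
    print("with explicit deny missing:",
          missing_kms_permissions(fixed + [DENY_KMS_STAND_IN], KEY_ARN))
```

Note that the inline policy must name the key in the same region as the session's instance: a grant on a key ARN in another region does not match, which is one of the three cases the error message lists (the key "does not exist in this region"). The key policy must also allow the role; this evaluator only covers the identity side.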