
EC2 AccessDenied / Auth Failure Diagnostic Troubleshooter (Part 2)

Use the interactive troubleshooter below to identify your EC2 AccessDenied or auth failure symptom, review the raw evidence, understand the root cause, and apply the recommended fix.



Quick Reference Table

| # | Scenario | Key Error Signal | Root Cause | The Fix |
|---|----------|------------------|------------|---------|
| 5 | unauthorized — UnauthorizedOperation deleting EC2 Fleet | UnauthorizedOperation / You are not authorized to perform this operation. Encoded authorization failure message: VvuncIxj7Z... | The IAM principal attempting to delete the EC2 Fleet lacks the permission needed to terminate the fleet's associated instances. | Add the ec2:TerminateInstances action to the IAM policy associated with the user/role. |
| 6 | AssumeRole / AccessDenied — Role attempting to assume itself | If your workload uses a role to assume itself, you must create a trust policy that explicitly allows that role to assume itself. If you do not create the trust policy, you get the AccessDenied error. | A workload running on an EC2 instance is calling sts:AssumeRole to assume the same IAM role it is already using, without a trust policy that explicitly permits this. | Create a trust policy that explicitly allows the role to assume itself, or rely directly on the session credentials obtained from the instance metadata. |
| 7 | unauthorized — RunInstances blocked by IMDSv2 condition key | If you do not specify that the instance requires IMDSv2, you get an UnauthorizedOperation error when you call the RunInstances API. | An IAM policy containing the "ec2:MetadataHttpTokens": "required" condition blocked the RunInstances call because the instance configuration did not explicitly enforce IMDSv2. | Opt the instance in to require IMDSv2 within the RunInstances API call (set the HttpTokens attribute to required). |
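As an added example (not code from the troubleshooter or from AWS), the stand-alone Python below models how the ec2:MetadataHttpTokens condition in scenario 7 is evaluated against a RunInstances request, applies that scenario's fix, and builds the self-assume trust policy from scenario 6. The policy and request documents are constructed samples, no AWS call is made, and the evaluation is a simplified model of IAM (Allow statements only).

```python
import json

# Constructed sample policy (scenario 7): allow RunInstances only when the launch opts in to IMDSv2.
RUN_INSTANCES_IMDSV2_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RunInstances"],
        "Resource": "*",
        "Condition": {"StringEquals": {"ec2:MetadataHttpTokens": "required"}},
    }],
}


def run_instances_allowed(policy, request):
    """Model IAM's evaluation of a RunInstances request against a StringEquals
    condition on ec2:MetadataHttpTokens. The key comes from the request's
    MetadataOptions.HttpTokens; if the request omits it the condition cannot
    match, no Allow applies and the call is denied (the trap in scenario 7).
    Only Allow statements are modelled; explicit Deny is out of scope here."""
    http_tokens = request.get("MetadataOptions", {}).get("HttpTokens")
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "ec2:RunInstances" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        expected = cond.get("ec2:MetadataHttpTokens")
        if expected is None or http_tokens == expected:
            return True
    return False


def require_imdsv2(request):
    """Scenario 7 fix: copy of the RunInstances request with HttpTokens set to
    required, so the ec2:MetadataHttpTokens condition key is satisfied."""
    fixed = dict(request)
    fixed["MetadataOptions"] = {**request.get("MetadataOptions", {}), "HttpTokens": "required"}
    return fixed


def self_assume_trust_policy(role_arn):
    """Scenario 6 fix: trust policy that explicitly lets role_arn assume itself."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": "sts:AssumeRole",
        }],
    }, indent=2)
```

A request that never sets MetadataOptions fails the condition just like one that sets HttpTokens to optional, which is why the launch template or API call, not only the policy, has to state IMDSv2 explicitly.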