EC2 IMDS & IAM Authorization Diagnostic Troubleshooter
Find your EC2 IMDS or IAM authorization error by its symptom in the table below, confirm it against the key error signal in your logs, then apply the fix for its root cause.
Quick Reference Table
| # | Scenario | Key Error Signal | Root Cause | The Fix |
|---|---|---|---|---|
| 1 | Requests to retrieve instance metadata with an IMDSv2 token return a Forbidden error. | 403 - Forbidden | The token PUT was sent to a version-specific path (for example /2019-01-01/api/token) instead of /latest/api/token, so IMDS rejects it. A 403 is also what every request receives when the instance's metadata endpoint has been disabled. | Request the token from the /latest path: `curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`. If that still fails, check that HttpEndpoint is enabled in the instance's metadata options: `aws ec2 describe-instances --instance-ids <id> --query 'Reservations[].Instances[].MetadataOptions'`. |
| 2 | A GET to the instance metadata service fails token validation on an instance where tokens are required (HttpTokens=required). | 401 - Unauthorized | The GET carries no token, or a token that is invalid or past its TTL. | Obtain a fresh token with the PUT above and send it on every GET in the `X-aws-ec2-metadata-token` header, e.g. `curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/`. A token is valid only for its requested TTL (1 to 21600 seconds) and only on the instance that issued it, so cache it and request a new one on 401. |
| 3 | Instance launch fails because the principal's IAM policy requires IMDSv2 but the RunInstances request does not opt in to it. | UnauthorizedOperation | The policy conditions ec2:RunInstances on "ec2:MetadataHttpTokens": "required"; a launch that leaves HttpTokens at its default (optional) does not satisfy the condition and is denied. | Set the metadata options explicitly at launch: `aws ec2 run-instances ... --metadata-options HttpTokens=required,HttpEndpoint=enabled` (or the MetadataOptions parameter in the SDK call or launch template). |
| 4 | API calls signed with EC2 role credentials are rejected across the account or organization. | UnauthorizedOperation | An IAM policy or SCP denies requests whose ec2:RoleDelivery condition key is below 2.0 (NumericLessThan), i.e. the role credentials were fetched over IMDSv1. | Switch the instance to IMDSv2: `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled`, and make sure the AWS CLI or SDK on the instance is recent enough to fetch credentials with IMDSv2 (older versions fall back to IMDSv1 and, once tokens are required, get no credentials at all). |
| 5 | An Amazon Data Lifecycle Manager (DLM) lifecycle policy fails to execute its snapshot tasks and enters the error state. | "cause": "Role provided does not have sufficient permissions" | The IAM service role selected for the policy lacks the permissions DLM needs to create, tag, copy and delete snapshots on your behalf. | Attach the AWS managed policy AWSDataLifecycleManagerServiceRole to the role, or create the default role with `aws dlm create-default-role --resource-type snapshot` (this creates AWSDataLifecycleManagerDefaultRole), then update the lifecycle policy to use that role. |
| 6 | Deleting an EC2 Fleet with the terminate-instances option fails with an encoded authorization message. | UnauthorizedOperation | Deleting a fleet while terminating its instances also requires ec2:TerminateInstances, which the principal's policy does not grant even though the fleet deletion itself may be allowed. | Add ec2:TerminateInstances to the principal's policy. Decode the message to confirm the refused action and resource: `aws sts decode-authorization-message --encoded-message <message>` (the caller needs sts:DecodeAuthorizationMessage). |
| 7 | Creating a Spot Instance request (RunInstances with a Spot market option) fails when the request carries tags the policy does not allow. | Unauthenticated | RunInstances for a Spot Instance is also authorized against the spot-instances-request resource; the policy's tag conditions (aws:RequestTag, aws:TagKeys) on that resource allow only specific tags, and the request specified others. | Supply only the tag keys and values the policy's conditions on the spot-instances-request resource allow (tags for that resource go in TagSpecifications with ResourceType=spot-instances-request), or drop the disallowed tags from the request. |
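The two IMDS rows (1 and 2) come down to one discipline on the instance side: request the token only from /latest/api/token, send it on every GET, and treat a 401 as "fetch a new token and retry". The following is an added example written for this page, not AWS code: a small IMDSv2 client with token caching, plus a constructed local stand-in for IMDS (the `FakeIMDS` class, the sample instance ID and the localhost port are all assumptions) so the 403 and 401 behaviour can be exercised offline. Point `IMDSv2Client` at the default base URL on a real instance and drop the fake.

```python
"""IMDSv2 client with token caching, plus a local fake of IMDS for rows 1 and 2."""
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_URL = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


class IMDSv2Client:
    """PUT /latest/api/token once, reuse the token until its TTL, refresh on 401."""

    def __init__(self, base_url=IMDS_URL, ttl=21600):
        self.base_url = base_url.rstrip("/")
        self.ttl = ttl
        self._token = None
        self._expires_at = 0.0

    def token(self):
        if self._token is None or time.monotonic() >= self._expires_at:
            # The PUT must target /latest/api/token: a version-specific path such as
            # /2019-01-01/api/token is answered with 403 Forbidden (row 1).
            req = urllib.request.Request(self.base_url + TOKEN_PATH, method="PUT",
                                         headers={TTL_HEADER: str(self.ttl)})
            with urllib.request.urlopen(req, timeout=2) as resp:
                self._token = resp.read().decode()
            self._expires_at = time.monotonic() + self.ttl - 5  # refresh a little early
        return self._token

    def get(self, path, _retry=True):
        req = urllib.request.Request(self.base_url + path, headers={TOKEN_HEADER: self.token()})
        try:
            with urllib.request.urlopen(req, timeout=2) as resp:
                return resp.read().decode()
        except urllib.error.HTTPError as err:
            if err.code == 401 and _retry:
                # Invalid or expired token (row 2): discard it and retry once with a new one.
                self._token = None
                return self.get(path, _retry=False)
            raise


class FakeIMDS(BaseHTTPRequestHandler):
    """Constructed stand-in for IMDS with HttpTokens=required semantics; not AWS code."""
    tokens = {}  # token -> expiry (monotonic seconds)
    metadata = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}  # constructed sample

    def do_PUT(self):
        if self.path != TOKEN_PATH:
            return self._send(403, "Forbidden")  # version-specific token path
        ttl = self.headers.get(TTL_HEADER, "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._send(400, "Bad Request")  # missing or invalid TTL header
        token = secrets.token_urlsafe(32)
        FakeIMDS.tokens[token] = time.monotonic() + int(ttl)
        self._send(200, token)

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        if token not in FakeIMDS.tokens or time.monotonic() > FakeIMDS.tokens[token]:
            return self._send(401, "Unauthorized")  # missing, unknown or expired token
        body = FakeIMDS.metadata.get(self.path)
        if body is None:
            return self._send(404, "Not Found")
        self._send(200, body)

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_fake_imds():
    """Serve the fake on an ephemeral localhost port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


def put_token_status(base_url, path):
    """HTTP status of a token PUT to `path`: 200 for /latest/api/token, 403 otherwise."""
    req = urllib.request.Request(base_url + path, method="PUT", headers={TTL_HEADER: "21600"})
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Happy path, then the row 1 (403) and row 2 (401 + retry) scenarios."""
    base = start_fake_imds()
    client = IMDSv2Client(base)
    instance_id = client.get("/latest/meta-data/instance-id")
    forbidden = put_token_status(base, "/2019-01-01/api/token")
    client._token, client._expires_at = "stale-token", time.monotonic() + 60  # simulate expiry
    recovered = client.get("/latest/meta-data/instance-id")
    return instance_id, forbidden, recovered


if __name__ == "__main__":
    print(demo())
```

The retry in `get` is deliberately limited to one attempt: if a freshly issued token is still rejected, something other than expiry is wrong (the token left the host, or IMDS is disabled) and the error should surface rather than loop.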
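Rows 3 and 4 are two sides of the same control: a policy that denies launches not opted in to IMDSv2, and a policy that denies API calls made with role credentials that came over IMDSv1. The example below is added for this page and is not AWS code. It shows the two deny statements in the form the conditions take, builds RunInstances arguments that satisfy the first, and audits DescribeInstances output for instances that would trip the second. The `SAMPLE_RESERVATIONS` data and instance IDs are constructed; `boto3` is only needed for the live calls in `audit_live` and `enforce_imdsv2`.

```python
"""Launch with IMDSv2 required, and find/fix instances still serving IMDSv1 (rows 3 and 4)."""
try:
    import boto3
except ImportError:  # the audit logic is usable without the SDK installed
    boto3 = None

# Deny statements of the kind behind the two UnauthorizedOperation cases: row 3 denies
# launches not explicitly opted in to IMDSv2, row 4 denies any API call signed with role
# credentials that were fetched over IMDSv1 (ec2:RoleDelivery 1.0 instead of 2.0).
DENY_LAUNCH_WITHOUT_IMDSV2 = {
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
}
DENY_IMDSV1_ROLE_CREDENTIALS = {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"NumericLessThan": {"ec2:RoleDelivery": "2.0"}},
}

# MetadataOptions that satisfy the first statement. Hop limit 1 stops the PUT response
# (the token) from being forwarded off the host; raise it to 2 only where containers
# must reach IMDS through the host network stack.
IMDSV2_METADATA_OPTIONS = {
    "HttpTokens": "required",
    "HttpEndpoint": "enabled",
    "HttpPutResponseHopLimit": 1,
}


def run_instances_kwargs(ami_id, instance_type, **extra):
    """Build ec2.run_instances(**kwargs) arguments that opt in to IMDSv2 explicitly."""
    kwargs = {
        "ImageId": ami_id,
        "InstanceType": instance_type,
        "MinCount": 1,
        "MaxCount": 1,
        "MetadataOptions": dict(IMDSV2_METADATA_OPTIONS),
    }
    kwargs.update(extra)
    return kwargs


def find_imdsv1_instances(reservations):
    """Return IDs of non-terminated instances whose metadata options still allow IMDSv1.

    `reservations` is the "Reservations" list from ec2.describe_instances(). Role
    credentials fetched from these instances carry ec2:RoleDelivery = 1.0 and are
    exactly what DENY_IMDSV1_ROLE_CREDENTIALS rejects.
    """
    hits = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                hits.append(inst["InstanceId"])
    return hits


def enforce_imdsv2(ec2, instance_ids):
    """Flip each instance to HttpTokens=required (same as modify-instance-metadata-options)."""
    for instance_id in instance_ids:
        ec2.modify_instance_metadata_options(
            InstanceId=instance_id, HttpTokens="required", HttpEndpoint="enabled"
        )


def audit_live(region=None):
    """Audit a real account (needs boto3 and credentials); returns the offending IDs."""
    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_instances").paginate()
    return find_imdsv1_instances([r for page in pages for r in page["Reservations"]])


# Constructed DescribeInstances excerpt: one instance still on IMDSv1, one compliant,
# one terminated (ignored). Not captured from a real account.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111122223333a", "State": {"Name": "running"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0bbb111122223333b", "State": {"Name": "running"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0ccc111122223333c", "State": {"Name": "terminated"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    ]}
]

if __name__ == "__main__":
    print("Still on IMDSv1:", find_imdsv1_instances(SAMPLE_RESERVATIONS))
    print(run_instances_kwargs("ami-0123456789abcdef0", "t3.micro")["MetadataOptions"])
```

Run the audit before deploying the ec2:RoleDelivery deny, not after: once the deny is in place, every workload on an instance listed by `find_imdsv1_instances` loses API access at the same moment, and once `enforce_imdsv2` has flipped an instance, any SDK on it that cannot speak IMDSv2 stops getting credentials entirely.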
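Row 6 is the one case in the table where the API hands back an encoded authorization message rather than a readable reason. The decoded document names the principal, the action and the resource that were refused and whether an explicit Deny matched, which is enough to tell "add ec2:TerminateInstances" apart from "find the SCP that denies it". The example below is added for this page, not AWS code: it wraps the STS call and reduces the decoded JSON to those fields. `SAMPLE_DECODED` is a constructed message in the shape STS returns, with an example account and ARNs; `boto3` is needed only for `decode_authorization_message`.

```python
"""Decode an EC2 UnauthorizedOperation message and name the refused action (row 6)."""
import json

try:
    import boto3
except ImportError:  # summarize() and remediation_hint() work without the SDK
    boto3 = None


def decode_authorization_message(encoded_message, sts=None):
    """Call sts:DecodeAuthorizationMessage (the caller needs that permission) and
    parse the JSON document STS returns in the DecodedMessage field."""
    sts = sts or boto3.client("sts")
    resp = sts.decode_authorization_message(EncodedMessage=encoded_message)
    return json.loads(resp["DecodedMessage"])


def summarize(decoded):
    """Reduce a decoded message to the fields that say what to fix."""
    ctx = decoded["context"]
    principal = ctx.get("principal", {})
    conditions = {
        c["key"]: [v["value"] for v in c.get("values", {}).get("items", [])]
        for c in ctx.get("conditions", {}).get("items", [])
    }
    return {
        "principal": principal.get("arn") or principal.get("id"),
        "action": ctx["action"],
        "resource": ctx["resource"],
        "explicit_deny": bool(decoded.get("explicitDeny")),
        "matched_statements": [s.get("sourcePolicyId") for s in
                               decoded.get("matchedStatements", {}).get("items", [])],
        "conditions": conditions,
    }


def remediation_hint(summary):
    """One line a responder can act on: an explicit deny means go find the Deny
    statement; otherwise the action is simply missing from the Allow statements."""
    if summary["explicit_deny"]:
        return (f"{summary['principal']} is explicitly denied {summary['action']} on "
                f"{summary['resource']} by {summary['matched_statements']}")
    return (f"{summary['principal']} has no Allow for {summary['action']} on "
            f"{summary['resource']}; add that action to its IAM policy")


# Constructed decoded message for the fleet-delete case: the fleet deletion was allowed,
# the implied TerminateInstances on a member instance was not. Example account/ARNs only.
SAMPLE_DECODED = {
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "AIDAEXAMPLEPRINCIPAL",
                      "arn": "arn:aws:iam::111122223333:user/fleet-admin"},
        "action": "ec2:TerminateInstances",
        "resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa111122223333a",
        "conditions": {"items": [
            {"key": "ec2:Region", "values": {"items": [{"value": "us-east-1"}]}},
            {"key": "ec2:InstanceType", "values": {"items": [{"value": "t3.micro"}]}},
        ]},
    },
}

if __name__ == "__main__":
    print(remediation_hint(summarize(SAMPLE_DECODED)))
```

The `conditions` map is worth reading even when the answer is "add the action": it lists the request context keys (region, instance type, tags) that any Allow you write for ec2:TerminateInstances can be scoped to, so the fix for the fleet can be narrower than a blanket grant.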