EC2 Launch, SSH & Service Diagnostic Troubleshooter
Use the interactive troubleshooter below to identify your EC2 launch, SSH, or service error by symptom, review the raw error log, understand the root cause, and apply the recommended fix.
Quick Reference Table
| # | Scenario | Key Error Signal | Root Cause | The Fix |
|---|---|---|---|---|
| 1 | Instance terminates immediately from the pending state after launch due to cryptographic permission failure. | Client.InternalError: Client error on launch | The root EBS volume or block device mapping snapshot is encrypted and the user lacks IAM permissions to access the AWS KMS key for decryption. | N/A |
| 2 | SSH connection silently drops or is denied due to an overly permissive private key file. | WARNING: UNPROTECTED PRIVATE KEY FILE! | The private key file is not protected from read and write operations by other users, causing SSH to ignore the key entirely. | `chmod 0400 .ssh/my_private_key.pem` |
| 3 | Third-party key generation fails SSH decryption with a specific formatting error string. | Private key must begin with "-----BEGIN RSA PRIVATE KEY-----" | The RSA key pair was generated in the OpenSSH format instead of the strictly required PEM format, preventing password decryption. | `ssh-keygen -m PEM` |
| 4 | EC2 Instance Connect browser-based client fails to connect after the instance host keys are rotated. | Host key validation failed for EC2 Instance Connect | New instance host keys are not automatically uploaded to the AWS trusted host keys database, causing an SSH handshake validation failure. | `./eic_harvest_hostkeys` |
| 5 | Web server fails to automatically start services because the private server key is encrypted via AES-128. | My Apache webserver doesn't start unless I enter a password | The TLS/SSL private key is password-protected, which requires manual user input to start the Apache daemon and decrypt the key. | `sudo openssl rsa -in custom.key -passin pass:abcde12345 -out custom.key.nocrypt` |
| 6 | Spot Fleet API fulfillment halted due to missing service-linked role permissions. | "sub-type": "iamFleetRoleInvalid" | The Spot Fleet IAM role does not have the required permissions to launch, terminate, or authorize the instance lifecycle. | N/A |
| 7 | Instance fails status checks and panics during the boot cycle due to an invalid SELinux policy configuration. | Unable to load SELinux Policy | SELinux was enabled in error on an incompatible kernel or the required fallback kernel does not exist. | N/A |
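
A pre-flight check for the key-file conditions in rows 2, 3 and 5 of the table, added here as an example and not taken from AWS tooling. `check_key` and its output labels are hypothetical names, and the `Proc-Type: 4,ENCRYPTED` test assumes a traditional PEM key file.

```shell
#!/bin/sh
# Added example: inspects a private key file for the conditions in rows 2, 3 and 5.
# check_key is a hypothetical helper; it reads only the file mode and header lines.

check_key() {
    key=$1
    findings=0
    [ -f "$key" ] || { echo "MISSING $key"; return 2; }

    # Row 2: ssh ignores a private key that group or other users can access.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "PERMS mode $mode is too open; fix: chmod 0400 $key"
        findings=$((findings + 1))
    fi

    # Row 3: the first line distinguishes PEM from OpenSSH format.
    first=$(head -n 1 "$key")
    case $first in
        "-----BEGIN RSA PRIVATE KEY-----") ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo "FORMAT OpenSSH format; generate with: ssh-keygen -m PEM"
            findings=$((findings + 1)) ;;
        *)
            echo "FORMAT unrecognized first line"
            findings=$((findings + 1)) ;;
    esac

    # Row 5: a passphrase-protected traditional PEM key carries this header,
    # so a daemon loading it cannot start without manual input.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "ENCRYPTED passphrase required to load this key"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "OK $key"
    [ "$findings" -eq 0 ]
}

# Usage: sh check_key.sh path/to/key.pem
if [ "$#" -gt 0 ]; then
    check_key "$1"
fi
```

The function exits non-zero when it reports any finding, so it can gate a deployment step or a service start.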