EC2 Permission Denial Chain Diagnostic Troubleshooter (Part 1)

Use the interactive troubleshooter below to identify your EC2 permission denial symptom, review the raw evidence, understand the root cause, and apply the recommended fix.

Quick Reference Table

Scenario 1: AssumeRole Trust Policy Breakage
  Key error signal: "If your workload uses a role to assume itself, you must create a trust policy that explicitly allows that role to assume itself. If you do not create the trust policy, you get the AccessDenied error."
  Root cause: The IAM role's trust policy has no statement that explicitly lists the role itself as a trusted principal allowed to assume the role.
  The fix: Modify the role's trust policy to explicitly allow the role to assume itself, or retrieve session credentials directly from IMDS without calling sts:AssumeRole.

Scenario 2: Confused Deputy Service Assumption
  Key error signal: "Principal": { "Service": "dlm.amazonaws.com" } ... "We recommend that you use the aws:SourceAccount and aws:SourceArn condition keys to protect yourself against the confused deputy problem."
  Root cause: The trust policy does not restrict role assumption to the specific AWS account or lifecycle policy ARN that initiates the lifecycle backup.
  The fix: "Condition": { "StringEquals": { "aws:SourceAccount": "account_id" }, "ArnLike": { "aws:SourceArn": "arn:partition:dlm:region:account_id:policy/policy_id" } }

Scenario 3: EC2 Fleet Tagging Resource-Level Denial
  Key error signal: { "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:CreateFleet" ], "Resource": "arn:aws:ec2:us-east-1:111122223333:create-fleet/*" } ... "If you specify create-fleet as a resource, you will get an unauthorized exception when you try to tag the fleet."
  Root cause: Amazon EC2 does not support resource-level permissions for the create-fleet resource when evaluating tagging operations.
  The fix: Change the Resource element in the IAM policy statement to "*" to allow tagging of the fleet.
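The three scenarios above can be caught before deployment by inspecting the policy documents themselves. The following script is an added example, not code from the page or from AWS: it applies one check per scenario to constructed sample policies (the role ARN, account id and region are placeholders, not values from the page). The scenario 2 check is conservative: it flags any trusted service principal whose statement carries neither aws:SourceAccount nor aws:SourceArn, which is the condition pair the page recommends for dlm.amazonaws.com.

```python
# Constructed example trust and permission policies; the ARNs and account id
# are placeholders chosen for this example, not values taken from the page.
ROLE_ARN = "arn:aws:iam::111122223333:role/WorkloadRole"

SELF_ASSUME_MISSING = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}

SELF_ASSUME_PRESENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        # Scenario 1 fix: the role explicitly trusts itself.
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": "sts:AssumeRole"},
    ],
}

DLM_UNSCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "dlm.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}

DLM_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "dlm.amazonaws.com"},
         "Action": "sts:AssumeRole",
         # Scenario 2 fix: pin the deputy to this account and to DLM policy ARNs.
         "Condition": {
             "StringEquals": {"aws:SourceAccount": "111122223333"},
             "ArnLike": {"aws:SourceArn": "arn:aws:dlm:us-east-1:111122223333:policy/*"},
         }},
    ],
}

FLEET_TAG_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:CreateTags", "ec2:CreateFleet"],
         "Resource": "arn:aws:ec2:us-east-1:111122223333:create-fleet/*"},
    ],
}


def _as_list(value):
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_assume_statements(policy):
    """Yield Allow statements that grant sts:AssumeRole."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            yield stmt


def allows_self_assume(policy, role_arn):
    """Scenario 1: does the trust policy name the role itself as an AWS principal?"""
    for stmt in _allow_assume_statements(policy):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and role_arn in _as_list(principal.get("AWS")):
            return True
    return False


def unscoped_service_principals(policy):
    """Scenario 2: service principals trusted without aws:SourceAccount or aws:SourceArn."""
    found = []
    for stmt in _allow_assume_statements(policy):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue
        # Collect condition keys across every operator block (StringEquals, ArnLike, ...).
        keys = set()
        for operator_block in stmt.get("Condition", {}).values():
            keys.update(k.lower() for k in operator_block)
        if "aws:sourceaccount" not in keys and "aws:sourcearn" not in keys:
            found.extend(_as_list(principal.get("Service")))
    return found


def fleet_tagging_resource_mismatch(policy):
    """Scenario 3: ec2:CreateTags scoped to a create-fleet ARN, which EC2 does not honour."""
    bad = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "ec2:CreateTags" not in _as_list(stmt.get("Action")):
            continue
        bad.extend(r for r in _as_list(stmt.get("Resource")) if ":create-fleet/" in r)
    return bad


if __name__ == "__main__":
    print("self-assume present:", allows_self_assume(SELF_ASSUME_MISSING, ROLE_ARN))
    print("unscoped services:", unscoped_service_principals(DLM_UNSCOPED))
    print("fleet tag mismatches:", fleet_tagging_resource_mismatch(FLEET_TAG_SCOPED))
```

Each function returns the evidence rather than printing it, so the same checks can be run over every role's trust policy pulled from an account inventory and the findings fed to a ticket or a CI gate.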