EC2 Spot Permission Denial Chain Diagnostic Troubleshooter (Part 1)
Use the quick reference table below to identify your EC2 Spot permission denial symptom, review the raw evidence, understand the root cause, and apply the recommended fix.
Quick Reference Table
| # | Scenario | Key Error Signal | Root Cause | The Fix |
|---|---|---|---|---|
| 1 | Cross-Service Confused Deputy Vulnerability (Spot Fleet) | "aws:SourceArn" and "aws:SourceAccount" global condition context keys missing from trust policy | The trust policy for the aws-ec2-spot-fleet-tagging-role lacks condition constraints, allowing any service principal to assume the role and coerce it into unauthorized actions. | "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:ec2:us-east-1:account_id:spot-fleet-request/sfr-*" }, "StringEquals": { "aws:SourceAccount": "account_id" } } |
| 2 | Spot Fleet Tagging Unauthorized Exception | "Resource": "arn:aws:ec2:us-east-1:111122223333:spot-fleet-request/*" | Amazon EC2 currently does not support resource-level permissions for the spot-fleet-request resource, causing an unauthorized exception if explicitly scoped. | Change the resource block to "Resource": "*" in the IAM policy for the ec2:CreateTags and ec2:RequestSpotFleet actions. |
| 3 | RunInstances API Authorization Failure during Spot Request Tagging | A RunInstances call that creates a Spot Instance request and tags that request on create fails unless the RunInstances allow statement includes the spot-instances-request resource. | When tags are supplied, IAM policy evaluation for RunInstances also authorizes the spot-instances-request resource, so it must be explicitly permitted inside the RunInstances statement. | Add "arn:aws:ec2:us-east-1:*:spot-instances-request/*" to the Resource array for the ec2:RunInstances policy statement. |
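As an added example (not part of the original troubleshooter), the following offline audit flags scenarios 1 and 3 of the table in IAM policy documents before they are deployed. The policy documents, the account id and the spotfleet.amazonaws.com service principal are constructed sample values, not taken from a real account.

```python
# Offline audit for scenarios 1 and 3 of the table above.
# Every policy document here is a constructed sample, not from a real account.

def _as_list(v):
    return v if isinstance(v, list) else [v]

def assume_role_missing_source_guard(trust_policy):
    """Scenario 1: indices of Allow sts:AssumeRole statements for a service
    principal whose Condition carries neither aws:SourceArn nor aws:SourceAccount.
    IAM condition keys are case-insensitive, so they are compared lowercased."""
    findings = []
    for i, st in enumerate(_as_list(trust_policy["Statement"])):
        if st.get("Effect") != "Allow" or "Service" not in (st.get("Principal") or {}):
            continue
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append(i)
    return findings

def run_instances_missing_spot_request_resource(policy):
    """Scenario 3: indices of Allow ec2:RunInstances statements whose Resource
    list names no spot-instances-request ARN and carries no bare "*"."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if st.get("Effect") != "Allow" or "ec2:runinstances" not in actions:
            continue
        res = _as_list(st.get("Resource", []))
        if "*" not in res and not any(":spot-instances-request/" in r for r in res):
            findings.append(i)
    return findings

WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "spotfleet.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
FIXED_TRUST = {"Version": "2012-10-17", "Statement": [{   # guard from table row 1
    "Effect": "Allow", "Principal": {"Service": "spotfleet.amazonaws.com"},
    "Action": "sts:AssumeRole", "Condition": {
        "ArnLike": {"aws:SourceArn": "arn:aws:ec2:us-east-1:111122223333:spot-fleet-request/sfr-*"},
        "StringEquals": {"aws:SourceAccount": "111122223333"}}}]}
WEAK_RUN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:CreateTags"],
    "Resource": ["arn:aws:ec2:us-east-1:*:instance/*", "arn:aws:ec2:us-east-1:*:volume/*"]}]}
FIXED_RUN = {"Version": "2012-10-17", "Statement": [{   # adds the row 3 resource
    "Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:CreateTags"],
    "Resource": ["arn:aws:ec2:us-east-1:*:instance/*", "arn:aws:ec2:us-east-1:*:volume/*",
                 "arn:aws:ec2:us-east-1:*:spot-instances-request/*"]}]}
```

Run the two audit functions over the role's trust policy and the caller's permissions policy; a returned index points at the statement to fix.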