AWS Security ChangesHomeSearch

AWS AWSEC2 documentation change

Service: AWSEC2 · 2025-04-11 · Documentation low

File: AWSEC2/latest/UserGuide/create-ec2-fleet.md

Summary

Removed 'EC2 Fleet prerequisites' section containing service-linked role configuration, KMS key grants, and IAM permissions requirements

Security assessment

While the removed content included security-related configurations (IAM roles, KMS permissions), the deletion itself doesn't indicate a security fix. This appears to be documentation restructuring rather than addressing a specific vulnerability.

Diff

diff --git a/AWSEC2/latest/UserGuide/create-ec2-fleet.md b/AWSEC2/latest/UserGuide/create-ec2-fleet.md
index 3561a1507..6df6fa369 100644
--- a//AWSEC2/latest/UserGuide/create-ec2-fleet.md
+++ b//AWSEC2/latest/UserGuide/create-ec2-fleet.md
@@ -5 +5 @@
-EC2 Fleet limitationsEC2 Fleet prerequisitesCreate an EC2 FleetCreate an EC2 Fleet that replaces unhealthy Spot InstancesView all the EC2 Fleet configuration options
+EC2 Fleet limitationsCreate an EC2 FleetCreate an EC2 Fleet that replaces unhealthy Spot InstancesView all the EC2 Fleet configuration options
@@ -28,173 +27,0 @@ The following limitations apply to EC2 Fleet:
-## EC2 Fleet prerequisites
-
-###### To create an EC2 Fleet, the following prerequisites must be in place:
-
-  * Launch template
-
-  * Service-linked role for EC2 Fleet
-
-  * Grant access to customer managed keys for use with encrypted AMIs and EBS snapshots
-
-  * Permissions for EC2 Fleet users
-
-
-
-
-### Launch template
-
-A launch template specifies the configuration information about the instances to launch, such as the instance type and Availability Zone. For more information about launch templates, see [Store instance launch parameters in Amazon EC2 launch templates](./ec2-launch-templates.html).
-
-### Service-linked role for EC2 Fleet
-
-The `AWSServiceRoleForEC2Fleet` role grants the EC2 Fleet permission to request, launch, terminate, and tag instances on your behalf. Amazon EC2 uses this service-linked role to complete the following actions:
-
-  * `ec2:RunInstances` – Launch instances.
-
-  * `ec2:RequestSpotInstances` – Request Spot Instances.
-
-  * `ec2:TerminateInstances` – Terminate instances.
-
-  * `ec2:DescribeImages` – Describe Amazon Machine Images (AMIs) for the instances.
-
-  * `ec2:DescribeInstanceStatus` – Describe the status of the instances.
-
-  * `ec2:DescribeSubnets` – Describe the subnets for instances.
-
-  * `ec2:CreateTags` – Add tags to the EC2 Fleet, instances, and volumes.
-
-
-
-
-Ensure that this role exists before you use the AWS CLI or an API to create an EC2 Fleet.
-
-###### Note
-
-An `instant` EC2 Fleet does not require this role.
-
-To create the role, use the IAM console as follows.
-
-###### To create the AWSServiceRoleForEC2Fleet role for EC2 Fleet
-
-  1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
-
-  2. In the navigation pane, choose **Roles**.
-
-  3. Choose **Create role**.
-
-  4. On the **Select trusted entity** page, do the following:
-
-    1. For **Trusted entity type** , choose **AWS service**.
-
-    2. Under **Use case** , for **Service or use case** , choose **EC2 - Fleet**.
-
-###### Tip
-
-Be sure to choose **EC2 - Fleet**. If you choose **EC2** , the **EC2 - Fleet** use case does not appear in the **Use case** list. The **EC2 - Fleet** use case will automatically create a policy with the required IAM permissions and will suggest **AWSServiceRoleForEC2Fleet** as the role name.
-
-    3. Choose **Next**.
-
-  5. On the **Add permissions page** , choose **Next**.
-
-  6. On the **Name, review, and create** page, choose **Create role**.
-
-
-
-
-If you no longer need to use EC2 Fleet, we recommend that you delete the **AWSServiceRoleForEC2Fleet** role. After this role is deleted from your account, you can create the role again if you create another fleet.
-
-For more information, see [Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html) in the _IAM User Guide_.
-
-### Grant access to customer managed keys for use with encrypted AMIs and EBS snapshots
-
-If you specify an [encrypted AMI](./AMIEncryption.html) or an encrypted Amazon EBS snapshot in your EC2 Fleet and you use an AWS KMS key for encryption, you must grant the **AWSServiceRoleForEC2Fleet** role permission to use the customer managed key so that Amazon EC2 can launch instances on your behalf. To do this, you must add a grant to the customer managed key, as shown in the following procedure.
-
-When providing permissions, grants are an alternative to key policies. For more information, see [Using grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) and [Using key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the _AWS Key Management Service Developer Guide_.
-
-###### To grant the AWSServiceRoleForEC2Fleet role permissions to use the customer managed key
-
-  * Use the [create-grant](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-grant.html) command to add a grant to the customer managed key and to specify the principal (the **AWSServiceRoleForEC2Fleet** service-linked role) that is given permission to perform the operations that the grant permits. The customer managed key is specified by the `key-id` parameter and the ARN of the customer managed key. The principal is specified by the `grantee-principal` parameter and the ARN of the **AWSServiceRoleForEC2Fleet** service-linked role.
-    
-        aws kms create-grant \
-        --region us-east-1 \
-        --key-id arn:aws:kms:us-east-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab \
-        --grantee-principal arn:aws:iam::111122223333:role/AWSServiceRoleForEC2Fleet \
-        --operations "Decrypt" "Encrypt" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "CreateGrant" "DescribeKey" "ReEncryptFrom" "ReEncryptTo"
-
-
-
-
-### Permissions for EC2 Fleet users
-
-If your users will create or manage an EC2 Fleet, be sure to grant them the required permissions.
-
-###### To create a policy for EC2 Fleet
-
-  1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
-
-  2. In the navigation pane, choose **Policies**.
-
-  3. Choose **Create policy**.
-
-  4. On the **Create policy** page, choose the **JSON** tab, replace the text with the following, and choose **Review policy**.
-    
-        {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ec2:*"
-                ],
-                "Resource": "*"
-            },
-            {
-                "Effect": "Allow",
-                "Action": [
-                  "iam:ListRoles",
-                  "iam:PassRole",
-                  "iam:ListInstanceProfiles"
-                ],
-                "Resource":"arn:aws:iam::123456789012:role/DevTeam*"
-            }
-        ]
-    }
-
-The `ec2:*` grants a user permission to call all Amazon EC2 API actions. To limit the user to specific Amazon EC2 API actions, specify those actions instead.
-
-The user must have permission to call the `iam:ListRoles` action to enumerate existing IAM roles, the `iam:PassRole` action to specify the EC2 Fleet role, and the `iam:ListInstanceProfiles` action to enumerate existing instance profiles.
-
-(Optional) To enable a user to create roles or instance profiles using the IAM console, you must also add the following actions to the policy:
-
-     * `iam:AddRoleToInstanceProfile`
-
-     * `iam:AttachRolePolicy`
-
-     * `iam:CreateInstanceProfile`
-
-     * `iam:CreateRole`
-
-     * `iam:GetRole`
-
-     * `iam:ListPolicies`
-
-  5. On the **Review policy** page, enter a policy name and description, and choose **Create policy**.
-
-  6. To provide access, add permissions to your users, groups, or roles:
-
-     * Users and groups in AWS IAM Identity Center:
-
-Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) in the _AWS IAM Identity Center User Guide_.
-
-     * Users managed in IAM through an identity provider:
-
-Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the _IAM User Guide_.
-
-     * IAM users:
-
-       * Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the _IAM User Guide_.
-
-       * (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the _IAM User Guide_.
-
-
-
-
@@ -563 +390 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-EC2 Fleet request states
+EC2 Fleet prerequisites