AWS Security ChangesHomeSearch

AWS AWSEC2 documentation change

Service: AWSEC2 · 2025-04-11 · Documentation low

File: AWSEC2/latest/UserGuide/create-spot-fleet.md

Summary

Restructured documentation to remove detailed IAM role configuration steps and consolidate permissions guidance. Added references to external permissions documentation while simplifying console/CLI instructions.

Security assessment

While the changes remove detailed security configuration content (IAM roles, CMK grants, confused deputy prevention), they primarily represent documentation reorganization rather than addressing a specific vulnerability. The added reference to Spot Fleet permissions prerequisites suggests security documentation was moved elsewhere rather than being removed entirely.

Diff

diff --git a/AWSEC2/latest/UserGuide/create-spot-fleet.md b/AWSEC2/latest/UserGuide/create-spot-fleet.md
index d2492f50e..487638caf 100644
--- a//AWSEC2/latest/UserGuide/create-spot-fleet.md
+++ b//AWSEC2/latest/UserGuide/create-spot-fleet.md
@@ -5 +5 @@
-Spot Fleet permissionsQuickly create a Spot Fleet request (console)Create a Spot Fleet request using defined parameters (console)Create a Spot Fleet using the AWS CLICreate a Spot Fleet that replaces unhealthy Spot Instances
+Quickly create a Spot Fleet requestCreate a Spot Fleet request using defined parametersCreate a Spot Fleet that replaces unhealthy Spot Instances
@@ -9 +9 @@ Spot Fleet permissionsQuickly create a Spot Fleet request (console)Create a Spot
-Using the AWS Management Console, quickly create a Spot Fleet request by choosing only an AMI and your desired total target capacity. Amazon EC2 will configure a fleet that best meets your needs and follows Spot best practice. For more information, see Quickly create a Spot Fleet request (console). Otherwise, you can modify any of the default settings. For more information, see Create a Spot Fleet request using defined parameters (console) and Create a Spot Fleet using the AWS CLI.
+Using the AWS Management Console, you can quickly create a Spot Fleet request by choosing only an AMI and your desired total target capacity. Amazon EC2 will configure a fleet that best meets your needs and follows Spot best practices. Alternatively, you can modify any of the default settings.
@@ -11 +11 @@ Using the AWS Management Console, quickly create a Spot Fleet request by choosin
-If you want to include On-Demand Instances in your fleet, you need to specify a launch template in your request and specify you desired On-Demand capacity.
+If you want to include On-Demand Instances in your fleet, you must specify a launch template in your request and specify you desired On-Demand capacity.
@@ -17 +17 @@ If your fleet includes Spot Instances and is of type `maintain`, Amazon EC2 will
-###### Topics
+###### Required permissions
@@ -19 +19 @@ If your fleet includes Spot Instances and is of type `maintain`, Amazon EC2 will
-  * Spot Fleet permissions
+For more information, see [Spot Fleet permissions](./spot-fleet-prerequisites.html).
@@ -21 +21 @@ If your fleet includes Spot Instances and is of type `maintain`, Amazon EC2 will
-  * Quickly create a Spot Fleet request (console)
+###### Tasks
@@ -23 +23 @@ If your fleet includes Spot Instances and is of type `maintain`, Amazon EC2 will
-  * Create a Spot Fleet request using defined parameters (console)
+  * Quickly create a Spot Fleet request
@@ -25 +25 @@ If your fleet includes Spot Instances and is of type `maintain`, Amazon EC2 will
-  * Create a Spot Fleet using the AWS CLI
+  * Create a Spot Fleet request using defined parameters
@@ -32 +32 @@ If your fleet includes Spot Instances and is of type `maintain`, Amazon EC2 will
-## Spot Fleet permissions
+## Quickly create a Spot Fleet request
@@ -34 +34 @@ If your fleet includes Spot Instances and is of type `maintain`, Amazon EC2 will
-If your users will create or manage a Spot Fleet, you need to grant them the required permissions.
+Follow these steps to quickly create a Spot Fleet request using the Amazon EC2 console.
@@ -36,343 +36 @@ If your users will create or manage a Spot Fleet, you need to grant them the req
-If you use the Amazon EC2 console to create a Spot Fleet, it creates two service-linked roles named `AWSServiceRoleForEC2SpotFleet` and `AWSServiceRoleForEC2Spot`, and a role named `aws-ec2-spot-fleet-tagging-role` that grant the Spot Fleet the permissions to request, launch, terminate, and tag resources on your behalf. If you use the AWS CLI or an API, you must ensure that these roles exist.
-
-Use the following instructions to grant the required permissions and create the roles.
-
-###### Permissions and roles
-
-  * Grant permission to users for Spot Fleet
-
-  * Service-linked role for Spot Fleet
-
-  * Service-linked role for Spot Instances
-
-  * IAM role for tagging a Spot Fleet
-
-
-
-
-### Grant permission to users for Spot Fleet
-
-If your users will create or manage a Spot Fleet, be sure to grant them the required permissions.
-
-###### To create a policy for Spot Fleet
-
-  1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
-
-  2. In the navigation pane, choose **Policies** , **Create policy**.
-
-  3. On the **Create policy** page, choose **JSON** , and replace the text with the following.
-    
-        {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ec2:RunInstances",
-                    "ec2:CreateTags",
-                    "ec2:RequestSpotFleet",
-                    "ec2:ModifySpotFleetRequest",
-                    "ec2:CancelSpotFleetRequests",
-                    "ec2:DescribeSpotFleetRequests",
-                    "ec2:DescribeSpotFleetInstances",
-                    "ec2:DescribeSpotFleetRequestHistory"
-                ],
-                "Resource": "*"
-            },
-            {
-                "Effect": "Allow",
-                "Action": "iam:PassRole",
-                "Resource": "arn:aws:iam::*:role/aws-ec2-spot-fleet-tagging-role"
-            },
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "iam:CreateServiceLinkedRole",
-                    "iam:ListRoles",
-                    "iam:ListInstanceProfiles"
-                ],
-                "Resource": "*"
-            }
-        ]
-    }
-
-The preceding example policy grants a user the permissions required for most Spot Fleet use cases. To limit the user to specific API actions, specify only those API actions instead.
-
-**Required EC2 and IAM APIs**
-
-The following APIs must be included in the policy:
-
-     * `ec2:RunInstances` – Required to launch instances in a Spot Fleet
-
-     * `ec2:CreateTags` – Required to tag the Spot Fleet request, instances, or volumes
-
-     * `iam:PassRole` – Required to specify the Spot Fleet role
-
-     * `iam:CreateServiceLinkedRole` – Required to create the service-linked role
-
-     * `iam:ListRoles` – Required to enumerate existing IAM roles
-
-     * `iam:ListInstanceProfiles` – Required to enumerate existing instance profiles
-
-###### Important
-
-If you specify a role for the IAM instance profile in the launch specification or launch template, you must grant the user the permission to pass the role to the service. To do this, in the IAM policy include `"arn:aws:iam::*:role/`IamInstanceProfile-role`"` as a resource for the `iam:PassRole` action. For more information, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the _IAM User Guide_.
-
-**Spot Fleet APIs**
-
-Add the following Spot Fleet API actions to your policy, as needed:
-
-     * `ec2:RequestSpotFleet`
-
-     * `ec2:ModifySpotFleetRequest`
-
-     * `ec2:CancelSpotFleetRequests`
-
-     * `ec2:DescribeSpotFleetRequests`
-
-     * `ec2:DescribeSpotFleetInstances`
-
-     * `ec2:DescribeSpotFleetRequestHistory`
-
-**Optional IAM APIs**
-
-(Optional) To enable a user to create roles or instance profiles using the IAM console, you must add the following actions to the policy:
-
-     * `iam:AddRoleToInstanceProfile`
-
-     * `iam:AttachRolePolicy`
-
-     * `iam:CreateInstanceProfile`
-
-     * `iam:CreateRole`
-
-     * `iam:GetRole`
-
-     * `iam:ListPolicies`
-
-  4. Choose **Review policy**.
-
-  5. On the **Review policy** page, enter a policy name and description, and choose **Create policy**.
-
-  6. To provide access, add permissions to your users, groups, or roles:
-
-     * Users and groups in AWS IAM Identity Center:
-
-Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) in the _AWS IAM Identity Center User Guide_.
-
-     * Users managed in IAM through an identity provider:
-
-Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the _IAM User Guide_.
-
-     * IAM users:
-
-       * Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the _IAM User Guide_.
-
-       * (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the _IAM User Guide_.
-
-
-
-
-### Service-linked role for Spot Fleet
-
-Amazon EC2 uses service-linked roles for the permissions that it requires to call other AWS services on your behalf. A service-linked role is a unique type of IAM role that is linked directly to an AWS service. Service-linked roles provide a secure way to delegate permissions to AWS services because only the linked service can assume a service-linked role. For more information, see [Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html) in the _IAM User Guide_.
-
-Amazon EC2 uses the service-linked role named **AWSServiceRoleForEC2SpotFleet** to launch and manage instances on your behalf.
-
-###### Important
-
-If you specify an [encrypted AMI](./AMIEncryption.html) or an encrypted Amazon EBS snapshot in your Spot Fleet, you must grant the **AWSServiceRoleForEC2SpotFleet** role permission to use the CMK so that Amazon EC2 can launch instances on your behalf. For more information, see Grant access to CMKs for use with encrypted AMIs and EBS snapshots.
-
-#### Permissions granted by AWSServiceRoleForEC2SpotFleet
-
-The **AWSServiceRoleForEC2SpotFleet** role grants the Spot Fleet permission to request, launch, terminate, and tag instances on your behalf. Amazon EC2 uses this service-linked role to complete the following actions:
-
-  * `ec2:RequestSpotInstances` \- Request Spot Instances
-
-  * `ec2:RunInstances` \- Launch instances
-
-  * `ec2:TerminateInstances` \- Terminate instances
-
-  * `ec2:DescribeImages` \- Describe Amazon Machine Images (AMIs) for the instances
-
-  * `ec2:DescribeInstanceStatus` \- Describe the status of the instances
-
-  * `ec2:DescribeSubnets` \- Describe the subnets for the instances