CreateMacSystemIntegrityProtectionModificationTask API returns HTTP 500 InternalError on EC2 Mac instances

Question

I am trying to disable SIP on EC2 Mac dedicated hosts (mac2.metal and mac2-m2pro.metal) using the CreateMacSystemIntegrityProtectionModificationTask API. The API consistently returns HTTP 500 InternalError.

Setup:
- Instance types tested: mac2.metal, mac2-m2pro.metal
- Regions tested: us-east-2, ap-southeast-1, ap-southeast-2
- macOS version: 15.7.3 (Sequoia)
- Instances are in stopped state (as required by documentation)
- Dedicated hosts are in "available" state
- Using root account credentials
- ec2-user password set and secure token enabled via dscl/sysadminctl

Steps to reproduce:
1. Allocate a mac2.metal or mac2-m2pro.metal dedicated host
2. 2. Launch an instance, SSH in, set ec2-user password, enable secure token
3. 3. Stop the instance, wait for dedicated host to return to "available"
4. 4. Create credentials.json with rootVolumeUsername/rootVolumePassword and internalDiskPassword
5. 5. Run: aws ec2 create-mac-system-integrity-protection-modification-task --instance-id  --mac-system-integrity-protection-status disabled --mac-credentials file://credentials.json
Expected: Task is created to disable SIP
Actual: HTTP 500 InternalError

Notes:
- The --dry-run flag succeeds (returns DryRunOperation), suggesting permissions are correct
- The CreateDelegateMacVolumeOwnershipTask API also returns the same 500 error
- Tested with all credential combinations (with and without internalDiskPassword)
- Reproduced consistently across 3 regions and 2 instance types
- This appears to be a service-side issue rather than a configuration problem

Has anyone successfully used this API? Is there a known issue or additional prerequisite not documented?

re:Post Agent · Answer

Based on the available documentation, there are several important prerequisites and considerations that may be causing the issue you're experiencing:

**Critical Prerequisites for Apple Silicon Mac Instances:**

Before calling the CreateMacSystemIntegrityProtectionModificationTask API on Apple silicon-based EC2 Mac instances (which includes mac2-m2pro.metal), you must:

1. Set the ec2-user password while the instance is running
2. Enable secure token for the ec2-user on macOS while the instance is running
3. The instance should be running (not stopped) when you perform these prerequisite steps

**Instance State Consideration:**

The documentation indicates that SIP configuration tasks can take 60-90 minutes to complete, and the instance becomes unreachable during this time. However, the documentation does not explicitly state that the instance must be in a stopped state before initiating the task. In fact, the workflow described suggests connecting to a running instance to set up prerequisites, then calling the API.

**Credentials Format:**

The credentials must be specified in JSON format with the following structure:
```
{
"internalDiskPassword": "internal-disk-admin_password",
"rootVolumeUsername": "root-volume-admin_username",
"rootVolumePassword": "root-volume-admin_password"
}
```

**Apple Silicon Specific Requirements:**

For Apple silicon Mac instances, there are additional constraints:
- Only one bootable volume is allowed
- Each attached volume can have only one additional admin user
- SIP settings are applied at the volume level (not instance level)

**Recommendation:**

Try initiating the SIP modification task while the instance is in a running state rather than stopped. Ensure the secure token is properly enabled for ec2-user before calling the API. If the issue persists across multiple regions and instance types as you've described, this may indeed warrant contacting AWS Support for investigation of a potential service-side issue.  
**Sources**  
[Configure System Integrity Protection (SIP) on Amazon EC2 Mac instances | AWS News Blog](https://aws.amazon.com/blogs/aws/configure-system-integrity-protection-sip-on-amazon-ec2-mac-instances/)  
[CreateMacSystemIntegrityProtectionModificationTask - Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateMacSystemIntegrityProtectionModificationTask.html)  
[create_mac_system_integrity_protection_modification_task - botocore 1.42.50 documentation](https://docs.aws.amazon.com/botocore/latest/reference/services/ec2/client/create_mac_system_integrity_protection_modification_task.html)  
[Configure System Integrity Protection for Amazon EC2 Mac instances - Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/mac-sip-settings.html)

CreateMacSystemIntegrityProtectionModificationTask API returns HTTP 500 InternalError on EC2 Mac instances

Add your answer

Relevant content