- Check the EC2 Instance Profile Role: You mentioned assigning a custom IAM role with policies like AWSElasticBeanstalkWebTier, WorkerTier, and MulticontainerDocker. That’s a good start, but Beanstalk environments expect the EC2 instance profile to also include AmazonEC2ContainerRegistryReadOnly or SSM-related permissions, depending on the platform and logs.
  Try adding these managed policies to your EC2 instance profile role:
  - AWSElasticBeanstalkWebTier
  - AmazonEC2ContainerRegistryReadOnly
  - AmazonSSMManagedInstanceCore (optional but useful for log access and Session Manager)
- Double-check the Trust Policy: Your trust policy looks correct for EC2:
  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": { "Service": "ec2.amazonaws.com" }
      }
    ]
  }
  ```
  Just make sure that you attached this IAM role as the instance profile under Configuration > Security > EC2 instance profile in the Beanstalk console.
- Check the Logs: After the environment fails, go to Elastic Beanstalk > Your Environment > Logs > Request Logs > Last 100 Lines. Look for errors related to:
  a) Missing permissions
  b) Package install failures
  c) Node.js version issues
- Use Default Roles Temporarily (for Testing): If nothing works, try deploying using AWS’s default EC2 instance profile role (aws-elasticbeanstalk-ec2-role). That helps isolate whether the issue is your custom IAM setup.
Let me know what you see in the logs ...
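The checklist in the answer above (EC2 trust relationship plus the recommended managed policies) can be run offline against the JSON that `aws iam get-role` and `aws iam list-attached-role-policies` return. The script below is an added example, not code from the answer or from AWS; the sample role and attached-policy listing in it are constructed to mirror the custom role the question describes (WebTier, WorkerTier, MulticontainerDocker attached), and the policy sets it checks against are the ones the answer lists.

```python
"""Offline checklist for an Elastic Beanstalk EC2 instance profile role.

Added example, not the answer's own code. Input shapes are those of
`aws iam get-role` and `aws iam list-attached-role-policies`; the sample
documents at the bottom are constructed, not captured from a real account.
"""

# Managed policies the answer recommends on the instance profile role.
REQUIRED_POLICIES = {"AWSElasticBeanstalkWebTier", "AmazonEC2ContainerRegistryReadOnly"}
OPTIONAL_POLICIES = {"AmazonSSMManagedInstanceCore"}  # log access / Session Manager


def _as_list(value):
    """IAM lets Statement, Action and Service be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusts_ec2(trust_policy):
    """True if an Allow statement lets the EC2 service principal call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and "ec2.amazonaws.com" in _as_list(principal.get("Service", [])):
            return True
    return False


def attached_policy_names(listing):
    """Policy names from `aws iam list-attached-role-policies` output."""
    return {p["PolicyName"] for p in listing.get("AttachedPolicies", [])}


def audit_instance_profile_role(role, attached):
    """Return findings as strings; an empty list means the role passes the checklist."""
    findings = []
    if not trusts_ec2(role["Role"]["AssumeRolePolicyDocument"]):
        findings.append("trust policy does not allow ec2.amazonaws.com to sts:AssumeRole")
    names = attached_policy_names(attached)
    for name in sorted(REQUIRED_POLICIES - names):
        findings.append(f"missing managed policy: {name}")
    for name in sorted(OPTIONAL_POLICIES - names):
        findings.append(f"optional (logs/Session Manager): {name} not attached")
    return findings


# Constructed stand-in for `aws iam get-role --role-name custom-eb-ec2-role`.
SAMPLE_ROLE = {
    "Role": {
        "RoleName": "custom-eb-ec2-role",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"Service": "ec2.amazonaws.com"}}
            ],
        },
    }
}

# Constructed stand-in for `aws iam list-attached-role-policies --role-name custom-eb-ec2-role`,
# matching the three policies the question says were attached.
SAMPLE_ATTACHED = {
    "AttachedPolicies": [
        {"PolicyName": "AWSElasticBeanstalkWebTier",
         "PolicyArn": "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"},
        {"PolicyName": "AWSElasticBeanstalkWorkerTier",
         "PolicyArn": "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"},
        {"PolicyName": "AWSElasticBeanstalkMulticontainerDocker",
         "PolicyArn": "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"},
    ]
}


def sample_findings():
    """Run the audit on the constructed sample role."""
    return audit_instance_profile_role(SAMPLE_ROLE, SAMPLE_ATTACHED)


if __name__ == "__main__":
    for line in sample_findings() or ["role passes the checklist"]:
        print(line)
```

Against a real account, replace the two sample dicts with `json.load` of the CLI output; `get-role` already returns `AssumeRolePolicyDocument` as decoded JSON. The audit only confirms what is attached to the role; it does not tell you whether that role is the one the environment actually uses, which is the separate console check the answer points at.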
The issue you're experiencing with Elastic Beanstalk appears to be related to permissions and S3 bucket policies. Here are some steps you can take to troubleshoot and potentially resolve the problem:
- IAM Role Permissions: While you've created a custom IAM role with several Elastic Beanstalk-related policies, it's possible that the role is missing some crucial S3 permissions. Ensure that your IAM role has, at minimum, permissions for s3:GetObject and s3:ListBucket.
- S3 Bucket Policy: The S3_MALFORMED_POLICY error suggests there might be an issue with the S3 bucket policy. In most cases, Elastic Beanstalk doesn't require a specific bucket policy for the S3 buckets it creates and uses. However, if there is an existing bucket policy, it might be conflicting with the permissions Elastic Beanstalk needs.
- Account-level S3 settings: Check your account-level S3 settings, particularly the Block Public Access settings. If these are too restrictive, they might interfere with Elastic Beanstalk's ability to configure the S3 bucket properly.
- VPC Configuration: If you're using a custom VPC for your Elastic Beanstalk environment, ensure it's properly configured with the necessary components like internet gateway, security groups, and subnets to allow traffic between Elastic Beanstalk and S3.
- Launch Template Settings: Recent changes in AWS Elastic Beanstalk have phased out launch configurations in favor of launch templates. To address this, try setting one of the following options in your environment configuration:
  - DisableIMDSv1
  - RootVolumeType (set to gp3, for example)
  - BlockDeviceMappings
  - EnableSpot
  You can set these options through the Elastic Beanstalk console under the "Capacity" configuration section when creating or updating your environment.
If the issue persists after trying these steps, you may need to contact AWS Support for more specific guidance based on your account's configuration. They can provide more detailed information about the API calls being made and any specific permission issues you might be encountering.
Sources
When creating an elastic beanstalk environment it gets terminated throwing a S3_MALFORMED_POLICY error | AWS re:Post
Creating an Elastic Beanstalk without success | AWS re:Post
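The launch-template options the answer above sets through the console can also be set from the application bundle, which keeps the setting under version control and applied on every deploy. The file below is an added example, not part of either answer: an `.ebextensions` config file (the file name `launch-template.config` is my choice) setting two of the listed options, `DisableIMDSv1` and `RootVolumeType`, in their `aws:autoscaling:launchconfiguration` namespace.

```yaml
# .ebextensions/launch-template.config  (added example; any *.config name works)
option_settings:
  aws:autoscaling:launchconfiguration:
    DisableIMDSv1: true    # require IMDSv2 on the instances
    RootVolumeType: gp3    # one of the options the answer lists as launch-template-only
```

Either of these two lines is enough for the point the answer makes; `DisableIMDSv1: true` is the one worth keeping regardless, since it turns off the credential-leak path that IMDSv1 leaves open to SSRF on the instance.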
Check your S3 bucket policy and confirm if it is restricting Beanstalk from performing the deployment or if it refers to IAM user/roles that no longer exist. These issues can result in S3_MALFORMED_POLICY.
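The two bucket-policy problems named in this answer and the previous one (a policy that blocks Beanstalk's own deployment access, and a policy that refers to IAM users or roles that no longer exist) can be checked offline. The script below is an added example, not code from the thread or from AWS. It relies on one documented IAM behaviour: when a user or role named in a resource policy is deleted, the `Principal` entry is rewritten to that identity's unique ID (an `AIDA...` or `AROA...` string), which is what makes a stale policy fail as malformed when anything tries to put it again. The bucket policy and the set of existing ARNs are constructed test data standing in for `aws s3api get-bucket-policy` and `aws iam list-roles`/`list-users` output.

```python
"""Offline audit of an S3 bucket policy for dangling principals and blanket denies.

Added example, not code from the re:Post thread. Sample policy and ARN list
below are constructed, not taken from a real account.
"""
import json
import re

# A deleted IAM user/role leaves its unique ID in place of the ARN (AIDA... users, AROA... roles).
UNIQUE_ID = re.compile(r"^A(?:IDA|ROA)[A-Z0-9]{12,}$")

# Actions Beanstalk needs on its bucket; an unconditional Deny to everyone on these blocks the deploy.
BEANSTALK_S3_ACTIONS = {"s3:*", "s3:getobject", "s3:putobject", "s3:listbucket"}


def _as_list(value):
    """IAM lets Statement, Action and Principal.AWS be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def aws_principals(stmt):
    """AWS principals of one statement as strings ('*' means everyone); service principals are ignored."""
    principal = stmt.get("Principal")
    if principal is None:
        return []
    if principal == "*":
        return ["*"]
    return [str(p) for p in _as_list(principal.get("AWS", []))]


def audit_bucket_policy(policy_text, existing_arns):
    """Return findings for a bucket policy given as a JSON string; [] means nothing suspicious."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc.msg}"]

    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{i}]")
        principals = aws_principals(stmt)
        for p in principals:
            if UNIQUE_ID.match(p):
                findings.append(f"{sid}: principal {p} is a unique ID, the IAM user/role was deleted")
            elif p.startswith("arn:aws:iam::") and not p.endswith(":root") and p not in existing_arns:
                findings.append(f"{sid}: principal {p} does not exist")
        if stmt.get("Effect") == "Deny" and "*" in principals and "Condition" not in stmt:
            actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
            hit = sorted(actions & BEANSTALK_S3_ACTIONS)
            if hit:
                findings.append(f"{sid}: unconditional Deny to everyone on {hit} would block Beanstalk")
    return findings


# Constructed bucket policy standing in for `aws s3api get-bucket-policy --query Policy --output text`.
SAMPLE_POLICY_TEXT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowDeployRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012",
                      "arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012/*"]},
        {"Sid": "StaleDeployer", "Effect": "Allow",
         "Principal": {"AWS": "AROAEXAMPLE1234567890"},  # what a deleted role leaves behind
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012/*"},
        {"Sid": "GoneUser", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/old-deployer"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012/*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012/*"},
    ],
}, indent=2)

# Constructed stand-in for the ARNs returned by `aws iam list-roles` / `aws iam list-users`.
EXISTING_ARNS = {"arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role"}


def sample_findings():
    """Run the audit on the constructed sample policy."""
    return audit_bucket_policy(SAMPLE_POLICY_TEXT, EXISTING_ARNS)


if __name__ == "__main__":
    for line in sample_findings() or ["no findings"]:
        print(line)
```

The ARN check only covers principals in the account whose identities you listed; cross-account ARNs will show up as "does not exist" unless you add them to `existing_arns`. A unique-ID principal is the case to act on first: the policy cannot be re-put as is, so delete that statement or replace the ID with the ARN of the identity that should have access.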
Thanks for your reply, I managed to fix it by specifying the default VPC, and adding the default security group to my environment configuration.