This issue usually occurs when there is a Lambda function or some other custom script that modifies the 'CreatedBy' tag which was initially added by ImageBuilder. That is, here's the sequence of events that I think may have occurred in your case:
- Image Builder launches the build instance i-xxxxxxxxxxxxxx with the tag "CreatedBy" set to the value "EC2 Image Builder".
- A custom Lambda function or some other script then replaces the value of the "CreatedBy" tag to the new value (imagebuilderabc-1234efghijk-567lmno-89pqrs).
- Following this, when Image Builder sends a SendCommand API targeting the build instance, the request fails with an AccessDenied error since the instance no longer has the tag "CreatedBy" set to the value "EC2 Image Builder".
To verify this, you can use the CloudTrail logs.
Go to CloudTrail console (eu-central-1 region) --> Event history --> Set the lookup attributes to Resource name = i-xxxxxxxxxxxxxx --> Select the required timeframe (when the AccessDenied error occurred).
Look for "CreateTags" events and check the event record to find more details. If you find that the "CreatedBy" tag was modified by a Lambda function, you will have to modify the Lambda function in question so that it adds a tag with a different key (instead of "CreatedBy").
Hope this helps! :)
- Accepted Answerasked a month ago
- AWS OFFICIALUpdated 8 months ago
- How do I automate the creation of AMIs based on my EBS-backed EC2 instance using Systems Manager Automation?AWS OFFICIALUpdated a year ago
- EXPERTpublished 10 days ago
- EXPERTpublished 8 days ago