When multiple AMI builders were used in the same stack, the custom resource used to clean up AMIs on delete only had access to delete AMIs for one of the builders.
The error looked like:
Received response status [FAILED] from custom resource. Message returned: You are not authorized to perform this operation. User: arn:aws:sts::0123456789:assumed-role/github-runners-test-deleteamidcc036c8876b451ea2c15-0123456789/github-runners-test-deleteamidcc036c8876b451ea2c15-0123456789 is not authorized to perform: ec2:DeregisterImage on resource: arn:aws:ec2:us-east-1::image/ami-079195c0509e4a902 because no identity-based policy allows the ec2:DeregisterImage action.