diff --git a/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
index da622522a880..b7217b4c9b2a 100644
--- a/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -11,7 +11,7 @@ Resources:
 InstanceProfileName: !Sub "KarpenterNodeInstanceProfile-${ClusterName}"
 Path: "/"
 Roles:
- - Ref: "KarpenterNodeRole"
+ - !Ref "KarpenterNodeRole"
 KarpenterNodeRole:
 Type: "AWS::IAM::Role"
 Properties:
@@ -45,9 +45,6 @@ Resources:
 - ec2:CreateFleet
 - ec2:CreateLaunchTemplate
 - ec2:CreateTags
- - ec2:DeleteLaunchTemplate
- - ec2:RunInstances
- - ec2:TerminateInstances
 # Read Operations
 - ec2:DescribeAvailabilityZones
 - ec2:DescribeImages
@@ -59,7 +56,32 @@ Resources:
 - ec2:DescribeSpotPriceHistory
 - ec2:DescribeSubnets
 - pricing:GetProducts
- - ssm:GetParameter
+ - Effect: Allow
+ Resource: "arn:${AWS::Partition}:ssm:::parameter/aws/service/*"
+ Action: ssm:GetParameter
+ - Effect: Allow
+ Resource: !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:instance/*"
+ Action: ec2:TerminateInstances
+ Condition:
+ StringEquals:
+ "aws:ResourceTag/karpenter.sh/managed-by": !Sub "${ClusterName}"
+ - Effect: Allow
+ Resource: !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:launch-template/*"
+ Action: ec2:DeleteLaunchTemplate
+ Condition:
+ StringEquals:
+ "aws:ResourceTag/karpenter.k8s.aws/cluster": !Sub "${ClusterName}"
+ - Effect: Allow
+ Resource:
+ - !Sub "arn:${AWS::Partition}:ec2:*::image/*"
+ - !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:instance/*"
+ - !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:spot-instances-request/*"
+ - !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:security-group/*"
+ - !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:volume/*"
+ - !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:network-interface/*"
+ - !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:subnet/*"
+ - !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:launch-template/*"
+ Action: ec2:RunInstances
 - Effect: Allow
 Action:
 # Write Operations
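Review bot: The ssm:GetParameter statement's `Resource` is a plain quoted string, so `${AWS::Partition}` is never substituted and the ARN is taken literally, unlike every other new statement in this hunk which wraps the ARN in `!Sub`; it should read `Resource: !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}::parameter/aws/service/*"`. The instance, launch-template, spot-instances-request, security-group, volume, network-interface and subnet ARNs also leave the region field empty (`ec2::${AWS::AccountId}:`) while the image ARN uses `ec2:*::`; EC2 resource ARNs carry a region, so these statements would presumably fail to match real resources and RunInstances, TerminateInstances and DeleteLaunchTemplate would be denied — `ec2:${AWS::Region}:${AWS::AccountId}:` (or `ec2:*:`) looks like what was intended. The `aws:ResourceTag/karpenter.sh/managed-by` condition on ec2:TerminateInstances only constrains the role if it cannot tag arbitrary instances, but ec2:CreateTags remains in the unscoped statement of the previous hunk, so the role could presumably tag any instance in the account with that key and then terminate it; restricting CreateTags with an `ec2:CreateAction` condition (RunInstances, CreateFleet, CreateLaunchTemplate) would close that path. The enclosing policy document starts and ends outside the hunk.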