diff --git a/builtin/credential/aws-ec2/path_login.go b/builtin/credential/aws-ec2/path_login.go
index da57edde4..33b7c884e 100644
--- a/builtin/credential/aws-ec2/path_login.go
+++ b/builtin/credential/aws-ec2/path_login.go
@@ -406,10 +406,15 @@ func (b *backend) pathLoginUpdate(
 	}
 
 	// Cap the TTL value.
-	if shortestMaxTTL < roleEntry.TTL {
-		resp.AddWarning(fmt.Sprintf("Role ttl of %d exceeded the effective max_ttl of %d; ttl value is capped appropriately", roleEntry.TTL/time.Second, shortestMaxTTL/time.Second))
-		resp.Auth.TTL = shortestMaxTTL
+	shortestTTL := b.System().DefaultLeaseTTL()
+	if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
+		shortestTTL = roleEntry.TTL
 	}
+	if shortestMaxTTL < shortestTTL {
+		resp.AddWarning(fmt.Sprintf("Effective ttl of %q exceeded the effective max_ttl of %q; ttl value is capped appropriately", (shortestTTL / time.Second).String(), (shortestMaxTTL / time.Second).String()))
+		shortestTTL = shortestMaxTTL
+	}
+	resp.Auth.TTL = shortestTTL
 
 	return resp, nil
 
@@ -549,6 +554,15 @@ func (b *backend) pathLoginRenew(
 		longestMaxTTL = rTagMaxTTL
 	}
 
+	// Cap the TTL value.
+	shortestTTL := b.System().DefaultLeaseTTL()
+	if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
+		shortestTTL = roleEntry.TTL
+	}
+	if shortestMaxTTL < shortestTTL {
+		shortestTTL = shortestMaxTTL
+	}
+
 	// Only LastUpdatedTime and ExpirationTime change and all other fields remain the same.
 	currentTime := time.Now()
 	storedIdentity.LastUpdatedTime = currentTime
@@ -558,7 +572,7 @@ func (b *backend) pathLoginRenew(
 		return nil, err
 	}
 
-	return framework.LeaseExtend(req.Auth.TTL, shortestMaxTTL, b.System())(req, data)
+	return framework.LeaseExtend(shortestTTL, shortestMaxTTL, b.System())(req, data)
 }
 
 // Struct to represent items of interest from the EC2 instance identity document.