Amazon Elastic Compute Cloud User Guide for Linux
IAM Policies
Important
Be careful about granting users permission to use the ec2:CreateTags action. This limits your ability to use the ec2:ResourceTag condition key to restrict the use of other resources; users can change a resource's tag in order to bypass those restrictions.
Currently, the Amazon EC2 Describe* API actions do not support resource-level permissions, so you cannot restrict which individual resources users can view in the launch wizard. However, you can apply resource-level permissions on the ec2:RunInstances API action to restrict which resources users can use to launch an instance. The launch fails if users select options that they are not authorized to use.

The following policy allows users to launch m1.small instances using AMIs owned by Amazon, and only into a specific subnet (subnet-1a2b3c4d). Users can only launch in the sa-east-1 region. If users select a different region, or select a different instance type, AMI, or subnet in the launch wizard, the launch fails.

The first statement grants users permission to view the options in the launch wizard, as demonstrated in the example above. The second statement grants users permission to use the network interface, volume, key pair, security group, and subnet resources for the ec2:RunInstances action, which are required to launch an instance into a VPC. For more information about using the ec2:RunInstances action, see 5: Allow users to launch instances with a specific configuration (p. 425). The third and fourth statements grant users permission to use the instance and AMI resources respectively, but only if the instance is an m1.small instance, and only if the AMI is owned by Amazon.
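The policy described above, written out as an added example (not the guide's own listing); the four statements follow the description one for one, and ACCOUNT-ID is a placeholder for the account that owns the subnet and the other VPC resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ViewLaunchWizardOptions",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "LaunchOnlyIntoSubnet1a2b3c4dInSaEast1",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:sa-east-1:ACCOUNT-ID:network-interface/*",
        "arn:aws:ec2:sa-east-1:ACCOUNT-ID:volume/*",
        "arn:aws:ec2:sa-east-1:ACCOUNT-ID:key-pair/*",
        "arn:aws:ec2:sa-east-1:ACCOUNT-ID:security-group/*",
        "arn:aws:ec2:sa-east-1:ACCOUNT-ID:subnet/subnet-1a2b3c4d"
      ]
    },
    {
      "Sid": "InstanceResourceOnlyIfM1Small",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:sa-east-1:ACCOUNT-ID:instance/*",
      "Condition": {
        "StringEquals": { "ec2:InstanceType": "m1.small" }
      }
    },
    {
      "Sid": "ImageResourceOnlyIfOwnedByAmazon",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:sa-east-1::image/ami-*",
      "Condition": {
        "StringEquals": { "ec2:Owner": "amazon" }
      }
    }
  ]
}
```

Because the region is fixed in every resource ARN, a launch attempted in any other region matches no statement and is denied; note also that the policy deliberately grants no ec2:CreateTags, consistent with the Important note above.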
API Version 2015-04-15
434