Amazon Elastic Compute Cloud
User Guide (API Version 2014-02-01)

IAM Policies for Amazon EC2

By default, IAM users don't have permission to create or modify Amazon EC2 resources, or perform tasks using the Amazon EC2 API. (This means that they also can't do so using the Amazon EC2 console or CLI.) To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant IAM users permission to use the specific resources and API actions they'll need, and then attach those policies to the IAM users or groups that require those permissions.

When you attach a policy to a user or group of users, it allows or denies the users permission to perform the specified tasks on the specified resources. For more general information about IAM policies, see Permissions and Policies in the Using IAM guide.

Policy Syntax

An IAM policy is a JSON document that consists of one or more statements. Each statement is structured as follows:

{
  "Statement":[{
    "Effect":"effect",
    "Action":"action",
    "Resource":"arn",
    "Condition":{
      "condition":{
        "key":"value"
        }
      }
    }
  ]
}

There are various elements that make up a statement:

  • Effect: The effect can be Allow or Deny. By default, IAM users don't have permission to use resources and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny overrides any allows.

  • Action: The action is the specific API action for which you are granting or denying permission. To learn about specifying action, see Actions for Amazon EC2.

  • Resource: The resource that's affected by the action. Some Amazon EC2 API actions allow you to include specific resources in your policy that can be created or modified by the action. To specify a resource in the statement, you need to use its Amazon Resource Name (ARN). For more information about specifying the arn value, see Amazon Resource Names for Amazon EC2. For more information about which API actions support which ARNs, see Supported Resources and Conditions for Amazon EC2 API Actions. If the API action does not support ARNs, use the * wildcard to specify that all resources can be affected by the action.

  • Condition: Conditions are optional. They can be used to control when your policy will be in effect. For more information about specifying conditions for Amazon EC2, see Condition Keys for Amazon EC2.

For more information about example IAM policy statements for Amazon EC2, see Example Policy Statements for Amazon EC2.

Actions for Amazon EC2

In an IAM policy statement, you can specify any API action from any service that supports IAM. For Amazon EC2, use the following prefix with the name of the API action: ec2:. For example: ec2:RunInstances and ec2:CreateImage.

To specify multiple actions in a single statement, separate them with commas as follows:

"Action": ["ec2:action1", "ec2:action2"]

You can also specify multiple actions using wildcards. For example, you can specify all actions whose name begins with the word "Describe" as follows:

"Action": "ec2:Describe*"

To specify all Amazon EC2 API actions, use the * wildcard as follows:

"Action": "ec2:*"

For a list of Amazon EC2 actions, see Actions in the Amazon Elastic Compute Cloud API Reference.

Amazon Resource Names for Amazon EC2

Each IAM policy statement applies to the resources that you specify using their ARNs.

Important

Currently, not all API actions support individual ARNs; we'll add support for additional API actions and ARNs for additional Amazon EC2 resources later. For information about which ARNs you can use with which Amazon EC2 API actions, as well as supported condition keys for each ARN, see Supported Resources and Conditions for Amazon EC2 API Actions.

An ARN has the following general syntax:

arn:aws:[service]:[region]:[account]:resourceType/resourcePath

service

The service (for example, ec2).

region

The region for the resource (for example, us-east-1).

account

The AWS account ID, with no hyphens (for example, 123456789012).

resourceType

The type of resource (for example, instance).

resourcePath

A path that identifies the resource. You can use the * wildcard in your paths.

For example, you can indicate a specific instance (i-1a2b3c4d) in your statement using its ARN as follows:

"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-1a2b3c4d"

You can also specify all instances that belong to a specific account by using the * wildcard as follows:

"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"

To specify all resources, or if a specific API action does not support ARNs, use the * wildcard in the Resource element as follows:

"Resource": "*"

The following table describes the ARNs for each type of resource used by the Amazon EC2 API actions.

Resource Type / ARN

All Amazon EC2 resources
  arn:aws:ec2:*

All Amazon EC2 resources owned by the specified account in the specified region
  arn:aws:ec2:region:account:*

Customer gateway
  arn:aws:ec2:region:account:customer-gateway/cgw-id
  Where cgw-id is cgw-xxxxxxxx

DHCP options set
  arn:aws:ec2:region:account:dhcp-options/dhcp-options-id
  Where dhcp-options-id is dopt-xxxxxxxx

Image
  arn:aws:ec2:region::image/image-id
  Where image-id is the ID of the AMI, AKI, or ARI, and account isn't used

Instance
  arn:aws:ec2:region:account:instance/instance-id
  Where instance-id is i-xxxxxxxx

Instance profile
  arn:aws:iam::account:instance-profile/instance-profile-name
  Where instance-profile-name is the name of the instance profile, and region isn't used

Internet gateway
  arn:aws:ec2:region:account:internet-gateway/igw-id
  Where igw-id is igw-xxxxxxxx

Key pair
  arn:aws:ec2:region:account:key-pair/key-pair-name
  Where key-pair-name is the key pair name (for example, gsg-keypair)

Network ACL
  arn:aws:ec2:region:account:network-acl/nacl-id
  Where nacl-id is acl-xxxxxxxx

Network interface
  arn:aws:ec2:region:account:network-interface/eni-id
  Where eni-id is eni-xxxxxxxx

Placement group
  arn:aws:ec2:region:account:placement-group/placement-group-name
  Where placement-group-name is the placement group name (for example, my-cluster)

Route table
  arn:aws:ec2:region:account:route-table/route-table-id
  Where route-table-id is rtb-xxxxxxxx

Security group
  arn:aws:ec2:region:account:security-group/security-group-id
  Where security-group-id is sg-xxxxxxxx

Snapshot
  arn:aws:ec2:region::snapshot/snapshot-id
  Where snapshot-id is snap-xxxxxxxx, and account isn't used

Subnet
  arn:aws:ec2:region:account:subnet/subnet-id
  Where subnet-id is subnet-xxxxxxxx

Volume
  arn:aws:ec2:region:account:volume/volume-id
  Where volume-id is vol-xxxxxxxx

VPC
  arn:aws:ec2:region:account:vpc/vpc-id
  Where vpc-id is vpc-xxxxxxxx

VPC peering connection
  arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
  Where vpc-peering-connection-id is pcx-xxxxxxxx

Many Amazon EC2 API actions involve multiple resources. For example, AttachVolume attaches an Amazon EBS volume to an instance, so an IAM user must have permission to use the volume and the instance. To specify multiple resources in a single statement, separate their ARNs with commas, as follows:

"Resource": ["arn1", "arn2"]

For more general information about ARNs, see Amazon Resource Names (ARN) and AWS Service Namespaces in the Amazon Web Services General Reference. For more information about the resources that are created or modified by the Amazon EC2 actions, and the ARNs that you can use in your IAM policy statements, see Granting IAM Users Required Permissions for Amazon EC2 Resources in the Amazon Elastic Compute Cloud API Reference.
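The rules in the table above (no account in image and snapshot ARNs, the iam namespace and no region for instance profiles, region and account for everything else, and the resource-id prefixes given in the "Where ... is" notes) can be checked mechanically. The following is an added example and not code from the AWS documentation; it builds and parses EC2 ARNs according to that table. The default region us-east-1 and account 123456789012 are the page's sample values, and the "*" wildcard forms from the first two rows of the table are accepted as well.

```python
"""Build and parse the Amazon EC2 resource ARNs listed in the table above.

Added example, not AWS code. It encodes the table's rules: image and snapshot
ARNs carry no account, the instance profile ARN lives in the iam namespace and
carries no region, and every other resource is
arn:aws:ec2:region:account:resource-type/resource-id.
"""

# resource type -> (service, uses region, uses account, accepted id prefixes; None = free-form name)
_EC2_RESOURCES = {
    "customer-gateway":       ("ec2", True, True, ("cgw-",)),
    "dhcp-options":           ("ec2", True, True, ("dopt-",)),
    "image":                  ("ec2", True, False, ("ami-", "aki-", "ari-")),
    "instance":               ("ec2", True, True, ("i-",)),
    "instance-profile":       ("iam", False, True, None),
    "internet-gateway":       ("ec2", True, True, ("igw-",)),
    "key-pair":               ("ec2", True, True, None),
    "network-acl":            ("ec2", True, True, ("acl-",)),
    "network-interface":      ("ec2", True, True, ("eni-",)),
    "placement-group":        ("ec2", True, True, None),
    "route-table":            ("ec2", True, True, ("rtb-",)),
    "security-group":         ("ec2", True, True, ("sg-",)),
    "snapshot":               ("ec2", True, False, ("snap-",)),
    "subnet":                 ("ec2", True, True, ("subnet-",)),
    "volume":                 ("ec2", True, True, ("vol-",)),
    "vpc":                    ("ec2", True, True, ("vpc-",)),
    "vpc-peering-connection": ("ec2", True, True, ("pcx-",)),
}


def build_arn(resource_type, resource_id, region="us-east-1", account="123456789012"):
    """Return the ARN for one resource; '*' is accepted as a wildcard id.

    The default region and account are the page's sample values (constructed).
    """
    service, uses_region, uses_account, prefixes = _EC2_RESOURCES[resource_type]
    if prefixes and resource_id != "*" and not resource_id.startswith(prefixes):
        raise ValueError("%s id must start with one of %s: %s" % (resource_type, prefixes, resource_id))
    return "arn:aws:%s:%s:%s:%s/%s" % (service, region if uses_region else "",
                                       account if uses_account else "", resource_type, resource_id)


def parse_arn(arn):
    """Split an ARN into its fields and validate them against the table above."""
    parts = arn.split(":", 5)
    if len(parts) == 4 and parts[3] == "*":  # arn:aws:ec2:* -- every resource of the service
        return {"service": parts[2], "region": "*", "account": "*", "resource_type": "*", "resource_id": "*"}
    if len(parts) != 6 or parts[:2] != ["arn", "aws"]:
        raise ValueError("not a well-formed ARN: " + arn)
    service, region, account, resource = parts[2:]
    if resource == "*":  # arn:aws:ec2:region:account:* -- every resource in that region and account
        return {"service": service, "region": region, "account": account, "resource_type": "*", "resource_id": "*"}
    resource_type, _, resource_id = resource.partition("/")
    if resource_type not in _EC2_RESOURCES:
        raise ValueError("unknown resource type: " + resource_type)
    expected_service, uses_region, uses_account, prefixes = _EC2_RESOURCES[resource_type]
    if service != expected_service:
        raise ValueError("%s ARNs use the %s namespace, not %s" % (resource_type, expected_service, service))
    if bool(region) != uses_region or bool(account) != uses_account:
        raise ValueError("region/account fields do not follow the rule for %s: %s" % (resource_type, arn))
    if prefixes and resource_id != "*" and not resource_id.startswith(prefixes):
        raise ValueError("unexpected %s id: %s" % (resource_type, resource_id))
    return {"service": service, "region": region, "account": account,
            "resource_type": resource_type, "resource_id": resource_id}
```

Running a policy's Resource entries through parse_arn before attaching the policy catches the two mistakes the table warns about: an account in an image or snapshot ARN, and a region in an instance-profile ARN, neither of which will ever match a real resource.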

Condition Keys for Amazon EC2

In a policy statement, you can optionally specify conditions that control when it is in effect. Each condition contains one or more key-value pairs. Condition keys are not case sensitive. We've defined AWS-wide condition keys, plus additional service-specific condition keys.

If you specify multiple conditions, or multiple keys in a single condition, we evaluate them using a logical AND operation. If you specify a single condition with multiple values for one key, we evaluate the condition using a logical OR operation. For permission to be granted, all conditions must be met.

You can also use placeholders when you specify conditions. For example, you can grant an IAM user permission to use resources with a tag that specifies his or her IAM user name. For more information, see Policy Variables in the Using IAM guide.

Amazon EC2 implements the AWS-wide condition keys (see Available Keys), plus the following service-specific condition keys. (We'll add support for additional service-specific condition keys for Amazon EC2 later.)

Condition Key / Key-Value Pair / Evaluation Types

ec2:AccepterVpc
  "ec2:AccepterVpc":"vpc-arn"
  Where vpc-arn is the VPC ARN for the peer VPC
  Evaluation types: ARN, Null

ec2:AvailabilityZone
  "ec2:AvailabilityZone":"az-api-name"
  Where az-api-name is the name of the Availability Zone (for example, us-west-2a). To list your Availability Zones, use ec2-describe-availability-zones.
  Evaluation types: String, Null

ec2:EbsOptimized
  "ec2:EbsOptimized":"optimized-flag"
  Where optimized-flag is true | false
  Evaluation types: Boolean, Null

ec2:ImageType
  "ec2:ImageType":"image-type-api-name"
  Where image-type-api-name is ami | aki | ari
  Evaluation types: String, Null

ec2:InstanceProfile
  "ec2:InstanceProfile":"instance-profile-arn"
  Where instance-profile-arn is the instance profile ARN
  Evaluation types: ARN, Null

ec2:InstanceType
  "ec2:InstanceType":"instance-type-api-name"
  Where instance-type-api-name is the name of the instance type (m1.small | m1.medium | m1.large | m1.xlarge | m3.medium | m3.large | m3.xlarge | m3.2xlarge | c1.medium | c1.xlarge | c3.large | c3.xlarge | c3.2xlarge | c3.4xlarge | c3.8xlarge | cc2.8xlarge | m2.xlarge | m2.2xlarge | m2.4xlarge | r3.large | r3.xlarge | r3.2xlarge | r3.4xlarge | r3.8xlarge | cr1.8xlarge | hi1.4xlarge | hs1.8xlarge | i2.xlarge | i2.2xlarge | i2.4xlarge | i2.8xlarge | t1.micro | cg1.4xlarge | g2.2xlarge)
  Evaluation types: String, Null

ec2:Owner
  "ec2:Owner":"account-id"
  Where account-id is amazon | aws-account-id
  Evaluation types: String, Null

ec2:ParentSnapshot
  "ec2:ParentSnapshot":"snapshot-arn"
  Where snapshot-arn is the snapshot ARN
  Evaluation types: ARN, Null

ec2:ParentVolume
  "ec2:ParentVolume":"volume-arn"
  Where volume-arn is the volume ARN
  Evaluation types: ARN, Null

ec2:PlacementGroup
  "ec2:PlacementGroup":"placement-group-arn"
  Where placement-group-arn is the placement group ARN
  Evaluation types: ARN, Null

ec2:PlacementGroupStrategy
  "ec2:PlacementGroupStrategy":"placement-group-strategy"
  Where placement-group-strategy is cluster
  Evaluation types: String, Null

ec2:Public
  "ec2:Public":"public-flag"
  Where public-flag is true | false
  Evaluation types: Boolean, Null

ec2:Region
  "ec2:Region":"region-name"
  Where region-name is the name of the region (for example, us-west-2). To list your regions, use ec2-describe-regions.
  Evaluation types: String, Null

ec2:RequesterVpc
  "ec2:RequesterVpc":"vpc-arn"
  Where vpc-arn is the VPC ARN for the requester's VPC
  Evaluation types: ARN, Null

ec2:ResourceTag/tag-key
  "ec2:ResourceTag/tag-key":"tag-value"
  Where tag-key and tag-value are the tag key-value pair
  Evaluation types: String, Null

ec2:RootDeviceType
  "ec2:RootDeviceType":"root-device-type-name"
  Where root-device-type-name is ebs | instance-store
  Evaluation types: String, Null

ec2:Subnet
  "ec2:Subnet":"subnet-arn"
  Where subnet-arn is the subnet ARN
  Evaluation types: ARN, Null

ec2:Tenancy
  "ec2:Tenancy":"tenancy-attribute"
  Where tenancy-attribute is default | dedicated
  Evaluation types: String, Null

ec2:VolumeIops
  "ec2:VolumeIops":"volume-iops"
  Where volume-iops is the input/output operations per second (IOPS); the range is 100 to 4000
  Evaluation types: Numeric, Null

ec2:VolumeSize
  "ec2:VolumeSize":"volume-size"
  Where volume-size is the size of the volume, in GiB
  Evaluation types: Numeric, Null

ec2:VolumeType
  "ec2:VolumeType":"volume-type-name"
  Where volume-type-name is standard for standard Amazon EBS volumes or io1 for Provisioned IOPS volumes
  Evaluation types: String, Null

ec2:Vpc
  "ec2:Vpc":"vpc-arn"
  Where vpc-arn is the VPC ARN
  Evaluation types: ARN, Null

For information about which condition keys you can use with which Amazon EC2 resources, on an action-by-action basis, see Supported Resources and Conditions for Amazon EC2 API Actions. For example policy statements for Amazon EC2, see Example Policy Statements for Amazon EC2.

Supported Resources and Conditions for Amazon EC2 API Actions

The following table describes the Amazon EC2 API actions that currently support resource-level permissions, as well as the supported resources (and their ARNs) and condition keys for each action. (We'll add support for additional actions, ARNs, and condition keys later.)

API Action / Resources / Condition Keys

AcceptVpcPeeringConnection
  VPC peering connection: arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
    Condition keys: ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc
  VPC: arn:aws:ec2:region:account:vpc/vpc-id (where vpc-id is a VPC owned by the accepter)
    Condition keys: ec2:ResourceTag/tag-key, ec2:Region, ec2:Tenancy

AttachVolume
  Instance: arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
  Volume: arn:aws:ec2:region:account:volume/volume-id
    Condition keys: ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

AuthorizeSecurityGroupEgress
  Security group: arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

AuthorizeSecurityGroupIngress
  Security group: arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

CreateVpcPeeringConnection
  VPC: arn:aws:ec2:region:account:vpc/vpc-id (where vpc-id is a requester VPC)
    Condition keys: ec2:ResourceTag/tag-key, ec2:Region, ec2:Tenancy
  VPC peering connection: arn:aws:ec2:region:account:vpc-peering-connection/*
    Condition keys: ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc

DeleteCustomerGateway
  Customer gateway: arn:aws:ec2:region:account:customer-gateway/cgw-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key

DeleteDhcpOptions
  DHCP options set: arn:aws:ec2:region:account:dhcp-options/dhcp-options-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key

DeleteInternetGateway
  Internet gateway: arn:aws:ec2:region:account:internet-gateway/igw-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key

DeleteNetworkAcl
  Network ACL: arn:aws:ec2:region:account:network-acl/nacl-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteNetworkAclEntry
  Network ACL: arn:aws:ec2:region:account:network-acl/nacl-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteRoute
  Route table: arn:aws:ec2:region:account:route-table/route-table-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteRouteTable
  Route table: arn:aws:ec2:region:account:route-table/route-table-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteSecurityGroup
  Security group: arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteVolume
  Volume: arn:aws:ec2:region:account:volume/volume-id
    Condition keys: ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

DeleteVpcPeeringConnection
  VPC peering connection: arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
    Condition keys: ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc

DetachVolume
  Instance: arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
  Volume: arn:aws:ec2:region:account:volume/volume-id
    Condition keys: ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

RebootInstances
  Instance: arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

RejectVpcPeeringConnection
  VPC peering connection: arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
    Condition keys: ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc

RevokeSecurityGroupEgress
  Security group: arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

RevokeSecurityGroupIngress
  Security group: arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

RunInstances
  Image: arn:aws:ec2:region::image/image-id
    Condition keys: ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key
  Instance: arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy
  Key pair: arn:aws:ec2:region:account:key-pair/key-pair-name
    Condition keys: ec2:Region
  Network interface: arn:aws:ec2:region:account:network-interface/* or arn:aws:ec2:region:account:network-interface/eni-id
    Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:Subnet, ec2:ResourceTag/tag-key, ec2:Vpc
  Placement group: arn:aws:ec2:region:account:placement-group/placement-group-name
    Condition keys: ec2:Region, ec2:PlacementGroupStrategy
  Security group: arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
  Snapshot: arn:aws:ec2:region::snapshot/snapshot-id
    Condition keys: ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:SnapshotTime, ec2:ResourceTag/tag-key, ec2:VolumeSize
  Subnet: arn:aws:ec2:region:account:subnet/subnet-id
    Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
  Volume: arn:aws:ec2:region:account:volume/volume-id
    Condition keys: ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

StartInstances
  Instance: arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

StopInstances
  Instance: arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

TerminateInstances
  Instance: arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

Example Policy Statements for Amazon EC2

The following examples show policy statements that you could use to control the permissions that IAM users have for Amazon EC2. For more examples of IAM policies specific to Amazon VPC, see Controlling Access to Amazon VPC Resources.

Example 1: Allow users to list the Amazon EC2 resources that belong to the AWS account

The following policy grants users permission to use all Amazon EC2 API actions whose names begin with Describe. The Resource element uses a wildcard to indicate that users can specify all resources with these API actions. The * wildcard is also necessary in cases where the API action does not support resource-level permissions. For more information about which ARNs you can use with which Amazon EC2 API actions, see Supported Resources and Conditions for Amazon EC2 API Actions.

The users don't have permission to use any other API actions (unless another statement grants them permission to do so) because users are denied permission to use API actions by default.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
   ]
}

Example 2: Allow users to describe, launch, stop, start, and terminate all instances

The following policy grants users permission to use the API actions specified in the Action element. The Resource element uses a * wildcard to indicate that users can specify all resources with these API actions. The * wildcard is also necessary in cases where the API action does not support resource-level permissions. For more information about which ARNs you can use with which Amazon EC2 API actions, see Supported Resources and Conditions for Amazon EC2 API Actions.

The users don't have permission to use any other API actions (unless another statement grants them permission to do so) because users are denied permission to use API actions by default.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances", "ec2:DescribeImages",
        "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups",
        "ec2:DescribeAvailabilityZones",
        "ec2:RunInstances", "ec2:TerminateInstances",
        "ec2:StopInstances", "ec2:StartInstances"
      ],
      "Resource": "*"
    }
   ]
}

Example 3: Allow users to describe all instances, and stop, start, and terminate only particular instances

The following policy allows users to describe all instances, to start and stop only instances i-123abc12 and i-4c3b2a1, and to terminate only instances in the US East (Northern Virginia) Region (us-east-1) with the resource tag "purpose=test".

The first part of the statement uses a * wildcard for the Resource element to indicate that users can specify all resources with the action; in this case, they can list all instances. The * wildcard is also necessary in cases where the API action does not support resource-level permissions (in this case, ec2:DescribeInstances). For more information about which ARNs you can use with which Amazon EC2 API actions, see Supported Resources and Conditions for Amazon EC2 API Actions.

The second part of the statement uses resource-level permissions for the StopInstances and StartInstances actions. The specific instances are indicated by their ARNs in the Resource element.

The third part of this statement allows users to terminate all instances in the US East (Northern Virginia) Region (us-east-1) that belong to the specified AWS account, but only where the instance has the tag "purpose=test". The Condition element qualifies when the policy statement is in effect.

{
   "Version": "2012-10-17",
   "Statement": [
   {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
   },
   {
      "Effect": "Allow",
      "Action": [
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:instance/i-123abc12",
        "arn:aws:ec2:us-east-1:123456789012:instance/i-4c3b2a1"
      ]
   },
   {
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
         "StringEquals": {
            "ec2:ResourceTag/purpose": "test"
         }
      }
   }
   ]
}

Example 4: Allow users to manage particular volumes for particular instances

When an API action requires a caller to specify multiple resources, you must create a policy statement that allows users to access all required resources. If you need to use a Condition element with one or more of these resources, you must create multiple statements as shown in this example.

The following policy allows users to attach volumes with the tag "volume_user=iam-user-name" to instances with the tag "department=dev", and to detach those volumes from those instances. If you attach this policy to an IAM group, the aws:username policy variable gives each IAM user in the group permission to attach or detach volumes from the instances with a tag named volume_user that has his or her IAM user name as a value.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/department": "dev"
        }
      }
   },
   {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/volume_user": "${aws:username}"
        }
      }
   }
  ]
}

Example 5: Allow users to launch instances with a specific configuration

The RunInstances API action launches one or more instances. RunInstances requires an AMI and creates an instance, and the caller can specify a key pair and security group in the request. Launching into EC2-VPC requires a subnet and creates a network interface. Launching from an Amazon EBS-backed AMI creates a volume. Therefore, the user must have permission to use each of these Amazon EC2 resources. The caller can also configure the instance using optional parameters to RunInstances, such as the instance type and a subnet. You can create a policy statement that requires users to specify an optional parameter, or that restricts users to particular values for a parameter. The examples in this section demonstrate some of the many possible ways that you can control the configuration of an instance that a user can launch.

Note that by default, users don't have permission to describe, start, stop, or terminate the resulting instances. One way to grant users permission to manage the resulting instances is to apply a specific tag to each instance, and then create a statement that enables them to manage instances with that tag. For more information, see Example 3: Allow users to describe all instances, and stop, start, and terminate only particular instances.

a. AMI

The following policy allows users to launch instances using only the AMIs that have the specified tag, "department=dev", associated with them. The users can't launch instances using other AMIs because the Condition element of the first statement requires that users specify an AMI that has this tag. The users also can't launch into a subnet, as the policy does not grant permissions for the subnet and network interface resources. They can, however, launch into EC2-Classic. The second statement uses a wildcard to enable users to create instance resources, and requires users to specify the key pair project_keypair and the security group sg-1a2b3c4d. Users are still able to launch instances without a key pair.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:region::image/ami-*"
      ],
      "Condition": {
         "StringEquals": {
            "ec2:ResourceTag/department": "dev"
         }
      }
   },
   {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:region:account:instance/*",
         "arn:aws:ec2:region:account:volume/*",
         "arn:aws:ec2:region:account:key-pair/project_keypair",
         "arn:aws:ec2:region:account:security-group/sg-1a2b3c4d"
      ]
   }
  ]
}

Alternatively, the following policy allows users to launch instances using only the specified AMIs, ami-9e1670f7 and ami-45cf5c3c. The users can't launch an instance using other AMIs (unless another statement grants the users permission to do so), and the users can't launch an instance into a subnet.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:region::image/ami-9e1670f7",
        "arn:aws:ec2:region::image/ami-45cf5c3c",
        "arn:aws:ec2:region:account:instance/*",
        "arn:aws:ec2:region:account:volume/*",
        "arn:aws:ec2:region:account:key-pair/*",
        "arn:aws:ec2:region:account:security-group/*"
      ]
    }
   ]
}

Alternatively, the following policy allows users to launch instances from all AMIs owned by Amazon. The Condition element of the first statement tests whether ec2:Owner is amazon. The users can't launch an instance using other AMIs (unless another statement grants the users permission to do so). The users are able to launch an instance into a subnet.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:region::image/ami-*"
      ],
      "Condition": {
         "StringEquals": {
            "ec2:Owner": "amazon"
         }
      }
   },
   {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:region:account:instance/*",
         "arn:aws:ec2:region:account:subnet/*",
         "arn:aws:ec2:region:account:volume/*",
         "arn:aws:ec2:region:account:network-interface/*",
         "arn:aws:ec2:region:account:key-pair/*",
         "arn:aws:ec2:region:account:security-group/*"
      ]
   }
  ]
}

b. Instance type

The following policy allows the users to launch instances using only the t1.micro or m1.small instance type, which you might do to control costs. The users can't launch larger instances because the Condition element of the first statement tests whether ec2:InstanceType is either t1.micro or m1.small.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:region:account:instance/*"
      ],
      "Condition": {
         "StringEquals": {
            "ec2:InstanceType": ["t1.micro", "m1.small"]
         }
      }
   },
   {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:region::image/ami-*",
         "arn:aws:ec2:region:account:subnet/*",
         "arn:aws:ec2:region:account:network-interface/*",
         "arn:aws:ec2:region:account:volume/*",
         "arn:aws:ec2:region:account:key-pair/*",
         "arn:aws:ec2:region:account:security-group/*"
      ]
   }
  ]
}

c. Subnet

The following policy allows the users to launch instances using only the specified subnet, subnet-12345678. The users can't launch instances into any other subnet (unless another statement grants the users permission to do so). Users are still able to launch instances into EC2-Classic.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:region:account:subnet/subnet-12345678",
        "arn:aws:ec2:region:account:network-interface/*",
        "arn:aws:ec2:region:account:instance/*",
        "arn:aws:ec2:region:account:volume/*",
        "arn:aws:ec2:region::image/ami-*",
        "arn:aws:ec2:region:account:key-pair/*",
        "arn:aws:ec2:region:account:security-group/*"
      ]
    }
   ]
}

Alternatively, you could create a policy that denies users permission to launch an instance into any other subnet. The statement does this by denying permission to create a network interface, except where subnet subnet-12345678 is specified. This denial overrides any other policies that are created to allow launching instances into other subnets. Users are still able to launch instances into EC2-Classic.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:region:account:network-interface/*"
      ],
      "Condition": {
         "ArnNotEquals": {
            "ec2:Subnet": "arn:aws:ec2:region:account:subnet/subnet-12345678"
         }
      }
   },
   {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:region::image/ami-*",
         "arn:aws:ec2:region:account:network-interface/*",
         "arn:aws:ec2:region:account:instance/*",
         "arn:aws:ec2:region:account:subnet/*",
         "arn:aws:ec2:region:account:volume/*",
         "arn:aws:ec2:region:account:key-pair/*",
         "arn:aws:ec2:region:account:security-group/*"
      ]
   }
  ]
}
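The evaluation rules stated across this page (requests are denied by default, an explicit Allow overrides that default, an explicit Deny overrides any Allow; the * wildcard in Action and Resource; conditions ANDed across keys and ORed across the values of one key; ${aws:username} policy variables; and, for actions such as RunInstances, a separate decision for every resource the request names) fit into a small model. The following is an added example, not AWS code and not the real IAM engine: it implements just enough of that logic to replay this page's Example 3, the volume statement of Example 4, and the Deny form of Example 5c above against constructed requests. Operator support is limited to StringEquals, ArnEquals and their Not forms, and the request resources reuse the page's literal region and account placeholders where the policy does.

```python
"""Minimal model of the IAM policy evaluation rules described on this page.

Added example, not AWS code: default deny, explicit Allow, explicit Deny overriding
any Allow; '*' wildcards in Action and Resource; StringEquals / ArnEquals and their
Not forms with AND across keys and OR across the values of one key; ${aws:username}
policy variables. Policies are the page's Examples 3, 4 (volume statement) and 5c
(Deny form); the request contexts are constructed.
"""
import re

def _match(pattern, value, ignore_case=False):
    """'*' matches any run of characters; everything else is compared literally."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value): return value if isinstance(value, list) else [value]

def _substitute(text, variables):
    """Resolve ${aws:username}-style policy variables; unknown ones are left literal."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: variables.get(m.group(1), m.group(0)), text)

_BASE_OPERATORS = {
    "StringEquals": lambda expected, actual: expected == actual,
    "ArnEquals": lambda expected, actual: _match(expected, actual),
}

def _conditions_met(condition, context, variables):
    """AND across operator blocks and across keys; OR across the values listed for one key."""
    ctx = {k.lower(): v for k, v in context.items()}  # condition key names are not case sensitive
    for operator, pairs in condition.items():
        negated = "Not" in operator
        base = _BASE_OPERATORS[operator.replace("Not", "")]
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            matched = actual is not None and any(
                base(_substitute(str(e), variables), str(actual)) for e in _as_list(expected))
            if matched == negated:  # a positive operator needs a match; a ...Not operator needs none
                return False
    return True

def _statement_matches(stmt, action, resource, context, variables):
    return (any(_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
            and any(_match(_substitute(r, variables), resource) for r in _as_list(stmt["Resource"]))
            and _conditions_met(stmt.get("Condition", {}), context, variables))

def authorize(policies, action, resource, context=None, variables=None):
    """Decide one action on one resource: 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    decision = "ImplicitDeny"  # nothing is permitted until some statement allows it
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, context or {}, variables or {}):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit deny overrides any allow, wherever it appears
                decision = "Allow"
    return decision

def authorize_request(policies, action, resources, variables=None):
    """Actions such as RunInstances name several resources; every one of them must be allowed.
    `resources` maps each ARN to the condition-key context that applies to that resource."""
    return all(authorize(policies, action, arn, ctx, variables) == "Allow" for arn, ctx in resources.items())

# Example 3 from this page: describe everything, stop/start two instances, terminate only purpose=test.
EXAMPLE_3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:StartInstances"],
     "Resource": ["arn:aws:ec2:us-east-1:123456789012:instance/i-123abc12",
                  "arn:aws:ec2:us-east-1:123456789012:instance/i-4c3b2a1"]},
    {"Effect": "Allow", "Action": "ec2:TerminateInstances",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/purpose": "test"}}}]}

# Example 4's volume statement: the volume_user tag must name the calling IAM user.
EXAMPLE_4_VOLUME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/volume_user": "${aws:username}"}}}]}

# Example 5c, Deny form: refuse the network interface unless it is in subnet-12345678.
EXAMPLE_5C = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:region:account:network-interface/*",
     "Condition": {"ArnNotEquals": {"ec2:Subnet": "arn:aws:ec2:region:account:subnet/subnet-12345678"}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:region::image/ami-*", "arn:aws:ec2:region:account:network-interface/*",
                  "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:subnet/*",
                  "arn:aws:ec2:region:account:volume/*", "arn:aws:ec2:region:account:key-pair/*",
                  "arn:aws:ec2:region:account:security-group/*"]}]}

def vpc_launch_request(subnet_id):
    """Constructed RunInstances request into a VPC subnet, keeping the page's literal
    'region'/'account' placeholders. Each resource carries only the keys that apply to it."""
    subnet_arn = "arn:aws:ec2:region:account:subnet/" + subnet_id
    return {"arn:aws:ec2:region::image/ami-9e1670f7": {},
            "arn:aws:ec2:region:account:instance/*": {},
            "arn:aws:ec2:region:account:volume/*": {},
            "arn:aws:ec2:region:account:key-pair/project_keypair": {},
            "arn:aws:ec2:region:account:security-group/sg-1a2b3c4d": {},
            subnet_arn: {},
            "arn:aws:ec2:region:account:network-interface/*": {"ec2:Subnet": subnet_arn}}
```

Two behaviours are worth running by hand: a launch into subnet-12345678 is allowed, a launch into any other subnet is refused because the Deny on the network interface wins even when a second, fully permissive policy is attached to the same user, and a launch with no subnet and no network interface (EC2-Classic) is still allowed, exactly as the text above describes. The model is a reasoning aid for reading policies; the DryRun check later on this page is how to confirm what IAM itself decides.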

Checking that Users Have the Required Permissions

After you've created an IAM policy, we recommend that you check whether it grants users the permissions to use the particular API actions and resources they need before you put the policy into production.

First, create an IAM user for testing purposes, and then attach the IAM policy that you created to the test user. Then, make a request as the test user.

If the action that you are testing creates or modifies a resource, you should make the request using the DryRun parameter (or run the CLI command with the --auth-dry-run option). In this case, the call completes the authorization check, but does not complete the operation. For example, you can check whether the user can terminate a particular instance without actually terminating it. If the test user has the required permissions, the request returns DryRunOperation; otherwise, it returns UnauthorizedOperation.

If the policy doesn't grant the user the permissions that you expected, or is overly permissive, you can adjust the policy as needed and retest until you get the desired results.

Important

It can take several minutes for policy changes to propagate before they take effect. Therefore, we recommend that you allow five minutes to pass before you test your policy updates.

If an authorization check fails, the request returns an encoded message with diagnostic information. You can decode the message using the DecodeAuthorizationMessage action. For more information, see DecodeAuthorizationMessage in the AWS Security Token Service API Reference.
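The check described above, as an added example (not AWS code): it issues a TerminateInstances call with DryRun set, classifies the resulting DryRunOperation or UnauthorizedOperation error, and, when the failure carries an encoded diagnostic message, decodes it with DecodeAuthorizationMessage. It assumes boto3 with the test user's credentials in the default credential chain; the region and instance ID are parameters, and boto3 is imported inside the function so the two classification helpers can be used without it installed.

```python
"""Verify a policy with a DryRun request before putting it into production.

Added example, not AWS code. Assumes boto3 and the test user's credentials in the
default credential chain; boto3 is imported inside the function so the two helper
functions can be used and tested without it installed.
"""


def classify_dry_run_error(error_code):
    """Turn the error code of a DryRun=True request into a verdict on the policy.

    DryRunOperation        the authorization check passed; the operation was not performed
    UnauthorizedOperation  the policy does not grant this action on this resource
    anything else          an unrelated failure (malformed request, unknown resource, ...)
    """
    return {"DryRunOperation": "authorized",
            "UnauthorizedOperation": "not authorized"}.get(error_code, "error")


def encoded_authorization_message(error_message):
    """Return the encoded diagnostic that EC2 appends to an UnauthorizedOperation message, or None."""
    marker = "Encoded authorization failure message: "
    if marker in error_message:
        return error_message.split(marker, 1)[1].strip()
    return None


def check_terminate_permission(instance_id, region_name="us-east-1"):
    """Ask EC2 whether the current credentials may terminate instance_id, without terminating it.

    Returns (verdict, decoded_message); the decoded message is only present when the
    check failed and the caller also holds sts:DecodeAuthorizationMessage.
    """
    import boto3
    from botocore.exceptions import ClientError

    ec2 = boto3.client("ec2", region_name=region_name)
    try:
        ec2.terminate_instances(InstanceIds=[instance_id], DryRun=True)
    except ClientError as err:
        error = err.response["Error"]
        verdict = classify_dry_run_error(error["Code"])
        encoded = encoded_authorization_message(error.get("Message", ""))
        if verdict == "not authorized" and encoded:
            sts = boto3.client("sts", region_name=region_name)
            decoded = sts.decode_authorization_message(EncodedMessage=encoded)["DecodedMessage"]
            return verdict, decoded
        return verdict, None
    return "unexpected success", None  # a DryRun call should never complete the operation
```

Run check_terminate_permission once with a resource the policy is meant to allow and once with one it is meant to refuse; a policy that passes only the first test is the one to attach. Because policy changes take several minutes to propagate, as noted above, repeat the check after the waiting period rather than immediately after editing the policy.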