Menu
Amazon Elastic Compute Cloud
User Guide for Windows Instances

Example Policies for Working With the AWS CLI or an AWS SDK

The following examples show policy statements that you could use to control the permissions that IAM users have to Amazon EC2. These policies are designed for requests that are made with the AWS CLI or an AWS SDK. For example policies for working in the Amazon EC2 console, see Example Policies for Working in the Amazon EC2 Console. For examples of IAM policies specific to Amazon VPC, see Controlling Access to Amazon VPC Resources.

1: Read-Only Access

The following policy grants users permission to use all Amazon EC2 API actions whose names begin with Describe. The Resource element uses a wildcard to indicate that users can specify all resources with these API actions. The * wildcard is also necessary in cases where the API action does not support resource-level permissions. For more information about which ARNs you can use with which Amazon EC2 API actions, see Supported Resource-Level Permissions for Amazon EC2 API Actions.

Users don't have permission to perform any actions on the resources (unless another statement grants them permission to do so) because they're denied permission to use API actions by default.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" } ] }

2: Restricting Access to a Specific Region

The following policy grants users permission to use all Amazon EC2 API actions in the EU (Frankfurt) region only. Users cannot view, create, modify, or delete resources in any other region.

Copy
{ "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:Region": "eu-central-1" } } } ] }

3: Working with Instances

Describe, launch, stop, start, and terminate all instances

The following policy grants users permission to use the API actions specified in the Action element. The Resource element uses a * wildcard to indicate that users can specify all resources with these API actions. The * wildcard is also necessary in cases where the API action does not support resource-level permissions. For more information about which ARNs you can use with which Amazon EC2 API actions, see Supported Resource-Level Permissions for Amazon EC2 API Actions.

The users don't have permission to use any other API actions (unless another statement grants them permission to do so) because users are denied permission to use API actions by default.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeAvailabilityZones", "ec2:RunInstances", "ec2:TerminateInstances", "ec2:StopInstances", "ec2:StartInstances" ], "Resource": "*" } ] }

Describe all instances, and stop, start, and terminate only particular instances

The following policy allows users to describe all instances, to start and stop only instances i-1234567890abcdef0 and i-0598c7d356eba48d7, and to terminate only instances in the US East (N. Virginia) Region (us-east-1) with the resource tag "purpose=test".

The first statement uses a * wildcard for the Resource element to indicate that users can specify all resources with the action; in this case, they can list all instances. The * wildcard is also necessary in cases where the API action does not support resource-level permissions (in this case, ec2:DescribeInstances). For more information about which ARNs you can use with which Amazon EC2 API actions, see Supported Resource-Level Permissions for Amazon EC2 API Actions.

The second statement uses resource-level permissions for the StopInstances and StartInstances actions. The specific instances are indicated by their ARNs in the Resource element.

The third statement allows users to terminate all instances in the US East (N. Virginia) Region (us-east-1) that belong to the specified AWS account, but only where the instance has the tag "purpose=test". The Condition element qualifies when the policy statement is in effect.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:StopInstances", "ec2:StartInstances" ], "Resource": [ "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0", "arn:aws:ec2:us-east-1:123456789012:instance/i-0598c7d356eba48d7" ] }, { "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/purpose": "test" } } } ] }

4. Working with Volumes

Attaching and detaching volumes

When an API action requires a caller to specify multiple resources, you must create a policy statement that allows users to access all required resources. If you need to use a Condition element with one or more of these resources, you must create multiple statements as shown in this example.

The following policy allows users to attach volumes with the tag "volume_user=iam-user-name" to instances with the tag "department=dev", and to detach those volumes from those instances. If you attach this policy to an IAM group, the aws:username policy variable gives each IAM user in the group permission to attach or detach volumes from the instances with a tag named volume_user that has his or her IAM user name as a value.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/department": "dev" } } }, { "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*", "Condition": { "StringEquals": { "ec2:ResourceTag/volume_user": "${aws:username}" } } } ] }

Creating a volume

The following policy allows users to use the CreateVolume API action. The user is allowed to create a volume only if the volume is encrypted and only if the volume size is less than 20 GiB.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateVolume" ], "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*", "Condition":{ "NumericLessThan": { "ec2:VolumeSize" : "20" }, "Bool":{ "ec2:Encrypted" : "true" } } } ] }

Creating a volume with tags

The following policy includes the aws:RequestTag condition key that requires users to tag any volumes they create with the tags costcenter=115 and stack=prod. The aws:TagKeys condition key uses the ForAllValues modifier to indicate that only the keys costcenter and stack are allowed in the request (no other tags can be specified). If users don't pass these specific tags, or if they don't specify tags at all, the request fails.

For resource-creating actions that apply tags, users must also have permission to use the CreateTags action. The second statement uses the ec2:CreateAction condition key to allow users to create tags only in the context of CreateVolume. Users cannot tag existing volumes or any other resources. For more information, see Resource-Level Permissions for Tagging.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCreateTaggedVolumes", "Effect": "Allow", "Action": "ec2:CreateVolume", "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*", "Condition": { "StringEquals": { "aws:RequestTag/costcenter": "115", "aws:RequestTag/stack": "prod" }, "ForAllValues:StringEquals": { "aws:TagKeys": ["costcenter","stack"] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*", "Condition": { "StringEquals": { "ec2:CreateAction" : "CreateVolume" } } } ] }

The following policy allows users to create a volume without having to specify tags. The CreateTags action is only evaluated if tags are specified in the CreateVolume request. If users do specify tags, the tag must be purpose=test. No other tags are allowed in the request.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:CreateVolume", "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:us-east-1:1234567890:volume/*", "Condition": { "StringEquals": { "aws:RequestTag/purpose": "test", "ec2:CreateAction" : "CreateVolume" }, "ForAllValues:StringEquals": { "aws:TagKeys": "purpose" } } } ] }

5: Launching Instances (RunInstances)

The RunInstances API action launches one or more instances. RunInstances requires an AMI and creates an instance; and users can specify a key pair and security group in the request. Launching into EC2-VPC requires a subnet, and creates a network interface. Launching from an Amazon EBS-backed AMI creates a volume. Therefore, the user must have permission to use these Amazon EC2 resources. You can create a policy statement that requires users to specify an optional parameter on RunInstances, or restricts users to particular values for a parameter.

For more information about the resource-level permissions that are required to launch an instance, see Resource-Level Permissions for RunInstances.

By default, users don't have permission to describe, start, stop, or terminate the resulting instances. One way to grant the users permission to manage the resulting instances is to create a specific tag for each instance, and then create a statement that enables them to manage instances with that tag. For more information, see 3: Working with Instances.

AMI

The following policy allows users to launch instances using only the specified AMIs, ami-9e1670f7 and ami-45cf5c3c. The users can't launch an instance using other AMIs (unless another statement grants the users permission to do so).

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region::image/ami-9e1670f7", "arn:aws:ec2:region::image/ami-45cf5c3c", "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:volume/*", "arn:aws:ec2:region:account:key-pair/*", "arn:aws:ec2:region:account:security-group/*", "arn:aws:ec2:region:account:subnet/*", "arn:aws:ec2:region:account:network-interface/*" ] } ] }

Alternatively, the following policy allows users to launch instances from all AMIs owned by Amazon. The Condition element of the first statement tests whether ec2:Owner is amazon. The users can't launch an instance using other AMIs (unless another statement grants the users permission to do so).

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region::image/ami-*" ], "Condition": { "StringEquals": { "ec2:Owner": "amazon" } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:subnet/*", "arn:aws:ec2:region:account:volume/*", "arn:aws:ec2:region:account:network-interface/*", "arn:aws:ec2:region:account:key-pair/*", "arn:aws:ec2:region:account:security-group/*" ] } ] }

[EC2-Classic only] The following policy allows users to launch instances using only the AMIs that have the specified tag, "department=dev", associated with them. The users can't launch instances using other AMIs because the Condition element of the first statement requires that users specify an AMI that has this tag. Users can only launch into EC2-Classic, as the policy does not grant permissions for the subnet and network interface resources. The second statement uses a wildcard to enable users to create instance resources, and requires users to specify the key pair project_keypair and the security group sg-1a2b3c4d. Users are still able to launch instances without a key pair.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region::image/ami-*" ], "Condition": { "StringEquals": { "ec2:ResourceTag/department": "dev" } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:volume/*", "arn:aws:ec2:region:account:key-pair/project_keypair", "arn:aws:ec2:region:account:security-group/sg-1a2b3c4d" ] } ] }

Instance Type

The following policy allows users to launch instances using only the t2.micro or t2.small instance type, which you might do to control costs. The users can't launch larger instances because the Condition element of the first statement tests whether ec2:InstanceType is either t2.micro or t2.small.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region:account:instance/*" ], "Condition": { "StringEquals": { "ec2:InstanceType": ["t2.micro", "t2.small"] } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region::image/ami-*", "arn:aws:ec2:region:account:subnet/*", "arn:aws:ec2:region:account:network-interface/*", "arn:aws:ec2:region:account:volume/*", "arn:aws:ec2:region:account:key-pair/*", "arn:aws:ec2:region:account:security-group/*" ] } ] }

Alternatively, you can create a policy that denies users permission to launch any instances except t2.micro and t2.small instance types.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region:account:instance/*" ], "Condition": { "StringNotEquals": { "ec2:InstanceType": ["t2.micro", "t2.small"] } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region::image/ami-*", "arn:aws:ec2:region:account:network-interface/*", "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:subnet/*", "arn:aws:ec2:region:account:volume/*", "arn:aws:ec2:region:account:key-pair/*", "arn:aws:ec2:region:account:security-group/*" ] } ] }

Subnet

The following policy allows users to launch instances using only the specified subnet, subnet-12345678. The group can't launch instances into any another subnet (unless another statement grants the users permission to do so). Users are still able to launch instances into EC2-Classic.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region:account:subnet/subnet-12345678", "arn:aws:ec2:region:account:network-interface/*", "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:volume/*", "arn:aws:ec2:region::image/ami-*", "arn:aws:ec2:region:account:key-pair/*", "arn:aws:ec2:region:account:security-group/*" ] } ] }

Alternatively, you could create a policy that denies users permission to launch an instance into any other subnet. The statement does this by denying permission to create a network interface, except where subnet subnet-12345678 is specified. This denial overrides any other policies that are created to allow launching instances into other subnets. Users are still able to launch instances into EC2-Classic.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region:account:network-interface/*" ], "Condition": { "ArnNotEquals": { "ec2:Subnet": "arn:aws:ec2:region:account:subnet/subnet-12345678" } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region::image/ami-*", "arn:aws:ec2:region:account:network-interface/*", "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:subnet/*", "arn:aws:ec2:region:account:volume/*", "arn:aws:ec2:region:account:key-pair/*", "arn:aws:ec2:region:account:security-group/*" ] } ] }

EBS Volumes

The following policy allows users to launch instances only if the EBS volumes for the instance are encrypted. The user must launch an instance from an AMI that was created with encrypted snapshots, to ensure that the root volume is encrypted. Any additional volume that the user attaches to the instance during launch must also be encrypted.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:*:*:volume/*" ], "Condition": { "Bool": { "ec2:Encrypted": "true" } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:*::image/ami-*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:key-pair/*", "arn:aws:ec2:*:*:security-group/*" ] } ] }

Applying Tags

The following policy allows users to launch instances and tag the instances during creation. For resource-creating actions that apply tags, users must have permission to use the CreateTags action. The second statement uses the ec2:CreateAction condition key to allow users to create tags only in the context of RunInstances, and only for instances. Users cannot tag existing resources, and users cannot tag volumes using the RunInstances request.

For more information, see Resource-Level Permissions for Tagging.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*", "Condition": { "StringEquals": { "ec2:CreateAction" : "RunInstances" } } } ] }

The following policy includes the aws:RequestTag condition key that requires users to tag any instances and volumes that are created by RunInstances with the tags environment=production and purpose=webserver. The aws:TagKeys condition key uses the ForAllValues modifier to indicate that only the keys environment and purpose are allowed in the request (no other tags can be specified). If no tags are specified in the request, the request fails.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:region::image/*", "arn:aws:ec2:region:account:subnet/*", "arn:aws:ec2:region:account:network-interface/*", "arn:aws:ec2:region:account:security-group/*", "arn:aws:ec2:region:account:key-pair/*" ] }, { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:region:account:volume/*", "arn:aws:ec2:region:account:instance/*" ], "Condition": { "StringEquals": { "aws:RequestTag/environment": "production" , "aws:RequestTag/purpose": "webserver" }, "ForAllValues:StringEquals": { "aws:TagKeys": ["environment","purpose"] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account:*/*", "Condition": { "StringEquals": { "ec2:CreateAction" : "RunInstances" } } } ] }

The following policy uses the ForAnyValue modifier on the aws:TagKeys condition to indicate that at least one tag must be specified in the request, and it must contain the key environment or webserver. The tag must be applied to both instances and volumes. Any tag values can be specified in the request.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:region::image/*", "arn:aws:ec2:region:account:subnet/*", "arn:aws:ec2:region:account:network-interface/*", "arn:aws:ec2:region:account:security-group/*", "arn:aws:ec2:region:account:key-pair/*" ] }, { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:region:account:volume/*", "arn:aws:ec2:region:account:instance/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": ["environment","webserver"] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account:*/*", "Condition": { "StringEquals": { "ec2:CreateAction" : "RunInstances" } } } ] }

In the following policy, users do not have to specify tags in the request, but if they do, the tag must be purpose=test. No other tags are allowed. Users can apply the tags to any taggable resource in the RunInstances request.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account:*/*", "Condition": { "StringEquals": { "aws:RequestTag/purpose": "test", "ec2:CreateAction" : "RunInstances" }, "ForAllValues:StringEquals": { "aws:TagKeys": "purpose" } } } ] }

Attaching an Elastic GPU

In the following policy, users can launch an instance and specify an elastic GPU to attach to the instance. Users can launch instances in any region, but they can only attach an elastic GPU during launch in the us-east-2 region.

The ec2:ElasticGpuType condition key uses the ForAnyValue modifier to indicate that only the elastic GPU types eg1.medium and eg1.large are allowed in the request.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*:account:elastic-gpu/*" ], "Condition": { "StringEquals": { "ec2:Region": "us-east-2" }, "ForAnyValue:StringLike": { "ec2:ElasticGpuType": [ "eg1.medium", "eg1.large" ] } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:*::image/ami-*", "arn:aws:ec2:*:account:network-interface/*", "arn:aws:ec2:*:account:instance/*", "arn:aws:ec2:*:account:subnet/*", "arn:aws:ec2:*:account:volume/*", "arn:aws:ec2:*:account:key-pair/*", "arn:aws:ec2:*:account:security-group/*" ] } ] }

You can enable a VPC for ClassicLink and then link an EC2-Classic instance to the VPC. You can also view your ClassicLink-enabled VPCs, and all of your EC2-Classic instances that are linked to a VPC. You can create policies with resource-level permission for the ec2:EnableVpcClassicLink, ec2:DisableVpcClassicLink, ec2:AttachClassicLinkVpc, and ec2:DetachClassicLinkVpc actions to control how users are able to use those actions. Resource-level permissions are not supported for ec2:Describe* actions.

The following policy grants users permission to view ClassicLink-enabled VPCs and linked EC2-Classic instances, to enable and disable a VPC for ClassicLink, and to link and unlink instances from a ClassicLink-enabled VPC.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:DescribeClassicLinkInstances", "ec2:DescribeVpcClassicLink", "ec2:EnableVpcClassicLink", "ec2:DisableVpcClassicLink", "ec2:AttachClassicLinkVpc", "ec2:DetachClassicLinkVpc" ], "Resource": "*" } ] }

The following policy allows user to enable and disable VPCs for ClassicLink that have the specific tag 'purpose=classiclink'. Users cannot enable or disable any other VPCs for ClassicLink.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*VpcClassicLink", "Resource": "arn:aws:ec2:region:account:vpc/*", "Condition": { "StringEquals": { "ec2:ResourceTag/purpose":"classiclink" } } } ] }

The following policy grants users permission to link instances to a VPC only if the instance is an m3.large instance type. The second statement allows users to use the VPC and security group resources, which are required to link an instance to a VPC.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:AttachClassicLinkVpc", "Resource": "arn:aws:ec2:region:account:instance/*", "Condition": { "StringEquals": { "ec2:InstanceType":"m3.large" } } }, { "Effect": "Allow", "Action": "ec2:AttachClassicLinkVpc", "Resource": [ "arn:aws:ec2:region:account:vpc/*", "arn:aws:ec2:region:account:security-group/*" ] } ] }

The following policy grants users permission to link instances to a specific VPC (vpc-1a2b3c4d) only, and to associate only specific security groups from the VPC to the instance (sg-1122aabb and sg-aabb2233). Users cannot link an instance to any other VPC, and they cannot specify any other of the VPC security groups to associate with the instance in the request.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:AttachClassicLinkVpc", "Resource": [ "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d", "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:security-group/sg-1122aabb", "arn:aws:ec2:region:account:security-group/sg-aabb2233" ] } ] }

The following grants users permission to unlink any linked EC2-Classic instance from a VPC, but only if the instance has the tag "unlink=true". The second statement grants users permission to use the VPC resource, which is required to unlink an instance from a VPC.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:DetachClassicLinkVpc", "Resource": [ "arn:aws:ec2:region:account:instance/*" ], "Condition": { "StringEquals": { "ec2:ResourceTag/unlink":"true" } } }, { "Effect": "Allow", "Action": "ec2:DetachClassicLinkVpc", "Resource": [ "arn:aws:ec2:region:account:vpc/*" ] } ] }

7. Working with Reserved Instances

The following policy gives users permission to view, modify, and purchase Reserved Instances in your account.

It is not possible to set resource-level permissions for individual Reserved Instances. This policy means that users have access to all the Reserved Instances in the account.

The Resource element uses a * wildcard to indicate that users can specify all resources with the action; in this case, they can list and modify all Reserved Instances in the account. They can also purchase Reserved Instances using the account credentials. The * wildcard is also necessary in cases where the API action does not support resource-level permissions.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:DescribeReservedInstances", "ec2:ModifyReservedInstances", "ec2:PurchaseReservedInstancesOffering", "ec2:DescribeAvailabilityZones", "ec2:DescribeReservedInstancesOfferings" ], "Resource": "*" } ] }

To allow users to view and modify the Reserved Instances in your account, but not purchase new Reserved Instances.

Copy
{ ""Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:DescribeReservedInstances", "ec2:ModifyReservedInstances", "ec2:DescribeAvailabilityZones" ], "Resource": "*" } ] }

8. Tagging Resources

The following policy allows users to use the CreateTags action to apply tags to an instance only if the tag contains the key environment and the value production. The ForAllValues modifier is used with the aws:TagKeys condition key to indicate that only the key environment is allowed in the request (no other tags are allowed). The user cannot tag any other resource types.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account:instance/*", "Condition": { "StringEquals": { "aws:RequestTag/environment": "production" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "environment" ] } } } ] }

The following policy allows users to tag any taggable resource that already has a tag with a key of owner and a value of the IAM username. In addition, users must specify a tag with a key of environment and a value of either test or prod in the request. Users can specify additional tags in the request.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account:*/*", "Condition": { "StringEquals": { "aws:RequestTag/environment": ["test","prod"], "ec2:ResourceTag/owner": "${aws:username}" } } } ] }

You can create an IAM policy that allows users to delete specific tags for a resource. For example, the following policy allows users to delete tags for a volume if the tag keys specified in the request are environment or cost-center. Any value can be specified for the tag but the tag key must match either of the specified keys.

Note

If you delete a resource, all tags associated with the resource are also deleted. Users do not need permission to use the ec2:DeleteTags action to delete a resource that has tags; they only need permission to perform the deleting action.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:DeleteTags", "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": ["environment","cost-center"] } } } ] }

This policy allows users to delete only the environment=prod tag on any resource, and only if the resource is already tagged with a key of owner and a value of the IAM username. Users cannot delete any other tags for a resource.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DeleteTags" ], "Resource": "arn:aws:ec2:region:account:*/*", "Condition": { "StringEquals": { "aws:RequestTag/environment": "prod", "ec2:ResourceTag/owner": "${aws:username}" }, "ForAllValues:StringEquals": { "aws:TagKeys": ["environment"] } } } ] }

9: Working with IAM Roles

The following policy allows users to attach, replace, and detach an IAM role to instances that have the tag department=test. Replacing or detaching an IAM role requires an association ID, therefore the policy also grants users permission to use the ec2:DescribeIamInstanceProfileAssociations action.

IAM users must have permission to use the iam:PassRole action in order to pass the role to the instance.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AssociateIamInstanceProfile", "ec2:ReplaceIamInstanceProfileAssociation", "ec2:DisassociateIamInstanceProfile" ], "Resource": "arn:aws:ec2:region:account:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/department":"test" } } }, { "Effect": "Allow", "Action": "ec2:DescribeIamInstanceProfileAssociations", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*" } ] }

The following policy allows users to attach or replace an IAM role for any instance. Users can only attach or replace IAM roles with names that begin with TestRole-. For the iam:PassRole action, ensure that you specify the name of the IAM role and not the instance profile (if the names are different). For more information, see Instance Profiles.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AssociateIamInstanceProfile", "ec2:ReplaceIamInstanceProfileAssociation" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ec2:DescribeIamInstanceProfileAssociations", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::account:role/TestRole-*" } ] }

10: Working with Route Tables

The following policy allows users to add, remove, and replace routes for route tables that are associated with VPC vpc-ec43eb89 only. To specify a VPC for the ec2:Vpc condition key, you must specify the full ARN of the VPC.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DeleteRoute", "ec2:CreateRoute", "ec2:ReplaceRoute" ], "Resource": [ "arn:aws:ec2:region:account:route-table/*" ], "Condition": { "StringEquals": { "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-ec43eb89" } } } ] }

11: Allowing a specific instance to view resources in other AWS services

The following is an example of a policy that you might attach to an IAM role. The policy allows an instance to view resources in various AWS services, and uses the ec2:SourceInstanceARN condition key to specify that the instance from which the request is made must be instance i-093452212644b0dd6. If the same IAM role is associated with another instance, the other instance cannot perform any of these actions.

The ec2:SourceInstanceARN key is an AWS-wide condition key, therefore it can be used for other service actions, not just Amazon EC2.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeVolumes", "s3:ListAllMyBuckets", "dynamodb:ListTables", "rds:DescribeDBInstances" ], "Resource": [ "*" ], "Condition": { "ArnEquals": { "ec2:SourceInstanceARN": "arn:aws:ec2:region:account:instance/i-093452212644b0dd6" } } } ] }