IAM policies for Amazon EC2 - Amazon Elastic Compute Cloud

IAM policies for Amazon EC2

By default, users don't have permission to create or modify Amazon EC2 resources, or perform tasks using the Amazon EC2 API, Amazon EC2 console, or CLI. To allow users to create or modify resources and perform tasks, you must create IAM policies that grant users permission to use the specific resources and API actions they'll need, and then attach those policies to the users, groups, or IAM roles that require those permissions.

When you attach a policy to a user, group of users, or role, it allows or denies those principals permission to perform the specified tasks on the specified resources. Note that an explicit Deny in any applicable policy overrides an Allow, and a request that matches no Allow statement is denied by default. For more general information about IAM policies, see Policies and permissions in IAM in the IAM User Guide. For more information about managing and creating custom IAM policies, see Managing IAM policies.

Getting Started

An IAM policy must grant or deny permissions to use one or more Amazon EC2 actions. It must also specify the resources that can be used with the action, which can be all resources (the "*" wildcard) or, in some cases, specific resources identified by ARN. The policy can also include conditions, such as tag-based condition keys, that restrict when the action is allowed on those resources.

Amazon EC2 partially supports resource-level permissions. This means that for some EC2 API actions (for example, the ec2:Describe* actions), you cannot specify which resource a user is allowed to work with for that action. Instead, you have to allow users to work with all resources for that action by specifying "*" as the resource. If you restrict such an action to a specific ARN, the statement does not match the request and the request is denied.
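The following policy is an added example, not one from the original page, that puts the three parts described above (actions, resources, conditions) and the resource-level caveat into one document. The account ID 123456789012, the Region us-east-1, and the tag key Environment are placeholders for this illustration. The first statement covers Describe actions, which do not support resource-level permissions and therefore need "*"; the second scopes StartInstances and StopInstances to instance ARNs in one Region and further restricts them with the ec2:ResourceTag condition key so only instances tagged Environment=dev can be started or stopped.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeActionsRequireWildcardResource",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "StartStopOnlyDevInstancesInOneRegion",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "dev"
        }
      }
    }
  ]
}
```

If the first statement's Resource were changed to the instance ARN pattern used in the second, the Describe calls would fail with an unauthorized error, because those actions only match a statement whose resource is "*". Conversely, leaving the second statement at "*" would let the principal start or stop any instance in the account, which is the over-grant that resource ARNs and tag conditions exist to prevent.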

The following tasks and the topics that cover them:

  • Understand the basic structure of a policy: Policy syntax

  • Define actions in your policy: Actions for Amazon EC2

  • Define specific resources in your policy: Amazon Resource Names (ARNs) for Amazon EC2

  • Apply conditions to the use of the resources: Condition keys for Amazon EC2

  • Work with the available resource-level permissions for Amazon EC2: Actions, resources, and condition keys for Amazon EC2

  • Test your policy: Check that users have the required permissions

  • Generate an IAM policy: Generate policies based on access activity

  • Example policies for a CLI or SDK: Example policies for working with the AWS CLI or an AWS SDK

  • Example policies for the Amazon EC2 console: Example policies for working in the Amazon EC2 console

Grant permissions to users, groups, and roles

The following are examples of AWS managed policies that you can use if they meet your needs. Keep in mind that PowerUserAccess and AmazonEC2FullAccess are broad grants (PowerUserAccess allows nearly all AWS actions except IAM user and group management); for most workloads, a custom policy scoped to the specific actions and resources required is the safer choice.

  • PowerUserAccess

  • ReadOnlyAccess

  • AmazonEC2FullAccess

  • AmazonEC2ReadOnlyAccess

For more information on the AWS managed policies available to work with Amazon EC2, see AWS managed policies for Amazon Elastic Compute Cloud.

To provide access, add permissions to your users, groups, or roles: