IAM permissions required for Amazon EC2 launch templates - Amazon Elastic Compute Cloud

IAM permissions required for Amazon EC2 launch templates

You can use IAM permissions to control whether users can list, view, create, or delete launch templates or launch template versions.

Important

You can't use resource-level permissions to restrict the resources that users can specify in a launch template when they create a launch template or launch template version. Therefore, make sure that only trusted administrators are granted permission to create launch templates and launch template versions.

You must grant anyone that will use a launch template the permissions required to create and access the resources that are specified in the launch template. For example:

  • To launch an instance from a shared private Amazon Machine Image (AMI), the user must have launch permission for the AMI.

  • To create EBS volumes with tags from existing snapshots, the user must have read access to the snapshots, and permissions to create and tag volumes.

ec2:CreateLaunchTemplate

To create a launch template in the console or by using the APIs, the principal must have the ec2:CreateLaunchTemplate permission in an IAM policy. Whenever possible, use tags to help you control access to the launch templates in your account.

For example, the following IAM policy statement gives the principal permission to create launch templates only if the template uses the specified tag (purpose=testing).

{ "Sid": "IAMPolicyForCreatingTaggedLaunchTemplates", "Action": "ec2:CreateLaunchTemplate", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/purpose": "testing" } } }

Principals who create launch templates might need some related permissions, such as:

  • ec2:CreateTags – To add tags to the launch template during the CreateLaunchTemplate operation, the CreateLaunchTemplate caller must have the ec2:CreateTags permission in an IAM policy.

  • ec2:RunInstances – To launch EC2 instances from the launch template that they created, the principal must also have the ec2:RunInstances permission in an IAM policy.

For resource-creating actions that apply tags, users must have the ec2:CreateTags permission. The following IAM policy statement uses the ec2:CreateAction condition key to allow users to create tags only in the context of CreateLaunchTemplate. Users cannot tag existing launch templates or any other resources. For more information, see Grant permission to tag Amazon EC2 resources during creation.

{ "Sid": "IAMPolicyForTaggingLaunchTemplatesOnCreation", "Action": "ec2:CreateTags", "Effect": "Allow", "Resource": "arn:aws:ec2:region:account-id:launch-template/*", "Condition": { "StringEquals": { "ec2:CreateAction": "CreateLaunchTemplate" } } }

The IAM user who creates a launch template doesn't automatically have permission to use the launch template that they created. Like any other principal, the launch template creator needs to get permission through an IAM policy. If an IAM user wants to launch an EC2 instance from a launch template, they must have the ec2:RunInstances permission. When granting these permissions, you can specify that users can only use launch templates with specific tags or specific IDs. You can also control the AMI and other resources that anyone using launch templates can reference and use when launching instances by specifying resource-level permissions for the RunInstances call. For example policies, see Launch templates.

ec2:DescribeLaunchTemplates

To list and view launch templates in the account, the principal must have the ec2:DescribeLaunchTemplates permission in an IAM policy. Because Describe actions do not support resource-level permissions, you must specify them without conditions and the value of the resource element in the policy must be "*".

For example, the following IAM policy statement gives the principal permission to list and view all launch templates in the account.

{ "Sid": "IAMPolicyForDescribingLaunchTemplates", "Action": "ec2:DescribeLaunchTemplates", "Effect": "Allow", "Resource": "*" }

ec2:DescribeLaunchTemplateVersions

Principals who list and view launch templates should also have the ec2:DescribeLaunchTemplateVersions permission to retrieve the entire set of attributes that make up the launch templates.

To list and view launch template versions in the account, the principal must have the ec2:DescribeLaunchTemplateVersions permission in an IAM policy. Because Describe actions do not support resource-level permissions, you must specify them without conditions and the value of the resource element in the policy must be "*".

For example, the following IAM policy statement gives the principal permission to list and view all launch template versions in the account.

{ "Sid": "IAMPolicyForDescribingLaunchTemplateVersions", "Effect": "Allow", "Action": "ec2:DescribeLaunchTemplateVersions", "Resource": "*" }

ec2:DeleteLaunchTemplate

Important

Use caution when giving principals permission to delete a resource. Deleting a launch template might cause a failure in an AWS resource that relies on the launch template.

To delete a launch template, the principal must have the ec2:DeleteLaunchTemplate permission in an IAM policy. Whenever possible, use tag-based condition keys to limit the permissions.

For example, the following IAM policy statement gives the principal permission to delete launch templates only if the template has the specified tag (purpose=testing).

{ "Sid": "IAMPolicyForDeletingLaunchTemplates", "Action": "ec2:DeleteLaunchTemplate", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/purpose": "testing" } } }

Alternatively, you can use ARNs to identify the launch template that the IAM policy applies to.

A launch template has the following ARN.

"Resource": "arn:aws:ec2:region:account-id:launch-template/lt-09477bcd97b0d310e"

You can specify multiple ARNs by enclosing them in a list, or you can specify a Resource value of "*" without the Condition element to allow the principal to delete any launch template in the account.

Control versioning permissions

For trusted administrators, you can grant access for creating and deleting versions of a launch template, and for changing the default version of a launch template, by using IAM policies similar to the following examples.

Important

Be cautious when giving principals permission to create launch template versions or modify launch templates.

  • When you create a launch template version, you affect any AWS resources that allow Amazon EC2 to launch instances on your behalf with the Latest version.

  • When you modify a launch template, you can change which version is the Default and therefore affect any AWS resources that allow Amazon EC2 to launch instances on your behalf with this modified version.

You also need to be cautious in how you handle AWS resources that interact with the Latest or Default launch template version, such as EC2 Fleet and Spot Fleet. When a different launch template version is used for Latest or Default, Amazon EC2 does not re-check user permissions for actions to be completed when launching new instances to fulfil the fleet’s target capacity because there is no user interaction with the AWS resource. By granting a user permission to call the CreateLaunchTemplateVersion and ModifyLaunchTemplate APIs, the user is effectively also granted the iam:PassRole permission if they point the fleet to a different launch template version that contains an instance profile (a container for an IAM role). It means that a user can potentially update a launch template to pass an IAM role to an instance even if they don’t have the iam:PassRole permission. You can manage this risk by being careful when granting permissions to who can create and manage launch template versions.

ec2:CreateLaunchTemplateVersion

To create a new version of a launch template, the principal must have the ec2:CreateLaunchTemplateVersion permission for the launch template in an IAM policy.

For example, the following IAM policy statement gives the principal permission to create launch template versions only if the version uses the specified tag (environment=production). Alternatively, you can specify one or multiple launch template ARNs, or you can specify a Resource value of "*" without the Condition element to allow the principal to create versions of any launch template in the account.

{ "Sid": "IAMPolicyForCreatingLaunchTemplateVersions", "Action": "ec2:CreateLaunchTemplateVersion", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/environment": "production" } } }

ec2:DeleteLaunchTemplateVersion

Important

As always, you should exercise caution when giving principals permission to delete a resource. Deleting a launch template version might cause a failure in an AWS resource that relies on the launch template version.

To delete a launch template version, the principal must have the ec2:DeleteLaunchTemplateVersion permission for the launch template in an IAM policy.

For example, the following IAM policy statement gives the principal permission to delete launch template versions only if the version uses the specified tag (environment=production). Alternatively, you can specify one or multiple launch template ARNs, or you can specify a Resource value of "*" without the Condition element to allow the principal to delete versions of any launch template in the account.

{ "Sid": "IAMPolicyForDeletingLaunchTemplateVersions", "Action": "ec2:DeleteLaunchTemplateVersion", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/environment": "production" } } }

ec2:ModifyLaunchTemplate

To change the Default version that is associated with a launch template, the principal must have the ec2:ModifyLaunchTemplate permission for the launch template in an IAM policy.

For example, the following IAM policy statement gives the principal permission to modify launch templates only if the launch template uses the specified tag (environment=production). Alternatively, you can specify one or multiple launch template ARNs, or you can specify a Resource value of "*" without the Condition element to allow the principal to modify any launch template in the account.

{ "Sid": "IAMPolicyForModifyingLaunchTemplates", "Action": "ec2:ModifyLaunchTemplate", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/environment": "production" } } }

Control access to tags on launch templates

You can use condition keys to limit tagging permissions when the resource is a launch template. For example, the following IAM policy allows removing only the tag with the temporary key from launch templates in the specified account and Region.

{ "Sid": "IAMPolicyForDeletingTagsOnLaunchTemplates", "Action": "ec2:DeleteTags", "Effect": "Allow", "Resource": "arn:aws:ec2:region:account-id:launch-template/*", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": ["temporary"] } } }

For more information about conditions keys that you can use to control the tag keys and values that can be applied to Amazon EC2 resources, see Control access to specific tags.