Using managed policies for EC2 Image Builder - EC2 Image Builder

Using managed policies for EC2 Image Builder

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWSImageBuilderFullAccess policy

The AWSImageBuilderFullAccess policy grants full access to Image Builder resources for the role it's attached to, allowing the role to list, describe, create, update, and delete Image Builder resources. The policy also grants targeted permissions to related AWS services that are needed, for example, to verify resources, or to display current resources for the account in the AWS Management Console.

Permissions details

This policy includes the following permissions:

  • Image Builder – Administrative access is granted, so that the role can list, describe, create, update, and delete Image Builder resources.

  • Amazon EC2 – Access is granted for Amazon EC2 Describe actions that are needed to verify resource existence or get lists of resources belonging to the account.

  • IAM – Access is granted to get and use instance profiles whose name contains "imagebuilder", to verify the existence of the Image Builder service-linked role via the iam:GetRole API action, and to create the Image Builder service-linked role.

  • License Manager – Access is granted to list license configurations or licenses for a resource.

  • Amazon S3 – Access is granted to list buckets belonging to the account, and also Image Builder buckets with "imagebuilder" in their names.

  • Amazon SNS – Write permissions are granted to Amazon SNS to verify topic ownership for topics containing "imagebuilder".

Policy example

The following is an example of the AWSImageBuilderFullAccess policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "imagebuilder:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:ListTopics" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "arn:aws:sns:*:*:*imagebuilder*" }, { "Effect": "Allow", "Action": [ "license-manager:ListLicenseConfigurations", "license-manager:ListLicenseSpecificationsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder" }, { "Effect": "Allow", "Action": [ "iam:GetInstanceProfile" ], "Resource": "arn:aws:iam::*:instance-profile/*imagebuilder*" }, { "Effect": "Allow", "Action": [ "iam:ListInstanceProfiles", "iam:ListRoles" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:instance-profile/*imagebuilder*", "arn:aws:iam::*:role/*imagebuilder*" ], "Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": "arn:aws:s3::*:*imagebuilder*" }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder", "Condition": { "StringLike": { "iam:AWSServiceName": "imagebuilder.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "ec2:DescribeImages", "ec2:DescribeSnapshots", "ec2:DescribeVpcs", "ec2:DescribeRegions", "ec2:DescribeVolumes", "ec2:DescribeSubnets", "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeLaunchTemplates" ], "Resource": "*" } ] }

AWSImageBuilderReadOnlyAccess policy

The AWSImageBuilderReadOnlyAccess policy provides read-only access to all Image Builder resources. Permissions are granted to verify that the Image Builder service-linked role exists via the iam:GetRole API action.

Permissions details

This policy includes the following permissions:

  • Image Builder – Access is granted for read-only access to Image Builder resources.

  • IAM – Access is granted to verify the existence of the Image Builder service-linked role via the iam:GetRole API action.

Policy example

The following is an example of the AWSImageBuilderReadOnlyAccess policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "imagebuilder:Get*", "imagebuilder:List*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder" } ] }

AWSServiceRoleForImageBuilder policy

The AWSServiceRoleForImageBuilder policy allows Image Builder to call AWS services on your behalf.

Permissions details

This policy is attached to the Image Builder service-linked role when the role is created through Systems Manager. The policy includes the following permissions:

  • CloudWatch Logs – Access is granted to create and upload CloudWatch Logs to any log group whose name starts with /aws/imagebuilder/.

  • Amazon EC2 – Access is granted for Image Builder to launch EC2 instances in your account, using related snapshots, volumes, network interfaces, security groups, and key pairs as required, as long as the instance and volumes that are being created or used are tagged with "Created By": "EC2 Image Builder".

    Image Builder can get information about Amazon EC2 images, instance attributes, instance status, the instance types that are available to your account, launch templates, subnets, and tags on your Amazon EC2 resources.

    Additionally, Image Builder can stop and terminate instances that are running in your account, share Amazon EBS snapshots, create and update images and launch templates, de-register existing images, add tags, and replicate images across accounts that you have granted permissions to via the Ec2ImageBuilderCrossAccountDistributionAccess policy. Image Builder tagging is required for all of these actions, as described previously.

    To review specific permissions that are granted, see the policy example in this section.

  • IAM – Access is granted for Image Builder to pass any role in your account to Amazon EC2.

  • AWS KMS – Access is granted for Amazon EBS to encrypt, decrypt or re-encrypt Amazon EBS volumes. This is crucial to ensure that encrypted volumes work when Image Builder builds an image.

  • License Manager – Access is granted for Image Builder to update License Manager specifications via license-manager:UpdateLicenseSpecificationsForResource.

  • Amazon SNS – Write permissions are granted for any Amazon SNS topic in the account.

  • Systems Manager – Access is granted for Image Builder to list Systems Manager commands and their invocations, instance information, inventory entries and automation execution statuses. Image Builder can also send automation signals, and stop automation exeuctions for any resource in your account.

    Image Builder is able to issue run command invocations to any instance that is tagged "Created By": "EC2 Image Builder" for the following script files: AWS-RunPowerShellScript, AWS-RunShellScript, or AWSEC2-RunSysprep. Image Builder is able to start an Systems Manager automation execution in your account for automation documents where the name starts with ImageBuilder.

    Image Builder is also able to create or delete State Manager associations for any instance in your account, as long as the association document is AWS-GatherSoftwareInventory, and to create the Systems Manager service-linked role in your account. For more information about the Image Builder service-linked role, see Using service-linked roles for EC2 Image Builder.

  • AWS STS – Access is granted for Image Builder to assume roles named EC2ImageBuilderDistributionCrossAccountRole from your account to any account where the Trust policy on the role permits it. This is used for cross-account image distribution.

Policy example

The following is an example of the AWSServiceRoleForImageBuilder policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*::image/*", "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:key-pair/*" ] }, { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*" ], "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "EC2 Image Builder" } } }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn" ] } } }, { "Effect": "Allow", "Action": [ "ec2:StopInstances", "ec2:TerminateInstances" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" } } }, { "Effect": "Allow", "Action": [ "ec2:CopyImage", "ec2:CreateImage", "ec2:CreateLaunchTemplate", "ec2:DeregisterImage", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:ModifyImageAttribute" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:ModifySnapshotAttribute" ], "Resource": "arn:aws:ec2:*::snapshot/*", "Condition": { "ForAnyValue:StringEquals": { "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*::image/*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:RequestTag/CreatedBy": "EC2 Image Builder" } } }, { "Effect": "Allow", "Action": [ "license-manager:UpdateLicenseSpecificationsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:ListCommands", "ssm:ListCommandInvocations", "ssm:AddTagsToResource", "ssm:DescribeInstanceInformation", "ssm:GetAutomationExecution", "ssm:StopAutomationExecution", "ssm:ListInventoryEntries", "ssm:SendAutomationSignal", "ssm:DescribeInstanceAssociationsStatus", "ssm:DescribeAssociationExecutions" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ssm:SendCommand", "Resource": [ "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript", "arn:aws:ssm:*:*:document/AWS-RunShellScript", "arn:aws:ssm:*:*:document/AWSEC2-RunSysprep", "arn:aws:s3:::*" ] }, { "Effect": "Allow", "Action": [ "ssm:SendCommand" ], "Resource": [ "arn:aws:ec2:*:*:instance/*" ], "Condition": { "ForAnyValue:StringEquals": { "ssm:resourceTag/CreatedBy": [ "EC2 Image Builder" ] } } }, { "Effect": "Allow", "Action": "ssm:StartAutomationExecution", "Resource": "arn:aws:ssm:*:*:automation-definition/ImageBuilder*" }, { "Effect": "Allow", "Action": [ "ssm:CreateAssociation", "ssm:DeleteAssociation" ], "Resource": [ "arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory", "arn:aws:ssm:*:*:association/*", "arn:aws:ec2:*:*:instance/*" ] }, { "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "kms:EncryptionContextKeys": [ "aws:ebs:id" ] }, "StringLike": { "kms:ViaService": [ "ec2.*.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": true }, "StringLike": { "kms:ViaService": [ "ec2.*.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/EC2ImageBuilderDistributionCrossAccountRole" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*" }, { "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplateVersion", "ec2:DescribeLaunchTemplates", "ec2:ModifyLaunchTemplate" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "ssm.amazonaws.com" } } } ] }

Ec2ImageBuilderCrossAccountDistributionAccess policy

The Ec2ImageBuilderCrossAccountDistributionAccess policy grants permissions for Image Builder to distribute images across accounts in target Regions. Additionally, Image Builder can describe, copy, and apply tags to any Amazon EC2 image in the account. The policy also grants the ability to modify AMI permissions via the ec2:ModifyImageAttribute API action.

Permissions details

This policy includes the following permissions:

  • Amazon EC2 – Access is granted for Amazon EC2 to describe, copy, and modify attributes for an image, and to create tags for any Amazon EC2 images in the account.

Policy example

The following is an example of the Ec2ImageBuilderCrossAccountDistributionAccess policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*::image/*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeImages", "ec2:CopyImage", "ec2:ModifyImageAttribute" ], "Resource": "*" } ] }

EC2InstanceProfileForImageBuilder policy

The EC2InstanceProfileForImageBuilder policy grants the minimum permissions required for an EC2 instance to work with Image Builder. This does not include permissions required to use the Systems Manager Agent.

Permissions details

This policy includes the following permissions:

  • CloudWatch Logs – Access is granted to create and upload CloudWatch Logs to any log group whose name starts with /aws/imagebuilder/.

  • Image Builder – Access is granted to get any Image Builder component.

  • AWS KMS – Access is granted to decrypt an Image Builder component, if it was encrypted via AWS KMS.

  • Amazon S3 – Access is granted to get objects stored in an Amazon S3 bucket whose name starts with ec2imagebuilder-.

Policy example

The following is an example of the EC2InstanceProfileForImageBuilder policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "imagebuilder:GetComponent" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "kms:EncryptionContextKeys": "aws:imagebuilder:arn", "aws:CalledVia": [ "imagebuilder.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::ec2imagebuilder*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*" } ] }

EC2InstanceProfileForImageBuilderECRContainerBuilds policy

The EC2InstanceProfileForImageBuilderECRContainerBuilds policy grants the minimum permissions required for an EC2 instance when working with Image Builder to build Docker images and then register and store the images in an Amazon ECR container repository. This does not include permissions required to use the Systems Manager Agent.

Permissions details

This policy includes the following permissions:

  • CloudWatch Logs – Access is granted to create and upload CloudWatch Logs to any log group whose name starts with /aws/imagebuilder/.

  • Amazon ECR – Access is granted for Amazon ECR to get, register, and store a container image, and to get an authorization token.

  • Image Builder – Access is granted to get an Image Builder component or container recipe.

  • AWS KMS – Access is granted to decrypt an Image Builder component or container recipe, if it was encrypted via AWS KMS.

  • Amazon S3 – Access is granted to get objects stored in an Amazon S3 bucket whose name starts with ec2imagebuilder-.

Policy example

The following is an example of the EC2InstanceProfileForImageBuilderECRContainerBuilds policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "imagebuilder:GetComponent", "imagebuilder:GetContainerRecipe", "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:PutImage" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "kms:EncryptionContextKeys": "aws:imagebuilder:arn", "aws:CalledVia": [ "imagebuilder.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::ec2imagebuilder*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*" } ] }

Image Builder updates to AWS managed policies

This section provides information about updates to AWS managed policies for Image Builder since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Image Builder document history page.

Change Description Date

AWSServiceRoleForImageBuilder – Update to an existing policy

Image Builder added new permissions to fix issues where more than one inventory association causes the image build to get stuck.

August 11, 2021

AWSImageBuilderFullAccess – Update to an existing policy

Image Builder added permissions to allow ec2:DescribeInstanceTypeOffereings.

Added permissions to call ec2:DescribeInstanceTypeOffereings to enable the Image Builder console to accurately reflect the instance types that are available in the account.

April 13, 2021

Image Builder started tracking changes

Image Builder started tracking changes for its AWS managed policies.

April 02, 2021