Use AWS managed policies for EC2 Image Builder

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWSImageBuilderFullAccess policy

The AWSImageBuilderFullAccess policy grants full access to Image Builder resources for the role it's attached to, allowing the role to list, describe, create, update, and delete Image Builder resources. The policy also grants targeted permissions to related AWS services that are needed, for example, to verify resources, or to display current resources for the account in the AWS Management Console.

Permissions details

This policy includes the following permissions:

  • Image Builder – Administrative access is granted, so that the role can list, describe, create, update, and delete Image Builder resources.

  • Amazon EC2 – Access is granted for Amazon EC2 Describe actions that are needed to verify resource existence or get lists of resources belonging to the account.

  • IAM – Access is granted to get and use instance profiles whose name contains "imagebuilder", to verify the existence of the Image Builder service-linked role via the iam:GetRole API action, and to create the Image Builder service-linked role.

  • License Manager – Access is granted to list license configurations or licenses for a resource.

  • Amazon S3 – Access is granted to list buckets belonging to the account, and also Image Builder buckets with "imagebuilder" in their names.

  • Amazon SNS – Write permissions are granted to Amazon SNS to verify topic ownership for topics containing "imagebuilder".

Policy example

The following is an example of the AWSImageBuilderFullAccess policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["imagebuilder:*"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["sns:ListTopics"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["sns:Publish"],
            "Resource": "arn:aws:sns:*:*:*imagebuilder*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "license-manager:ListLicenseConfigurations",
                "license-manager:ListLicenseSpecificationsForResource"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["iam:GetRole"],
            "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder"
        },
        {
            "Effect": "Allow",
            "Action": ["iam:GetInstanceProfile"],
            "Resource": "arn:aws:iam::*:instance-profile/*imagebuilder*"
        },
        {
            "Effect": "Allow",
            "Action": ["iam:ListInstanceProfiles", "iam:ListRoles"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::*:instance-profile/*imagebuilder*",
                "arn:aws:iam::*:role/*imagebuilder*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3::*:*imagebuilder*"
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "imagebuilder.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions",
                "ec2:DescribeVolumes",
                "ec2:DescribeSubnets",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeLaunchTemplates"
            ],
            "Resource": "*"
        }
    ]
}
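The following added example (not part of the original AWS documentation) supports a least-privilege review of the AWSImageBuilderFullAccess policy: it labels how each statement's Resource element is bounded and lists which role and instance profile ARNs fall inside the iam:PassRole name patterns. The account ID and ARNs are constructed samples, the function names are hypothetical, and matching is modelled as a case-sensitive glob over the whole ARN rather than with the IAM evaluation engine.

```python
import json
import re

# Subset of the AWSImageBuilderFullAccess statements shown on this page.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["imagebuilder:*"], "Resource": "*"},
 {"Effect": "Allow", "Action": ["sns:Publish"],
  "Resource": "arn:aws:sns:*:*:*imagebuilder*"},
 {"Effect": "Allow", "Action": ["iam:GetRole"],
  "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder"},
 {"Effect": "Allow", "Action": "iam:PassRole",
  "Resource": ["arn:aws:iam::*:instance-profile/*imagebuilder*",
               "arn:aws:iam::*:role/*imagebuilder*"],
  "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
 {"Effect": "Allow", "Action": ["s3:ListBucket"],
  "Resource": "arn:aws:s3::*:*imagebuilder*"}
]}
""")

# Constructed sample ARNs for a fictional account; replace with your own inventory.
SAMPLE_ARNS = [
    "arn:aws:iam::111122223333:role/imagebuilder-build-instance",
    "arn:aws:iam::111122223333:role/team-a/legacy-imagebuilder-admin",
    "arn:aws:iam::111122223333:role/app-deploy",
    "arn:aws:iam::111122223333:instance-profile/dev-imagebuilder-profile",
]

def as_list(value):
    return value if isinstance(value, list) else [value]

def arn_glob(pattern):
    """Compile a Resource pattern: '*' is any run of characters, '?' is one."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts))

def scope_of(statement):
    """Label how an Allow statement's Resource element is bounded."""
    resources = as_list(statement["Resource"])
    if "*" in resources:
        label = "all-resources"
    elif any(ch in r.split(":", 5)[5] for r in resources for ch in "*?"):
        label = "name-pattern"   # wildcard inside the resource-name segment
    else:
        label = "fixed-name"
    return label + ("+condition" if "Condition" in statement else "")

def audit(policy):
    """Return (actions, scope label) for every statement, in policy order."""
    return [(as_list(s["Action"]), scope_of(s)) for s in policy["Statement"]]

def passable(policy, arns):
    """Return the ARNs that match a Resource of any iam:PassRole statement."""
    patterns = [arn_glob(r) for s in policy["Statement"]
                if "iam:PassRole" in as_list(s["Action"])
                for r in as_list(s["Resource"])]
    return [a for a in arns if any(p.fullmatch(a) for p in patterns)]

if __name__ == "__main__":
    for actions, label in audit(POLICY):
        print(f"{label:24} {', '.join(actions)}")
    print("In iam:PassRole scope:", *passable(POLICY, SAMPLE_ARNS), sep="\n  ")
```

Every role whose path or name contains "imagebuilder" is in scope for iam:PassRole to Amazon EC2, so review that list before you attach the managed policy, or pin explicit ARNs in a customer managed policy.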

AWSImageBuilderReadOnlyAccess policy

The AWSImageBuilderReadOnlyAccess policy provides read-only access to all Image Builder resources. Permissions are granted to verify that the Image Builder service-linked role exists via the iam:GetRole API action.

Permissions details

This policy includes the following permissions:

  • Image Builder – Access is granted for read-only access to Image Builder resources.

  • IAM – Access is granted to verify the existence of the Image Builder service-linked role via the iam:GetRole API action.

Policy example

The following is an example of the AWSImageBuilderReadOnlyAccess policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["imagebuilder:Get*", "imagebuilder:List*"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["iam:GetRole"],
            "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder"
        }
    ]
}

AWSServiceRoleForImageBuilder policy

The AWSServiceRoleForImageBuilder policy allows Image Builder to call AWS services on your behalf.

Permissions details

This policy is attached to the Image Builder service-linked role when the role is created through Systems Manager. For more information about the Image Builder service-linked role, see Use IAM service-linked roles for Image Builder.

The policy includes the following permissions:

  • CloudWatch Logs – Access is granted to create and upload CloudWatch Logs to any log group whose name starts with /aws/imagebuilder/.

  • Amazon EC2 – Access is granted for Image Builder to create images and launch EC2 instances in your account, using related snapshots, volumes, network interfaces, subnets, security groups, license configuration and key pairs as required, as long as the image, instance, and volumes that are being created or used are tagged with CreatedBy: EC2 Image Builder or CreatedBy: EC2 Fast Launch.

    Image Builder can get information about Amazon EC2 images, instance attributes, instance status, the instance types that are available to your account, launch templates, subnets, hosts, and tags on your Amazon EC2 resources.

    Image Builder can update image settings to enable or disable faster launching of Windows instances in your account, where the image is tagged with CreatedBy: EC2 Image Builder.

    Additionally, Image Builder can start, stop, and terminate instances that are running in your account, share Amazon EBS snapshots, create and update images and launch templates, de-register existing images, add tags, and replicate images across accounts that you have granted permissions to via the Ec2ImageBuilderCrossAccountDistributionAccess policy. Image Builder tagging is required for all of these actions, as described previously.

  • Amazon ECR – Access is granted for Image Builder to create a repository if needed for container image vulnerability scans, and tag the resources it creates to limit the scope of its operations. Access is also granted for Image Builder to delete the container images that it created for the scans after it takes snapshots of the vulnerabilities.

  • EventBridge – Access is granted for Image Builder to create and manage EventBridge rules.

  • IAM – Access is granted for Image Builder to pass any role in your account to Amazon EC2, and to VM Import/Export.

  • Amazon Inspector – Access is granted for Image Builder to determine when Amazon Inspector completes build instance scans, and to collect findings for images that are configured to allow it.

  • AWS KMS – Access is granted for Amazon EBS to encrypt, decrypt, or re-encrypt Amazon EBS volumes. This is crucial to ensure that encrypted volumes work when Image Builder builds an image.

  • License Manager – Access is granted for Image Builder to update License Manager specifications via license-manager:UpdateLicenseSpecificationsForResource.

  • Amazon SNS – Write permissions are granted for any Amazon SNS topic in your account.

  • Systems Manager – Access is granted for Image Builder to list Systems Manager commands and their invocations, list inventory entries, describe instance information and automation execution statuses, describe hosts for instance placement support, and get command invocation details. Image Builder can also send automation signals, and stop automation executions for any resource in your account.

    Image Builder is able to issue run command invocations to any instance that is tagged "CreatedBy": "EC2 Image Builder" for the following script files: AWS-RunPowerShellScript, AWS-RunShellScript, or AWSEC2-RunSysprep. Image Builder is able to start a Systems Manager automation execution in your account for automation documents where the name starts with ImageBuilder.

    Image Builder is also able to create or delete State Manager associations for any instance in your account, as long as the association document is AWS-GatherSoftwareInventory, and to create the Systems Manager service-linked role in your account.

  • AWS STS – Access is granted for Image Builder to assume roles named EC2ImageBuilderDistributionCrossAccountRole from your account to any account where the Trust policy on the role permits it. This is used for cross-account image distribution.

To view the permissions for this policy, see AWSServiceRoleForImageBuilder in the AWS Managed Policy Reference.

Ec2ImageBuilderCrossAccountDistributionAccess policy

The Ec2ImageBuilderCrossAccountDistributionAccess policy grants permissions for Image Builder to distribute images across accounts in target Regions. Additionally, Image Builder can describe, copy, and apply tags to any Amazon EC2 image in the account. The policy also grants the ability to modify AMI permissions via the ec2:ModifyImageAttribute API action.

Permissions details

This policy includes the following permissions:

  • Amazon EC2 – Access is granted for Amazon EC2 to describe, copy, and modify attributes for an image, and to create tags for any Amazon EC2 images in the account.

Policy example

The following is an example of the Ec2ImageBuilderCrossAccountDistributionAccess policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*::image/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages",
                "ec2:CopyImage",
                "ec2:ModifyImageAttribute"
            ],
            "Resource": "*"
        }
    ]
}

EC2ImageBuilderLifecycleExecutionPolicy policy

The EC2ImageBuilderLifecycleExecutionPolicy policy grants permissions for Image Builder to perform actions such as deprecate, disable, or delete Image Builder image resources and their underlying resources (AMIs, snapshots) to support automated rules for image lifecycle management tasks.

Permissions details

This policy includes the following permissions:

  • Amazon EC2 – Access is granted for Amazon EC2 to perform the following actions for Amazon Machine Images (AMIs) in the account that are tagged with CreatedBy: EC2 Image Builder.

    • Enable and disable an AMI.

    • Enable and disable image deprecation.

    • Describe and deregister an AMI.

    • Describe and modify AMI image attributes.

    • Delete volume snapshots that are associated with the AMI.

    • Retrieve tags for a resource.

    • Add or remove tags from an AMI for deprecation.

  • Amazon ECR – Access is granted for Amazon ECR to perform the following batch actions on ECR repositories with the LifecycleExecutionAccess: EC2 Image Builder tag. Batch actions support automated container image lifecycle rules.

    • ecr:BatchGetImage

    • ecr:BatchDeleteImage

    Access is granted at the repository level for ECR repositories that are tagged with LifecycleExecutionAccess: EC2 Image Builder.

  • AWS Resource groups – Access is granted for Image Builder to get resources based on tags.

  • EC2 Image Builder – Access is granted for Image Builder to delete Image Builder image resources.

Policy example

The following is an example of the EC2ImageBuilderLifecycleExecutionPolicy policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ec2ImagePermission",
            "Effect": "Allow",
            "Action": [
                "ec2:EnableImage",
                "ec2:DeregisterImage",
                "ec2:EnableImageDeprecation",
                "ec2:DescribeImageAttribute",
                "ec2:DisableImage",
                "ec2:DisableImageDeprecation"
            ],
            "Resource": "arn:aws:ec2:*::image/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "EC2 Image Builder"
                }
            }
        },
        {
            "Sid": "EC2DeleteSnapshotPermission",
            "Effect": "Allow",
            "Action": "ec2:DeleteSnapshot",
            "Resource": "arn:aws:ec2:*::snapshot/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "EC2 Image Builder"
                }
            }
        },
        {
            "Sid": "EC2TagsPermission",
            "Effect": "Allow",
            "Action": ["ec2:DeleteTags", "ec2:CreateTags"],
            "Resource": [
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*::image/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/DeprecatedBy": "EC2 Image Builder",
                    "aws:ResourceTag/CreatedBy": "EC2 Image Builder"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "DeprecatedBy"
                }
            }
        },
        {
            "Sid": "ECRImagePermission",
            "Effect": "Allow",
            "Action": ["ecr:BatchGetImage", "ecr:BatchDeleteImage"],
            "Resource": "arn:aws:ecr:*:*:repository/*",
            "Condition": {
                "StringEquals": {
                    "ecr:ResourceTag/LifecycleExecutionAccess": "EC2 Image Builder"
                }
            }
        },
        {
            "Sid": "ImageBuilderEC2TagServicePermission",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages",
                "tag:GetResources",
                "imagebuilder:DeleteImage"
            ],
            "Resource": "*"
        }
    ]
}
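The following added example (not part of the original AWS documentation) models the Condition block of the EC2TagsPermission statement to show which ec2:CreateTags requests that statement covers. It is a simplified model of the two condition operators the statement uses, not the IAM evaluation engine; the function names, tag values other than those in the policy, and the request cases are constructed for illustration.

```python
# Condition block of the EC2TagsPermission statement, copied from the policy above.
CONDITION = {
    "StringEquals": {
        "aws:RequestTag/DeprecatedBy": "EC2 Image Builder",
        "aws:ResourceTag/CreatedBy": "EC2 Image Builder",
    },
    "ForAllValues:StringEquals": {"aws:TagKeys": "DeprecatedBy"},
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def condition_met(condition, context):
    """Simplified model: all operators and all keys must match (logical AND)."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            allowed = as_list(allowed)
            if operator == "StringEquals":
                # A key that is absent from the request context does not match.
                if context.get(key) not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Every value in the request must be in the allowed set.
                if not all(v in allowed for v in context.get(key, [])):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True

def create_tags_context(resource_tags, new_tags):
    """Build the context keys the condition reads for an ec2:CreateTags request."""
    ctx = {f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in new_tags.items()})
    ctx["aws:TagKeys"] = list(new_tags)
    return ctx

# Constructed cases: (description, tags already on the AMI, tags in the request).
BUILT = {"CreatedBy": "EC2 Image Builder"}
MARK = {"DeprecatedBy": "EC2 Image Builder"}
CASES = [
    ("Image Builder AMI, DeprecatedBy only", BUILT, MARK),
    ("Image Builder AMI, extra tag key", BUILT, {**MARK, "Owner": "example"}),
    ("Image Builder AMI, other DeprecatedBy value", BUILT, {"DeprecatedBy": "manual"}),
    ("AMI created by another tool", {"CreatedBy": "example-tool"}, MARK),
    ("Untagged AMI", {}, MARK),
]

def decisions():
    """Return (description, statement applies?) for each constructed case."""
    return [(name, condition_met(CONDITION, create_tags_context(res, new)))
            for name, res, new in CASES]

if __name__ == "__main__":
    for name, applies in decisions():
        print(f"{'applies' if applies else 'no match':9} {name}")
```

Only the first case satisfies the statement, which is why AMIs that lack the CreatedBy: EC2 Image Builder tag stay outside the reach of lifecycle tagging.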

EC2InstanceProfileForImageBuilder policy

The EC2InstanceProfileForImageBuilder policy grants the minimum permissions required for an EC2 instance to work with Image Builder. This does not include permissions required to use the Systems Manager Agent.

Permissions details

This policy includes the following permissions:

  • CloudWatch Logs – Access is granted to create and upload CloudWatch Logs to any log group whose name starts with /aws/imagebuilder/.

  • Image Builder – Access is granted to get any Image Builder component.

  • AWS KMS – Access is granted to decrypt an Image Builder component, if it was encrypted via AWS KMS.

  • Amazon S3 – Access is granted to get objects stored in an Amazon S3 bucket whose name starts with ec2imagebuilder-.

Policy example

The following is an example of the EC2InstanceProfileForImageBuilder policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["imagebuilder:GetComponent"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "kms:EncryptionContextKeys": "aws:imagebuilder:arn",
                    "aws:CalledVia": ["imagebuilder.amazonaws.com"]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::ec2imagebuilder*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*"
        }
    ]
}

EC2InstanceProfileForImageBuilderECRContainerBuilds policy

The EC2InstanceProfileForImageBuilderECRContainerBuilds policy grants the minimum permissions required for an EC2 instance when working with Image Builder to build Docker images and then register and store the images in an Amazon ECR container repository. This does not include permissions required to use the Systems Manager Agent.

Permissions details

This policy includes the following permissions:

  • CloudWatch Logs – Access is granted to create and upload CloudWatch Logs to any log group whose name starts with /aws/imagebuilder/.

  • Amazon ECR – Access is granted for Amazon ECR to get, register, and store a container image, and to get an authorization token.

  • Image Builder – Access is granted to get an Image Builder component or container recipe.

  • AWS KMS – Access is granted to decrypt an Image Builder component or container recipe, if it was encrypted via AWS KMS.

  • Amazon S3 – Access is granted to get objects stored in an Amazon S3 bucket whose name starts with ec2imagebuilder-.

Policy example

The following is an example of the EC2InstanceProfileForImageBuilderECRContainerBuilds policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "imagebuilder:GetComponent",
                "imagebuilder:GetContainerRecipe",
                "ecr:GetAuthorizationToken",
                "ecr:BatchGetImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:PutImage"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "kms:EncryptionContextKeys": "aws:imagebuilder:arn",
                    "aws:CalledVia": ["imagebuilder.amazonaws.com"]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::ec2imagebuilder*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*"
        }
    ]
}

Image Builder updates to AWS managed policies

This section provides information about updates to AWS managed policies for Image Builder since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Image Builder document history page.

Change Description Date

EC2ImageBuilderLifecycleExecutionPolicy – New policy

Image Builder added the new EC2ImageBuilderLifecycleExecutionPolicy policy that contains permissions for image lifecycle management.

November 17, 2023

AWSServiceRoleForImageBuilder – Update to an existing policy

Image Builder made the following changes to the service role to provide instance placement support.

  • Added ec2:DescribeHosts to enable Image Builder to poll the hostId to determine when it's in a valid state to launch an instance.

  • Added the ssm:GetCommandInvocation API action to improve the method that Image Builder uses to get details of the command invocation.

October 19, 2023

AWSServiceRoleForImageBuilder – Update to an existing policy

Image Builder made the following changes to the service role to provide instance placement support.

  • Added ec2:DescribeHosts to enable Image Builder to poll the hostId to determine when it's in a valid state to launch an instance.

  • Added the ssm:GetCommandInvocation API action to improve the method that Image Builder uses to get details of the command invocation.

September 28, 2023

AWSServiceRoleForImageBuilder – Update to an existing policy

Image Builder made the following changes to the service role to allow Image Builder workflows to collect vulnerability findings for both AMI and ECR container image builds. The new permissions support the CVE detection and reporting feature.

  • Added inspector2:ListCoverage and inspector2:ListFindings to allow Image Builder to determine when Amazon Inspector completes test instance scans, and to collect findings for images that are configured to allow it.

  • Added ecr:CreateRepository, with a requirement for Image Builder to tag the repository with CreatedBy: EC2 Image Builder (tag-on-create). Also added ecr:TagResource (required for tag-on-create) with the same CreatedBy tag constraint, and an additional constraint that requires the repository name to start with image-builder-*. The name constraint prevents the escalation of privileges and prevents changes to repositories that Image Builder didn't create.

  • Added ecr:BatchDeleteImage for ECR repositories tagged with CreatedBy: EC2 Image Builder. This permission requires the repository name to start with image-builder-*.

  • Added event permissions for Image Builder to create and manage Amazon EventBridge managed rules that include ImageBuilder-* in the name.

March 30, 2023

AWSServiceRoleForImageBuilder – Update to an existing policy

Image Builder made the following changes to the service role:

  • Added License Manager licenses as a resource for the ec2:RunInstances call to allow customers to use base image AMIs that are associated with a license configuration.

March 22, 2022

AWSServiceRoleForImageBuilder – Update to an existing policy

Image Builder made the following changes to the service role:

  • Added permissions for the EC2 EnableFastLaunch API action, to enable and disable faster launching for Windows instances.

  • Further tightened scope for the ec2:CreateTags action and resource tag conditions.

February 21, 2022

AWSServiceRoleForImageBuilder – Update to an existing policy

Image Builder made the following changes to the service role:

  • Added permissions to call the VMIE service to import a VM and create a base AMI from it.

  • Tightened scope for the ec2:CreateTags action and resource tag conditions.

November 20, 2021

AWSServiceRoleForImageBuilder – Update to an existing policy

Image Builder added new permissions to fix issues where more than one inventory association causes the image build to get stuck.

August 11, 2021

AWSImageBuilderFullAccess – Update to an existing policy

Image Builder made the following changes to the full access role:

  • Added permissions to allow ec2:DescribeInstanceTypeOfferings.

  • Added permissions to call ec2:DescribeInstanceTypeOfferings to enable the Image Builder console to accurately reflect the instance types that are available in the account.

April 13, 2021

Image Builder started tracking changes

Image Builder started tracking changes for its AWS managed policies.

April 02, 2021