Use AWS managed policies for EC2 Image Builder
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
AWSImageBuilderFullAccess policy
The AWSImageBuilderFullAccess policy grants full access to Image Builder resources for the role it's attached to, allowing the role to list, describe, create, update, and delete Image Builder resources. The policy also grants targeted permissions to related AWS services that are needed, for example, to verify resources, or to display current resources for the account in the AWS Management Console.
Permissions details
This policy includes the following permissions:
-
Image Builder – Administrative access is granted, so that the role can list, describe, create, update, and delete Image Builder resources.
-
Amazon EC2 – Access is granted for Amazon EC2 Describe actions that are needed to verify resource existence or get lists of resources belonging to the account.
-
IAM – Access is granted to get and use instance profiles whose name contains "imagebuilder", to verify the existence of the Image Builder service-linked role via the
iam:GetRole
API action, and to create the Image Builder service-linked role. -
License Manager – Access is granted to list license configurations or licenses for a resource.
-
Amazon S3 – Access is granted to list buckets belonging to the account, and also Image Builder buckets with "imagebuilder" in their names.
-
Amazon SNS – Write permissions are granted to Amazon SNS to verify topic ownership for topics containing "imagebuilder".
Policy example
The following is an example of the AWSImageBuilderFullAccess policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "imagebuilder:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:ListTopics" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "arn:aws:sns:*:*:*imagebuilder*" }, { "Effect": "Allow", "Action": [ "license-manager:ListLicenseConfigurations", "license-manager:ListLicenseSpecificationsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder" }, { "Effect": "Allow", "Action": [ "iam:GetInstanceProfile" ], "Resource": "arn:aws:iam::*:instance-profile/*imagebuilder*" }, { "Effect": "Allow", "Action": [ "iam:ListInstanceProfiles", "iam:ListRoles" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:instance-profile/*imagebuilder*", "arn:aws:iam::*:role/*imagebuilder*" ], "Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": "arn:aws:s3::*:*imagebuilder*" }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder", "Condition": { "StringLike": { "iam:AWSServiceName": "imagebuilder.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "ec2:DescribeImages", "ec2:DescribeSnapshots", "ec2:DescribeVpcs", "ec2:DescribeRegions", "ec2:DescribeVolumes", "ec2:DescribeSubnets", "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeLaunchTemplates" ], "Resource": "*" } ] }
AWSImageBuilderReadOnlyAccess policy
The AWSImageBuilderReadOnlyAccess policy provides
read-only access to all Image Builder resources. Permissions are granted to verify that the
Image Builder service-linked role exists via the iam:GetRole
API action.
Permissions details
This policy includes the following permissions:
-
Image Builder – Access is granted for read-only access to Image Builder resources.
-
IAM – Access is granted to verify the existence of the Image Builder service-linked role via the
iam:GetRole
API action.
Policy example
The following is an example of the AWSImageBuilderReadOnlyAccess policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "imagebuilder:Get*", "imagebuilder:List*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder" } ] }
AWSServiceRoleForImageBuilder policy
The AWSServiceRoleForImageBuilder policy allows Image Builder to call AWS services on your behalf.
Permissions details
This policy is attached to the Image Builder service-linked role when the role is created through Systems Manager. For more information about the Image Builder service-linked role, see Use IAM service-linked roles for Image Builder.
The policy includes the following permissions:
-
CloudWatch Logs – Access is granted to create and upload CloudWatch Logs to any log group whose name starts with
/aws/imagebuilder/
. -
Amazon EC2 – Access is granted for Image Builder to create images and launch EC2 instances in your account, using related snapshots, volumes, network interfaces, subnets, security groups, license configuration and key pairs as required, as long as the image, instance, and volumes that are being created or used are tagged with
CreatedBy: EC2 Image Builder
orCreatedBy: EC2 Fast Launch
.Image Builder can get information about Amazon EC2 images, instance attributes, instance status, the instance types that are available to your account, launch templates, subnets, hosts, and tags on your Amazon EC2 resources.
Image Builder can update image settings to enable or disable faster launching of Windows instances in your account, where the image is tagged with
CreatedBy: EC2 Image Builder
.Additionally, Image Builder can start, stop, and terminate instances that are running in your account, share Amazon EBS snapshots, create and update images and launch templates, de-register existing images, add tags, and replicate images across accounts that you have granted permissions to via the Ec2ImageBuilderCrossAccountDistributionAccess policy. Image Builder tagging is required for all of these actions, as described previously.
-
Amazon ECR – Access is granted for Image Builder to create a repository if needed for container image vulnerability scans, and tag the resources it creates to limit the scope of its operations. Access is also granted for Image Builder to delete the container images that it created for the scans after it takes snapshots of the vulnerabilities.
-
EventBridge – Access is granted for Image Builder to create and manage EventBridge rules.
-
IAM – Access is granted for Image Builder to pass any role in your account to Amazon EC2, and to VM Import/Export.
-
Amazon Inspector – Access is granted for Image Builder to determine when Amazon Inspector completes build instance scans, and to collect findings for images that are configured to allow it.
-
AWS KMS – Access is granted for Amazon EBS to encrypt, decrypt, or re-encrypt Amazon EBS volumes. This is crucial to ensure that encrypted volumes work when Image Builder builds an image.
-
License Manager – Access is granted for Image Builder to update License Manager specifications via
license-manager:UpdateLicenseSpecificationsForResource
. -
Amazon SNS – Write permissions are granted for any Amazon SNS topic in your account.
-
Systems Manager – Access is granted for Image Builder to list Systems Manager commands and their invocations, inventory entries , describe instance information and automation execution statuses, describe hosts for instance placement support, and get command invocation details. Image Builder can also send automation signals, and stop automation executions for any resource in your account.
Image Builder is able to issue run command invocations to any instance that is tagged
"CreatedBy": "EC2 Image Builder"
for the following script files:AWS-RunPowerShellScript
,AWS-RunShellScript
, orAWSEC2-RunSysprep
. Image Builder is able to start an Systems Manager automation execution in your account for automation documents where the name starts withImageBuilder
.Image Builder is also able to create or delete State Manager associations for any instance in your account, as long as the association document is
AWS-GatherSoftwareInventory
, and to create the Systems Manager service-linked role in your account. -
AWS STS – Access is granted for Image Builder to assume roles named EC2ImageBuilderDistributionCrossAccountRole from your account to any account where the Trust policy on the role permits it. This is used for cross-account image distribution.
To view the permissions for this policy, see AWSServiceRoleForImageBuilder in the AWS Managed Policy Reference.
Ec2ImageBuilderCrossAccountDistributionAccess policy
The Ec2ImageBuilderCrossAccountDistributionAccess
policy grants permissions for Image Builder to distribute images across accounts in target Regions.
Additionally, Image Builder can describe, copy, and apply tags to any Amazon EC2 image in the account.
The policy also grants the ability to modify AMI permissions via the
ec2:ModifyImageAttribute
API action.
Permissions details
This policy includes the following permissions:
-
Amazon EC2 – Access is granted for Amazon EC2 to describe, copy, and modify attributes for an image, and to create tags for any Amazon EC2 images in the account.
Policy example
The following is an example of the Ec2ImageBuilderCrossAccountDistributionAccess policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*::image/*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeImages", "ec2:CopyImage", "ec2:ModifyImageAttribute" ], "Resource": "*" } ] }
EC2ImageBuilderLifecycleExecutionPolicy policy
The EC2ImageBuilderLifecycleExecutionPolicy policy grants permissions for Image Builder to perform actions such as deprecate, disable, or delete Image Builder image resources and their underlying resources (AMIs, snapshots) to support automated rules for image lifecycle management tasks.
Permissions details
This policy includes the following permissions:
-
Amazon EC2 – Access is granted for Amazon EC2 to perform the following actions for Amazon Machine Images (AMIs) in the account that are tagged with
CreatedBy: EC2 Image Builder
.-
Enable and disable an AMI.
-
Enable and disable image deprecation.
-
Describe and deregister an AMI.
-
Describe and modify AMI image attributes.
-
Delete volume snapshots that are associated with the AMI.
-
Retrieve tags for a resource.
-
Add or remove tags from an AMI for deprecation.
-
-
Amazon ECR – Access is granted for Amazon ECR to perform the following batch actions on ECR repositories with the
LifecycleExecutionAccess: EC2 Image Builder
tag. Batch actions support automated container image lifecycle rules.-
ecr:BatchGetImage
-
ecr:BatchDeleteImage
Access is granted at the repository level for ECR repositories that are tagged with
LifecycleExecutionAccess: EC2 Image Builder
. -
-
AWS Resource groups – Access is granted for Image Builder to get resources based on tags.
-
EC2 Image Builder – Access is granted for Image Builder to delete Image Builder image resources.
Policy example
The following is an example of the EC2ImageBuilderLifecycleExecutionPolicy policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Ec2ImagePermission", "Effect": "Allow", "Action": [ "ec2:EnableImage", "ec2:DeregisterImage", "ec2:EnableImageDeprecation", "ec2:DescribeImageAttribute", "ec2:DisableImage", "ec2:DisableImageDeprecation" ], "Resource": "arn:aws:ec2:*::image/*", "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "EC2 Image Builder" } } }, { "Sid": "EC2DeleteSnapshotPermission", "Effect": "Allow", "Action": "ec2:DeleteSnapshot", "Resource": "arn:aws:ec2:*::snapshot/*", "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "EC2 Image Builder" } } }, { "Sid": "EC2TagsPermission", "Effect": "Allow", "Action": [ "ec2:DeleteTags", "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*::image/*" ], "Condition": { "StringEquals": { "aws:RequestTag/DeprecatedBy": "EC2 Image Builder", "aws:ResourceTag/CreatedBy": "EC2 Image Builder" }, "ForAllValues:StringEquals": { "aws:TagKeys": "DeprecatedBy" } } }, { "Sid": "ECRImagePermission", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:BatchDeleteImage" ], "Resource": "arn:aws:ecr:*:*:repository/*", "Condition": { "StringEquals": { "ecr:ResourceTag/LifecycleExecutionAccess": "EC2 Image Builder" } } }, { "Sid": "ImageBuilderEC2TagServicePermission", "Effect": "Allow", "Action": [ "ec2:DescribeImages", "tag:GetResources", "imagebuilder:DeleteImage" ], "Resource": "*" } ] }
EC2InstanceProfileForImageBuilder policy
The EC2InstanceProfileForImageBuilder policy grants the minimum permissions required for an EC2 instance to work with Image Builder. This does not include permissions required to use the Systems Manager Agent.
Permissions details
This policy includes the following permissions:
-
CloudWatch Logs – Access is granted to create and upload CloudWatch Logs to any log group whose name starts with
/aws/imagebuilder/
. -
Image Builder – Access is granted to get any Image Builder component.
-
AWS KMS – Access is granted to decrypt an Image Builder component, if it was encrypted via AWS KMS.
-
Amazon S3 – Access is granted to get objects stored in an Amazon S3 bucket whose name starts with
ec2imagebuilder-
.
Policy example
The following is an example of the EC2InstanceProfileForImageBuilder policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "imagebuilder:GetComponent" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "kms:EncryptionContextKeys": "aws:imagebuilder:arn", "aws:CalledVia": [ "imagebuilder.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::ec2imagebuilder*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*" } ] }
EC2InstanceProfileForImageBuilderECRContainerBuilds policy
The EC2InstanceProfileForImageBuilderECRContainerBuilds policy grants the minimum permissions required for an EC2 instance when working with Image Builder to build Docker images and then register and store the images in an Amazon ECR container repository. This does not include permissions required to use the Systems Manager Agent.
Permissions details
This policy includes the following permissions:
-
CloudWatch Logs – Access is granted to create and upload CloudWatch Logs to any log group whose name starts with
/aws/imagebuilder/
. -
Amazon ECR – Access is granted for Amazon ECR to get, register, and store a container image, and to get an authorization token.
-
Image Builder – Access is granted to get an Image Builder component or container recipe.
-
AWS KMS – Access is granted to decrypt an Image Builder component or container recipe, if it was encrypted via AWS KMS.
-
Amazon S3 – Access is granted to get objects stored in an Amazon S3 bucket whose name starts with
ec2imagebuilder-
.
Policy example
The following is an example of the EC2InstanceProfileForImageBuilderECRContainerBuilds policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "imagebuilder:GetComponent", "imagebuilder:GetContainerRecipe", "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:PutImage" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "kms:EncryptionContextKeys": "aws:imagebuilder:arn", "aws:CalledVia": [ "imagebuilder.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::ec2imagebuilder*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*" } ] }
Image Builder updates to AWS managed policies
This section provides information about updates to AWS managed policies for Image Builder since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Image Builder document history page.
Change | Description | Date |
---|---|---|
EC2ImageBuilderLifecycleExecutionPolicy – New policy |
Image Builder added the new |
November 17, 2023 |
AWSServiceRoleForImageBuilder – Update to an existing policy |
Image Builder made the following changes to the service role to provide instance placement support.
|
October 19, 2023 |
AWSServiceRoleForImageBuilder – Update to an existing policy |
Image Builder made the following changes to the service role to provide instance placement support.
|
September 28, 2023 |
AWSServiceRoleForImageBuilder – Update to an existing policy |
Image Builder made the following changes to the service role to allow Image Builder workflows to collect vulnerability findings for both AMI and ECR container image builds. The new permissions support the CVE detection and reporting feature.
|
March 30, 2023 |
AWSServiceRoleForImageBuilder – Update to an existing policy |
Image Builder made the following changes to the service role:
|
March 22, 2022 |
AWSServiceRoleForImageBuilder – Update to an existing policy |
Image Builder made the following changes to the service role:
|
February 21, 2022 |
AWSServiceRoleForImageBuilder – Update to an existing policy |
Image Builder made the following changes to the service role:
|
November 20, 2021 |
AWSServiceRoleForImageBuilder – Update to an existing policy |
Image Builder added new permissions to fix issues where more than one inventory association causes the image build to get stuck. |
August 11, 2021 |
AWSImageBuilderFullAccess – Update to an existing policy |
Image Builder made the following changes to the full access role:
|
April 13, 2021 |
Image Builder started tracking changes |
Image Builder started tracking changes for its AWS managed policies. |
April 02, 2021 |