Amazon Elastic Compute Cloud
API Reference (API Version 2016-11-15)
AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.

Granting IAM Users Required Permissions for Amazon EC2 Resources

By default, AWS Identity and Access Management (IAM) users don't have permission to create or modify Amazon EC2 resources, or perform tasks using the Amazon EC2 API. To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant IAM users permissions for the specific resources and API actions they'll need to use, and then attach those policies to the IAM users or groups that require those permissions.

When you make an API request, the parameters that you specify in the request determine which resources an IAM user must have permission to use. If the user doesn't have the required permissions, the request fails. For example, if you use RunInstances to launch an instance in a subnet (by specifying the SubnetId parameter), an IAM user must have permission to use the VPC.

Resource-level permissions refers to the ability to specify which resources users are allowed to perform actions on. Amazon EC2 has partial support for resource-level permissions. This means that for certain Amazon EC2 actions, you can control when users are allowed to use those actions based on conditions that have to be fulfilled, or specific resources that users are allowed to use. For example, you can grant users permission to launch instances, but only of a specific type, and only using a specific AMI.

For more information about the resources that are created or modified by the Amazon EC2 actions, and the ARNs and Amazon EC2 condition keys that you can use in an IAM policy statement, see Actions, Resources, and Condition Keys for Amazon EC2 in the IAM User Guide.

For more information and for example policies, see IAM Policies for Amazon EC2 in the Amazon EC2 User Guide.