Example policies to control access the Amazon EC2 API - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Example policies to control access the Amazon EC2 API

You can use IAM policies to grant users the permissions required to work with Amazon EC2. For step-by-step directions, see Creating IAM policies in the IAM User Guide.

The following examples show policy statements that you could use to grant users permissions to use Amazon EC2. These policies are designed for requests that are made using the Amazon CLI or an Amazon SDK. In the following examples, replace each user input placeholder with your own information.

For example policies for working in the Amazon EC2 console, see Example policies to control access to the Amazon EC2 console.

Example: Read-only access

The following policy grants users permissions to use all Amazon EC2 API actions whose names begin with Describe. The Resource element uses a wildcard to indicate that users can specify all resources with these API actions. The * wildcard is also necessary in cases where the API action does not support resource-level permissions. For more information about which ARNs you can use with which Amazon EC2 API actions, see Actions, resources, and condition keys for Amazon EC2.

Users don't have permission to perform any actions on the resources (unless another statement grants them permission to do so) because they're denied permission to use API actions by default.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" } ] }

Example: Restrict access to a specific Region

The following policy denies users permission to use all Amazon EC2 API actions unless the Region is Europe (Frankfurt). It uses the global condition key aws:RequestedRegion, which is supported by all Amazon EC2 API actions.

{ "Version":"2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "ec2:*", "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": "eu-central-1" } } } ] }

Alternatively, you can use the condition key ec2:Region, which is specific to Amazon EC2 and is supported by all Amazon EC2 API actions.

{ "Version":"2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "ec2:*", "Resource": "*", "Condition": { "StringNotEquals": { "ec2:Region": "eu-central-1" } } } ] }

Work with instances

Example: Describe, launch, stop, start, and terminate all instances

The following policy grants users permissions to use the API actions specified in the Action element. The Resource element uses a * wildcard to indicate that users can specify all resources with these API actions. The * wildcard is also necessary in cases where the API action does not support resource-level permissions. For more information about which ARNs you can use with which Amazon EC2 API actions, see Actions, resources, and condition keys for Amazon EC2.

The users don't have permission to use any other API actions (unless another statement grants them permission to do so) because users are denied permission to use API actions by default.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeAvailabilityZones", "ec2:RunInstances", "ec2:TerminateInstances", "ec2:StopInstances", "ec2:StartInstances" ], "Resource": "*" } ] }

Example: Describe all instances, and stop, start, and terminate only particular instances

The following policy allows users to describe all instances, to start and stop only instances i-1234567890abcdef0 and i-0598c7d356eba48d7, and to terminate only instances in the US East (N. Virginia) Region (us-east-1) with the resource tag "purpose=test".

The first statement uses a * wildcard for the Resource element to indicate that users can specify all resources with the action; in this case, they can list all instances. The * wildcard is also necessary in cases where the API action does not support resource-level permissions (in this case, ec2:DescribeInstances). For more information about which ARNs you can use with which Amazon EC2 API actions, see Actions, resources, and condition keys for Amazon EC2.

The second statement uses resource-level permissions for the StopInstances and StartInstances actions. The specific instances are indicated by their ARNs in the Resource element.

The third statement allows users to terminate all instances in the US East (N. Virginia) Region (us-east-1) that belong to the specified Amazon account, but only where the instance has the tag "purpose=test". The Condition element qualifies when the policy statement is in effect.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:StopInstances", "ec2:StartInstances" ], "Resource": [ "arn:aws-cn:ec2:us-east-1:account-id:instance/i-1234567890abcdef0", "arn:aws-cn:ec2:us-east-1:account-id:instance/i-0598c7d356eba48d7" ] }, { "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "arn:aws-cn:ec2:us-east-1:account-id:instance/*", "Condition": { "StringEquals": { "aws:ResourceTag/purpose": "test" } } } ] }

Launch instances (RunInstances)

The RunInstances API action launches one or more On-Demand Instances or one or more Spot Instances. RunInstances requires an AMI and creates an instance. Users can specify a key pair and security group in the request. Launching into a VPC requires a subnet, and creates a network interface. Launching from an Amazon EBS-backed AMI creates a volume. Therefore, the user must have permissions to use these Amazon EC2 resources. You can create a policy statement that requires users to specify an optional parameter on RunInstances, or restricts users to particular values for a parameter.

For more information about the resource-level permissions that are required to launch an instance, see Actions, resources, and condition keys for Amazon EC2.

By default, users don't have permissions to describe, start, stop, or terminate the resulting instances. One way to grant the users permission to manage the resulting instances is to create a specific tag for each instance, and then create a statement that enables them to manage instances with that tag. For more information, see Work with instances.

AMIs

The following policy allows users to launch instances using only the specified AMIs, ami-9e1670f7 and ami-45cf5c3c. The users can't launch an instance using other AMIs (unless another statement grants the users permission to do so).

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws-cn:ec2:region::image/ami-9e1670f7", "arn:aws-cn:ec2:region::image/ami-45cf5c3c", "arn:aws-cn:ec2:region:account-id:instance/*", "arn:aws-cn:ec2:region:account-id:volume/*", "arn:aws-cn:ec2:region:account-id:key-pair/*", "arn:aws-cn:ec2:region:account-id:security-group/*", "arn:aws-cn:ec2:region:account-id:subnet/*", "arn:aws-cn:ec2:region:account-id:network-interface/*" ] } ] }

Alternatively, the following policy allows users to launch instances from all AMIs owned by Amazon, or certain trusted and verified partners. The Condition element of the first statement tests whether ec2:Owner is amazon. The users can't launch an instance using other AMIs (unless another statement grants the users permission to do so).

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws-cn:ec2:region::image/ami-*" ], "Condition": { "StringEquals": { "ec2:Owner": "amazon" } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws-cn:ec2:region:account-id:instance/*", "arn:aws-cn:ec2:region:account-id:subnet/*", "arn:aws-cn:ec2:region:account-id:volume/*", "arn:aws-cn:ec2:region:account-id:network-interface/*", "arn:aws-cn:ec2:region:account-id:key-pair/*", "arn:aws-cn:ec2:region:account-id:security-group/*" ] } ] }

Instance types

The following policy allows users to launch instances using only the t2.micro or t2.small instance type, which you might do to control costs. The users can't launch larger instances because the Condition element of the first statement tests whether ec2:InstanceType is either t2.micro or t2.small.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws-cn:ec2:region:account-id:instance/*" ], "Condition": { "StringEquals": { "ec2:InstanceType": ["t2.micro", "t2.small"] } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws-cn:ec2:region::image/ami-*", "arn:aws-cn:ec2:region:account-id:subnet/*", "arn:aws-cn:ec2:region:account-id:network-interface/*", "arn:aws-cn:ec2:region:account-id:volume/*", "arn:aws-cn:ec2:region:account-id:key-pair/*", "arn:aws-cn:ec2:region:account-id:security-group/*" ] } ] }

Alternatively, you can create a policy that denies users permissions to launch any instances except t2.micro and t2.small instance types.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": [ "arn:aws-cn:ec2:region:account-id:instance/*" ], "Condition": { "StringNotEquals": { "ec2:InstanceType": ["t2.micro", "t2.small"] } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws-cn:ec2:region::image/ami-*", "arn:aws-cn:ec2:region:account-id:network-interface/*", "arn:aws-cn:ec2:region:account-id:instance/*", "arn:aws-cn:ec2:region:account-id:subnet/*", "arn:aws-cn:ec2:region:account-id:volume/*", "arn:aws-cn:ec2:region:account-id:key-pair/*", "arn:aws-cn:ec2:region:account-id:security-group/*" ] } ] }

Subnets

The following policy allows users to launch instances using only the specified subnet, subnet-12345678. The group can't launch instances into any another subnet (unless another statement grants the users permission to do so).

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws-cn:ec2:region:account-id:subnet/subnet-12345678", "arn:aws-cn:ec2:region:account-id:network-interface/*", "arn:aws-cn:ec2:region:account-id:instance/*", "arn:aws-cn:ec2:region:account-id:volume/*", "arn:aws-cn:ec2:region::image/ami-*", "arn:aws-cn:ec2:region:account-id:key-pair/*", "arn:aws-cn:ec2:region:account-id:security-group/*" ] } ] }

Alternatively, you could create a policy that denies users permissions to launch an instance into any other subnet. The statement does this by denying permission to create a network interface, except where subnet subnet-12345678 is specified. This denial overrides any other policies that are created to allow launching instances into other subnets.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": [ "arn:aws-cn:ec2:region:account-id:network-interface/*" ], "Condition": { "ArnNotEquals": { "ec2:Subnet": "arn:aws-cn:ec2:region:account-id:subnet/subnet-12345678" } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws-cn:ec2:region::image/ami-*", "arn:aws-cn:ec2:region:account-id:network-interface/*", "arn:aws-cn:ec2:region:account-id:instance/*", "arn:aws-cn:ec2:region:account-id:subnet/*", "arn:aws-cn:ec2:region:account-id:volume/*", "arn:aws-cn:ec2:region:account-id:key-pair/*", "arn:aws-cn:ec2:region:account-id:security-group/*" ] } ] }

EBS volumes

The following policy allows users to launch instances only if the EBS volumes for the instance are encrypted. The user must launch an instance from an AMI that was created with encrypted snapshots, to ensure that the root volume is encrypted. Any additional volume that the user attaches to the instance during launch must also be encrypted.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:*:*:volume/*" ], "Condition": { "Bool": { "ec2:Encrypted": "true" } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:*::image/ami-*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:key-pair/*", "arn:aws:ec2:*:*:security-group/*" ] } ] }

Tags

Tag instances on creation

The following policy allows users to launch instances and tag the instances during creation. For resource-creating actions that apply tags, users must have permissions to use the CreateTags action. The second statement uses the ec2:CreateAction condition key to allow users to create tags only in the context of RunInstances, and only for instances. Users cannot tag existing resources, and users cannot tag volumes using the RunInstances request.

For more information, see Grant permission to tag Amazon EC2 resources during creation.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:us-east-1:account-id:instance/*", "Condition": { "StringEquals": { "ec2:CreateAction" : "RunInstances" } } } ] }

Tag instances and volumes on creation with specific tags

The following policy includes the aws:RequestTag condition key that requires users to tag any instances and volumes that are created by RunInstances with the tags environment=production and purpose=webserver. If users don't pass these specific tags, or if they don't specify tags at all, the request fails.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:region::image/*", "arn:aws:ec2:region:account-id:subnet/*", "arn:aws:ec2:region:account-id:network-interface/*", "arn:aws:ec2:region:account-id:security-group/*", "arn:aws:ec2:region:account-id:key-pair/*" ] }, { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:region:account-id:volume/*", "arn:aws:ec2:region:account-id:instance/*" ], "Condition": { "StringEquals": { "aws:RequestTag/environment": "production" , "aws:RequestTag/purpose": "webserver" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account-id:*/*", "Condition": { "StringEquals": { "ec2:CreateAction" : "RunInstances" } } } ] }

Tag instances and volumes on creation with at least one specific tag

The following policy uses the ForAnyValue modifier on the aws:TagKeys condition to indicate that at least one tag must be specified in the request, and it must contain the key environment or webserver. The tag must be applied to both instances and volumes. Any tag values can be specified in the request.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:region::image/*", "arn:aws:ec2:region:account-id:subnet/*", "arn:aws:ec2:region:account-id:network-interface/*", "arn:aws:ec2:region:account-id:security-group/*", "arn:aws:ec2:region:account-id:key-pair/*" ] }, { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:region:account-id:volume/*", "arn:aws:ec2:region:account-id:instance/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": ["environment","webserver"] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account-id:*/*", "Condition": { "StringEquals": { "ec2:CreateAction" : "RunInstances" } } } ] }

If instances are tagged on creation, they must be tagged with a specific tag

In the following policy, users do not have to specify tags in the request, but if they do, the tag must be purpose=test. No other tags are allowed. Users can apply the tags to any taggable resource in the RunInstances request.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account-id:*/*", "Condition": { "StringEquals": { "aws:RequestTag/purpose": "test", "ec2:CreateAction" : "RunInstances" }, "ForAllValues:StringEquals": { "aws:TagKeys": "purpose" } } } ] }

To disallow anyone called tag on create for RunInstances

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowRun", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:us-east-1::image/*", "arn:aws:ec2:us-east-1:*:subnet/*", "arn:aws:ec2:us-east-1:*:network-interface/*", "arn:aws:ec2:us-east-1:*:security-group/*", "arn:aws:ec2:us-east-1:*:key-pair/*", "arn:aws:ec2:us-east-1:*:volume/*", "arn:aws:ec2:us-east-1:*:instance/*", "arn:aws:ec2:us-east-1:*:spot-instances-request/*" ] }, { "Sid": "VisualEditor0", "Effect": "Deny", "Action": "ec2:CreateTags", "Resource": "*" } ] }

Only allow specific tags for spot-instances-request. Surprise inconsistency number 2 comes into play here. Under normal circumstances, specifying no tags will result in Unauthenticated. In the case of spot-instances-request, this policy will not be evaluated if there are no spot-instances-request tags, so a non-tag Spot on Run request will succeed.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowRun", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:us-east-1::image/*", "arn:aws:ec2:us-east-1:*:subnet/*", "arn:aws:ec2:us-east-1:*:network-interface/*", "arn:aws:ec2:us-east-1:*:security-group/*", "arn:aws:ec2:us-east-1:*:key-pair/*", "arn:aws:ec2:us-east-1:*:volume/*", "arn:aws:ec2:us-east-1:*:instance/*", ] }, { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:us-east-1:*:spot-instances-request/*", "Condition": { "StringEquals": { "aws:RequestTag/environment": "production" } } } ] }

Tags in a launch template

In the following example, users can launch instances, but only if they use a specific launch template (lt-09477bcd97b0d310e). The ec2:IsLaunchTemplateResource condition key prevents users from overriding any of the resources specified in the launch template. The second part of the statement allows users to tag instances on creation—this part of the statement is necessary if tags are specified for the instance in the launch template.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "ArnLike": { "ec2:LaunchTemplate": "arn:aws:ec2:region:account-id:launch-template/lt-09477bcd97b0d310e" }, "Bool": { "ec2:IsLaunchTemplateResource": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account-id:instance/*", "Condition": { "StringEquals": { "ec2:CreateAction" : "RunInstances" } } } ] }

Elastic GPUs

In the following policy, users can launch an instance and specify an elastic GPU to attach to the instance. Users can launch instances in any Region, but they can only attach an elastic GPU during a launch in the us-east-2 Region.

The ec2:ElasticGpuType condition key ensures that instances use either the eg1.medium or eg1.large elastic GPU type.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*:account-id:elastic-gpu/*" ], "Condition": { "StringEquals": { "ec2:Region": "us-east-2", "ec2:ElasticGpuType": [ "eg1.medium", "eg1.large" ] } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:*::image/ami-*", "arn:aws:ec2:*:account-id:network-interface/*", "arn:aws:ec2:*:account-id:instance/*", "arn:aws:ec2:*:account-id:subnet/*", "arn:aws:ec2:*:account-id:volume/*", "arn:aws:ec2:*:account-id:key-pair/*", "arn:aws:ec2:*:account-id:security-group/*" ] } ] }

Launch templates

In the following example, users can launch instances, but only if they use a specific launch template (lt-09477bcd97b0d310e). Users can override any parameters in the launch template by specifying the parameters in the RunInstances action.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "ArnLike": { "ec2:LaunchTemplate": "arn:aws:ec2:region:account-id:launch-template/lt-09477bcd97b0d310e" } } } ] }

In this example, users can launch instances only if they use a launch template. The policy uses the ec2:IsLaunchTemplateResource condition key to prevent users from overriding any pre-existing ARNs in the launch template.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "ArnLike": { "ec2:LaunchTemplate": "arn:aws:ec2:region:account-id:launch-template/*" }, "Bool": { "ec2:IsLaunchTemplateResource": "true" } } } ] }

The following example policy allows user to launch instances, but only if they use a launch template. Users cannot override the subnet and network interface parameters in the request; these parameters can only be specified in the launch template. The first part of the statement uses the NotResource element to allow all other resources except subnets and network interfaces. The second part of the statement allows the subnet and network interface resources, but only if they are sourced from the launch template.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "NotResource": ["arn:aws:ec2:region:account-id:subnet/*", "arn:aws:ec2:region:account-id:network-interface/*" ], "Condition": { "ArnLike": { "ec2:LaunchTemplate": "arn:aws:ec2:region:account-id:launch-template/*" } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": ["arn:aws:ec2:region:account-id:subnet/*", "arn:aws:ec2:region:account-id:network-interface/*" ], "Condition": { "ArnLike": { "ec2:LaunchTemplate": "arn:aws:ec2:region:account-id:launch-template/*" }, "Bool": { "ec2:IsLaunchTemplateResource": "true" } } } ] }

The following example allows users to launch instances only if they use a launch template, and only if the launch template has the tag Purpose=Webservers. Users cannot override any of the launch template parameters in the RunInstances action.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "NotResource": "arn:aws:ec2:region:account-id:launch-template/*", "Condition": { "ArnLike": { "ec2:LaunchTemplate": "arn:aws:ec2:region:account-id:launch-template/*" }, "Bool": { "ec2:IsLaunchTemplateResource": "true" } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:region:account-id:launch-template/*", "Condition": { "StringEquals": { "aws:ResourceTag/Purpose": "Webservers" } } } ] }

Work with Spot Instances

You can use the RunInstances action to create Spot Instance requests, and tag the Spot Instance requests on create. The resource to specify for RunInstances is spot-instances-request.

The spot-instances-request resource is evaluated in the IAM policy as follows:

  • If you don't tag a Spot Instance request on create, Amazon EC2 does not evaluate the spot-instances-request resource in the RunInstances statement.

  • If you tag a Spot Instance request on create, Amazon EC2 evaluates the spot-instances-request resource in the RunInstances statement.

Therefore, for the spot-instances-request resource, the following rules apply to the IAM policy:

  • If you use RunInstances to create a Spot Instance request and you don't intend to tag the Spot Instance request on create, you don’t need to explicitly allow the spot-instances-request resource; the call will succeed.

  • If you use RunInstances to create a Spot Instance request and intend to tag the Spot Instance request on create, you must include the spot-instances-request resource in the RunInstances allow statement, otherwise the call will fail.

  • If you use RunInstances to create a Spot Instance request and intend to tag the Spot Instance request on create, you must specify the spot-instances-request resource or * wildcard in the CreateTags allow statement, otherwise the call will fail.

You can request Spot Instances using RunInstances or RequestSpotInstances. The following example IAM policies apply only when requesting Spot Instances using RunInstances.

Example: Request Spot Instances using RunInstances

The following policy allows users to request Spot Instances by using the RunInstances action. The spot-instances-request resource, which is created by RunInstances, requests Spot Instances.

Note

To use RunInstances to create Spot Instance requests, you can omit spot-instances-request from the Resource list if you do not intend to tag the Spot Instance requests on create. This is because Amazon EC2 does not evaluate the spot-instances-request resource in the RunInstances statement if the Spot Instance request is not tagged on create.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowRun", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:us-east-1::image/*", "arn:aws:ec2:us-east-1:*:subnet/*", "arn:aws:ec2:us-east-1:*:network-interface/*", "arn:aws:ec2:us-east-1:*:security-group/*", "arn:aws:ec2:us-east-1:*:key-pair/*", "arn:aws:ec2:us-east-1:*:volume/*", "arn:aws:ec2:us-east-1:*:instance/*", "arn:aws:ec2:us-east-1:*:spot-instances-request/*" ] } ] }
Warning

NOT SUPPORTED – Example: Deny users permission to request Spot Instances using RunInstances

The following policy is not supported for the spot-instances-request resource.

The following policy is meant to give users the permission to launch On-Demand Instances, but deny users the permission to request Spot Instances. The spot-instances-request resource, which is created by RunInstances, is the resource that requests Spot Instances. The second statement is meant to deny the RunInstances action for the spot-instances-request resource. However, this condition is not supported because Amazon EC2 does not evaluate the spot-instances-request resource in the RunInstances statement if the Spot Instance request is not tagged on create.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowRun", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:us-east-1::image/*", "arn:aws:ec2:us-east-1:*:subnet/*", "arn:aws:ec2:us-east-1:*:network-interface/*", "arn:aws:ec2:us-east-1:*:security-group/*", "arn:aws:ec2:us-east-1:*:key-pair/*", "arn:aws:ec2:us-east-1:*:volume/*", "arn:aws:ec2:us-east-1:*:instance/*" ] }, { "Sid": "DenySpotInstancesRequests - NOT SUPPORTED - DO NOT USE!", "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:us-east-1:*:spot-instances-request/*" } ] }

Example: Tag Spot Instance requests on create

The following policy allows users to tag all resources that are created during instance launch. The first statement allows RunInstances to create the listed resources. The spot-instances-request resource, which is created by RunInstances, is the resource that requests Spot Instances. The second statement provides a * wildcard to allow all resources to be tagged when they are created at instance launch.

Note

If you tag a Spot Instance request on create, Amazon EC2 evaluates the spot-instances-request resource in the RunInstances statement. Therefore, you must explicitly allow the spot-instances-request resource for the RunInstances action, otherwise the call will fail.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowRun", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:us-east-1::image/*", "arn:aws:ec2:us-east-1:*:subnet/*", "arn:aws:ec2:us-east-1:*:network-interface/*", "arn:aws:ec2:us-east-1:*:security-group/*", "arn:aws:ec2:us-east-1:*:key-pair/*", "arn:aws:ec2:us-east-1:*:volume/*", "arn:aws:ec2:us-east-1:*:instance/*", "arn:aws:ec2:us-east-1:*:spot-instances-request/*" ] }, { "Sid": "TagResources", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "*" } ] }

Example: Deny tag on create for Spot Instance requests

The following policy denies users the permission to tag the resources that are created during instance launch.

The first statement allows RunInstances to create the listed resources. The spot-instances-request resource, which is created by RunInstances, is the resource that requests Spot Instances. The second statement provides a * wildcard to deny all resources being tagged when they are created at instance launch. If spot-instances-request or any other resource is tagged on create, the RunInstances call will fail.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowRun", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:us-east-1::image/*", "arn:aws:ec2:us-east-1:*:subnet/*", "arn:aws:ec2:us-east-1:*:network-interface/*", "arn:aws:ec2:us-east-1:*:security-group/*", "arn:aws:ec2:us-east-1:*:key-pair/*", "arn:aws:ec2:us-east-1:*:volume/*", "arn:aws:ec2:us-east-1:*:instance/*", "arn:aws:ec2:us-east-1:*:spot-instances-request/*" ] }, { "Sid": "DenyTagResources", "Effect": "Deny", "Action": "ec2:CreateTags", "Resource": "*" } ] }
Warning

NOT SUPPORTED – Example: Allow creating a Spot Instance request only if it is assigned a specific tag

The following policy is not supported for the spot-instances-request resource.

The following policy is meant to grant RunInstances the permission to create a Spot Instance request only if the request is tagged with a specific tag.

The first statement allows RunInstances to create the listed resources.

The second statement is meant to grant users the permission to create a Spot Instance request only if the request has the tag environment=production. If this condition is applied to other resources created by RunInstances, specifying no tags results in an Unauthenticated error. However, if no tags are specified for the Spot Instance request, Amazon EC2 does not evaluate the spot-instances-request resource in the RunInstances statement, which results in non-tagged Spot Instance requests being created by RunInstances.

Note that specifying another tag other than environment=production results in an Unauthenticated error, because if a user tags a Spot Instance request, Amazon EC2 evaluates the spot-instances-request resource in the RunInstances statement.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowRun", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:us-east-1::image/*", "arn:aws:ec2:us-east-1:*:subnet/*", "arn:aws:ec2:us-east-1:*:network-interface/*", "arn:aws:ec2:us-east-1:*:security-group/*", "arn:aws:ec2:us-east-1:*:key-pair/*", "arn:aws:ec2:us-east-1:*:volume/*", "arn:aws:ec2:us-east-1:*:instance/*" ] }, { "Sid": "RequestSpotInstancesOnlyIfTagIs_environment=production - NOT SUPPORTED - DO NOT USE!", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:us-east-1:*:spot-instances-request/*", "Condition": { "StringEquals": { "aws:RequestTag/environment": "production" } } }, { "Sid": "TagResources", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "*" } ] }

Example: Deny creating a Spot Instance request if it is assigned a specific tag

The following policy denies RunInstances the permission to create a Spot Instance request if the request is tagged with environment=production.

The first statement allows RunInstances to create the listed resources.

The second statement denies users the permission to create a Spot Instance request if the request has the tag environment=production. Specifying environment=production as a tag results in an Unauthenticated error. Specifying other tags or specifying no tags will result in the creation of a Spot Instance request.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowRun", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:us-east-1::image/*", "arn:aws:ec2:us-east-1:*:subnet/*", "arn:aws:ec2:us-east-1:*:network-interface/*", "arn:aws:ec2:us-east-1:*:security-group/*", "arn:aws:ec2:us-east-1:*:key-pair/*", "arn:aws:ec2:us-east-1:*:volume/*", "arn:aws:ec2:us-east-1:*:instance/*", "arn:aws:ec2:us-east-1:*:spot-instances-request/*" ] }, { "Sid": "DenySpotInstancesRequests", "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:us-east-1:*:spot-instances-request/*", "Condition": { "StringEquals": { "aws:RequestTag/environment": "production" } } }, { "Sid": "TagResources", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "*" } ] }

Example: Work with Reserved Instances

The following policy gives users permission to view, modify, and purchase Reserved Instances in your account.

It is not possible to set resource-level permissions for individual Reserved Instances. This policy means that users have access to all the Reserved Instances in the account.

The Resource element uses a * wildcard to indicate that users can specify all resources with the action; in this case, they can list and modify all Reserved Instances in the account. They can also purchase Reserved Instances using the account credentials. The * wildcard is also necessary in cases where the API action does not support resource-level permissions.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeReservedInstances", "ec2:ModifyReservedInstances", "ec2:PurchaseReservedInstancesOffering", "ec2:DescribeAvailabilityZones", "ec2:DescribeReservedInstancesOfferings" ], "Resource": "*" } ] }

To allow users to view and modify the Reserved Instances in your account, but not purchase new Reserved Instances.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeReservedInstances", "ec2:ModifyReservedInstances", "ec2:DescribeAvailabilityZones" ], "Resource": "*" } ] }

Example: Tag resources

The following policy allows users to use the CreateTags action to apply tags to an instance only if the tag contains the keyenvironment and the value production. No other tags are allowe and the user cannot tag any other resource types.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account-id:instance/*", "Condition": { "StringEquals": { "aws:RequestTag/environment": "production" } } } ] }

The following policy allows users to tag any taggable resource that already has a tag with a key of owner and a value of the username. In addition, users must specify a tag with a key of anycompany:environment-type and a value of either test or prod in the request. Users can specify additional tags in the request.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account-id:*/*", "Condition": { "StringEquals": { "aws:RequestTag/anycompany:environment-type": ["test","prod"], "aws:ResourceTag/owner": "${aws:username}" } } } ] }

You can create an IAM policy that allows users to delete specific tags for a resource. For example, the following policy allows users to delete tags for a volume if the tag keys specified in the request are environment or cost-center. Any value can be specified for the tag but the tag key must match either of the specified keys.

Note

If you delete a resource, all tags associated with the resource are also deleted. Users do not need permissions to use the ec2:DeleteTags action to delete a resource that has tags; they only need permissions to perform the deleting action.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:DeleteTags", "Resource": "arn:aws:ec2:us-east-1:account-id:volume/*", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": ["environment","cost-center"] } } } ] }

This policy allows users to delete only the environment=prod tag on any resource, and only if the resource is already tagged with a key of owner and a value of the username. Users can't delete any other tags for a resource.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DeleteTags" ], "Resource": "arn:aws:ec2:region:account-id:*/*", "Condition": { "StringEquals": { "aws:RequestTag/environment": "prod", "aws:ResourceTag/owner": "${aws:username}" }, "ForAllValues:StringEquals": { "aws:TagKeys": ["environment"] } } } ] }

Example: Work with IAM roles

The following policy allows users to attach, replace, and detach an IAM role to instances that have the tag department=test. Replacing or detaching an IAM role requires an association ID, therefore the policy also grants users permission to use the ec2:DescribeIamInstanceProfileAssociations action.

Users must have permission to use the iam:PassRole action in order to pass the role to the instance.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AssociateIamInstanceProfile", "ec2:ReplaceIamInstanceProfileAssociation", "ec2:DisassociateIamInstanceProfile" ], "Resource": "arn:aws:ec2:us-east-1:account-id:instance/*", "Condition": { "StringEquals": { "aws:ResourceTag/department":"test" } } }, { "Effect": "Allow", "Action": "ec2:DescribeIamInstanceProfileAssociations", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::account-id:role/DevTeam*" } ] }

The following policy allows users to attach or replace an IAM role for any instance. Users can only attach or replace IAM roles with names that begin with TestRole-. For the iam:PassRole action, ensure that you specify the name of the IAM role and not the instance profile (if the names are different). For more information, see Instance profiles.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AssociateIamInstanceProfile", "ec2:ReplaceIamInstanceProfileAssociation" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ec2:DescribeIamInstanceProfileAssociations", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::account-id:role/TestRole-*" } ] }

Example: Work with route tables

The following policy allows users to add, remove, and replace routes for route tables that are associated with VPC vpc-ec43eb89 only. To specify a VPC for the ec2:Vpc condition key, you must specify the full ARN of the VPC.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DeleteRoute", "ec2:CreateRoute", "ec2:ReplaceRoute" ], "Resource": [ "arn:aws:ec2:region:account-id:route-table/*" ], "Condition": { "StringEquals": { "ec2:Vpc": "arn:aws:ec2:region:account-id:vpc/vpc-ec43eb89" } } } ] }

Example: Allow a specific instance to view resources in other Amazon services

The following is an example of a policy that you might attach to an IAM role. The policy allows an instance to view resources in various Amazon services. It uses the ec2:SourceInstanceARN global condition key to specify that the instance from which the request is made must be instance i-093452212644b0dd6. If the same IAM role is associated with another instance, the other instance cannot perform any of these actions.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeVolumes", "s3:ListAllMyBuckets", "dynamodb:ListTables", "rds:DescribeDBInstances" ], "Resource": [ "*" ], "Condition": { "ArnEquals": { "ec2:SourceInstanceARN": "arn:aws:ec2:region:account-id:instance/i-093452212644b0dd6" } } } ] }

Example: Work with launch templates

The following policy allows users to create a launch template version and modify a launch template, but only for a specific launch template (lt-09477bcd97b0d3abc). Users cannot work with other launch templates.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate" ], "Effect": "Allow", "Resource": "arn:aws:ec2:region:account-id:launch-template/lt-09477bcd97b0d3abc" } ] }

The following policy allows users to delete any launch template and launch template version, provided that the launch template has the tag Purpose=Testing.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DeleteLaunchTemplate", "ec2:DeleteLaunchTemplateVersions" ], "Effect": "Allow", "Resource": "arn:aws:ec2:region:account-id:launch-template/*", "Condition": { "StringEquals": { "aws:ResourceTag/Purpose": "Testing" } } } ] }

Work with instance metadata

The following policies ensure that users can only retrieve instance metadata using Instance Metadata Service Version 2 (IMDSv2). You can combine the following four policies into one policy with four statements. When combined as one policy, you can use the policy as a service control policy (SCP). It can work equally well as a deny policy that you apply to an existing IAM policy (taking away and limiting existing permission), or as an SCP that is applied globally across an account, an organizational unit (OU), or an entire organization.

Note

The following RunInstances metadata options policies must be used in conjunction with a policy that gives the principal permissions to launch an instance with RunInstances. If the principal does not also have RunInstances permissions, it will not be able to launch an instance. For more information, see the policies in Work with instances and Launch instances (RunInstances).

Important

If you use Auto Scaling groups and you need to require the use of IMDSv2 on all new instances, your Auto Scaling groups must use launch templates.

When an Auto Scaling group uses a launch template, the ec2:RunInstances permissions of the IAM principal are checked when a new Auto Scaling group is created. They are also checked when an existing Auto Scaling group is updated to use a new launch template or a new version of a launch template.

Restrictions on the use of IMDSv1 on IAM principals for RunInstances are only checked when an Auto Scaling group that is using a launch template, is created or updated. For an Auto Scaling group that is configured to use the Latest or Default launch template, the permissions are not checked when a new version of the launch template is created. For permissions to be checked, you must configure the Auto Scaling group to use a specific version of the launch template.

To enforce the use of IMDSv2 on instances launched by Auto Scaling groups, the following additional steps are required:
  1. Disable the use of launch configurations for all accounts in your organization by using either service control policies (SCPs) or IAM permissions boundaries for new principals that are created. For existing IAM principals with Auto Scaling group permissions, update their associated policies with this condition key. To disable the use of launch configurations, create or modify the relevant SCP, permissions boundary, or IAM policy with the "autoscaling:LaunchConfigurationName" condition key with the value specified as null.

  2. For new launch templates, configure the instance metadata options in the launch template. For existing launch templates, create a new version of the launch template and configure the instance metadata options in the new version.

  3. In the policy that gives any principal the permission to use a launch template, restrict association of $latest and $default by specifying "autoscaling:LaunchTemplateVersionSpecified": "true". By restricting the use to a specific version of a launch template, you can ensure that new instances will be launched using the version in which the instance metadata options are configured. For more information, see LaunchTemplateSpecification in the Amazon EC2 Auto Scaling API Reference, specifically the Version parameter.

  4. For an Auto Scaling group that uses a launch configuration, replace the launch configuration with a launch template. For more information, see Replacing a Launch Configuration with a Launch Template in the Amazon EC2 Auto Scaling User Guide.

  5. For an Auto Scaling group that uses a launch template, make sure that it uses a new launch template with the instance metadata options configured, or uses a new version of the current launch template with the instance metadata options configured. For more information, see update-auto-scaling-group in the Amazon CLI Command Reference.

Require the use of IMDSv2

The following policy specifies that you can’t call the RunInstances API unless the instance is also opted in to require the use of IMDSv2 (indicated by "ec2:MetadataHttpTokens": "required"). If you do not specify that the instance requires IMDSv2, you get an UnauthorizedOperation error when you call the RunInstances API.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "RequireImdsV2", "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringNotEquals": { "ec2:MetadataHttpTokens": "required" } } } ] }

Deny opt-out of IMDSv2

The following policy specifies that you cannot call the ModifyInstanceMetadataOptions API and allow the option of IMDSv1 or IMDSv2. If you call the ModifyInstanceMetadataOptions API, the HttpTokens attribute must be set to required.

{ "Version": "2012-10-17", "Statement": [{ "Sid": "DenyIMDSv1HttpTokensModification", "Effect": "Deny", "Action": "ec2:ModifyInstanceMetadataOptions", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringNotEquals": { "ec2:Attribute/HttpTokens": "required" }, "Null": { "ec2:Attribute/HttpTokens": false } } }] }

Specify maximum hop limit

The following policy specifies that you can’t call the RunInstances API unless you also specify a hop limit, and the hop limit can’t be more than 3. If you fail to do that, you get an UnauthorizedOperation error when you call the RunInstances API.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "MaxImdsHopLimit", "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "NumericGreaterThan": { "ec2:MetadataHttpPutResponseHopLimit": "3" } } } ] }

Limit who can modify the instance metadata options

The following policy permits only users with the role ec2-imds-admins to make changes to the instance metadata options. If any principal other than the ec2-imds-admins role tries to call the ModifyInstanceMetadataOptions API, it will get an UnauthorizedOperation error. This statement could be used to control the use of the ModifyInstanceMetadataOptions API; there are currently no fine-grained access controls (conditions) for the ModifyInstanceMetadataOptions API.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowOnlyImdsAdminsToModifySettings", "Effect": "Deny", "Action": "ec2:ModifyInstanceMetadataOptions", "Resource": "*", "Condition": { "StringNotLike": { "aws:PrincipalARN": "arn:aws:iam::*:role/ec2-imds-admins" } } } ] }

Require role credentials to be retrieved from IMDSv2

The following policy specifies that if this policy is applied to a role, and the role is assumed by the EC2 service and the resulting credentials are used to sign a request, then the request must be signed by EC2 role credentials retrieved from IMDSv2. Otherwise, all of its API calls will get an UnauthorizedOperation error. This statement/policy can be applied generally because, if the request is not signed by EC2 role credentials, it has no effect.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "RequireAllEc2RolesToUseV2", "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "NumericLessThan": { "ec2:RoleDelivery": "2.0" } } } ] }

Work with Amazon EBS volumes and snapshots

For example policies for working with Amazon EBS volumes and snapshots, see Identity-based policy examples for Amazon EBS.