Amazon EC2: Attach or detach volumes to an EC2 instance

This example shows how you might create an identity-based policy that allows EBS volume owners to attach or detach volumes to the specified EC2 instance. The instance is specified with an ARN in the Condition element. This policy grants the permissions necessary to complete this action programmatically from the Amazon API or Amazon CLI. To use this policy, replace the italicized placeholder text in the example policy with your own information. Then, follow the directions in create a policy or edit a policy.

Amazon EC2 instances can run Amazon commands with permissions granted by an Amazon service role for an EC2 instance that is attached to the instance profile. You can attach this policy to the role, or add this statement to an existing policy. Only the instance identified by instance-id can attach or detach volumes to instances in the account, including its own. Other statement elements that might exist in a larger policy are not impacted by the restriction of this one statement. For more information about creating IAM policies to control access to Amazon EC2 resources, see Controlling Access to Amazon EC2 Resources in the Amazon EC2 User Guide for Linux Instances.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"}
            }
        }
    ]
}

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

DynamoDB: Allow item access based on a Amazon Cognito ID

EC2: Attach or detach tagged EBS volumes