Amazon EC2: Attach or detach volumes to an EC2 instance - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon EC2: Attach or detach volumes to an EC2 instance

This example shows how you might create an identity-based policy that allows EBS volume owners to attach or detach volumes to the specified EC2 instance. The instance is specified with an ARN in the Condition element. This policy grants the permissions necessary to complete this action programmatically from the Amazon API or Amazon CLI. To use this policy, replace the italicized placeholder text in the example policy with your own information. Then, follow the directions in create a policy or edit a policy.

Amazon EC2 instances can run Amazon commands with permissions granted by an Amazon service role for an EC2 instance that is attached to the instance profile. You can attach this policy to the role, or add this statement to an existing policy. Only the instance identified by instance-id can attach or detach volumes to instances in the account, including its own. Other statement elements that might exist in a larger policy are not impacted by the restriction of this one statement. For more information about creating IAM policies to control access to Amazon EC2 resources, see Controlling Access to Amazon EC2 Resources in the Amazon EC2 User Guide for Linux Instances.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ], "Resource": [ "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*" ], "Condition": { "ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"} } } ] }