Control Amazon EC2 launch template usage in Auto Scaling groups

Amazon EC2 Auto Scaling supports using Amazon EC2 launch templates with your Auto Scaling groups. We recommend that you allow users to create Auto Scaling groups from launch templates, because doing so allows them to use the latest features of Amazon EC2 Auto Scaling and Amazon EC2. For example, users must specify a launch template to use a mixed instances policy.

You can use the AmazonEC2FullAccess policy to give users complete access to work with Amazon EC2 Auto Scaling resources, launch templates, and other EC2 resources in their account. Or, you can create your own custom IAM policies to give users fine-grained permissions to work with launch templates, as described in this topic.

A sample policy that you can tailor for your own use

The following shows an example of a basic permissions policy that you can tailor for your own use. The policy grants permissions to create, update, and delete all Auto Scaling groups, but only if the group uses the tag purpose=testing. It then gives permission for all Describe actions. Because Describe actions do not support resource-level permissions, you must specify them in a separate statement without conditions.

IAM identities (users or roles) with this policy have permission to create or update an Auto Scaling group using a launch template because they're also given permission to use the ec2:RunInstances action.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": { "autoscaling:ResourceTag/purpose": "testing" }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "ec2:RunInstances"
            ],
            "Resource": "*"
        }
    ]
}

Users who create or update Auto Scaling groups might need some related permissions, such as:

These permissions, which cover actions that run when instances are launched, are checked when the user interacts with an Auto Scaling group. For more information, see Permissions validation for ec2:RunInstances and iam:PassRole.

The following examples show policy statements that you can use to control IAM users' access to launch templates.

Require launch templates that have a specific tag

When granting ec2:RunInstances permissions, you can limit which launch templates users may launch from by specifying launch templates with particular tags or particular IDs. You can also control the AMI and the other resources that anyone using a launch template can reference when launching instances by adding resource-level permissions to the RunInstances statement.

The following example restricts permissions for the ec2:RunInstances action to launch templates that are located in the specified Region and that have the tag purpose=testing. It also gives users access to the resources specified in a launch template: AMIs, instance types, volumes, key pairs, network interfaces, and security groups.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws-cn:ec2:region:account-id:launch-template/*",
            "Condition": {
                "StringEquals": { "aws:ResourceTag/purpose": "testing" }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws-cn:ec2:region::image/ami-*",
                "arn:aws-cn:ec2:region:account-id:instance/*",
                "arn:aws-cn:ec2:region:account-id:subnet/*",
                "arn:aws-cn:ec2:region:account-id:volume/*",
                "arn:aws-cn:ec2:region:account-id:key-pair/*",
                "arn:aws-cn:ec2:region:account-id:network-interface/*",
                "arn:aws-cn:ec2:region:account-id:security-group/*"
            ]
        }
    ]
}

For more information about using tag-based policies with launch templates, see Control access to launch templates with IAM permissions in the Amazon EC2 User Guide.

Require a launch template and a version number

You can also use IAM permissions to enforce that a launch template and the version number of the launch template must be specified when creating or updating Auto Scaling groups.

The following example allows users to create and update Auto Scaling groups only if a launch template and a numbered version of that launch template are specified. If users with this policy omit the version number (which selects the $Latest or $Default launch template version), or attempt to use a launch configuration instead, the action fails.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": { "autoscaling:LaunchTemplateVersionSpecified": "true" }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup"
            ],
            "Resource": "*",
            "Condition": {
                "Null": { "autoscaling:LaunchConfigurationName": "false" }
            }
        }
    ]
}
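To see how the Bool and Null conditions in this policy decide each request shape, here is a small evaluator added as an example (it is not AWS code and not the IAM policy engine); the assumption that a version is "specified" only when it is a concrete number, and the request field names, are the author's simplifications:

```python
# Added example (not AWS code): a minimal evaluator for the policy above.
# It models only what that policy uses: the Bool and Null condition operators,
# the two autoscaling:* condition keys, and "a matching Deny beats an Allow".
# Assumption: a version counts as "specified" only when it is a concrete number
# (not $Latest/$Default, not omitted); dicts use CreateAutoScalingGroup field names.
ASG_ACTIONS = ["autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup"]
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ASG_ACTIONS, "Resource": "*",
     "Condition": {"Bool": {"autoscaling:LaunchTemplateVersionSpecified": "true"}}},
    {"Effect": "Deny", "Action": ASG_ACTIONS, "Resource": "*",
     "Condition": {"Null": {"autoscaling:LaunchConfigurationName": "false"}}},
]}


def request_context(params):
    """Derive the condition keys Amazon EC2 Auto Scaling sets for one request."""
    ctx = {}
    lt = params.get("LaunchTemplate")
    if lt is not None:
        version = lt.get("Version")
        ctx["autoscaling:LaunchTemplateVersionSpecified"] = (
            version is not None and version not in ("$Latest", "$Default"))
    if "LaunchConfigurationName" in params:
        ctx["autoscaling:LaunchConfigurationName"] = params["LaunchConfigurationName"]
    return ctx


def condition_matches(condition, ctx):
    """True when every Bool/Null pair in a Condition block is satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "Bool":  # key must be present and equal the boolean
                if key not in ctx or str(ctx[key]).lower() != expected:
                    return False
            elif operator == "Null":  # "false" means the key must be present
                if (key not in ctx) != (expected == "true"):
                    return False
    return True


def evaluate(action, params, policy=POLICY):
    """Return 'allow', 'explicit deny' or 'implicit deny' for one API call."""
    ctx = request_context(params)
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"  # a matching Deny ends evaluation
        allowed = True
    return "allow" if allowed else "implicit deny"
```

A numbered version is the only input that reaches "allow"; $Latest, $Default and an omitted version fall through to the implicit deny, and a launch configuration name trips the explicit Deny.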

Require the use of instance metadata service version 2 (IMDSv2)

For extra security, you can set your users' permissions to require the use of a launch template that requires IMDSv2. For more information, see Configuring the instance metadata service in the Amazon EC2 User Guide.

The following example specifies that users can't call the ec2:RunInstances action unless the instance is also opted in to require the use of IMDSv2 (indicated by "ec2:MetadataHttpTokens":"required").

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireImdsV2",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws-cn:ec2:*:*:instance/*",
            "Condition": {
                "StringNotEquals": { "ec2:MetadataHttpTokens": "required" }
            }
        }
    ]
}

Tip

To force replacement Auto Scaling instances to launch that use a new launch template or a new version of a launch template with the instance metadata options configured, you can start an instance refresh. For more information, see Update Auto Scaling instances.
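An offline check for which launch template versions the RequireImdsV2 statement would block, added here as an example that is not part of the AWS documentation or any AWS SDK; the sample response, the lt- identifier and the treatment of a missing HttpTokens setting as not requiring IMDSv2 are assumptions:

```python
# Added example (not AWS code): find the launch template versions that the
# RequireImdsV2 statement above would block at ec2:RunInstances time. The input
# has the shape of an EC2 DescribeLaunchTemplateVersions response; the sample is
# constructed inline so the check runs offline.
# Assumption: a version that omits MetadataOptions.HttpTokens is counted as not
# requiring IMDSv2 (no account-level IMDS default is relied on).
SAMPLE_RESPONSE = {"LaunchTemplateVersions": [
    {"LaunchTemplateId": "lt-0aaa1111example", "VersionNumber": 1, "DefaultVersion": False,
     "LaunchTemplateData": {"ImageId": "ami-04d5cc9b88example"}},  # no MetadataOptions
    {"LaunchTemplateId": "lt-0aaa1111example", "VersionNumber": 2, "DefaultVersion": True,
     "LaunchTemplateData": {"ImageId": "ami-04d5cc9b88example",
                            "MetadataOptions": {"HttpTokens": "optional"}}},  # IMDSv1 allowed
    {"LaunchTemplateId": "lt-0aaa1111example", "VersionNumber": 3, "DefaultVersion": False,
     "LaunchTemplateData": {"ImageId": "ami-04d5cc9b88example",
                            "MetadataOptions": {"HttpTokens": "required"}}},
]}


def requires_imdsv2(version):
    """True only when the version explicitly sets HttpTokens to 'required'."""
    options = version.get("LaunchTemplateData", {}).get("MetadataOptions", {})
    return options.get("HttpTokens") == "required"


def versions_blocked_by_policy(response):
    """(template id, version number, is default) for each version the Deny hits."""
    return [(v["LaunchTemplateId"], v["VersionNumber"], v.get("DefaultVersion", False))
            for v in response["LaunchTemplateVersions"] if not requires_imdsv2(v)]


def default_version_requires_imdsv2(response):
    """A group pinned to $Default launches with the default version, so it is the
    one to check first; returns False when no default version is present."""
    defaults = [v for v in response["LaunchTemplateVersions"] if v.get("DefaultVersion")]
    return bool(defaults) and all(requires_imdsv2(v) for v in defaults)
```

The same functions accept the dict returned by the EC2 DescribeLaunchTemplateVersions API (for example via boto3's describe_launch_template_versions) for the templates your Auto Scaling groups reference.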

Restrict access to Amazon EC2 resources

The following example controls the configuration of the instances that a user can launch by restricting access to Amazon EC2 resources. To specify resource-level permissions for resources specified in a launch template, you must include the resources in the RunInstances action statement.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws-cn:ec2:region:account-id:launch-template/*",
                "arn:aws-cn:ec2:region::image/ami-04d5cc9b88example",
                "arn:aws-cn:ec2:region:account-id:subnet/subnet-1a2b3c4d",
                "arn:aws-cn:ec2:region:account-id:volume/*",
                "arn:aws-cn:ec2:region:account-id:key-pair/*",
                "arn:aws-cn:ec2:region:account-id:network-interface/*",
                "arn:aws-cn:ec2:region:account-id:security-group/sg-903004f88example"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws-cn:ec2:region:account-id:instance/*",
            "Condition": {
                "StringEquals": { "ec2:InstanceType": ["t2.micro", "t2.small"] }
            }
        }
    ]
}

In this example, there are two statements:

  • The first statement requires that users launch instances into a specific subnet (subnet-1a2b3c4d), using a specific security group (sg-903004f88example), and using a specific AMI (ami-04d5cc9b88example). It also gives users access to the resources specified in a launch template: network interfaces, key pairs, and volumes.

  • The second statement allows users to launch instances using only the t2.micro and t2.small instance types, which you might do to control costs.

    However, note that there is not currently an effective way to completely prevent users who have permission to launch instances with a launch template from launching other instance types. This is because an instance type specified in a launch template can be overridden to use instance types that are defined using attribute-based instance type selection.

For a full list of the resource-level permissions that you can use to control the configuration of the instances that a user can launch, see Actions, resources, and condition keys for Amazon EC2 in the Service Authorization Reference.

Permissions required to tag instances and volumes

The following example allows users to tag instances and volumes on creation. This policy is needed if there are tags specified in the launch template. For more information, see Grant permission to tag resources during creation in the Amazon EC2 User Guide.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws-cn:ec2:region:account-id:*/*",
            "Condition": {
                "StringEquals": { "ec2:CreateAction": "RunInstances" }
            }
        }
    ]
}

Additional launch template permissions

You must give your console users permissions for the ec2:DescribeLaunchTemplates and ec2:DescribeLaunchTemplateVersions actions. Without these permissions, launch template data cannot load in the Auto Scaling group wizard, and users cannot step through the wizard to launch instances using a launch template. You can specify these additional actions in the Action element of an IAM policy statement.

Permissions validation for ec2:RunInstances and iam:PassRole

Users can specify which version of a launch template their Auto Scaling group uses. Depending on their permissions, this can be a specific numbered version, or the $Latest or $Default version of the launch template. If it's the latter, take special care: this may override permissions for ec2:RunInstances and iam:PassRole that you intended to restrict.

This section explains the scenario of using the latest or default version of the launch template with an Auto Scaling group.

When a user calls the CreateAutoScalingGroup, UpdateAutoScalingGroup, or StartInstanceRefresh APIs, Amazon EC2 Auto Scaling checks their permissions against the version of the launch template that is the latest or default version at that time before proceeding with the request. This validates permissions for actions to be completed when launching instances, such as the ec2:RunInstances and iam:PassRole actions. To accomplish this, we issue an Amazon EC2 RunInstances dry run call to validate whether the user has the required permissions for the action, without actually making the request. When a response is returned, it is read by Amazon EC2 Auto Scaling. If the user's permissions do not allow a given action, Amazon EC2 Auto Scaling fails the request and returns an error to the user containing information about the missing permission.

After the initial verification and request are complete, whenever instances launch, Amazon EC2 Auto Scaling launches them with the latest or default version, even if it has changed, using the permissions of its service-linked role. This means that a user who is using the launch template could potentially update it to pass an IAM role to an instance even if they don't have the iam:PassRole permission.

Use the autoscaling:LaunchTemplateVersionSpecified condition key if you want to limit who has access to configuring groups to use the $Latest or $Default version. This ensures that the Auto Scaling group only accepts a specific numbered version when a user calls the CreateAutoScalingGroup and UpdateAutoScalingGroup APIs. For an example that shows how to add this condition key to an IAM policy, see Require a launch template and a version number.

For Auto Scaling groups that are configured to use the $Latest or $Default launch template version, consider limiting who can create and manage versions of the launch template, including the ec2:ModifyLaunchTemplate action that allows a user to specify the default launch template version. For more information, see Control versioning permissions in the Amazon EC2 User Guide.

To learn more about permissions to view, create, and delete launch templates and launch template versions, see Control access to launch templates with IAM permissions in the Amazon EC2 User Guide.

For more information about the resource-level permissions that you can use to control access to the RunInstances call, see Actions, resources, and condition keys for Amazon EC2 in the Service Authorization Reference.