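An IAM policy that prevents users from creating their own security groups and allows them to launch only approved AMIs (Amazon Machine Images). Approved images are identified by a tag (for example, Tag Key: Approved, Tag Value: True). This policy provides the permissions necessary to complete this action programmatically or from the console. Note that the policy contains only Allow statements: it restricts users by not granting security-group creation or tagging actions, so the restriction holds only if no other policy attached to the same user grants them (a user who is able to tag an AMI could mark it as approved). The region and account fields of the resource ARNs are left empty in this sample and should be filled in, or replaced with wildcards, for your environment before use.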
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*",
"ec2:GetConsole*",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"iam:ListInstanceProfiles"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Condition": {}
},
{
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:::instance/*",
"arn:aws:ec2:::key-pair/*",
"arn:aws:ec2:::security-group/*",
"arn:aws:ec2:::volume/*",
"arn:aws:ec2:::network-interface/*",
"arn:aws:ec2:::subnet/*"
],
"Effect": "Allow",
"Condition": {}
},
{
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:::image/ami-*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Approved": "True"
}
}
}
]
}