An IAM policy that prevents users from creating their own security groups and allows them to launch only approved AMIs (Amazon Machine Images). Approved images are identified by tags (for example, tag key Approved with tag value True). The policy grants the permissions needed to launch such instances programmatically or from the console; anything it does not grant, including creating security groups, is implicitly denied.

Missing parameters: the resource ARNs below leave the region and account-ID fields empty (arn:aws:ec2:::...); supply the values for your environment before using the policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:Describe*",
                "ec2:GetConsole*",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "iam:ListInstanceProfiles"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Condition": {}
        },
        {
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:::instance/*",
                "arn:aws:ec2:::key-pair/*",
                "arn:aws:ec2:::security-group/*",
                "arn:aws:ec2:::volume/*",
                "arn:aws:ec2:::network-interface/*",
                "arn:aws:ec2:::subnet/*"
            ],
            "Effect": "Allow",
            "Condition": {}
        },
        {
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:::image/ami-*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Approved": "True"
                }
            }
        }
    ]
}
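To see how the three statements combine, here is a small, simplified policy evaluator written as an added example (not code from the page or from AWS). It models only what this policy needs, implicit deny, Allow statements, wildcard matching on Action and Resource, and the case-sensitive StringEquals operator, and it treats RunInstances the way IAM does: the call is authorized once per resource it touches, so the tag condition on the image statement is checked against the image's own tags while the subnet, security-group and other ARNs are covered by the unconditional second statement. The AMI, subnet and security-group identifiers are constructed sample values.

```python
import fnmatch

# Constructed copy of the policy shown above (ARNs kept exactly as on the
# page, including the empty region and account-ID fields).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "ec2:GetConsole*", "cloudwatch:DescribeAlarms",
                       "cloudwatch:GetMetricStatistics", "iam:ListInstanceProfiles"],
            "Resource": ["*"],
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:RunInstances"],
            "Resource": ["arn:aws:ec2:::instance/*", "arn:aws:ec2:::key-pair/*",
                         "arn:aws:ec2:::security-group/*", "arn:aws:ec2:::volume/*",
                         "arn:aws:ec2:::network-interface/*", "arn:aws:ec2:::subnet/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:RunInstances"],
            "Resource": ["arn:aws:ec2:::image/ami-*"],
            "Condition": {"StringEquals": {"ec2:ResourceTag/Approved": "True"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Only StringEquals is modelled (the one operator this policy uses).
    IAM's StringEquals is case-sensitive and fails when the key is absent."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: implicit deny unless an Allow statement
    matches the action, the resource ARN and every condition.  Explicit Deny,
    IfExists operators and multi-valued keys are out of scope, and matching
    is case-sensitive here although IAM matches action names case-insensitively."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def run_instances_allowed(policy, resource_tags):
    """RunInstances is authorized once per resource it touches (image, subnet,
    security group, ...), so every ARN must be allowed.  resource_tags maps each
    ARN to that resource's own tags, which become ec2:ResourceTag/<key> keys.
    Returns (allowed, first_denied_arn)."""
    for arn, tags in resource_tags.items():
        context = {f"ec2:ResourceTag/{k}": v for k, v in tags.items()}
        if not is_allowed(policy, "ec2:RunInstances", arn, context):
            return False, arn
    return True, None


if __name__ == "__main__":
    image = "arn:aws:ec2:::image/ami-0123456789abcdef0"   # constructed AMI ARN
    launch = {
        image: {"Approved": "True"},
        "arn:aws:ec2:::subnet/subnet-0a1b2c": {},          # constructed
        "arn:aws:ec2:::security-group/sg-0a1b2c": {},      # constructed
        "arn:aws:ec2:::instance/*": {},
    }
    print(run_instances_allowed(POLICY, launch))           # (True, None)
    launch[image] = {"Approved": "true"}                    # wrong case on the tag value
    print(run_instances_allowed(POLICY, launch))           # (False, image)
    print(is_allowed(POLICY, "ec2:CreateSecurityGroup",
                     "arn:aws:ec2:::security-group/*"))    # False: never granted
```

Two things the run shows that the JSON alone does not: a tag value of "true" rather than "True" denies the launch, because StringEquals is case-sensitive, and the gate only holds as long as users cannot tag AMIs themselves, which this policy respects by granting no ec2:CreateTags. For the real evaluation engine rather than this model, the AWS CLI's aws iam simulate-custom-policy accepts the policy via --policy-input-list together with --action-names, --resource-arns and --context-entries for the ec2:ResourceTag/Approved key.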
