Overview

An IAM policy that prevents users from creating their own security groups and allows them to launch only approved AMIs (Amazon Machine Images). The policy never grants ec2:CreateSecurityGroup, so security-group creation is blocked by IAM's implicit deny rather than by an explicit Deny statement. Approved images are identified by a tag (for example, tag key Approved with tag value True); the ec2:RunInstances permission on images is conditioned on that tag, so an untagged or differently tagged AMI cannot be launched. This policy provides the permissions necessary to complete this action programmatically or from the console.

Configuration Templates

Note: the region and account-ID fields of the EC2 resource ARNs below are blank in this rendering (arn:aws:ec2:::...). They must be filled in for the target account before the policy is attached; image ARNs take a region but no account ID.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:Describe*",
                "ec2:GetConsole*",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "iam:ListInstanceProfiles"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Condition": {}
        },
        {
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:::instance/*",
                "arn:aws:ec2:::key-pair/*",
                "arn:aws:ec2:::security-group/*",
                "arn:aws:ec2:::volume/*",
                "arn:aws:ec2:::network-interface/*",
                "arn:aws:ec2:::subnet/*"
            ],
            "Effect": "Allow",
            "Condition": {}
        },
        {
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:::image/ami-*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Approved": "True"
                }
            }
        }
    ]
}
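The following is an added example, not part of the original template or of the AWS Knowledge Center article: a small offline evaluator that models the subset of IAM semantics this policy relies on (Allow statements, Action/Resource matching with the * and ? wildcards, the ec2:ResourceTag/<key> StringEquals condition, and implicit deny for everything else). The region us-east-1, the account ID 123456789012 and all resource IDs are constructed sample values. It shows an approved launch succeeding, an unapproved or wrongly cased tag failing, security-group creation being implicitly denied, and why the blank region/account fields in the rendered ARNs match nothing until they are filled in.

```python
"""Simplified, offline evaluator for the approved-AMI launch policy (added example).

Models only what this policy uses: Allow statements, glob matching on Action and
Resource (* and ?, as IAM does), the ec2:ResourceTag/<key> StringEquals condition,
and implicit deny. Real IAM adds Deny, NotAction, policy variables, SCPs, and more.
"""
import fnmatch
from copy import deepcopy

# The policy exactly as rendered on the page: region/account fields are blank.
POLICY_AS_RENDERED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Condition": {},
         "Action": ["ec2:Describe*", "ec2:GetConsole*", "cloudwatch:DescribeAlarms",
                    "cloudwatch:GetMetricStatistics", "iam:ListInstanceProfiles"],
         "Resource": ["*"]},
        {"Effect": "Allow", "Condition": {},
         "Action": ["ec2:RunInstances"],
         "Resource": ["arn:aws:ec2:::instance/*", "arn:aws:ec2:::key-pair/*",
                      "arn:aws:ec2:::security-group/*", "arn:aws:ec2:::volume/*",
                      "arn:aws:ec2:::network-interface/*", "arn:aws:ec2:::subnet/*"]},
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances"],
         "Resource": ["arn:aws:ec2:::image/ami-*"],
         "Condition": {"StringEquals": {"ec2:ResourceTag/Approved": "True"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def fill_parameters(policy, region, account):
    """Return a copy with blank region/account ARN fields filled in.
    EC2 image ARNs carry no account field, so only the region is set there."""
    filled = deepcopy(policy)
    for stmt in filled["Statement"]:
        resources = []
        for arn in _as_list(stmt["Resource"]):
            parts = arn.split(":", 5)
            if len(parts) == 6 and parts[2] == "ec2" and parts[3] == "" and parts[4] == "":
                parts[3] = region
                if not parts[5].startswith("image/"):
                    parts[4] = account
            resources.append(":".join(parts))
        stmt["Resource"] = resources
    return filled


def _matches(pattern, value):
    # IAM matches Action/Resource strings literally apart from * and ? wildcards,
    # so a blank ARN segment in the policy only matches a blank segment in the request.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, resource_tags):
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if not key.startswith("ec2:ResourceTag/"):
                raise NotImplementedError(key)
            tag_key = key[len("ec2:ResourceTag/"):]
            # StringEquals is case-sensitive: a tag value "true" does not satisfy "True".
            if resource_tags.get(tag_key) != expected:
                return False
    return True


def is_allowed(policy, action, resource_arn, resource_tags=None):
    """True if some Allow statement covers the action and resource and its condition holds.
    Anything not explicitly allowed is implicitly denied, as in IAM."""
    tags = resource_tags or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), tags):
            continue
        return True
    return False


def can_launch(policy, request_resources):
    """RunInstances is authorised only if every resource in the request is allowed."""
    return all(is_allowed(policy, "ec2:RunInstances", arn, tags)
               for arn, tags in request_resources.items())


REGION, ACCOUNT = "us-east-1", "123456789012"  # constructed sample values
POLICY = fill_parameters(POLICY_AS_RENDERED, REGION, ACCOUNT)


def sample_request(image_tags):
    """Constructed RunInstances request: the AMI plus the resources the call touches."""
    base = f"arn:aws:ec2:{REGION}:{ACCOUNT}:"
    return {
        f"arn:aws:ec2:{REGION}::image/ami-0abc12345": image_tags,
        base + "instance/*": {},
        base + "subnet/subnet-0123": {},
        base + "security-group/sg-0123": {},
        base + "network-interface/*": {},
        base + "volume/*": {},
        base + "key-pair/my-key": {},
    }


if __name__ == "__main__":
    print("approved AMI:", can_launch(POLICY, sample_request({"Approved": "True"})))
    print("untagged AMI:", can_launch(POLICY, sample_request({})))
    print("create SG:", is_allowed(POLICY, "ec2:CreateSecurityGroup",
                                   f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/*"))
```

Running the module prints True, False and False. The last check in the test below evaluates the policy as rendered on the page, with blank region and account fields, against a real-looking image ARN and shows that even an approved AMI is refused, which is why those fields must be filled in before the policy is used.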


Sources and Documentation

Configuration Source: AWS Knowledge Center
