An IAM policy that prevents users from creating their own security groups and allows them to launch only approved AMIs (Amazon Machine Images). Approved images are identified by a tag (for example, tag key Approved with tag value True): the third statement grants ec2:RunInstances on an image only when the ec2:ResourceTag/Approved condition key equals True, and because StringEquals is case-sensitive the tag value must match exactly. Security group creation is prevented by omission: no statement grants ec2:CreateSecurityGroup, so IAM's implicit deny applies, while existing security groups can still be used at launch. The policy provides the permissions necessary to complete this action programmatically or from the console. The region and account fields of the RunInstances resource ARNs are left empty in the policy below and must be filled in (with specific values or *) before the policy is attached.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:Describe*",
                "ec2:GetConsole*",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "iam:ListInstanceProfiles"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:::instance/*",
                "arn:aws:ec2:::key-pair/*",
                "arn:aws:ec2:::security-group/*",
                "arn:aws:ec2:::volume/*",
                "arn:aws:ec2:::network-interface/*",
                "arn:aws:ec2:::subnet/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:::image/ami-*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Approved": "True"
                }
            }
        }
    ]
}
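To see why the policy behaves as described, the following is an added example (not code from the page or from AWS) of a small offline evaluator that applies IAM's default-deny, wildcard action and resource matching, and the StringEquals tag condition to this policy. It assumes the region and account fields are filled with * where the page's template leaves them blank, writes Condition as the JSON object IAM requires, and uses a constructed account id and AMI ids; the lint_conditions helper flags the array-valued Condition that IAM rejects. It is a teaching model only; authoritative decisions come from IAM (for example the IAM policy simulator).

```python
import fnmatch
import json

# The page's policy, with region/account written as "*" (assumption: the page
# leaves them blank as parameters) and Condition written as a JSON object.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:GetConsole*", "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics", "iam:ListInstanceProfiles"],
     "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances"],
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:key-pair/*",
                  "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:volume/*",
                  "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:subnet/*"]},
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances"],
     "Resource": ["arn:aws:ec2:*:*:image/ami-*"],
     "Condition": {"StringEquals": {"ec2:ResourceTag/Approved": "True"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM's "*" spans ":" and "/", which is also how fnmatch's "*" behaves.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, resource_tags):
    # Only StringEquals on ec2:ResourceTag/<key> is modelled; it is all this policy uses.
    # StringEquals is case-sensitive: a tag value of "true" does not satisfy "True".
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for cond_key, expected in pairs.items():
            if not cond_key.startswith("ec2:ResourceTag/"):
                raise NotImplementedError(f"condition key {cond_key} not modelled")
            tag_key = cond_key[len("ec2:ResourceTag/"):]
            if resource_tags.get(tag_key) != expected:
                return False
    return True


def lint_conditions(policy):
    """Indexes of statements whose Condition is not a JSON object.
    IAM rejects a Condition written as an array, even an empty one."""
    return [i for i, s in enumerate(policy["Statement"])
            if "Condition" in s and not isinstance(s["Condition"], dict)]


def evaluate(policy, action, resource_arn, resource_tags=None):
    """Decision for one action on one resource: an explicit Deny wins, then any
    matching Allow, otherwise the implicit deny that covers everything the policy
    does not mention (which is how ec2:CreateSecurityGroup is blocked)."""
    tags = resource_tags or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_matches(p, resource_arn) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def run_instances_request(policy, resources):
    """RunInstances names several resources (image, instance, subnet, ...) and IAM
    authorizes the call only if every one is allowed. `resources` is a list of
    (arn, tags) pairs; returns (allowed, list of ARNs that blocked the call)."""
    blocking = [arn for arn, tags in resources
                if evaluate(policy, "ec2:RunInstances", arn, tags) != "Allow"]
    return (not blocking, blocking)


if __name__ == "__main__":
    prefix = "arn:aws:ec2:us-east-1:123456789012:"   # constructed region/account
    launch = [(prefix + "instance/*", {}), (prefix + "subnet/subnet-0aaa", {}),
              (prefix + "security-group/sg-0bbb", {})]
    print(run_instances_request(POLICY, launch + [(prefix + "image/ami-0aaa", {"Approved": "True"})]))
    print(run_instances_request(POLICY, launch + [(prefix + "image/ami-0bbb", {"Approved": "true"})]))
    print(evaluate(POLICY, "ec2:CreateSecurityGroup", prefix + "security-group/*"))
```

Running the block shows the approved launch allowed, the launch of an AMI tagged with lowercase "true" blocked on the image ARN alone, and CreateSecurityGroup falling to the implicit deny.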