Use Amazon VPC Endpoint Policies for granular control of Amazon EC2 APIs

Posted on: Mar 23, 2020

Amazon Elastic Compute Cloud (EC2) now lets you attach IAM resource policies to your VPC endpoints. VPC Endpoint policies can help you meet compliance and regulatory requirements by granularly controlling access to Amazon EC2 APIs.

You can use a VPC endpoint policy to define the Amazon EC2 actions (RunInstances, CreateVolume, etc.) that may be performed through the endpoint, the principals that may perform them, and the resources on which they may be performed. The list of resource types supported for each EC2 action can be found in the Amazon EC2 IAM policy documentation.
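As an added example (not part of the announcement), the following endpoint policy shows the three controls the paragraph describes: any principal in the account may call two Describe actions through the endpoint, but only one role may launch instances, and only against resources in one region. The account ID 111122223333, the role name ExampleLaunchRole and the region us-east-1 are placeholders, as is the AMI wildcard.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeAllowedForAnyPrincipalInPlaceholderAccount",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "RunInstancesOnlyForPlaceholderRoleInOneRegion",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleLaunchRole"
      },
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:111122223333:instance/*",
        "arn:aws:ec2:us-east-1:111122223333:volume/*",
        "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
        "arn:aws:ec2:us-east-1:111122223333:security-group/*",
        "arn:aws:ec2:us-east-1:111122223333:subnet/*",
        "arn:aws:ec2:us-east-1::image/ami-*"
      ]
    }
  ]
}
```

The Describe statement uses `"Resource": "*"` because EC2 Describe actions do not support resource-level permissions, while RunInstances lists every resource type it touches so a launch in another region or account is refused at the endpoint. An endpoint policy only adds a check and never grants access by itself, so the calling principal still needs a matching identity policy, and any EC2 call through this endpoint that the policy does not list is denied.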

VPC endpoint policies for Amazon EC2 are available in all public AWS regions. You can get started with endpoint policies by creating a VPC endpoint for Amazon EC2, or by adding a policy to an existing VPC endpoint. For more information about using VPC endpoint policies, see the Amazon EC2 documentation.