AWS Security Blog
Amazon EC2 Resource-Level Permissions for RunInstances
Yesterday the EC2 team announced fine grained controls for managing RunInstances. This release enables you to set fine-grained controls over the AMIs, Snapshots, Subnets, and other resources that can be used when creating instances and the types of instances and volumes that users can create when using the RunInstances API.
This is a major milestone in the security story around EC2. Prior to this it was not practical to use a single account for a variety of users within a single org. This one feature makes that not only much more feasible, but allows for long-requested things like “only allow my users to launch blessed AMIs” and other such super-useful stuff.
To learn more, see Derek Lyon’s post on the AWS Blog.