Onyekachi shows you how to restrict access to launch EC2 instances from only tagged AMIs


I want to restrict users' access so that they can launch Amazon Elastic Compute Cloud (Amazon EC2) instances only from tagged Amazon Machine Images (AMIs). How can I restrict access to launch EC2 instances using AMI tags?

To restrict users' access to launch EC2 instances using tagged AMIs, create an AMI from an existing instance—or use an existing AMI—and then add a tag to the AMI. Then, create a custom IAM policy with a tag condition that restricts users' permissions to launch only instances that use the tagged AMI.

In this example IAM policy, there are three statement IDs (Sids):

  • Sid ReadOnlyAccess allows users to view any EC2 resources in your account using Describe*, which includes all the EC2 actions that begin with Describe. Sid ReadOnlyAccess also allows users to get console output and screenshots of an EC2 instance. For more information, see GetConsoleOutput and GetConsoleScreenshot. The CloudWatch permissions for DescribeAlarms and GetMetricStatistics allow basic health information about EC2 instances to be displayed in the Amazon EC2 console. The IAM permission for ListInstanceProfiles allows the existing instance profiles to be listed in the IAM role list on the Configure Instance Details page when launching an EC2 instance. However, the ListInstanceProfiles API does not allow users to attach an IAM role to an EC2 instance.
  • Sid ActionsRequiredtoRunInstancesInVPC grants users permission to perform the RunInstances API using any instance, key pair, security group, volume, network interface, or subnet in us-east-1 using resource-level permissions by specifying the ARN for each resource.
  • Sid LaunchingEC2withAMIsAndTags allows users to launch EC2 instances from an AMI only if the AMI has an Environment tag set to "Prod" and the launch is in us-east-1. The resource-level permission is set to an ARN that matches any AMI in us-east-1, and the condition requires the ec2:ResourceTag/Environment tag key to have the value "Prod".

This policy allows users to list roles when launching an EC2 instance, but they can't launch an instance with a role attached unless they also have the iam:PassRole permission. The policy does not allow users to create new security groups: users must select an existing security group when launching an EC2 instance unless they have the EC2:CreateSecurityGroup permission. EC2:CreateSecurityGroup only grants the ability to create a security group; it does not add or modify any rules. To add rules, users must also have permission for the EC2:AuthorizeSecurityGroupIngress (inbound) and EC2:AuthorizeSecurityGroupEgress (outbound) API actions.

The following IAM policy uses resource-level permissions for the resources that the RunInstances action requires. For more information about the required resources for RunInstances, see Resource-Level Permissions for RunInstances. In the ARNs below, the account-ID field is the wildcard "*"; you can replace it with your own account ID to narrow the policy further.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ReadOnlyAccess",
          "Effect": "Allow",
          "Action": [
            "ec2:Describe*", "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot",
            "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics", "iam:ListInstanceProfiles"
          ],
          "Resource": "*"
        },
        {
          "Sid": "ActionsRequiredtoRunInstancesInVPC",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:us-east-1:*:instance/*",
            "arn:aws:ec2:us-east-1:*:key-pair/*",
            "arn:aws:ec2:us-east-1:*:security-group/*",
            "arn:aws:ec2:us-east-1:*:volume/*",
            "arn:aws:ec2:us-east-1:*:network-interface/*",
            "arn:aws:ec2:us-east-1:*:subnet/*"
          ]
        },
        {
          "Sid": "LaunchingEC2withAMIsAndTags",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:us-east-1::image/ami-*",
          "Condition": { "StringEquals": { "ec2:ResourceTag/Environment": "Prod" } }
        }
      ]
    }
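As an added worked example (not part of this article and not AWS tooling), the following Python script models the per-resource authorization that the two RunInstances statements perform, so you can see why an untagged or out-of-region AMI denies the whole launch even when every other resource is allowed. It assumes simplified IAM semantics: Allow statements only, and StringEquals on ec2:ResourceTag keys as the sole condition operator.

```python
"""Offline model of how IAM authorizes ec2:RunInstances against the page's
policy: every resource in the request needs an Allow, and the AMI's Allow is
conditional on its Environment tag. Added example, not AWS code. Simplified
semantics (Allow-only, StringEquals on ec2:ResourceTag/<Key> only) are assumed."""
import fnmatch

# Constructed, condensed copy of the two RunInstances statements on this page.
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:us-east-1:*:%s/*" % r for r in
                  ("instance", "key-pair", "security-group", "volume",
                   "network-interface", "subnet")]},
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:us-east-1::image/ami-*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Prod"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(cond, tags):
    """A missing tag fails StringEquals, exactly as an untagged AMI does in IAM."""
    for key, want in cond.get("StringEquals", {}).items():
        if not key.startswith("ec2:ResourceTag/"):
            return False  # unmodelled condition key: fail closed
        if tags.get(key[len("ec2:ResourceTag/"):]) != want:
            return False
    return True

def resource_allowed(policy, action, arn, tags=None):
    """True if some Allow statement covers this action + ARN and its condition holds."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(arn, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_ok(st.get("Condition", {}), tags or {}):
            return True
    return False

def run_instances_allowed(policy, resources):
    """resources maps each ARN in the RunInstances request to that resource's tags.
    Returns (allowed, denied_arns): one unauthorized ARN denies the whole call."""
    denied = [arn for arn, tags in resources.items()
              if not resource_allowed(policy, "ec2:RunInstances", arn, tags)]
    return (not denied, denied)
```

Confirm the real policy with the IAM policy simulator before relying on it; this model ignores explicit Deny statements, other condition operators, and any other policies attached to the principal.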

Published: 2018-05-09