I need to create an IAM policy that explicitly grants an IAM user, group, or role permissions to create and manage Amazon EC2 instances in a particular virtual private cloud (VPC).

AWS does not currently provide a way to control access to all EC2 resources in a VPC by naming the VPC's Amazon Resource Name (ARN) in a single blanket EC2 policy or in an ARN-based condition. EC2 supports resource-level permissions for only some of its API actions, and several actions do not support them at all. Although some EC2 API actions can be restricted through the VPC ARN (with the ec2:Vpc condition key), control of EC2 instances cannot be delegated solely through the VPC ARN.

You can, however, apply a custom IAM policy that restricts an IAM user, group, or role to creating and managing EC2 instances in a specified VPC. The approach below uses an IAM instance profile as the anchor: the policy grants an IAM entity permission to:

  • Launch EC2 instances in a designated VPC.
  • Manage the EC2 instances that carry that instance profile.

To set this up, follow these steps:

Create a new IAM role

Have a user who has permission to create and edit IAM resources sign in to the AWS Management Console and open the IAM console. From here the user creates an IAM role. When you create a role for the Amazon EC2 service in the console, IAM also creates an instance profile with the same name; the policy below references that instance profile by ARN.

  1. In the AWS IAM console, choose Roles and then Create New Role.
  2. Enter a role name when prompted to Set Role Name. You will reference this role name later as an ARN in the policy.
  3. For the role type, under AWS Service Roles, choose Amazon EC2.
  4. You do not need to attach a policy to this role, so when prompted to Attach Policy, choose Next Step.
  5. In the Review dialog box, choose Create Role.

Create a managed policy to apply to the IAM entities that will be launching instances

  1. In the AWS IAM console, choose Policies and then Create Policy.
  2. Choose Create Your Own Policy.
  3. For the policy name, type "VPC Lockdown for VPC-ID", where VPC-ID is the ID of the VPC that you will apply the policy to.
  4. Optionally provide relevant information for the Description.
  5. Paste the policy document listed below. Be sure to replace all occurrences of ACCOUNTNUMBER, REGION, and VPC-ID with values that correspond to your environment. In addition, replace ROLENAME with the name of the role you created under Create a new IAM role.

Note: Some items below must be replaced with specific resources from your environment. For more information, see Amazon Resource Names (ARNs) and AWS Service Namespaces. Also note that ec2:AttachVolume and ec2:DetachVolume are evaluated against both the instance ARN and the volume ARN; the AllowInstanceActions statement grants only the instance ARN, so if you need volume attachment to work you must add a statement that allows those two actions on arn:aws:ec2:REGION:ACCOUNTNUMBER:volume/* (scoped with a condition that fits your environment).

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "NonResourceBasedReadOnlyPermissions",
         "Action": [
            "ec2:Describe*",
            "ec2:CreateKeyPair",
            "ec2:CreateSecurityGroup",
            "iam:GetInstanceProfile",
            "iam:ListInstanceProfiles"
         ],
         "Effect": "Allow",
         "Resource": "*"
      },
      {
         "Sid": "IAMPassRoleToInstance",
         "Action": [
            "iam:PassRole"
         ],
         "Effect": "Allow",
         "Resource": "arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME"
      },
      {
         "Sid": "AllowInstanceActions",
         "Effect": "Allow",
         "Action": [
            "ec2:RebootInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances",
            "ec2:StartInstances",
            "ec2:AttachVolume",
            "ec2:DetachVolume"
         ],
         "Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:instance/*",
         "Condition": {
            "StringEquals": {
               "ec2:InstanceProfile": "arn:aws:iam::ACCOUNTNUMBER:instance-profile/ROLENAME"
            }
         }
      },
      {
         "Sid": "EC2RunInstances",
         "Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:instance/*",
         "Condition": {
            "StringEquals": {
               "ec2:InstanceProfile": "arn:aws:iam::ACCOUNTNUMBER:instance-profile/ROLENAME"
            }
         }
      },
      {
         "Sid": "EC2RunInstancesSubnet",
         "Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:subnet/*",
         "Condition": {
            "StringEquals": {
               "ec2:vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
            }
         }
      },
      {
         "Sid": "RemainingRunInstancePermissions",
         "Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": [
            "arn:aws:ec2:REGION:ACCOUNTNUMBER:volume/*",
            "arn:aws:ec2:REGION::image/*",
            "arn:aws:ec2:REGION::snapshot/*",
            "arn:aws:ec2:REGION:ACCOUNTNUMBER:network-interface/*",
            "arn:aws:ec2:REGION:ACCOUNTNUMBER:key-pair/*",
            "arn:aws:ec2:REGION:ACCOUNTNUMBER:security-group/*"
         ]
      },
      {
         "Sid": "EC2VpcNonresourceSpecificActions",
         "Effect": "Allow",
         "Action": [
            "ec2:DeleteNetworkAcl",
            "ec2:DeleteNetworkAclEntry",
            "ec2:DeleteRoute",
            "ec2:DeleteRouteTable",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:DeleteSecurityGroup"
         ],
         "Resource": "*",
         "Condition": {
            "StringEquals": {
               "ec2:vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
            }
         }
      }
   ]
}

Attach the policy to a user, group, or role

  1. In the AWS IAM console navigation pane, choose Users (you also can do this for Groups or Roles).
  2. Choose the user, group, or role that you want to attach the policy to.
  3. Choose Policy type and then choose Customer Managed Policies to narrow the scope of the policies listed.
  4. Choose the policy created in step 2 and then choose Attach Policy.

When you attach this custom policy to a user, group, or role, it allows that entity to:

  • Open the EC2 dashboard in the AWS Management Console and list resources (ec2:Describe* is granted on all resources, so this read-only view is not limited to the designated VPC).

Launch an EC2 instance, provided that the entity (or a member of the group):

  • Specifies a subnet that belongs to the designated VPC.
  • Specifies the allowed instance profile.

Perform the following actions on an EC2 instance that carries the designated instance profile:

  • Start the instance
  • Stop the instance
  • Reboot the instance
  • Terminate the instance
  • Attach a volume to the instance
  • Detach a volume from the instance

Perform the following actions within the designated VPC:

  • Delete security groups
  • Delete routes
  • Delete route tables
  • Delete network ACLs
  • Delete ACL entries
  • Authorize and revoke security group ingress and egress rules
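To see how the conditions in this policy interlock before you attach it, the following Python script, added here as an illustration and not part of the original article or of any AWS tool, runs a deliberately simplified evaluation (Allow statements, StringEquals conditions and wildcard resources only; no Deny, permissions-boundary or SCP logic) over a trimmed copy of the three RunInstances statements. The account ID, region, VPC ID, role name and resource IDs are made-up placeholders, and the per-resource condition keys in the request are those IAM supplies for RunInstances: ec2:InstanceProfile on the instance resource (only when a profile is passed) and ec2:Vpc on the subnet and security-group resources.

```python
"""Simplified local check of the VPC-lockdown policy's RunInstances conditions.

Example code, not from the AWS Knowledge Center article. Only Allow statements,
StringEquals conditions and wildcard resource matching are modelled.
"""
import fnmatch

ACCOUNT = "111122223333"                      # placeholder account ID
REGION = "us-east-1"                          # placeholder region
VPC_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/vpc-0a1b2c3d"          # the designated VPC
OTHER_VPC_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/vpc-0fffffff"    # some other VPC
PROFILE_ARN = f"arn:aws:iam::{ACCOUNT}:instance-profile/VpcLockdownRole"
INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*"   # instance ID is unknown at launch
SUBNET_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-0aaa"

# Trimmed copy of the article's three RunInstances statements, same conditions.
POLICY = [
    {"Sid": "EC2RunInstances", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": INSTANCE_ARN,
     "Condition": {"StringEquals": {"ec2:InstanceProfile": PROFILE_ARN}}},
    {"Sid": "EC2RunInstancesSubnet", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/*",
     "Condition": {"StringEquals": {"ec2:vpc": VPC_ARN}}},
    {"Sid": "RemainingRunInstancePermissions", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": [f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/*",
                  f"arn:aws:ec2:{REGION}::image/*",
                  f"arn:aws:ec2:{REGION}::snapshot/*",
                  f"arn:aws:ec2:{REGION}:{ACCOUNT}:network-interface/*",
                  f"arn:aws:ec2:{REGION}:{ACCOUNT}:key-pair/*",
                  f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/*"]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, action, resource, context):
    """True if this Allow statement matches (action, resource, context).

    Action names and condition keys are case-insensitive, as in IAM; ARNs are
    not. A condition key missing from the request context makes StringEquals
    fail, which is why an instance launched without the profile is denied.
    """
    if stmt.get("Effect", "Allow") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    ctx = {k.lower(): v for k, v in context.items()}
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key.lower()) != wanted:
            return False
    return True


def run_instances_allowed(policy, resources):
    """RunInstances succeeds only if every resource ARN it touches is allowed.

    `resources` maps each ARN to the condition keys IAM supplies for it.
    Returns (allowed, list_of_denied_arns).
    """
    denied = [arn for arn, ctx in resources.items()
              if not any(statement_allows(s, "ec2:RunInstances", arn, ctx) for s in policy)]
    return (not denied, denied)


def run_instances_request(subnet_vpc_arn, instance_profile_arn):
    """Hypothetical RunInstances request: one subnet, one AMI, one security group."""
    instance_ctx = {"ec2:InstanceProfile": instance_profile_arn} if instance_profile_arn else {}
    return {
        INSTANCE_ARN: instance_ctx,
        SUBNET_ARN: {"ec2:Vpc": subnet_vpc_arn},
        f"arn:aws:ec2:{REGION}::image/ami-0123456789abcdef0": {},
        f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/sg-0ccc": {"ec2:Vpc": subnet_vpc_arn},
    }


if __name__ == "__main__":
    cases = [("designated VPC, designated profile", run_instances_request(VPC_ARN, PROFILE_ARN)),
             ("subnet in another VPC", run_instances_request(OTHER_VPC_ARN, PROFILE_ARN)),
             ("no instance profile", run_instances_request(VPC_ARN, None))]
    for label, request in cases:
        ok, denied = run_instances_allowed(POLICY, request)
        print(f"{label}: {'ALLOWED' if ok else 'DENIED on ' + ', '.join(denied)}")
```

The run shows what pins the launch to the VPC: the subnet statement carries the ec2:vpc condition, while the security-group resource in the article's policy carries none. That is acceptable in practice because EC2 rejects a security group that does not belong to the same VPC as the subnet, but the subnet condition is the one doing the security work, so keep it intact when you edit the policy. For a check against the real service, run the same launch with `aws ec2 run-instances --dry-run` as the restricted entity and compare the DryRunOperation and UnauthorizedOperation responses with what this script predicts.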


Published: 2015-12-08

Updated: 2017-10-02