Example Policies for Working in the Amazon EC2 Console
You can use IAM policies to grant users permissions to view and work with specific
resources in the Amazon EC2 console. You can use the example policies in the previous section;
however, they are designed for requests that are made with the AWS CLI, the Amazon EC2 CLI, or an
AWS SDK. The console uses additional API actions for its features, so these policies may not
work as expected. For example, a user that has permission to use only the
DescribeVolumes API action will encounter errors when trying to view volumes
in the console. This section demonstrates policies that enable users to work with specific
parts of the console.
Note
To help you work out which API actions are required to perform tasks in the console, you can use a service such as AWS CloudTrail. For more information, see the AWS CloudTrail User Guide. If your policy does not grant permission to create or modify a specific resource, the console displays an encoded message with diagnostic information. You can decode the message using the DecodeAuthorizationMessage API action for AWS STS, or the decode-authorization-message command in the AWS CLI.
For additional information about creating policies for the Amazon EC2 console, see the following AWS Security Blog post: Granting Users Permission to Work in the Amazon EC2 Console.
Example 1: Read-only access
To allow users to view all resources in the Amazon EC2 console, you can use the same policy as the following example: 1: Read-only access. Users cannot perform any actions on those resources or create new resources, unless another statement grants them permission to do so.
a. View instances, AMIs, and snapshots
Alternatively, you can provide read-only access to a subset of resources. To do this,
replace the * wildcard in the ec2:Describe API action with specific
ec2:Describe actions for each resource. The following policy allows users
to view all instances, AMIs, and snapshots in the Amazon EC2 console. The
ec2:DescribeTags action allows users to view public AMIs. The console requires the tagging information to display public AMIs; however, you can remove
this action if you want users to view only private AMIs.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances", "ec2:DescribeImages",
"ec2:DescribeTags", "ec2:DescribeSnapshots"
],
"Resource": "*"
}
]
}
Note
Currently, the Amazon EC2 ec2:Describe* API actions do not support
resource-level permissions, so you cannot control which individual resources users can
view in the console. Therefore, the * wildcard is necessary in the
Resource element of the above statement. For more information about
which ARNs you can use with which Amazon EC2 API actions, see Supported Resource-Level Permissions for
Amazon EC2 API Actions.
b. View instances and CloudWatch metrics
The following policy allows users to view instances in the Amazon EC2 console, as well as CloudWatch
alarms and metrics in the Monitoring tab of the
Instances page. The Amazon EC2 console uses the CloudWatch API to
display the alarms and metrics, so you must grant users permission to use the
cloudwatch:DescribeAlarms and
cloudwatch:GetMetricStatistics actions.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}Example 2: Using the EC2 launch wizard
The Amazon EC2 launch wizard is a series of screens with options to configure and launch an instance. Your policy must include permission to use the API actions that allow users to work with the wizard's options. If your policy does not include permission to use those actions, some items in the wizard cannot load properly, and users cannot complete a launch.
a. Basic launch wizard access
To complete a launch successfully, users must be given permission to use the
ec2:RunInstances API action, and at least the following API actions:
ec2:DescribeImages: To view and select an AMI.ec2:DescribeVPCs: To view the available network options, which are EC2-Classic and a list of VPCs. This is required even if you are not launching into a VPC.ec2:DescribeSubnets: If launching into a VPC, to view all available subnets for the chosen VPC.ec2:DescribeSecurityGroups: To view the security groups page in the wizard. Users can select an existing security group.ec2:DescribeKeyPairsorec2:CreateKeyPair: To select an existing key pair, or create a new one.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances", "ec2:DescribeImages",
"ec2:DescribeKeyPairs","ec2:DescribeVpcs", "ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*"
}
]
}You can add API actions to your policy to provide more options for users, for example:
ec2:DescribeAvailabilityZones: If launching into EC2-Classic, to view and select a specific Availability Zone.ec2:DescribeNetworkInterfaces: If launching into a VPC, to view and select existing network interfaces for the selected subnet.ec2:CreateSecurityGroup: To create a new security group; for example, to create the wizard's suggestedlaunch-wizard-xsecurity group. However, this action alone only creates the security group; it does not add or modify any rules. To add inbound rules, users must be granted permission to use theec2:AuthorizeSecurityGroupIngressAPI action. To add outbound rules to VPC security groups, users must be granted permission to use theec2:AuthorizeSecurityGroupEgressAPI action. To modify or delete existing rules, users must be granted permission to use the relevantec2:RevokeSecurityGroup*API action.ec2:CreateTags: To add a tag to the instance. By default, the launch wizard attempts to add a tag with a key ofNameto an instance. Users that do not have permission to use this action will encounter a warning that this tag could not be applied to an instance; however, this does not affect the success of the launch, so you should only grant users permission to use this action if it's absolutely necessary.Important
Be careful about granting users permission to use the
ec2:CreateTagsaction. This limits your ability to use theec2:ResourceTagcondition key to restrict the use of other resources; users can change a resource's tag in order to bypass those restrictions.
Currently, the Amazon EC2 Describe* API actions do not support resource-level
permissions, so you cannot restrict which individual resources users can view in the
launch wizard. However, you can apply resource-level permissions on the
ec2:RunInstances API action to restrict which resources users can use to
launch an instance. The launch fails if users select options that they are not authorized
to use.
b. Restrict access to specific instance type, subnet, and region
The following policy allows users to launch m1.small instances using AMIs
owned by Amazon, and only into a specific subnet (subnet-1a2b3c4d). Users can
only launch in the sa-east-1 region. If users select a different region, or select a
different instance type, AMI, or subnet in the launch wizard, the launch fails.
The first statement grants users permission to view the options in the launch wizard,
as demonstrated in the example above. The second statement grants users permission to use
the network interface, volume, key pair, security group, and subnet resources for the
ec2:RunInstances action, which are required to launch an instance into a
VPC. For more information about using the ec2:RunInstances action, see 4: Launching instances (RunInstances). The third and fourth statements grant users
permission to use the instance and AMI resources respectively, but only if the instance is
an m1.small instance, and only if the AMI is owned by Amazon.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances", "ec2:DescribeImages",
"ec2:DescribeKeyPairs","ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action":"ec2:RunInstances",
"Resource": [
"arn:aws:ec2:sa-east-1:111122223333:network-interface/*",
"arn:aws:ec2:sa-east-1:111122223333:volume/*",
"arn:aws:ec2:sa-east-1:111122223333:key-pair/*",
"arn:aws:ec2:sa-east-1:111122223333:security-group/*",
"arn:aws:ec2:sa-east-1:111122223333:subnet/subnet-1a2b3c4d"
]
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:sa-east-1:111122223333:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType": "m1.small"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:sa-east-1::image/ami-*"
],
"Condition": {
"StringEquals": {
"ec2:Owner": "amazon"
}
}
}
]
}Example 3: Working with volumes
The following policy grants users permission to view and create volumes, and attach and detach volumes to specific instances.
Users can attach any volume to instances that have the tag
"purpose=test", and also detach volumes from those instances. To attach a
volume using the Amazon EC2 console, it is helpful for users to have permission to use the
ec2:DescribeInstances action, as this allows them to select an instance
from a pre-populated list in the Attach Volume dialog box. However,
this also allows users to view all instances on the Instances page in
the console, so you can omit this action.
In the first statement, the ec2:DescribeVolumeStatus and
ec2:DescribeAvailabilityZones actions are necessary to ensure that volumes
display correctly in the console.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeVolumes", "ec2:DescribeVolumeStatus",
"ec2:DescribeAvailabilityZones", "ec2:CreateVolume",
"ec2:DescribeInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:region:111122223333:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/purpose": "test"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:region:111122223333:volume/*"
}
]
}Example 4: Working with security groups
a. View security groups and add and remove rules
The following policy grants users permission to view security groups in the Amazon EC2
console, and to add and remove inbound and outbound rules for existing security groups
that have the tag Department=Test.
Note
You can't modify outbound rules for EC2-Classic security groups. For more information about security groups, see Amazon EC2 Security Groups for Linux Instances.
In the first statement, the ec2:DescribeTags action allows users to
view tags in the console, which makes it easier for users to identify the security groups
that they are allowed to modify.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups", "ec2:DescribeTags"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress"
],
"Resource": [
"arn:aws:ec2:region:111122223333:security-group/*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Department": "Test"
}
}
}
]
}b. Working with the Create Security Group dialog box
You can create a policy that allows users to work with the Create Security Group dialog box in the Amazon EC2 console. To use this dialog box, users must be granted permission to use at the least the following API actions:
ec2:CreateSecurityGroup: To create a new security group.ec2:DescribeVpcs: To view a list of existing VPCs in the VPC list. This action is required even if you are not creating a security group for a VPC.
With these permissions, users can create a new security group successfully, but they cannot add any rules to it. To work with rules in the Create Security Group dialog box, you can add the following API actions to your policy:
ec2:AuthorizeSecurityGroupIngress: To add inbound rules.ec2:AuthorizeSecurityGroupEgress: To add outbound rules to VPC security groups.ec2:RevokeSecurityGroupIngress: To modify or delete existing inbound rules. This is useful if you want to allow users to use the Copy to new feature in the console. This feature opens the Create Security Group dialog box and populates it with the same rules as the security group that was selected.ec2:RevokeSecurityGroupEgress: To modify or delete outbound rules for VPC security groups. This is useful to allow users to modify or delete the default outbound rule that allows all outbound traffic.ec2:DeleteSecurityGroup: To cater for scenarios where invalid rules cannot be saved. If a user creates a security group with an invalid rule, the console first creates the security group, then attempts to add the rules to it. After that fails, the security group is deleted. The user remains in the Create Security Group dialog box, where an error is displayed. The rules remain listed, so the user can correct the invalid rule and try to create the security group again. This API action is not required, but if a user is not granted permission to use it and attempts to create a security group with invalid rules, the security group is created without any rules, and the user must add them afterward.
Currently, the ec2:CreateSecurityGroup API action does not support
resource-level permissions; however, you can apply resource-level permissions to the
ec2:AuthorizeSecurityGroupIngress and
ec2:AuthorizeSecurityGroupEgress actions to control how users can create
rules.
The following policy grants users permission to use the Create Security
Group dialog box, and to create inbound and outbound rules for security
groups that are associated with a specific VPC (vpc-1a2b3c4d). Users can
create security groups for EC2-Classic or another VPC, but they cannot add any rules to
them. Similarly, users cannot add any rules to any existing security group that's not
associated with VPC vpc-1a2b3c4d. Users are also granted permission to view
all security groups in the console. This makes it easier for users to identify the
security groups to which they can add inbound rules. This policy also grants users
permission to delete security groups that are associated with VPC
vpc-1a2b3c4d.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups", "ec2:CreateSecurityGroup", "ec2:DescribeVpcs"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteSecurityGroup", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress"
],
"Resource": "arn:aws:ec2:region:111122223333:security-group/*",
"Condition":{
"ArnEquals": {
"ec2:Vpc": "arn:aws:ec2:region:111122223333:vpc/vpc-1a2b3c4d"
}
}
}
]
}Example 5: Working with Elastic IP addresses
The following policy grants users permission to view Elastic IP addresses in the Amazon EC2
console. The console uses the ec2:DescribeInstances action to display
information about instances with which the Elastic IP addresses are associated. If users
are not granted permission to use this action, the Elastic IP addresses page cannot load
properly.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeAddresses", "ec2:DescribeInstances"
],
"Resource": "*"
}
]
}To allow users to work with Elastic IP addresses, you can add the following actions to your policy
ec2:AllocateAddress: To allocate an address for use in VPC or EC2-Classic.ec2:ReleaseAddress: To release an Elastic IP address.ec2:DescribeNetworkInterfaces: To work with the Associate Address dialog box. The dialog box displays the available network interfaces to which you can associate an Elastic IP address, and will not open if users are not granted permission to use this action. However, this only applies to EC2-VPC; this action is not required for associating an Elastic IP address to an instance in EC2-Classic.ec2:AssociateAddress: To associate an Elastic IP address with an instance or a network interface.ec2:DisassociateAddress: To disassociate an Elastic IP address from an instance or a network interface,
Example 6: Working with Reserved Instances
The following policy can be attached to an IAM user. It gives the user access to view and modify Reserved Instances in your account, as well as purchase new Reserved Instances in the AWS Management Console.
This policy allows users to view all the Reserved Instances, as well as On-Demand Instances, in the account. It's not possible to set resource-level permissions for individual Reserved Instances.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeReservedInstances", "ec2:ModifyReservedInstances",
"ec2:PurchaseReservedInstancesOffering", "ec2:DescribeInstances",
"ec2:DescribeAvailabilityZones", "ec2:DescribeReservedInstancesOfferings"
],
"Resource": "*"
}
]
} The ec2:DescribeAvailabilityZones action is necessary to ensure that the
Amazon EC2 console can display information about the Availability Zones in which you
can purchase Reserved Instances. The ec2:DescribeInstances action
is not required, but ensures that the user can view the instances in the account
and purchase reservations to match the correct specifications.
You can adjust the API actions to limit user access, for example removing ec2:DescribeInstances
and ec2:DescribeAvailabilityZones means the user has read-only access.
