How can I restrict access to launch Amazon EC2 instances from only tagged AMIs?

Resolution

To restrict users' access to launch EC2 instances using tagged AMIs, create an AMI from an existing instance—or use an existing AMI—and then add a tag to the AMI. Then, create a custom AWS Identity and Access Management (IAM) policy with a tag condition that restricts users' permissions to launch only instances that use the tagged AMI.

In this example IAM policy, there are three statement IDs (Sids):

• Sid ReadOnlyAccess allows users to view any EC2 resources in your account using Describe*, which includes all the EC2 actions that begin with Describe. Sid ReadOnlyAccess also allows users to get console output and screenshots of an EC2 instance. For more information, see GetConsoleOutput and GetConsoleScreenshot. The Amazon CloudWatch permissions for DescribeAlarms and GetMetricStatistics allow basic health information about EC2 instances to appear in the Amazon EC2 console. The IAM permission for ListInstanceProfiles allows the existing instance profiles to display in the IAM role list on the Configure Instance Details page when launching an EC2 instance. However, the ListInstanceProfiles API doesn't allow users to attach an IAM role to an EC2 instance.
• Sid ActionsRequiredtoRunInstancesInVPC grants users permission to perform the RunInstances API using any instance, key pair, security group, volume, network interface, or subnet in the us-east-1 Region using resource-level permissions by specifying the ARN for each resource.
• Sid LaunchingEC2withAMIsAndTags allows users to launch EC2 instances using an AMI if the AMI has a tag Environment with value set to Prod, and the AMI is in the us-east-1 Region. Resource-level permission is set to an ARN for any AMI that is in us-east-1 Region, and the condition matches the value of EC2:ResourceTag/Environment tag key and key value Prod.

The following IAM policy uses resource-level permissions for the required resources for the RunInstances API action. For more information about the required resources for RunInstances, see Supported resource-level permissions.

Note:

• This policy allows users to list roles when launching an EC2 instance, but users aren't able to launch an instance with a role attached unless they have the iam:PassRole permission.
• This policy doesn't allow users to create new security groups. Users must select an existing security group to launch an EC2 instance unless users have the EC2 CreateSecurityGroup permission. The EC2:CreateSecurityGroup API action grants access to create only a security group—this action doesn't add or modify any rules. To add inbound rules, users must have permissions to the inbound EC2 AuthorizeSecurityGroupIngress API action and the outbound EC2 AuthorizeSecurityGroupEgress API action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:GetConsole*",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "iam:ListInstanceProfiles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ActionsRequiredtoRunInstancesInVPC",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:AccountId:instance/*",
        "arn:aws:ec2:us-east-1:AccountId:key-pair/*",
        "arn:aws:ec2:us-east-1:AccountId:security-group/*",
        "arn:aws:ec2:us-east-1:AccountId:volume/*",
        "arn:aws:ec2:us-east-1:AccountId:network-interface/*",
        "arn:aws:ec2:us-east-1:AccountId:subnet/*"
      ]
    },
    {
      "Sid": "LaunchingEC2withAMIsAndTags",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1::image/ami-*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "Prod"
        }
      } 
    }
  ]
}