How do I restrict access so that users launch Amazon EC2 instances from only tagged AMIs?


I want to restrict user access so that users launch Amazon Elastic Compute Cloud (Amazon EC2) instances only from tagged Amazon Machine Images (AMIs).

Resolution

To restrict access so that users launch EC2 instances only from tagged AMIs, take one of the following actions:

  • Create an AMI from an existing instance.
  • Use an existing AMI, and then add a tag to the AMI.

Then, create a custom AWS Identity and Access Management (IAM) policy. The IAM policy uses a tag condition that restricts user permissions to launch only instances that use the tagged AMI.

In the following example IAM policy, these Sid (statement ID) values are used:

  • ReadOnlyAccess allows users to view EC2 resources in your account through ec2:Describe*, which covers every EC2 action whose name begins with Describe. ReadOnlyAccess also allows users to get the console output and console screenshots of an instance. The Amazon CloudWatch permissions for DescribeAlarms and GetMetricStatistics allow health information about instances to appear in the Amazon EC2 console. The IAM permission for ListInstanceProfiles allows the existing instance profiles to display in the IAM role list. The IAM role list appears on the Configure Instance Details page when you launch an instance. However, the ListInstanceProfiles API doesn't allow users to attach an IAM role to an instance.
  • ActionsRequiredtoRunInstancesInVPC grants users permission to call the RunInstances API. Users can use any instance, key pair, security group, volume, network interface, or subnet in the us-east-1 AWS Region. Resource-level permissions specify the ARN for each of these resources.
  • LaunchingEC2withAMIsAndTags allows users to launch instances from an AMI. The AMI must have an Environment tag with the value set to Prod and must be in the us-east-1 Region. The resource-level permission is an ARN that matches any AMI in the us-east-1 Region. The condition matches the ec2:ResourceTag/Environment tag key against the value Prod.

The following IAM policy uses supported resource-level permissions for the required resources for the RunInstances API action.

Note:

  • This policy allows users to list roles when they're launching an instance. However, users can launch an instance with an attached role only when they also have the iam:PassRole permission.
  • This policy doesn't allow users to create new security groups. Unless users have the ec2:CreateSecurityGroup permission, they must select an existing security group to launch an EC2 instance. The ec2:CreateSecurityGroup API action grants access only to create a security group; it doesn't add or modify any rules. To add rules, users must also have permission for the AuthorizeSecurityGroupIngress EC2 API action (inbound rules) and the AuthorizeSecurityGroupEgress EC2 API action (outbound rules).
  • This policy doesn't allow users to set the instance name or to add or modify tags on the EC2 instance resource. Unless users have the ec2:CreateTags permission when they create the instance, they must leave the tags and the name blank.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:GetConsole*",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "iam:ListInstanceProfiles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ActionsRequiredtoRunInstancesInVPC",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:AccountId:instance/*",
        "arn:aws:ec2:us-east-1:AccountId:key-pair/*",
        "arn:aws:ec2:us-east-1:AccountId:security-group/*",
        "arn:aws:ec2:us-east-1:AccountId:volume/*",
        "arn:aws:ec2:us-east-1:AccountId:network-interface/*",
        "arn:aws:ec2:us-east-1:AccountId:subnet/*"
      ]
    },
    {
      "Sid": "LaunchingEC2withAMIsAndTags",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1::image/ami-*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "Prod"
        }
      }
    }
  ]
}
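To see how the tag condition above actually decides a launch, the following added example (written for this page, not AWS code) is a small offline evaluator that applies the article's policy to constructed RunInstances requests. It models only what this policy needs: '*' and '?' matching on actions and ARNs, and a StringEquals condition on ec2:ResourceTag/<key>. The account placeholder AccountId, the AMI IDs, key-pair, security-group and subnet names are all constructed; real IAM evaluation also involves identity, resource and SCP policies that are not modelled here.

```python
"""Added example (not from the article): a simplified, offline IAM evaluator
that shows how the article's tag condition decides ec2:RunInstances."""
import fnmatch

# The article's policy as a Python dict. "AccountId" is the article's own
# placeholder for the account number; no real identifiers are used here.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyAccess", "Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:GetConsole*", "cloudwatch:DescribeAlarms",
                    "cloudwatch:GetMetricStatistics", "iam:ListInstanceProfiles"],
         "Resource": "*"},
        {"Sid": "ActionsRequiredtoRunInstancesInVPC", "Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": ["arn:aws:ec2:us-east-1:AccountId:instance/*",
                      "arn:aws:ec2:us-east-1:AccountId:key-pair/*",
                      "arn:aws:ec2:us-east-1:AccountId:security-group/*",
                      "arn:aws:ec2:us-east-1:AccountId:volume/*",
                      "arn:aws:ec2:us-east-1:AccountId:network-interface/*",
                      "arn:aws:ec2:us-east-1:AccountId:subnet/*"]},
        {"Sid": "LaunchingEC2withAMIsAndTags", "Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:us-east-1::image/ami-*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Prod"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, text):
    # IAM action and ARN matching is case-insensitive and supports '*' and '?'.
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def _condition_holds(condition, resource_tags):
    # Only StringEquals on ec2:ResourceTag/<key> is modelled, which is all the
    # article's policy uses. A missing tag never satisfies StringEquals.
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.lower().startswith("ec2:resourcetag/"):
            raise NotImplementedError(f"condition key {key} not modelled")
        tag_key = key.split("/", 1)[1]
        if resource_tags.get(tag_key) != expected:
            return False
    return True


def _statement_matches(stmt, action, resource_arn, resource_tags):
    return (any(_glob(a, action) for a in _as_list(stmt["Action"]))
            and any(_glob(r, resource_arn) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), resource_tags))


def is_allowed(policy, action, resource_arn, resource_tags=None):
    """Simplified IAM logic: an explicit Deny wins, then any matching Allow, else deny."""
    resource_tags = resource_tags or {}
    matching = [s for s in policy["Statement"]
                if _statement_matches(s, action, resource_arn, resource_tags)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    return any(s["Effect"] == "Allow" for s in matching)


def can_run_instances(policy, resources):
    """RunInstances is authorised only if every resource ARN it touches is allowed.
    `resources` maps each ARN to that resource's tags (an empty dict if untagged)."""
    return all(is_allowed(policy, "ec2:RunInstances", arn, tags)
               for arn, tags in resources.items())


def launch_request(ami_arn, ami_tags, region="us-east-1"):
    # Constructed sample request: the non-AMI resources RunInstances needs in `region`.
    base = f"arn:aws:ec2:{region}:AccountId"
    return {
        f"{base}:instance/*": {},                      # the instance does not exist yet
        f"{base}:key-pair/constructed-key": {},
        f"{base}:security-group/sg-constructed": {},
        f"{base}:subnet/subnet-constructed": {},
        ami_arn: ami_tags,
    }


# Constructed AMI ARNs (not real AMIs).
PROD_AMI = "arn:aws:ec2:us-east-1::image/ami-0prodexample"
WEST_AMI = "arn:aws:ec2:us-west-2::image/ami-0westexample"

if __name__ == "__main__":
    print(can_run_instances(POLICY, launch_request(PROD_AMI, {"Environment": "Prod"})))  # True
    print(can_run_instances(POLICY, launch_request(PROD_AMI, {"Environment": "Dev"})))   # False
    print(can_run_instances(POLICY, launch_request(PROD_AMI, {})))                       # False: untagged
    print(can_run_instances(POLICY, launch_request(WEST_AMI, {"Environment": "Prod"},
                                                   region="us-west-2")))                 # False: wrong Region
    print(is_allowed(POLICY, "ec2:CreateTags",
                     "arn:aws:ec2:us-east-1:AccountId:instance/*"))                      # False: not granted
```

The evaluator makes the two points of the article concrete: an AMI with no Environment tag, or with any value other than Prod, fails the StringEquals condition and the whole RunInstances call is denied, and because RunInstances is authorised per resource, a correctly tagged AMI still isn't enough if the subnet or key pair is outside us-east-1. The last line shows why the notes above matter: nothing in the policy grants ec2:CreateTags, so naming or tagging the new instance at launch time is refused.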
2 Comments

What if I want to prevent any deployment of Ubuntu AMI instead, and my users are trying to deploy an AMI with no tags?

Hex
replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 10 months ago