What are the minimum permissions needed to start an EC2 instance


What are the least privileges needed to start an EC2 instance? I can get it to work with ec2:*,

but when I try to limit the policy to the following, the creation fails:

    - Sid: EC2GuardRail
      Effect: Allow
      Action:
        - 'ec2:RunInstance'
        - 'iam:PassRole'
        - 'ec2:DescribeSubnets'
        - 'ec2:DescribeSecurityGroups'
        - 'ec2:DescribeInstances'
        - 'ec2:DescribeInstancesTypes'
        - 'ec2:CreateTags'
        - 'ec2:DescribeImages'
        - 'ec2:DescribeKeyPairs'
        - 'ec2:DescribeVpcs'
        - 'ec2:CreateSecurityGroup'
        - 'ec2:AuthorizeSecurityGroupIngress'
        - 'ec2:CreateKeyPair'
        - 'ec2:RunInstance'
        - 'ec2:TerminateInstance'
      Resource:
        - '*'
1 answer

Hello,

To start an EC2 instance, the only Action I see that you're missing is ec2:StartInstances.

In regards to minimum permissions for starting an instance, I would recommend allowing:

ec2:StartInstances
ec2:DescribeInstances

You may also want to grant ec2:StopInstances if you want to allow a user to also stop the instance.

You could also limit the scope to only the user who created the instance or instances that match a specific tag. See here for additional documentation on that: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_tag-owner.html

AWS Expert
Chris_G
answered 2 years ago
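The answer's recommendation (ec2:StartInstances plus ec2:DescribeInstances, optionally ec2:StopInstances, scoped to instances the caller owns via a tag) written out as a policy, with a small offline check of what it grants. This is an added example, not code from the question, the answer or AWS: the policy document follows the tag-owner pattern in the linked AWS documentation, while `is_allowed` is a deliberately minimal model of IAM's Allow evaluation (single-account, no explicit Deny, StringEquals on `ec2:ResourceTag/` only) written here for illustration, not the real IAM engine. The instance ARN, the `Owner` tag and the user names are constructed sample values. One thing to keep in mind when writing such a policy: IAM action names must match exactly, and the EC2 actions are plural (`ec2:RunInstances`, `ec2:TerminateInstances`, `ec2:DescribeInstanceTypes`); an action string that does not exist grants nothing, and the Describe* calls have to be granted on `"*"` because they do not support resource-level permissions.

```python
"""Least-privilege start/stop policy for EC2, scoped by an Owner tag, plus a
toy allow-evaluator used to show which calls it does and does not permit.

Added example; the evaluator is a simplified model of IAM (Allow only,
StringEquals on ec2:ResourceTag/* only), not AWS's evaluation engine.
"""
import fnmatch
import json

# Constructed sample values, not real identifiers.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"


def build_policy() -> dict:
    """Policy granting start/stop only on instances tagged Owner=<caller>,
    and DescribeInstances on '*' (Describe* has no resource-level support)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartStopOwnInstances",
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances"],
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}
                },
            },
            {
                "Sid": "DescribeInstances",
                "Effect": "Allow",
                "Action": "ec2:DescribeInstances",
                "Resource": "*",
            },
        ],
    }


def policy_json() -> str:
    """The policy as the JSON document you would attach to a user or role."""
    return json.dumps(build_policy(), indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource_arn: str,
               resource_tags: dict, username: str) -> bool:
    """Toy evaluator: True if some Allow statement matches action, resource
    and every StringEquals condition on ec2:ResourceTag/<key>. Unknown
    condition keys fail closed. Pass resource_arn='*' for Describe* calls."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        satisfied = True
        for key, expected in conditions.items():
            expected = expected.replace("${aws:username}", username)
            if key.startswith("ec2:ResourceTag/"):
                tag_name = key.split("/", 1)[1]
                if resource_tags.get(tag_name) != expected:
                    satisfied = False
            else:
                satisfied = False  # condition key this toy model does not handle
        if satisfied:
            return True
    return False


if __name__ == "__main__":
    policy = build_policy()
    print(policy_json())
    tags = {"Owner": "alice"}  # constructed tag on the sample instance
    for user in ("alice", "bob"):
        print(user, "StartInstances:",
              is_allowed(policy, "ec2:StartInstances", INSTANCE_ARN, tags, user))
    print("alice RunInstances:",
          is_allowed(policy, "ec2:RunInstances", INSTANCE_ARN, tags, "alice"))
```

Running it shows the intended shape of least privilege: the owner can start and stop her own instance, a different user cannot touch it even though the action is allowed in the abstract, and launching new instances (ec2:RunInstances) is not granted at all, which is the difference between "start an instance" and the much broader policy in the question.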
