What are the minimum permissions needed to start an EC2 instance?

What are the least privileges needed to start an EC2 instance? I can get it to work with ec2:*,

but when I try to limit the policy with the following, the creation fails:

        - Sid: EC2GuardRail
          Effect: Allow
          Action:
            - 'ec2:RunInstances'           # corrected: the action name is plural ('ec2:RunInstance' is not a valid action)
            - 'iam:PassRole'
            - 'ec2:DescribeSubnets'
            - 'ec2:DescribeSecurityGroups'
            - 'ec2:DescribeInstances'
            - 'ec2:DescribeInstanceTypes'  # corrected from 'ec2:DescribeInstancesTypes'
            - 'ec2:CreateTags'
            - 'ec2:DescribeImages'
            - 'ec2:DescribeKeyPairs'
            - 'ec2:DescribeVpcs'
            - 'ec2:CreateSecurityGroup'
            - 'ec2:AuthorizeSecurityGroupIngress'
            - 'ec2:CreateKeyPair'
            - 'ec2:TerminateInstances'     # corrected from 'ec2:TerminateInstance'
          Resource:
            - '*'

1 Answer

Hello,

To start an EC2 instance, the only Action I see that you're missing is ec2:StartInstances.

In regards to minimum permissions for starting an instance, I would recommend allowing:

ec2:StartInstances
ec2:DescribeInstances

You may also want to grant ec2:StopInstances if you want to allow a user to also stop the instance.

You could also limit the scope to only the user who created the instance or instances that match a specific tag. See here for additional documentation on that: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_tag-owner.html

AWS
EXPERT
Chris_G
answered 2 years ago
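A least-privilege policy for the start/stop case described in the answer above, scoped to instances tagged with the caller's own user name as in the linked tag-owner example (an added illustration, not part of the original question or answer; the tag key `Owner` and the instance-only ARN pattern are assumptions, and the Describe actions need `Resource: "*"` because they do not support resource-level permissions):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartStopOwnInstancesOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "${aws:username}"
        }
      }
    },
    {
      "Sid": "ListInstancesForConsoleAndCli",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    }
  ]
}
```

The `ec2:ResourceTag/Owner` condition means a caller can only start or stop instances carrying an `Owner` tag equal to their IAM user name; instances without that tag, or tagged for someone else, are denied, which is the guard rail the original `ec2:*` grant lacked.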
