Choose the JSON tab, and then enter the following custom policy:
{ "Version": "2012-10-17",
"Statement": [
{
"Sid": "GrantIAMPassRoleOnlyForEC2",
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME",
"arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
},
{
"Sid": "ReadOnlyEC2WithNonResource",
"Action": [
"ec2:Describe*",
"iam:ListInstanceProfiles"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "ModifyingEC2WithNonResource",
"Action": [
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "RunInstancesWithTagRestrictions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:REGION:ACCOUNTNUMBER:instance/*",
"arn:aws:ec2:REGION:ACCOUNTNUMBER:volume/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/TAG-KEY": "TAG-VALUE"
}
}
},
{
"Sid": "RemainingRunInstancePermissionsNonResource",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:REGION::image/*",
"arn:aws:ec2:REGION::snapshot/*",
"arn:aws:ec2:REGION:ACCOUNTNUMBER*:network-interface/*",
"arn:aws:ec2:REGION:ACCOUNTNUMBER*:key-pair/*",
"arn:aws:ec2:REGION:ACCOUNTNUMBER*:security-group/*"
]
},
{
"Sid": "EC2RunInstancesVpcSubnet",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:subnet/*",
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
}
}
},
{
"Sid": "EC2VpcNonResourceSpecificActions",
"Effect": "Allow",
"Action": [
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:CreateNetworkInterfacePermission",
"ec2:CreateRoute",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
}
}
},
{
"Sid": "AllowInstanceActionsTagBased",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:AssociateIamInstanceProfile",
"ec2:DisassociateIamInstanceProfile",
"ec2:GetConsoleScreenshot",
"ec2:ReplaceIamInstanceProfileAssociation"
],
"Resource": [
"arn:aws:ec2:REGION:ACCOUNTNUMBER:instance/*",
"arn:aws:ec2:REGION:ACCOUNTNUMBER:volume/*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/TAG-KEY": "TAG-VALUE"
}
}
},
{
"Sid": "AllowCreateTagsOnlyLaunching",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:REGION:ACCOUNTNUMBER:instance/*",
"arn:aws:ec2:REGION:ACCOUNTNUMBER:volume/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
}
]
}
Note: Replace the ACCOUNTNUMBER, REGION, TAG-KEY, TAG-VALUE, VPC-ID, and ROLENAME parameters with your values.