1
votes

I am writing an IAM policy to deploy EC2 instances from the CLI, and I don't want to give EC2 full access. Following the principle of least privilege, what are the permissions required to provision EC2 instances?

1 Answer

2
votes

It depends on whether you want them to launch from the console or the CLI.

For the console, according to the docs, the following policy is suited:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:CreateSecurityGroup",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateKeyPair"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "*"
        }
    ]
}

For the CLI, the policies are shown here.
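
The policy above allows `ec2:RunInstances` on `"Resource": "*"`. As an added example (not part of the original answer), this Python sketch rewrites such a statement into region- and account-scoped ARNs with an instance-type allow-list. The function names, the region, the account ID and the instance type are assumptions made for illustration, and the resource list covers a basic launch only.

```python
import copy
import json

# Resource types a basic RunInstances call touches besides the instance and AMI.
SUPPORTING = ["subnet", "network-interface", "volume", "key-pair", "security-group"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard_run_instances(stmt):
    """True for an unconditioned Allow of ec2:RunInstances on every resource."""
    return (stmt.get("Effect") == "Allow"
            and "ec2:RunInstances" in _as_list(stmt.get("Action", []))
            and "*" in _as_list(stmt.get("Resource", []))
            and "Condition" not in stmt)

def scope_run_instances(policy, region, account_id, instance_types):
    """Copy `policy`, narrowing wildcard RunInstances grants to one region and
    account and to an allow-list of instance types."""
    base = f"arn:aws:ec2:{region}:{account_id}"
    scoped = [
        # ec2:InstanceType is a property of the instance resource only, so the
        # condition sits in its own statement.
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": f"{base}:instance/*",
         "Condition": {"StringEquals": {"ec2:InstanceType": list(instance_types)}}},
        # AMI ARNs carry no account ID.
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": [f"arn:aws:ec2:{region}::image/ami-*"]
                     + [f"{base}:{kind}/*" for kind in SUPPORTING]},
    ]
    out = copy.deepcopy(policy)
    out["Statement"] = []
    for stmt in _as_list(policy["Statement"]):
        if not is_wildcard_run_instances(stmt):
            out["Statement"].append(copy.deepcopy(stmt))
            continue
        # Keep any other actions that shared the wildcard statement.
        others = [a for a in _as_list(stmt["Action"]) if a != "ec2:RunInstances"]
        if others:
            out["Statement"].append({**copy.deepcopy(stmt), "Action": others})
        out["Statement"].extend(copy.deepcopy(scoped))
    return out

if __name__ == "__main__":
    # Constructed input: the RunInstances statement from the answer's policy;
    # region, account ID and instance types are placeholder values.
    answer_policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}]}
    print(json.dumps(scope_run_instances(
        answer_policy, "us-east-1", "111122223333", ["t3.micro"]), indent=2))
```

Launches that tag on create, use launch templates or pass an instance profile need further actions and resources beyond what this scoping covers.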