
How to manage visibility of EC2 userdata in AWS Console


The AWS EC2 Dashboard allows users to view/change the userdata for any given EC2 instance via

Actions -> Instance Settings -> View/Change User Data

Is there an AWS IAM action that can restrict this feature from users of the Console?


Solution

Amazon EC2 User Data is retrieved via the DescribeInstanceAttribute API call. You can create a policy to DENY such permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "NoAttributes",
                "Effect": "Deny",
                "Action": [
                    "ec2:DescribeInstanceAttribute"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }

However, there is a risk that denying this permission might have some unintended side-effects because it will also block access to other attributes. So, make sure you test it.

It's also worth pointing out that User Data is only executed the first time the instance boots ("once per instance-id"). So, even if users have the ability to edit the User Data, it won't actually be executed after the first boot.
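An added example, not part of the question or answer above: a small offline evaluator of the simplified IAM decision logic (explicit Deny wins over Allow, otherwise implicit deny), used to check that the Deny statement from the answer blocks `ec2:DescribeInstanceAttribute` even when a broader `ec2:Describe*` Allow is present, while leaving other Describe calls untouched. The `ReadOnlyEC2` Allow statement is an assumption constructed for the demo; conditions, NotAction/NotResource and principal scoping are not modelled.

```python
import fnmatch
import json

# Constructed sample policy: the Deny from the answer combined with a typical
# read-only Allow (the Allow statement is an assumption, not from the answer).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnlyEC2", "Effect": "Allow",
     "Action": ["ec2:Describe*"], "Resource": ["*"]},
    {"Sid": "NoAttributes", "Effect": "Deny",
     "Action": ["ec2:DescribeInstanceAttribute"], "Resource": ["*"]}
  ]
}
""")


def _as_list(value):
    # IAM allows "Action"/"Resource" to be a single string or a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action and resource matching is case-insensitive and supports * and ?.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower())
               for p in _as_list(patterns))


def evaluate(policy, action, resource="*"):
    """Simplified IAM evaluation: an explicit Deny wins, then Allow,
    otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny short-circuits everything else
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Every attribute read (userData, instanceType, ...) goes through the same
    # action, so the Deny blocks all of them; other Describe calls still work.
    for act in ("ec2:DescribeInstanceAttribute", "ec2:DescribeInstances",
                "ec2:ModifyInstanceAttribute"):
        print(f"{act}: {evaluate(POLICY, act)}")
```

Run against an account for real with `aws iam simulate-principal-policy`, since the console relies on the same action names and the effect of a Deny on other attribute reads only shows up in testing.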