I am writing an IAM policy to deploy EC2 instances from the CLI, and I don't want to give EC2 full access. Following the principle of least privilege, what are the permissions required to provision EC2 instances?
It depends on whether you want them to launch from the console or the CLI.
For the console, according to the docs, the following policy is suited:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeImages",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups",
                    "ec2:CreateSecurityGroup",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateKeyPair"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": "*"
            }
        ]
    }
For the CLI, the policies are shown here.
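For the least-privilege goal in the question, it helps to see which statements of a policy grant an action on every resource with nothing narrowing it. The following is an added example, not part of the answer or of the AWS docs: it embeds the console policy quoted above and runs a small heuristic check over it. The function names `as_list` and `unscoped_grants` are hypothetical.

```python
import fnmatch

# Console policy from the answer above, embedded (condensed) so this runs offline.
CONSOLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeKeyPairs",
                    "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
                    "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateKeyPair"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    ],
}


def as_list(value):
    """IAM accepts a single string/object wherever it accepts a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def unscoped_grants(policy, action):
    """Indexes of Allow statements granting `action` on Resource "*" with no
    Condition. Heuristic only: NotResource and broad ARN patterns such as
    arn:aws:ec2:*:*:* are not evaluated."""
    def matches(pattern):
        # IAM action names are case-insensitive; * and ? act as wildcards.
        return fnmatch.fnmatchcase(action.lower(), pattern.lower())

    hits = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and conditioned grants are out of scope here
        if "NotAction" in stmt:
            granted = not any(matches(p) for p in as_list(stmt["NotAction"]))
        else:
            granted = any(matches(p) for p in as_list(stmt.get("Action", [])))
        if granted and "*" in as_list(stmt.get("Resource", [])):
            hits.append(i)
    return hits


if __name__ == "__main__":
    for act in ("ec2:RunInstances", "ec2:CreateKeyPair", "ec2:TerminateInstances"):
        print(act, "-> unscoped in statements", unscoped_grants(CONSOLE_POLICY, act))
```

A hit marks a statement to review, for example by narrowing `Resource` to specific ARNs or adding a `Condition`.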