
I looked through the official docs and couldn't seem to find any reference as to which permissions the IAM user needs in order to be able to use this command.

I want the IAM user to only be able to create images for this one particular instance, so I had my policy set up like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt999",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateImage"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:<my account id>:instance/<my instance id>"
      ]
    }
  ]
}

But I kept getting Access Denied errors when using the EC2 CLI. I changed the Resource part to just "*" and now it works, but now my IAM user can create AMIs (and therefore cause reboots) of any EC2 instance in my account.

How can I lock this down?

wwarren

4 Answers

Unfortunately you can't lock this down on a resource level at the moment. There are a bunch of EC2 actions that don't support resource-level permissions, and ec2:CreateImage is one of them.

Bazze

  • Boo! Well let's hope they eventually allow for that - I don't like to grant overly broad permissions. Thanks for the link – wwarren Mar 03 '15 at 21:20
  • @wwarren: Let's certainly hope so, I couldn't agree more. When it comes to permissions, stars are rarely ideal. – Bazze Mar 03 '15 at 21:26
  • I think I just threw up in my mouth a little bit. This is so unfortunate. – Justin Fortier Mar 12 '21 at 16:48

Creating an image also involves creating snapshots for that instance. The IAM policy below should work.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateSnapshot",
        "ec2:CreateImage"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
bryan kennedy
nkryption

CreateImage now supports resource-level policies. The following policy allows creating an image, but only for the specified instance id:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateImage",
            "Effect": "Allow",
            "Action": "ec2:CreateImage",
            "Resource": "arn:aws:ec2:*::image/*"
        },
        {
            "Sid": "RestrictCreateImageToInstance",
            "Effect": "Allow",
            "Action": "ec2:CreateImage",
            "Resource": "arn:aws:ec2:*:999999999999:instance/i-999999999"
        }
    ]
}

Update the account number and instance id to suit your requirements. You could also restrict this based on the instance tags:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateImage",
            "Effect": "Allow",
            "Action": "ec2:CreateImage",
            "Resource": "arn:aws:ec2:*::image/*"
        },
        {
            "Sid": "RestrictCreateImageToInstances",
            "Effect": "Allow",
            "Action": "ec2:CreateImage",
            "Resource": "arn:aws:ec2:*:999999999999:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Name": "Test"
                }
            }
        }
    ]
}
            
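To see how the two policies in this answer behave before attaching them, here is an added example (not part of the answer, and not AWS code): a small offline evaluator that models just the pieces of IAM evaluation these policies use, namely Allow statements, "*"/"?" wildcards in Action and Resource, and a StringEquals condition on ec2:ResourceTag/<key>. It treats a CreateImage call as touching two resources, the source instance and the image-to-be, and requires an Allow for each. The account id, instance ids and the Name=Test tag are the placeholders from the answer; the image ARN and instance ids in the checks are constructed. Real IAM evaluation has many more rules (explicit Deny, policy variables, NotResource, other condition operators) and the call may touch further resources such as snapshots and volumes depending on the block device mapping, so use this only to reason about the policies, not as a substitute for the IAM policy simulator.

```python
import json
import re

# Placeholders taken from the answer; constructed, not real resources.
ACCOUNT = "999999999999"
REGION = "us-east-1"

# First policy from the answer: CreateImage only for one instance id.
INSTANCE_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCreateImage", "Effect": "Allow",
         "Action": "ec2:CreateImage", "Resource": "arn:aws:ec2:*::image/*"},
        {"Sid": "RestrictCreateImageToInstance", "Effect": "Allow",
         "Action": "ec2:CreateImage",
         "Resource": "arn:aws:ec2:*:999999999999:instance/i-999999999"}
    ]
}""")

# Second policy from the answer: CreateImage only for instances tagged Name=Test.
TAG_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCreateImage", "Effect": "Allow",
         "Action": "ec2:CreateImage", "Resource": "arn:aws:ec2:*::image/*"},
        {"Sid": "RestrictCreateImageToInstances", "Effect": "Allow",
         "Action": "ec2:CreateImage",
         "Resource": "arn:aws:ec2:*:999999999999:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Name": "Test"}}}
    ]
}""")


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def pattern_matches(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    Every other character is literal, so no regex metacharacters leak through."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def condition_holds(condition, resource_tags):
    """Only StringEquals on ec2:ResourceTag/<key> is modelled. Anything else is
    rejected loudly rather than silently treated as satisfied."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator}")
        for key, expected in pairs.items():
            if not key.startswith("ec2:ResourceTag/"):
                raise NotImplementedError(f"condition key {key}")
            tag_name = key[len("ec2:ResourceTag/"):]
            if resource_tags.get(tag_name) != expected:
                return False
    return True


def statement_allows(stmt, action, arn, resource_tags):
    """True if this Allow statement covers the action on this one resource."""
    if stmt.get("Effect") != "Allow":
        return False
    # Action names are matched case-insensitively; ARNs are not.
    if not any(pattern_matches(p, action, ignore_case=True)
               for p in _as_list(stmt["Action"])):
        return False
    if not any(pattern_matches(p, arn) for p in _as_list(stmt["Resource"])):
        return False
    return condition_holds(stmt.get("Condition", {}), resource_tags)


def is_allowed(policy, action, resources):
    """resources maps each ARN the call touches to that resource's tags.
    The call is allowed only if some statement allows the action on every one
    of those resources (the tag condition is evaluated per resource)."""
    return all(
        any(statement_allows(s, action, arn, tags) for s in policy["Statement"])
        for arn, tags in resources.items()
    )


def create_image_resources(instance_id, instance_tags, account=ACCOUNT):
    """Resources a CreateImage call touches in this model: the source instance
    and the new AMI, whose id is not known yet, hence the wildcard image ARN."""
    return {
        f"arn:aws:ec2:{REGION}::image/*": {},
        f"arn:aws:ec2:{REGION}:{account}:instance/{instance_id}": instance_tags,
    }


if __name__ == "__main__":
    for iid in ("i-999999999", "i-888888888"):
        ok = is_allowed(INSTANCE_POLICY, "ec2:CreateImage",
                        create_image_resources(iid, {}))
        print(f"instance policy, {iid}: {'allowed' if ok else 'denied'}")
    for tags in ({"Name": "Test"}, {"Name": "Prod"}, {}):
        ok = is_allowed(TAG_POLICY, "ec2:CreateImage",
                        create_image_resources("i-0abc", tags))
        print(f"tag policy, tags={tags!r}: {'allowed' if ok else 'denied'}")
```

The check that matters for the question is the per-resource one in `is_allowed`: a statement that names only the instance ARN leaves the image resource uncovered, which is why both policies in the answer carry a separate `arn:aws:ec2:*::image/*` statement.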

You can't lock/limit CreateImage on the resource level, and @nkryption's answer was right. http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html

Ryan