Showing posts from December, 2010

IAM policy for controlling EC2 with specific tags

Currently, the EC2:DESCRIBE* IAM actions do not support resource-level permissions, which makes it difficult to filter EC2 instances based on who created them (see: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html). However, we can prevent users from terminating, stopping or starting EC2 instances which are not tagged to them (see the IAM policy below).

Step 1: Use the approach described in this blog post, tagging instances at launch, to achieve something similar to what you are looking for (see: https://blogs.aws.amazon.com/net/post/Tx2CCTE5QGSFDUW/Tagging-Amazon-EC2-Instances-at-Launch).

Step 2: Limit who can stop/terminate/start the instance with an IAM policy along these lines:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "StmtAllowDescribeOnEC2", "Effect": "Allow", "Action": [ "ec2:Describe*...