IAM policy for controlling EC2 with specific tags

Currently, the ec2:Describe* IAM actions do not support resource-level permissions, which makes it difficult to filter the EC2 instances a user can see based on who created them.
(see: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html)


However, we can prevent users from terminating, stopping or starting EC2 instances that are not tagged to them (see the IAM policy below).


Step 1: Use the approach described in this blog post to tag instances at launch, which gives you something close to what you are looking for:
(See: https://blogs.aws.amazon.com/net/post/Tx2CCTE5QGSFDUW/Tagging-Amazon-EC2-Instances-at-Launch)


Step 2: Limit who can stop/terminate/start the instance.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StmtAllowDescribeOnEC2",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowModifyForEc2OwnerTagOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": "arn:aws:ec2:ap-southeast-1:408917696499:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/ec2_owner": "${aws:username}"
        }
      }
    }
  ]
}

Here ec2_owner is the name of the tag that must be applied when the instance is created, whether via the EC2 console, the management APIs or the CLI. An instance that carries no ec2_owner tag matches neither user, so nobody covered only by this policy can stop, start or terminate it.

Or, you can be a bit stricter and add logic inside the EC2 instance that checks "do I have an ec2_owner tag on me?" and, if the answer is "No", terminates itself.
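To see how the two statements above behave for concrete requests without touching a real account, here is a small offline evaluator (an added example, not code from the original post or from AWS). It mimics IAM's default-deny evaluation for the policy's Allow statements with a StringEquals condition on ec2:ResourceTag/ec2_owner and ${aws:username}, and it shows the point made in Step 2 and in the "missing tag" case: Describe* is allowed on every instance regardless of tags, a stop/start/terminate call succeeds only when the tag equals the caller's user name, and an untagged instance is denied to everyone. The account ID and instance ID are constructed placeholders, and only the StringEquals operator is implemented.

```python
"""Offline simulator of the tag-based IAM condition in the policy above.

Constructed example: this is not the AWS policy engine and not boto3; it
implements just enough of IAM's evaluation (default deny, Allow statements,
wildcard Action/Resource matching, StringEquals on ec2:ResourceTag/<key>)
to exercise the two statements on sample requests.
"""
from fnmatch import fnmatchcase

# The page's policy, with the account ID replaced by a placeholder value.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StmtAllowDescribeOnEC2",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": ["*"],
        },
        {
            "Sid": "AllowModifyForEc2OwnerTagOnly",
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances", "ec2:StopInstances", "ec2:StartInstances"],
            "Resource": "arn:aws:ec2:ap-southeast-1:123456789012:instance/*",  # placeholder account
            "Condition": {"StringEquals": {"ec2:ResourceTag/ec2_owner": "${aws:username}"}},
        },
    ],
}

# Constructed instance ARN used by the usage example below.
INSTANCE_ARN = "arn:aws:ec2:ap-southeast-1:123456789012:instance/i-0123456789abcdef0"


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, username, tags):
    """Evaluate a Condition block; only StringEquals on ec2:ResourceTag/* is supported."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            if not key.startswith("ec2:ResourceTag/"):
                raise NotImplementedError(f"condition key {key} not modelled here")
            tag_key = key[len("ec2:ResourceTag/"):]
            # Policy variable substitution, as IAM does for ${aws:username}.
            expected = expected.replace("${aws:username}", username)
            # A missing tag can never satisfy StringEquals, so the statement
            # simply does not apply and IAM falls back to its default deny.
            if tags.get(tag_key) != expected:
                return False
    return True


def is_allowed(policy, username, action, resource_arn, tags):
    """Return True if any Allow statement matches the request; default is deny."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource_arn, p) for p in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], username, tags):
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: user "alice" against instances with different tags.
    cases = [
        ("ec2:DescribeInstances", {}),                 # describe sees everything
        ("ec2:StopInstances", {"ec2_owner": "alice"}),  # owner may stop
        ("ec2:StopInstances", {"ec2_owner": "bob"}),    # someone else's instance
        ("ec2:StopInstances", {}),                      # untagged instance
        ("ec2:RebootInstances", {"ec2_owner": "alice"}),  # action not granted at all
    ]
    for action, tags in cases:
        print(f"{action:24s} tags={tags!s:24s} -> "
              f"{'ALLOW' if is_allowed(POLICY, 'alice', action, INSTANCE_ARN, tags) else 'DENY'}")
```

Running the block prints one ALLOW/DENY line per sample request; the untagged-instance row is the case the self-termination idea targets, since such an instance is invisible to this policy's stop/start/terminate grant for every user.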
