Note: I think we'll want to use an administrator policy to create the service, then this policy to ensure no one can spin up a huge number of EC2 servers or something and drive bills up. Shouldn't be an issue, but this enforces it.
I think this policy is more open than it needs to be, especially around IAM (possible escalation vuln?), but it's late here and I've confirmed that it works at a high level.
Also, the visual editor makes things horribly unreadable. I'd want to hand-edit this to be somewhat maintainable.
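Added example (not the policy from the note above, which is not shown here): a small offline lint for the two concerns the note raises, namely that `ec2:RunInstances` should be fenced to cheap instance types and that the policy should not hand out IAM actions usable for privilege escalation. Both policy documents in the block are constructed stand-ins; the IAM action names and the `ec2:InstanceType` condition key are real AWS names, and the escalation list is the well-known set of self-grant primitives, not an exhaustive catalogue.

```python
"""Offline lint for an IAM policy document: flags IAM privilege-escalation
actions reachable through Allow statements and checks that ec2:RunInstances
is fenced by an ec2:InstanceType condition.  The two policies at the bottom
are constructed examples, not the policy discussed in the note."""
import fnmatch
import json

# IAM actions that let a principal widen its own permissions (well-known
# escalation primitives; illustrative, not exhaustive).
ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:PassRole",
}


def _listify(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_escalation_actions(policy):
    """Return the sorted escalation-capable actions any Allow statement grants."""
    found = set()
    for stmt in _listify(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction grants everything except the listed actions.
            excluded = _listify(stmt["NotAction"])
            for act in ESCALATION_ACTIONS:
                if not any(_matches(p, act) for p in excluded):
                    found.add(act)
            continue
        for pattern in _listify(stmt.get("Action")):
            for act in ESCALATION_ACTIONS:
                if _matches(pattern, act):
                    found.add(act)
    return sorted(found)


def _has_instance_type_condition(stmt, operator):
    cond = stmt.get("Condition", {})
    keys = {k.lower() for k in cond.get(operator, {})}
    return "ec2:instancetype" in keys


def run_instances_is_fenced(policy):
    """True if every Allow reaching ec2:RunInstances carries a StringEquals
    ec2:InstanceType condition, or an explicit Deny with StringNotEquals on
    ec2:InstanceType exists (or nothing grants RunInstances at all)."""
    allows, explicit_deny = [], False
    for stmt in _listify(policy.get("Statement")):
        effect = stmt.get("Effect")
        actions = _listify(stmt.get("Action"))
        reaches = any(_matches(p, "ec2:RunInstances") for p in actions)
        if effect == "Allow" and (reaches or "NotAction" in stmt):
            allows.append(stmt)
        elif effect == "Deny" and reaches and _has_instance_type_condition(stmt, "StringNotEquals"):
            explicit_deny = True
    if not allows or explicit_deny:
        return True
    return all(_has_instance_type_condition(s, "StringEquals") for s in allows)


def lint(policy):
    return {
        "escalation_actions": find_escalation_actions(policy),
        "run_instances_fenced": run_instances_is_fenced(policy),
    }


# Constructed "too open" policy of the kind the visual editor tends to produce.
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:*"], "Resource": "*"}]}

# Constructed hardened policy: read-only IAM, and RunInstances denied for any
# instance type outside the allowed list.  The Deny is scoped to the instance
# ARN because ec2:InstanceType is only present on that resource type; a
# StringNotEquals on "*" would also deny the subnet/AMI/SG parts of the call.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": ["ec2:Describe*", "iam:Get*", "iam:List*"], "Resource": "*"},
    {"Sid": "Launch", "Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:TerminateInstances"], "Resource": "*"},
    {"Sid": "OnlySmallInstances", "Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t3.micro", "t3.small"]}}}]}

if __name__ == "__main__":
    for name, pol in (("loose", LOOSE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(lint(pol), indent=2))
```

Note that an IAM policy cannot cap the number of instances directly (that is what service quotas and billing alarms are for); what it can do, as above, is pin the instance types and keep IAM write actions out of reach.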