Below is an example IAM policy, with the accompanying AWS CLI commands, that lets IAM users create EC2 instances in a self-service manner while enforcing the following. The conditions key off the `${aws:username}` policy variable, which IAM populates only for IAM users; for federated users or assumed roles the same pattern works, but you would compare against `${aws:userid}` or a session tag (`${aws:PrincipalTag/...}`) instead.
- The user must supply an `owner` tag whose value is their own IAM username when launching the instance. A `RunInstances` call without that tag, or with a different value, is denied.
- Each user can start, stop and terminate only instances whose `owner` tag matches their IAM username; the check is made against the identity making the call, not against anything the user supplies in the request.
- The `owner` tag can only be applied as part of instance creation (via the `ec2:CreateAction` condition key). The policy grants no way to add, change or remove tags afterwards, so the ownership record cannot be rewritten.
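As an added illustration of those three rules, not the page's own policy, here is one way to express them as an IAM identity policy. It assumes the instance and its root volume are both tagged at launch via tag specifications, that the supporting launch resources (AMI, subnet, security group, key pair, network interface) are left unconstrained, and that region and account are wildcarded in the ARNs; tighten those to your own account and region in practice.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeEverything",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "LaunchOnlyWithOwnerTagEqualToCaller",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": { "aws:RequestTag/owner": "${aws:username}" },
        "ForAllValues:StringEquals": { "aws:TagKeys": [ "owner" ] }
      }
    },
    {
      "Sid": "LaunchSupportingResources",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "TagOnlyAsPartOfRunInstances",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances",
          "aws:RequestTag/owner": "${aws:username}"
        },
        "ForAllValues:StringEquals": { "aws:TagKeys": [ "owner" ] }
      }
    },
    {
      "Sid": "ManageOnlyOwnInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/owner": "${aws:username}" }
      }
    }
  ]
}
```

Two points worth checking when you adapt this. First, `ForAllValues:StringEquals` on `aws:TagKeys` is satisfied by an empty set, so on its own it would allow an untagged launch; the separate `aws:RequestTag/owner` condition is what forces the tag to be present, and both are needed. Second, because the volume ARN carries the same tag condition, a launch must tag the volumes as well as the instance (two `ResourceType` entries in `--tag-specifications`), otherwise the volume portion of `RunInstances` is denied. Tag mutation after launch is blocked by omission (no `ec2:CreateTags` without `ec2:CreateAction`, no `ec2:DeleteTags` at all); if other policies attached to the same users grant tagging, add an explicit `Deny` for those actions, since an allow elsewhere would otherwise win.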
Supported Resource-Level Permissions for Amazon EC2 API Actions