J'ai trouvé cette documentation AWS (le lien n'a pas survécu à l'extraction) : elle explique quelles actions de l'API EC2 ne prennent pas en charge les autorisations au niveau des ressources, ce qui est la raison pour laquelle la politique de ma question ne fonctionnait pas. La politique ci-dessous a fonctionné pour mon cas, après avoir déplacé dans des déclarations séparées les actions qui exigent `*` comme `Resource` (attention : cette liste d'actions évolue, et chaque `"Resource": "*"` accorde le droit sur toutes les régions du compte, pas seulement sur us-west-2) :
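// NOTE: IAM policy documents must be strict JSON -- delete every "//" line
// before pasting this into the console or the CLI, or it will be rejected.
// Intent: the user may only launch and manage micro instances in us-west-2.
// "Resource": "*" is used ONLY where an action cannot be scoped to an ARN,
// because "*" grants the action on every resource in every region.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      // Read-only visibility so the user can see instances in the console
      // (CloudWatch metrics are not included; add cloudwatch:* read actions
      // if you want them). Describe* does not support resource-level
      // permissions, so this necessarily reveals metadata for every region.
      "Sid": "DescribeInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      // Instance lifecycle, restricted by the ARN to us-west-2 instances and
      // by the ec2:InstanceType condition key to micro instance types only.
      "Sid": "MicroInstanceLifecycleUsWest2",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:us-west-2:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": [
            "t1.micro",
            "t2.micro"
          ]
        }
      }
    },
    {
      // RunInstances is authorized against every resource the launch touches
      // (AMI, subnet, ENI, volume, key pair, security group), not just the
      // instance. All of them are pinned to us-west-2 so the region limit in
      // the statement above cannot be bypassed. The account field is "*"
      // because public AMIs carry no account ID in their ARN.
      "Sid": "RunInstancesLaunchResourcesUsWest2",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:us-west-2:*:image/ami-*",
        "arn:aws:ec2:us-west-2:*:subnet/*",
        "arn:aws:ec2:us-west-2:*:network-interface/*",
        "arn:aws:ec2:us-west-2:*:volume/*",
        "arn:aws:ec2:us-west-2:*:key-pair/*",
        "arn:aws:ec2:us-west-2:*:security-group/*"
      ]
    },
    {
      // Security-group management. When this answer was first written these
      // actions had no resource-level support and needed "Resource": "*",
      // which let the user open ingress on ANY security group in ANY region
      // of the account. EC2 has since added resource-level permissions for
      // them (security-group, plus vpc for CreateSecurityGroup), so they are
      // pinned to us-west-2 here. If a call is denied, confirm the action's
      // current resource types in the Service Authorization Reference before
      // falling back to "*".
      "Sid": "SecurityGroupRulesUsWest2",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSecurityGroup",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": [
        "arn:aws:ec2:us-west-2:*:security-group/*",
        "arn:aws:ec2:us-west-2:*:vpc/*"
      ]
    },
    {
      // Create AMIs from existing instances. Originally "Resource": "*",
      // which allowed imaging -- and therefore copying the root/attached
      // disks of -- any instance in the account, in any region. Scoped here
      // to us-west-2 instances plus the image and snapshot the call creates;
      // verify the resource types against the Service Authorization
      // Reference if the call is denied.
      "Sid": "CreateImageUsWest2",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateImage"
      ],
      "Resource": [
        "arn:aws:ec2:us-west-2:*:instance/*",
        "arn:aws:ec2:us-west-2:*:image/*",
        "arn:aws:ec2:us-west-2:*:snapshot/*"
      ]
    }
  ]
}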
J'espère que cela aidera d'autres personnes. Notez que les commentaires `//` doivent être retirés avant de coller la politique dans IAM (le JSON strict ne les accepte pas), et que la liste des actions EC2 sans autorisations au niveau des ressources a évolué depuis : revérifiez-la dans la référence d'autorisation AWS avant de conserver un `"Resource": "*"`.