AWS IAM: allow IAM user to change EC2 instance type only


I’m trying to write a policy that would allow a group of users to change the instance type of any instance, but no other attributes.

I currently have:

but this would allow them to change any of the instances’ attributes. Is there a way to restrict this to allow changing the instanceType attribute only?


You can limit what attribute can be edited with a conditional:

EC2 policy docs:

Leave a Reply