How to allow local AMI management

Users often need to manage local AMIs within an AWS account. However, Turbot's guardrails block AMI management by default, and the block stays in place until the relevant policy is set.

The policy AWS > EC2 > Allow Local AMIs controls the ability to manage AMIs within a given AWS account. While this policy is set to disabled, the following statement is present in the turbot_lockdown policy:

{
  "Action": [
    "ec2:BundleInstance",
    "ec2:CancelBundleTask",
    "ec2:CancelConversionTask",
    "ec2:CancelExportTask",
    "ec2:CancelImportTask",
    "ec2:CopyImage",
    "ec2:CreateFpgaImage",
    "ec2:CreateImage",
    "ec2:CreateInstanceExportTask",
    "ec2:DeregisterImage",
    "ec2:ImportImage",
    "ec2:ImportInstance",
    "ec2:ImportSnapshot",
    "ec2:ImportVolume",
    "ec2:RegisterImage"
  ],
  "Effect": "Deny",
  "Resource": "*",
  "Sid": "EC2DenyAllAmiMgmt"
}

To enable any of these actions, set the policy AWS > EC2 > Allow Local AMIs to enabled. Once the policy is set, the control Terraform Turbot AWS IAM in $region of $account will run and update the turbot_lockdown policy so that the EC2DenyAllAmiMgmt statement is no longer applied. After the control has run, refresh the AWS page; users will then be able to perform actions such as deregistering an AMI, creating an image, and copying an image.

Two points are worth keeping in mind. First, the statement is an explicit Deny, and in IAM an explicit Deny overrides any Allow granted elsewhere, so while the policy is disabled no user or role in the account can perform these actions, however broad its other permissions are. Note that the list covers instance, volume and snapshot import/export tasks as well as image creation and registration. Second, enabling the policy only removes the guardrail: a principal still needs an Allow for the relevant ec2 actions in its own IAM policies before the calls will succeed.
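As an added check (example code written for this article, not part of Turbot's tooling), the following Python script parses an IAM policy document and reports whether any explicit Deny statement still covers the AMI-management actions listed above, honouring the case-insensitive `*`/`?` wildcard matching and `NotAction` form that IAM supports. The two sample documents are constructed for illustration and are not taken from a real account. To check a live account, export the turbot_lockdown policy document (for a customer-managed policy, `aws iam get-policy-version ... --query PolicyVersion.Document`; how the policy is attached in your account is an assumption you should confirm) and pass the saved JSON file as the script's first argument.

```python
import fnmatch
import json
import sys

# The 15 actions that the EC2DenyAllAmiMgmt statement denies, copied from
# the statement shown in the article.
AMI_MANAGEMENT_ACTIONS = [
    "ec2:BundleInstance", "ec2:CancelBundleTask", "ec2:CancelConversionTask",
    "ec2:CancelExportTask", "ec2:CancelImportTask", "ec2:CopyImage",
    "ec2:CreateFpgaImage", "ec2:CreateImage", "ec2:CreateInstanceExportTask",
    "ec2:DeregisterImage", "ec2:ImportImage", "ec2:ImportInstance",
    "ec2:ImportSnapshot", "ec2:ImportVolume", "ec2:RegisterImage",
]

# Constructed sample documents (not fetched from a real account). The first
# mimics turbot_lockdown while Allow Local AMIs is disabled: the statement
# from the article plus an unrelated Deny so the check has something to ignore.
LOCKDOWN_AMI_DISABLED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUserCreation", "Effect": "Deny",
         "Action": "iam:CreateUser", "Resource": "*"},
        {"Sid": "EC2DenyAllAmiMgmt", "Effect": "Deny",
         "Action": AMI_MANAGEMENT_ACTIONS, "Resource": "*"},
    ],
})

# The same document after the policy is enabled and the control has run.
LOCKDOWN_AMI_ENABLED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUserCreation", "Effect": "Deny",
         "Action": "iam:CreateUser", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows Statement, Action and NotAction to be a single value or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def explicit_denies(policy_json, action):
    """Return the Sids (or positional labels) of Deny statements covering `action`.

    Resource and Condition are deliberately ignored: a Deny that carries a
    Condition still counts, so the check errs on the side of reporting a block.
    """
    doc = json.loads(policy_json)
    hits = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            covered = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
        elif "NotAction" in stmt:
            # NotAction denies every action except the listed patterns.
            covered = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            continue
        if covered:
            hits.append(stmt.get("Sid", f"statement[{index}]"))
    return hits


def blocked_ami_actions(policy_json):
    """Subset of AMI_MANAGEMENT_ACTIONS that the document still explicitly denies."""
    return [a for a in AMI_MANAGEMENT_ACTIONS if explicit_denies(policy_json, a)]


if __name__ == "__main__":
    # Usage: python check_ami_lockdown.py [policy_document.json]
    # Without an argument the constructed "disabled" sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            document = handle.read()
    else:
        document = LOCKDOWN_AMI_DISABLED
    blocked = blocked_ami_actions(document)
    if blocked:
        print("AMI management still explicitly denied:", ", ".join(blocked))
    else:
        print("No explicit Deny on AMI management actions in this document")
```

The check is intentionally conservative: it only answers "is there still an explicit Deny in this document?", which is the question the control's change affects. It does not tell you that a given user can create images, since that also depends on the Allow statements in that user's own policies and on any other policies attached to the account.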

Reach out to help@turbot.com if there are any questions.