Amazon AWS IAM Policy for single VPC Subnet
Basically, the IAM documentation is totally unreliable when it comes to doing anything other than set global admin or read-only policies.
This is the policy I eventually got to work (for the subnet bit at least):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:eu-west-1:937821706121:network-interface/*"
      ],
      "Condition": {
        "ArnNotEquals": {
          "ec2:Subnet": "arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:eu-west-1::image/ami-*",
        "arn:aws:ec2:eu-west-1:937821706121:network-interface/*",
        "arn:aws:ec2:eu-west-1:937821706121:instance/*",
        "arn:aws:ec2:eu-west-1:937821706121:subnet/*",
        "arn:aws:ec2:eu-west-1:937821706121:volume/*",
        "arn:aws:ec2:eu-west-1:937821706121:key-pair/*",
        "arn:aws:ec2:eu-west-1:937821706121:security-group/*"
      ]
    }
  ]
}
This took a lot of trial and error.
Basically, when you want to limit a user to specific resources, you need two statements: a Deny on ec2:RunInstances for the network-interface resource, with a Condition that fires whenever ec2:Subnet is not the permitted subnet ARN, and an Allow on ec2:RunInstances for every resource type the call touches (image, network interface, instance, subnet, volume, key pair, security group). The Allow has to list all of them because RunInstances is authorised against each of those ARNs separately, and any resource type left out fails with an implicit deny. The order of the two statements does not matter: IAM evaluates every statement and an explicit Deny always beats an Allow, so the Allow only lets through launches that the Deny has not blocked, i.e. those whose network interface lands in subnet-733de516. Note that the Deny is deliberately scoped to the network-interface ARN, since that is the resource that carries the ec2:Subnet key for this call; putting the same Condition on the other resource types would not behave the same way.
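To see why statement order is irrelevant and why the Deny/Allow pair behaves as described, here is a small evaluator that replays the policy above against a constructed RunInstances request. This is an added example and not part of the original post or an AWS tool; it only implements the pieces of IAM evaluation the policy relies on (per-resource authorisation, explicit deny wins, implicit deny by default, the ArnEquals/ArnNotEquals operators), and the AMI id, key pair and security group names in the request are made up for the demonstration.

```python
"""Toy IAM evaluator for the single-subnet RunInstances policy (added example)."""
import fnmatch

REGION = "eu-west-1"
ACCOUNT_ARN = "arn:aws:ec2:eu-west-1:937821706121"          # account id from the post
ALLOWED_SUBNET = f"{ACCOUNT_ARN}:subnet/subnet-733de516"     # the only permitted subnet
OTHER_SUBNET = f"{ACCOUNT_ARN}:subnet/subnet-0badbad0"       # constructed, not in the post

# Same policy as on the page, built as a dict so the example stays compact.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": f"{ACCOUNT_ARN}:network-interface/*",
         "Condition": {"ArnNotEquals": {"ec2:Subnet": ALLOWED_SUBNET}}},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": [f"arn:aws:ec2:{REGION}::image/ami-*"]
         + [f"{ACCOUNT_ARN}:{t}/*" for t in
            ("network-interface", "instance", "subnet", "volume", "key-pair", "security-group")]},
    ],
}


def as_list(v):
    return v if isinstance(v, list) else [v]


def arn_match(pattern, value):
    # ArnEquals/ArnLike semantics: '*' and '?' wildcards, case-sensitive.
    return fnmatch.fnmatchcase(value, pattern)


def condition_holds(condition, context):
    """Only the ARN operators this policy needs. Simplification (assumption):
    a key absent from the request context is treated as matching nothing."""
    for operator, tests in condition.items():
        for key, wanted in tests.items():
            actual = context.get(key)
            matched = actual is not None and any(arn_match(w, actual) for w in as_list(wanted))
            if operator in ("ArnEquals", "ArnLike") and not matched:
                return False
            if operator in ("ArnNotEquals", "ArnNotLike") and matched:
                return False
            if operator not in ("ArnEquals", "ArnLike", "ArnNotEquals", "ArnNotLike"):
                raise NotImplementedError(operator)
    return True


def evaluate_resource(policy, action, resource, context):
    """Decision for one resource ARN: 'Deny', 'Allow' or 'ImplicitDeny'."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(arn_match(a, action) for a in as_list(stmt["Action"])):
            continue
        if not any(arn_match(r, resource) for r in as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # explicit deny wins, whatever its position
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def run_instances_request(subnet_arn, ami="ami-0123456789abcdef0"):
    """Resource ARNs a RunInstances call is authorised against (constructed),
    each with the request-context keys it carries; ec2:Subnet sits on the ENI."""
    return [
        (f"arn:aws:ec2:{REGION}::image/{ami}", {}),
        (f"{ACCOUNT_ARN}:network-interface/*", {"ec2:Subnet": subnet_arn}),
        (f"{ACCOUNT_ARN}:instance/*", {}),
        (subnet_arn, {}),
        (f"{ACCOUNT_ARN}:volume/*", {}),
        (f"{ACCOUNT_ARN}:key-pair/deploy", {}),
        (f"{ACCOUNT_ARN}:security-group/sg-0abc", {}),
    ]


def authorize(policy, action, resources):
    """Whole-call decision: every resource must be allowed and none denied."""
    decisions = {r: evaluate_resource(policy, action, r, ctx) for r, ctx in resources}
    if "Deny" in decisions.values():
        return "Deny"
    return "Allow" if all(d == "Allow" for d in decisions.values()) else "ImplicitDeny"


def reversed_policy(policy):
    """Same statements, opposite order: decisions must not change."""
    return {**policy, "Statement": list(reversed(policy["Statement"]))}


if __name__ == "__main__":
    for label, subnet in (("permitted subnet", ALLOWED_SUBNET), ("other subnet", OTHER_SUBNET)):
        req = run_instances_request(subnet)
        print(label, authorize(POLICY, "ec2:RunInstances", req),
              authorize(reversed_policy(POLICY), "ec2:RunInstances", req))
```

Running it shows Allow for a launch whose ENI is in subnet-733de516, Deny for any other subnet, and identical results with the statements swapped. Removing one entry from the Allow's Resource list (say `volume/*`) turns the permitted launch into ImplicitDeny, which is the failure mode that makes this policy so fiddly to get right by trial and error.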
Update: Amazon have admitted that their docs were inaccurate:
https://forums.aws.amazon.com/thread.jspa?threadID=160287&tstart=0