Amazon AWS IAM Policy for single VPC Subnet

Basically, the IAM documentation is totally unreliable when it comes to doing anything other than set global admin or read-only policies.

This is the policy I eventually got to work (for the subnet bit at least):

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:eu-west-1:937821706121:network-interface/*"
      ],
     "Condition": {
         "ArnNotEquals": {
            "ec2:Subnet": "arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516"
            }
      }
   },
   {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:eu-west-1::image/ami-*",
         "arn:aws:ec2:eu-west-1:937821706121:network-interface/*",
         "arn:aws:ec2:eu-west-1:937821706121:instance/*",
         "arn:aws:ec2:eu-west-1:937821706121:subnet/*",
         "arn:aws:ec2:eu-west-1:937821706121:volume/*",
         "arn:aws:ec2:eu-west-1:937821706121:key-pair/*",
         "arn:aws:ec2:eu-west-1:937821706121:security-group/*"
         ]
      }
   ]
}

This took a lot of trial and error.

Basically, when you want to limit the user based on specific resources, you need to create a Statement that first denies the ability to run instances unless conditions are met on specific arn resources, and then at the end, permit them to do anything.

Update:

Amazon have admitted that their docs were inaccurate:

https://forums.aws.amazon.com/thread.jspa?threadID=160287&tstart=0