Which IAM permissions are needed for ec2-create-image?

Solution 1:

Unfortunately you can't lock this down on a resource level at the moment. There are a bunch of EC2 actions that don't support resource-level permissions, and ec2:CreateImage is one of them.

Solution 2:

Creating an image also involves creation of snapshots attached to that instance. The IAM policy below should work.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateSnapshot",
        "ec2:CreateImage"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
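
An added example, not from either answer: an offline Python check that reports whether a policy document grants the actions in Solution 2's policy and flags an Allow that names specific ARNs instead of "*", the kind of scoping Solution 1 says ec2:CreateImage does not support. The function name, the sample ARN and the use of ec2:DescribeInstances as a representative Describe call are assumptions; Condition, NotAction and NotResource are not evaluated.

```python
import fnmatch

# Actions from the policy above; ec2:DescribeInstances stands in for the
# ec2:Describe* wildcard (assumption: one representative Describe call).
REQUIRED = ["ec2:CreateImage", "ec2:CreateSnapshot", "ec2:DescribeInstances"]


def _as_list(value):
    """IAM accepts either a single string or a list for these fields."""
    return [value] if isinstance(value, str) else list(value)


def check_create_image_policy(policy, required=REQUIRED):
    """Map each required action to 'allowed', 'scoped', 'denied' or 'missing'."""
    result = {action: "missing" for action in required}
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for stmt in stmts:
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are out of scope here
        # IAM action names are case-insensitive; '*' and '?' are wildcards.
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        resources = _as_list(stmt["Resource"])
        for action in required:
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if stmt["Effect"] == "Deny":
                result[action] = "denied"  # conservative: any matching Deny wins
            elif "*" in resources and result[action] != "denied":
                result[action] = "allowed"
            elif result[action] == "missing":
                result[action] = "scoped"  # Allow exists, but only on named ARNs
    return result


# Constructed sample: the statement from Solution 2 as a full policy document.
SOLUTION_2 = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "ec2:CreateSnapshot", "ec2:CreateImage"],
    "Resource": ["*"]}}

# Constructed sample: CreateImage scoped to a made-up instance ARN.
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:createimage",
    "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}]}

if __name__ == "__main__":
    for name, doc in (("solution 2", SOLUTION_2), ("scoped", SCOPED)):
        print(name, check_create_image_policy(doc))
```

A result of 'scoped' or 'missing' for any action marks the policy for review before it is attached to the role that creates images.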