Identity and Access Management integration for Image Builder
Audience
How you use AWS Identity and Access Management (IAM) differs based on your role:
-
Service user - request permissions from your administrator if you cannot access features (see Troubleshoot IAM issues in Image Builder)
-
Service administrator - determine user access and submit permission requests (see How Image Builder works with IAM policies and roles)
-
IAM administrator - write policies to manage access (see Image Builder identity-based policies)
Authenticating with identities
For detailed information about how to provide authentication for people and processes in your AWS account, see Identities in the IAM User Guide.
IAM permissions for custom workflows
When using custom workflows with specific step actions like RegisterImage, additional IAM permissions may be required beyond the standard Image Builder managed policies. This section describes the additional permissions needed for custom workflow step actions.
RegisterImage step action permissions
The RegisterImage step action requires specific Amazon EC2 permissions to register AMIs and optionally retrieve snapshot tags. When using the includeSnapshotTags parameter, additional permissions are needed to describe snapshots.
Required permissions for RegisterImage step action:
For all resources, allow the following actions:
-
ec2:RegisterImage -
ec2:DescribeSnapshots
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RegisterImage", "ec2:DescribeSnapshots" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*::image/*", "Condition": { "StringEquals": { "ec2:CreateAction": "RegisterImage" } } } ] }
Permission details:
-
ec2:RegisterImage- Required to register new AMIs from snapshots -
ec2:DescribeSnapshots- Required when usingincludeSnapshotTags: trueto retrieve snapshot tags for merging with AMI tags -
ec2:CreateTags- Required to apply tags to the registered AMI, including both Image Builder default tags and merged snapshot tags
Note
The ec2:DescribeSnapshots permission is only used when the includeSnapshotTags parameter is set to true. If you don't use this feature, you can omit this permission.
Tag merging behavior:
When includeSnapshotTags is enabled, the RegisterImage step action will:
-
Retrieve tags from the first snapshot specified in the block device mapping
-
Exclude any AWS reserved tags (those with keys starting with "aws:")
-
Merge snapshot tags with Image Builder's default AMI registration tags
-
Give precedence to Image Builder tags when tag keys conflict
Image Builder resource-based policies
For information about how to create a component, see Use components to customize your Image Builder image.
Restricting Image Builder component access to specific IP addresses
The following example grants permissions to any user to perform any Image Builder operations on components. However, the request must originate from the range of IP addresses specified in the condition.
The condition in this statement identifies the 54.240.143.* range of allowed Internet Protocol version 4 (IPv4) IP addresses, with one exception: 54.240.143.188.
The Condition block uses the IpAddress and NotIpAddress conditions and the aws:SourceIp condition key, which is an AWS-wide condition key. For more information about these condition keys, see Specifying Conditions in a Policy. Theaws:sourceIp IPv4 values use the standard CIDR notation. For more information, see IP Address Condition Operators in the IAM User Guide.