
EC2 Read-Only (Describe Only)

List and describe EC2 resources for dashboards, inventory, or cost tooling — no start/stop/terminate.

Policy

Where a template contains placeholder ARNs (YOUR-BUCKET-NAME, ACCOUNT_ID, REGION, etc.), replace them with your real resource identifiers before use; this particular policy uses Resource: "*" and has no placeholders to fill in.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    }
  ]
}

Why it's scoped this way

  • Resource: "*" is correct here, not a red flag — EC2 Describe* actions do not support resource-level permissions in IAM (AWS's own documentation confirms this), so scoping Resource further has no effect and Action is the only real boundary.
  • The action list is an explicit allowlist of Describe* calls rather than "ec2:Describe*" wildcarded — new Describe actions AWS adds later are not implicitly granted, which matters if this role's output feeds an automated system.
  • No ec2:StartInstances, ec2:StopInstances, ec2:TerminateInstances, or ec2:RunInstances — this role can observe the fleet but cannot change it.
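The three scoping rules above can be checked mechanically before a policy is attached. The following is an added example, not code from this page or from Shieldly: it embeds the template from this page, then lints every Allow statement for wildcard actions, non-Describe actions, and Allow-with-NotAction (an implicit wildcard). The function name lint_read_only and the finding messages are this example's own.

```python
import json

# The template from this page, embedded verbatim so the check runs offline.
READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DescribeOnly",
    "Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeTags",
               "ec2:DescribeVolumes", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
               "ec2:DescribeVpcs"],
    "Resource": "*"
  }]
}""")

def _as_list(value):
    # IAM accepts either a single string or a list for Action / NotAction.
    return value if isinstance(value, list) else [value]

def lint_read_only(policy):
    """Return findings for any Allow statement that strays from the page's scoping rules:
    an explicit ec2:Describe* allowlist, no wildcards, no mutating actions, no NotAction.
    An empty list means the policy is observe-only."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access, never widen it
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            # Allow + NotAction grants every action except the listed ones.
            findings.append(f"{sid}: Allow with NotAction is an implicit wildcard grant")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                # "ec2:Describe*", "ec2:*" and "*" all grant unlisted and future actions.
                findings.append(f"{sid}: wildcard action {action!r} grants unlisted actions")
            elif not action.startswith("ec2:Describe"):
                # Anything outside Describe (Start/Stop/Terminate/Run...) can change the fleet.
                findings.append(f"{sid}: non-Describe action {action!r} can modify resources")
    return findings

if __name__ == "__main__":
    print(lint_read_only(READ_ONLY_POLICY) or "policy matches the read-only scoping rules")
```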

Hardening it further

  • If only specific instances matter, filter client-side by tag after the Describe call — IAM cannot restrict which instances a Describe* response includes.
  • Pair this with a permissions boundary if the role is assumed by a third-party tool, so it can never be widened beyond read-only even by a future policy edit.


Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.