AWS Prerequisites
Please have a look at the following prerequisites for the creation fo AMIs
A Default VPC should be available in the account were you want to create the customized image.
You should also assign IAM permissions to the user you are specifing for the connection with at least the following permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NonResourceBasedReadOnlyPermissions",
"Action": [
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeImages",
"ec2:DescribeVolumes",
"ec2:DescribeInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "NonResourceBasedWritePermissions",
"Action": [
"ec2:CopyImage",
"ec2:CreateImage",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteKeypair",
"ec2:DeleteSnapshot",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:RegisterImage"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "IAMPassroleToInstance",
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::_ACCOUNT_ID_:role/_ROLE_NAME_"
},
{
"Sid": "AllowInstanceActions",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::_ACCOUNT_ID_:instance-profile/_ROLE_NAME_"
}
}
},
{
"Sid": "EC2RunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::_ACCOUNT_ID_:instance-profile/_ROLE_NAME_"
}
}
},
{
"Sid": "EC2LimitSize",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
"Condition": {
"ForAnyValue:StringNotLike": {
"ec2:InstanceType": [
"*.nano",
"*.small",
"*.micro"
]
}
}
},
{
"Sid": "EC2RunInstancesSubnet",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:subnet/*",
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:vpc/_VPC_ID_"
}
}
},
{
"Sid": "RemainingRunInstancePermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:_REGION_:_ACCOUNT_ID_:volume/*",
"arn:aws:ec2:_REGION_::image/*",
"arn:aws:ec2:_REGION_::snapshot/*",
"arn:aws:ec2:_REGION_:_ACCOUNT_ID_:network-interface/*",
"arn:aws:ec2:_REGION_:_ACCOUNT_ID_:key-pair/*",
"arn:aws:ec2:_REGION_:_ACCOUNT_ID_:security-group/*",
"arn:aws:ec2:_REGION_:_ACCOUNT_ID_:subnet/*"
]
},
{
"Sid": "EC2VpcNonresourceSpecificActions",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeSecurityGroups",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:vpc/_VPC_ID_"
}
}
}
]
}
You can read more about necessary permissions here.