Overly broad permissions

Heya Francois, I got some feedback concerning your suggested quickstart integration.

The use of amzn managed policies is frowned upon or will create a governance/compliance alert at quite a few sites. The people who run this stuff are aware of this issue and usually - for a quickstart - they'll be fine to cut and paste an amzn managed policy into a customer managed policy. So this should be fine, fwiw.

The set of create permissions is overly broad. I did two things here:

  • break apart the ec2:Create* action, and explicitly define a reasonable subset, related to instance management
  • create two separate statements that handle the ec2:CreateTags action. IIRC ec2:RunInstances has a tags parameter and you should use it. If you're calling ec2:CreateTags on something that is not an instance the other statement will allow that

Please find a patch attached. I will be testing this next week.

A word of caution: I did not write any CFN in the last 4 years.

Cheers, Mark

tagging.patch

Edited by Mark Meyer
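The two changes the comment describes (replacing `ec2:Create*` with an explicit subset, and splitting `ec2:CreateTags` into a statement limited to tags applied during `ec2:RunInstances` plus a separate statement for other resource types), as an added example that is not the attached tagging.patch and not the project's own policy. Both policy documents below are constructed: `BROAD_POLICY` stands in for the kind of quickstart grant the comment objects to, and `SPLIT_POLICY` is one reading of the proposed fix, using the real `ec2:CreateAction` condition key to tie the instance-tagging grant to the launch call. The small lint functions show what a reviewer would check for: wildcard patterns that expand to create actions, and `CreateTags` grants on any resource with no condition.

```python
"""Lint IAM policy documents for overly broad EC2 create/tag permissions.

Added example: BROAD_POLICY and SPLIT_POLICY are constructed for
illustration, not taken from the attached patch. ec2:CreateAction is the
real condition key that restricts ec2:CreateTags to tags applied as part
of a named create call (here RunInstances).
"""
import fnmatch

BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Create*", "ec2:RunInstances", "ec2:Describe*"],
         "Resource": "*"},
    ],
}

SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Explicit subset instead of ec2:Create* (assumed subset; pick yours).
        {"Sid": "InstanceManagement",
         "Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:CreateSecurityGroup",
                    "ec2:CreateKeyPair", "ec2:CreateVolume"],
         "Resource": "*"},
        # Tagging instances only as part of RunInstances (TagSpecifications).
        {"Sid": "TagOnLaunch",
         "Effect": "Allow",
         "Action": "ec2:CreateTags",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}},
        # Tagging non-instance resources, scoped by resource type instead.
        {"Sid": "TagOtherResources",
         "Effect": "Allow",
         "Action": "ec2:CreateTags",
         "Resource": ["arn:aws:ec2:*:*:volume/*",
                      "arn:aws:ec2:*:*:security-group/*"]},
    ],
}


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _label(index, stmt):
    return stmt.get("Sid") or f"Statement[{index}]"


def _matches(pattern, action):
    # IAM action matching is a case-insensitive glob ('*' and '?' only).
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allows_action(policy, action):
    """True if any Allow statement's Action pattern covers `action`.

    Deliberately ignores Deny, Resource and Condition: this answers only
    "is this action on the grantable surface at all?".
    """
    return any(
        stmt.get("Effect") == "Allow"
        and any(_matches(p, action) for p in _as_list(stmt.get("Action")))
        for stmt in policy["Statement"]
    )


def find_wildcard_create_actions(policy, service="ec2"):
    """Wildcard Action patterns in Allow statements that expand to a create action."""
    probe = f"{service}:CreateTags"  # any Create* pattern will match this
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            if "*" in pattern and _matches(pattern, probe):
                hits.append(pattern)
    return hits


def unscoped_create_tags(policy):
    """Allow statements granting ec2:CreateTags on Resource '*' with no Condition."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        grants = any(_matches(p, "ec2:CreateTags")
                     for p in _as_list(stmt.get("Action")))
        any_resource = "*" in _as_list(stmt.get("Resource"))
        if grants and any_resource and not stmt.get("Condition"):
            hits.append(_label(i, stmt))
    return hits


def lint(policy):
    return {
        "wildcard_create_actions": find_wildcard_create_actions(policy),
        "unscoped_create_tags": unscoped_create_tags(policy),
    }


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("split", SPLIT_POLICY)):
        print(name, lint(pol))
```

Run as a script it prints the findings for both constructed policies; the broad one is flagged on both checks and the split one is clean. The checks are intentionally shallow (they do not evaluate Deny statements or resource ARNs), which is enough to catch the pattern the comment complains about but is no substitute for the IAM policy simulator on the real policy.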