Minimum IAM policy required by AWS for Packer to do its thing. https://github.com/mitchellh/packer Permissions are broken out by API functionality and a resource array has been defined with a wild card for each group. For tighter security resource level permissions can be applied per this documentation: http://aws.typepad.com/aws/2013/07/resourc…

PackerPolicy.json

{
    "Statement": [
        {
            "Sid": "PackerSecurityGroupAccess",
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "PackerAMIAccess",
            "Action": [
                "ec2:CreateImage",
                "ec2:RegisterImage",
                "ec2:DeregisterImage",
                "ec2:DescribeImages"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "PackerSnapshotAccess",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:DeleteSnaphot",
                "ec2:DescribeSnapshots"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "PackerInstanceAccess",
            "Action": [
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "ec2:TerminateInstances",
                "ec2:DescribeInstances",
                "ec2:CreateTags"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "PackerKeyPairAccess",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair",
                "ec2:DescribeKeyPairs"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "PackerS3Access",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:PutObject*",
                "s3:DeleteObject*"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "PackerS3BucketAccess",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:CreateBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ]
}

The new resource-level permissions for EC2 might allow even stricter policies http://aws.typepad.com/aws/2013/07/resource-permissions-for-ec2-and-rds-resources.html

Thanks for sharing your policies!

Definitely! Also added a link and note about AWS Resource level permissions in the description, it's unfortunate there isn't an inline comment syntax for these policies, I wanted to put a note in each Resource block.

A slightly modified version of my own (Volumes added, S3 removed): https://github.com/evgeny-goldin/playbooks/blob/master/packer/packer-iam.json

Missing ec2:ModifyInstanceAttribute, which causes Packer to fail when enabling Enhanced Networking.

Missing ec2:DescribeSubnets, needed for looking up Availability Zone when using a VPC subnet.
If you are creating a Windows image, you will also need ec2:GetPasswordData.

See also https://www.packer.io/docs/builders/amazon.html#using-an-iam-instance-profile

Since packer supports spot instance now, you can add existing AWS role AmazonEC2SpotFleetRole and permission ec2:CancelSpotInstanceRequests to allow packer to use spot instance to build the AMI image.

There's a typo on line 34 - Snaphot instead of Snapshot