IAM policies allow you to specify which actions your IAM users are allowed to perform against your EC2 instances. However, when it comes to access control, security groups are what you need in order to define and control how your instances are accessed and whether certain kinds of communication are allowed.

Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/UsingIAM.html