Prerequisites

AWS Prerequisites

Please have a look at the following prerequisites for the creation fo AMIs

A Default VPC should be available in the account were you want to create the customized image.

You should also assign IAM permissions to the user you are specifing for the connection with at least the following permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NonResourceBasedReadOnlyPermissions",
            "Action": [
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeImages",
                "ec2:DescribeVolumes",
                "ec2:DescribeInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "NonResourceBasedWritePermissions",
            "Action": [
                "ec2:CopyImage",
                "ec2:CreateImage",
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteKeypair",
                "ec2:DeleteSnapshot",
                "ec2:ModifyImageAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:RegisterImage"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "IAMPassroleToInstance",
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::_ACCOUNT_ID_:role/_ROLE_NAME_"
        },
        {
            "Sid": "AllowInstanceActions",
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:StopInstances",
                "ec2:TerminateInstances"

            ],
            "Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::_ACCOUNT_ID_:instance-profile/_ROLE_NAME_"
                }
            }
        },
        {
            "Sid": "EC2RunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::_ACCOUNT_ID_:instance-profile/_ROLE_NAME_"
                }
            }
        },
        {
            "Sid": "EC2LimitSize",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
            "Condition": {
                "ForAnyValue:StringNotLike": {
                    "ec2:InstanceType": [
                        "*.nano",
                        "*.small",
                        "*.micro"
                    ]
                }
            }
        },
        {
            "Sid": "EC2RunInstancesSubnet",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:subnet/*",
            "Condition": {
                "StringEquals": {
                    "ec2:Vpc": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:vpc/_VPC_ID_"
                }
            }
        },
        {
            "Sid": "RemainingRunInstancePermissions",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:volume/*",
                "arn:aws:ec2:_REGION_::image/*",
                "arn:aws:ec2:_REGION_::snapshot/*",
                "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:network-interface/*",
                "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:key-pair/*",
                "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:security-group/*",
                "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:subnet/*"
            ]
        },
        {
            "Sid": "EC2VpcNonresourceSpecificActions",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeSecurityGroups",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:Vpc": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:vpc/_VPC_ID_"
                }
            }
        }
    ]
}

You can read more about necessary permissions here.