AWS Identity and Access Management (IAM) introduces a new control for requests that AWS services make on your behalf

Today AWS Identity and Access Management (IAM) enabled you to control access for requests made on your behalf by AWS services. For example, using the new control, you can now grant your IAM principals the ability to launch Amazon Elastic Compute Cloud (EC2) instances, but only through AWS CloudFormation, without granting direct access to EC2.