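You can use the policy below; just replace ACCOUNTID with your AWS account ID.
It grants only read-only (Describe/list) permissions for viewing EC2 instances, plus the ec2:ImportKeyPair permission for importing the key pair used to connect to EC2. Note that importing a key pair only registers a public key in the account; it does not by itself give login access to instances that are already running. The Describe actions use "Resource": "*" because they do not support resource-level restrictions, and ec2:ImportKeyPair applies to key-pair resources, so the instance/* ARN in the first statement is probably unnecessary (check the AWS Service Authorization Reference before tightening it).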
_____________________________________-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:ImportKeyPair",
"Resource": [
"arn:aws:ec2:*:ACCOUNTID:instance/*",
"arn:aws:ec2:*:ACCOUNTID:key-pair/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeInstances",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeReservedInstancesOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DescribeClassicLinkInstances",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeReservedInstancesModifications",
"ec2:DescribeReservedInstances",
"ec2:DescribeReservedInstancesListings",
"ec2:DescribeInstanceStatus"
],
"Resource": "*"
}
]
}