Restrict Amazon EC2 user permissions

How can I wire this WPT 2.16 instance up so that I can create a new EC2 user with permission restricted to instances that are only relevant to WPT?

I’m an EC2 noob and I am trying to take advantage of the new autoscaling. Everything looks pretty straightforward and I have the primary instance up and running. But for the autoscaling feature to work, it requires a user with permissions that can create/destroy instances on the fly. I’m slightly paranoid about giving an application global access, as a bug in “terminate” logic could potentially wipe out a bunch of other critical EC2 instances. I didn’t see anything in the setup docs about how to do this.

Thank you