Profiles & Instance Tags
Administrative access can be restricted through the use of tags defined in a user's profile. Profile tags must correspond to the instance tags that have been set through the AWS console.
You can specify a tag for an EC2 instance through the AWS console.
Those tags can then be used when creating a profile in Bastillion for EC2.
Tags work on a name or name/value pair.
Profiles can then be assigned to users of which will only have access to the instances that have the appropriate tag(s).