Restrict launching certain EC2 Instances

Administrators need a broad range of permissions to perform routine tasks, so the IAM policies assigned to them are usually more relaxed than those of other IAM users. For example, one of the policies assigned to administrators may allow them to perform all actions on EC2 instances. In such a scenario, an administrator's programmatic keys can be misused (intentionally or unintentionally) to create EC2 instances that are very expensive to run, and such a mistake can end up costing the organization hundreds or thousands of dollars. If your AWS account only needs small or medium EC2 instances, it is a good idea to restrict administrators from creating any other instance type. The following IAM policy restricts administrators to launching only certain instance types.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyLargeInstanceCreation",
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceType": ["t2.small"]
                }
            }
        }
    ]
}
The policy allows only t2.small instances to be created. Another policy that allows actions such as ec2:* or ec2:RunInstances will have to be attached to the user or group. It is important to understand the difference between an Explicit Deny and a Default Deny: AWS evaluates all policies that apply to an action, and an explicit Deny takes precedence over any Allow. This policy will therefore make sure that no other instance type can be launched even if another policy assigned to the group grants wildcard ec2:* access. For example, an administrator won't be able to create a large EC2 instance even if the following policy is attached:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Explicit Deny vs Default Deny
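As an added example (not part of the original post), here is a small Python model of the evaluation order described above: an explicit Deny wins, then any matching Allow, otherwise the request falls to the default (implicit) deny. It embeds the two policies from the post, models only Action matching plus the StringEquals/StringNotEquals operators, and ignores Resource because both policies use "*"; it is a simplified stand-in for IAM, so confirm real policies with the IAM policy simulator (iam:SimulateCustomPolicy).

```python
import fnmatch

# The two policies shown in the post, as Python dicts with the same content.
DENY_LARGE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyLargeInstanceCreation", "Effect": "Deny",
    "Action": ["ec2:RunInstances"], "Resource": ["*"],
    "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.small"]}}}]}
ADMIN_ALLOW_ALL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    # IAM lets Action / condition values be a single string or a list.
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    # Only the two string operators used on this page are modelled.
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(values):
                    return False
            elif operator == "StringNotEquals":
                # Fails only when the key is present with one of the listed values.
                if actual in _as_list(values):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate(policies, action, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action and request context."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive and may carry wildcards ("*", "ec2:*").
            patterns = [p.lower() for p in _as_list(stmt["Action"])]
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if not _condition_matches(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny beats every Allow, whichever policy it is in
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    for itype in ("t2.small", "m5.24xlarge"):
        print(itype, evaluate([DENY_LARGE, ADMIN_ALLOW_ALL],
                              "ec2:RunInstances", {"ec2:InstanceType": itype}))
```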
