Limit the type of EC2 instance in IAM policy

Question

Limit the type of EC2 instance in IAM policy

540 Views Asked by AudioBubble At 01 December 2020 at 12:28

I want to create and IAM policy in which the IAM user will not be able to launch any instance other than t2.micro Ubuntu in us-east-1 region. I have added the ami in IAM policybut instead of allowing just the Ubuntu ami, AWS is allowing the IAM user to launch all instances. What might be the problem

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "TheseActionsDontSupportResourceLevelPermissions",
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*"
        ],
        "Resource": "*"
    },
    {
        "Sid": "TheseActionsSupportResourceLevelPermissions",
        "Effect": "Allow",
        "Action": [
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "ec2:StopInstances",
            "ec2:StartInstances"
        ],
        "Resource": "arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c"
    }
]

}

Original Q&A

There are 2 best solutions below

**Tomek Klas** · Answer 1 · 2020-12-01T13:02:10.590000

this should point you in the right direction

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"TheseActionsDontSupportResourceLevelPermissions",
         "Effect":"Allow",
         "Action":[
            "ec2:Describe*"
         ],
         "Resource":"*"
      },
      {
         "Sid":"TheseActionsSupportResourceLevelPermissions",
         "Effect":"Allow",
         "Action":[
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "ec2:StopInstances",
            "ec2:StartInstances"
         ],
         "Resource":"arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c",
         "Condition":{
            "ForAnyValue:StringLike":{
               "ec2:ImageType":"t2.micro"
            }
         }
      }
   ]
}

**stefansundin** · Answer 2 · 2020-12-02T04:48:19.833000

I would recommend using Deny rules to disallow launching instances if the wrong instance type or the wrong ami is used. Note that I removed the Sid parameter as it is optional.

An explicit Deny rule will override any Allow rules. That makes it easier to disallow unwanted actions, instead of trying to carve out the allowed action. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow

Try the following:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "ec2:Describe*"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "ec2:StopInstances",
            "ec2:StartInstances"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Deny",
         "Action": [
           "ec2:RunInstances"
         ],
         "Resource": "*",
         "Condition": {
            "StringNotLike": {
               "ec2:ImageType": "t2.micro"
            }
         }
      },
      {
         "Effect": "Deny",
         "Action": [
           "ec2:RunInstances"
         ],
         "NotResource": "arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c"
      }
   ]
}

Limit the type of EC2 instance in IAM policy

There are 2 best solutions below

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-EC2

Related Questions in AMAZON-IAM

Related Questions in AWS-POLICIES

Trending Questions

Popular # Hahtags

Popular Questions