DEVHIDE
Login Or Sign up

Limit the type of EC2 instance in IAM policy

505 Views Asked by At

I want to create and IAM policy in which the IAM user will not be able to launch any instance other than t2.micro Ubuntu in us-east-1 region. I have added the ami in IAM policybut instead of allowing just the Ubuntu ami, AWS is allowing the IAM user to launch all instances. What might be the problem

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "TheseActionsDontSupportResourceLevelPermissions",
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*"
        ],
        "Resource": "*"
    },
    {
        "Sid": "TheseActionsSupportResourceLevelPermissions",
        "Effect": "Allow",
        "Action": [
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "ec2:StopInstances",
            "ec2:StartInstances"
        ],
        "Resource": "arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c"
    }
]

}

amazon-web-services amazon-ec2 amazon-iam aws-policies
Original Q&A
2

There are 2 best solutions below

1
On

I would recommend using Deny rules to disallow launching instances if the wrong instance type or the wrong ami is used. Note that I removed the Sid parameter as it is optional.

An explicit Deny rule will override any Allow rules. That makes it easier to disallow unwanted actions, instead of trying to carve out the allowed action. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow

Try the following:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "ec2:Describe*"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "ec2:StopInstances",
            "ec2:StartInstances"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Deny",
         "Action": [
           "ec2:RunInstances"
         ],
         "Resource": "*",
         "Condition": {
            "StringNotLike": {
               "ec2:ImageType": "t2.micro"
            }
         }
      },
      {
         "Effect": "Deny",
         "Action": [
           "ec2:RunInstances"
         ],
         "NotResource": "arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c"
      }
   ]
}
2
On

this should point you in the right direction

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"TheseActionsDontSupportResourceLevelPermissions",
         "Effect":"Allow",
         "Action":[
            "ec2:Describe*"
         ],
         "Resource":"*"
      },
      {
         "Sid":"TheseActionsSupportResourceLevelPermissions",
         "Effect":"Allow",
         "Action":[
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "ec2:StopInstances",
            "ec2:StartInstances"
         ],
         "Resource":"arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c",
         "Condition":{
            "ForAnyValue:StringLike":{
               "ec2:ImageType":"t2.micro"
            }
         }
      }
   ]
}

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-EC2

Related Questions in AMAZON-IAM

Related Questions in AWS-POLICIES

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.