Possible to Deny ec2:RunInstances Condition ForAnyValue:StringLike u*.*

0

Hello,
I'm trying to create an IAM policy based off of the guide below:
https://aws.amazon.com/premiumsupport/knowledge-center/restrict-launch-tagged-ami/

But rather than restricting by tag, I want to deny the more costly instance types. I've seen some docs that say the ".metal" should work, but I'm having trouble with it. Also, is it possible to deny entire instance types via something like "u.*" as a condition? I'd like to keep the list short rather than having to maintain a large list if possible.

Example deny statement below:

```json
"Statement" : [
  {
    "Sid" : "LaunchEC2withLimitedTypes",
    "Effect" : "Deny",
    "Action" : [
      "ec2:RunInstances",
      "ec2:ModifyInstanceAttribute"
    ],
    "Resource" : "arn:aws:ec2:us-east-1::image/ami-*",
    "Condition" : {
      "ForAnyValue:StringLike" : {
        "ec2:InstanceType" : [
          "*.metal",
          "u*.*",
          "p*.*",
          "i*.*",
          "x*.*"
        ]
      }
    }
  }
]
```
asked 3 years ago, 285 views
1 Answer
1

Changing resource from `arn:aws:ec2:us-east-1::image/ami-*` to `arn:aws:ec2:::instance/*` resolved the issue.

answered 3 years ago
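A simplified model of why the resource change in the answer matters, as an added example (not code from the question, the answer, or AWS). It assumes that `ec2:InstanceType` is present only on the instance resource of a RunInstances request, that the answer's ARN was the wildcard form `arn:aws:ec2:*:*:instance/*`, and that the account ID, AMI ID and context values are constructed.

```python
import re

def iam_like(pattern, value):
    """IAM StringLike: '*' is any run of characters, '?' is one character, case-sensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags=re.DOTALL) is not None

def deny_applies(statement, resource_arn, context):
    """True if the Deny statement matches one resource of the request (Action match omitted)."""
    if not iam_like(statement["Resource"], resource_arn):
        return False
    patterns = statement["Condition"]["ForAnyValue:StringLike"]["ec2:InstanceType"]
    value = context.get("ec2:InstanceType")
    if value is None:
        return False  # ForAnyValue evaluates to false when the key is absent
    return any(iam_like(p, value) for p in patterns)

def request_denied(statement, request):
    """A request is denied if the statement matches any of its resources."""
    return any(deny_applies(statement, arn, ctx) for arn, ctx in request)

PATTERNS = ["*.metal", "u*.*", "p*.*", "i*.*", "x*.*"]  # patterns from the question

def make_statement(resource):
    return {"Effect": "Deny", "Resource": resource,
            "Condition": {"ForAnyValue:StringLike": {"ec2:InstanceType": PATTERNS}}}

QUESTION_STMT = make_statement("arn:aws:ec2:us-east-1::image/ami-*")
ANSWER_STMT = make_statement("arn:aws:ec2:*:*:instance/*")  # assumed wildcard form

def run_instances(instance_type):
    """Constructed RunInstances request: (resource ARN, condition context) pairs."""
    return [
        ("arn:aws:ec2:us-east-1:111122223333:instance/*",
         {"ec2:InstanceType": instance_type}),
        ("arn:aws:ec2:us-east-1::image/ami-0123456789abcdef0",
         {"ec2:ImageType": "machine"}),  # no ec2:InstanceType on the image
    ]

if __name__ == "__main__":
    for itype in ["p3.2xlarge", "u-6tb1.metal", "c5.metal", "inf1.xlarge", "t3.micro"]:
        print(f"{itype:14} question={request_denied(QUESTION_STMT, run_instances(itype))} "
              f"answer={request_denied(ANSWER_STMT, run_instances(itype))}")
```

The `inf1.xlarge` row shows that a short pattern such as `i*.*` denies every family whose name starts with `i`, not only the `i3`/`i4i` storage families.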
