Hello,
I'm trying to create an IAM policy based on the guide below:
https://aws.amazon.com/premiumsupport/knowledge-center/restrict-launch-tagged-ami/
But rather than restricting by tag, I want to deny the more costly instance types. I've seen some docs that say the ".metal" should work, but I'm having trouble with it. Also, is it possible to deny entire instance types via something like "u.*" as a condition? I'd like to keep the list short rather than having to maintain a large list if possible.
Example deny statement below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchEC2withLimitedTypes",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": "arn:aws:ec2:us-east-1:*:instance/*",
      "Condition": {
        "StringLike": {
          "ec2:InstanceType": [
            "*.metal",
            "u*.*",
            "p*.*",
            "i*.*",
            "x*.*"
          ]
        }
      }
    }
  ]
}
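Added example, not part of the original post: a small offline Python check of what the StringLike patterns in a statement like the one above actually match, so the list can be tested before it is attached to anyone. It implements the IAM StringLike rules (case-sensitive, `*` matches any run of characters, `?` matches one character) and runs them over a constructed list of real EC2 instance type names. The region, the `*` account field and the sample type list are assumptions for illustration; this is not AWS code and does not call the IAM policy simulator.

```python
import re

# Added example (not from the original post). Statement mirrors the question,
# using the plain StringLike operator (ec2:InstanceType is single-valued) and
# the instance resource, which is what the ec2:InstanceType key is evaluated
# against. Region and account wildcard are placeholders (assumption).
DENY_STATEMENT = {
    "Sid": "LaunchEC2withLimitedTypes",
    "Effect": "Deny",
    "Action": ["ec2:RunInstances", "ec2:ModifyInstanceAttribute"],
    "Resource": "arn:aws:ec2:us-east-1:*:instance/*",
    "Condition": {
        "StringLike": {
            "ec2:InstanceType": ["*.metal", "u*.*", "p*.*", "i*.*", "x*.*"]
        }
    },
}

# Constructed sample of real EC2 instance type names (not an exhaustive list).
SAMPLE_TYPES = [
    "t3.micro", "m5.large", "g5.xlarge",          # expected to stay allowed
    "c5.metal", "m5.metal", "u-6tb1.metal",       # caught by *.metal (and u*.*)
    "p3.2xlarge", "x1e.32xlarge", "x2gd.xlarge",  # caught by p*.* / x*.*
    "i3.large", "inf1.xlarge", "is4gen.medium",   # all swept in by i*.*
]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive; '*' any run, '?' one char."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def matching_patterns(instance_type: str, statement=DENY_STATEMENT) -> list:
    """Return every pattern in the condition that matches this instance type."""
    patterns = statement["Condition"]["StringLike"]["ec2:InstanceType"]
    return [p for p in patterns if string_like(p, instance_type)]


def is_denied(instance_type: str, statement=DENY_STATEMENT) -> bool:
    """A Deny with StringLike applies when at least one listed value matches."""
    return bool(matching_patterns(instance_type, statement))


def evaluate(types=SAMPLE_TYPES, statement=DENY_STATEMENT) -> dict:
    """Map each instance type to the patterns that would deny it ([] = allowed)."""
    return {t: matching_patterns(t, statement) for t in types}


if __name__ == "__main__":
    for itype, hits in evaluate().items():
        verdict = "DENY " + ", ".join(hits) if hits else "allow"
        print(f"{itype:16} {verdict}")
```

Running it shows the point worth checking before relying on short prefix wildcards: `i*.*` denies not just the storage-optimized `i3`/`is4gen` families but also `inf1` (Inferentia), and `u-6tb1.metal` is matched twice (`*.metal` and `u*.*`), which is harmless for a Deny. Matching is case-sensitive, so an instance type written in upper case would not match, although EC2 only accepts the lower-case names.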