By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Deny specific version of Ubuntu AMI instances being deployed

0

How can prevent users from deploying a specific flavor of Ubuntu say for example: 18.0.4 LTS?

I still want them to be able to deploy versions 21 and higher and other versions of Linux such as CentOS just not this specific version.

Topics
Compute
Tags
Linux ProvisioningAmazon EC2Linux
Language
English
Hex
asked 10 months ago160 views
2 Answers
1

You could put conditions on user IAM roles to prevent specific AMIs, but there isn't a mechanism to prevent a certain OS in general.

profile picture
jhmartin1
answered 10 months ago
0

Thanks, I actually got it working by creating two separate policies and when scoping with two default policies that allow other EC2 instances gave me the intended results of denying any AMI containing CentOS but still allowing any other AMI image from being deployed.

The first policy below I created denies all CentOS by searching for an attribute that contains any wording that contains centos.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:*",
                "elasticloadbalancing:*",
                "autoscaling:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "autoscaling.amazonaws.com",
                        "ec2scheduled.amazonaws.com",
                        "elasticloadbalancing.amazonaws.com",
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com",
                        "transitgateway.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "ec2:ImageID": "ami-002070d43b0a4f171"
                },
                "ForAnyValue:StringLike": {
                    "ec2:Attribute/Condition": [
                        "Linux/Unix",
                        "CentOS*"
                    ]
                }
            }
        }
    ]
}

Then the second policy I created denies marketplace instances from being launched except ones that I own or from Amazon:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyMarketPlaceAMIAccess",
            "Effect": "Deny",
            "Action": [
                "ec2:RunScheduledInstances",
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:*::image/ami-*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:Owner": [
                        "amazon",
                        "self"
                    ]
                }
            }
        }
    ]
}

Once these two are created I scoped these two policies as well as the two native policies to allow other EC2 instances from being launched.

  1. AmazonEC2FullAccess
  2. AWSCloudShellFullAccess
  3. Custom policy 1
  4. Custom policy 2

Example:

Example

Hex
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content