2 Answers
- Newest
- Most votes
- Most comments
1
Does Customer is using AWS organization to manage their AWS accounts, if so, please advice them to use SCP across org. If its a single account then follow the below IAM policy with Condition flag
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-west-2:account-id:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType": [
"t2.micro",
"t3.micro"
]
},
"ForAllValues:StringEquals": {
"aws:RequestedRegion": [
"us-west-2"
]
}
}
},
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
}
answered 2 months ago
0
An SCP would be ideal - here's an example for instance type. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ec2.html#example-ec2-1
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireMicroInstanceType",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": "t2.micro"
}
}
}
]
}
Relevant content
- Accepted Answerasked a year ago
- asked 2 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 4 years ago
