Restrict EC2 Instance Type

0

Hi, I want to restrict users to launching only a specific type of instance in a specific region using an IAM policy. Please help me in writing the IAM policy.

Asked 2 months ago, 163 views
2 Answers
1

Is the customer using AWS Organizations to manage their AWS accounts? If so, please advise them to use an SCP across the org. If it is a single account, then follow the IAM policy below with a Condition flag.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-west-2:account-id:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": [
                        "t2.micro",
                        "t3.micro"
                    ],
                    "aws:RequestedRegion": "us-west-2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-west-2::image/*",
                "arn:aws:ec2:us-west-2:account-id:subnet/*",
                "arn:aws:ec2:us-west-2:account-id:network-interface/*",
                "arn:aws:ec2:us-west-2:account-id:security-group/*",
                "arn:aws:ec2:us-west-2:account-id:volume/*",
                "arn:aws:ec2:us-west-2:account-id:key-pair/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}
Hitesh
Answered 2 months ago
0

An SCP would be ideal - here's an example for instance type. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ec2.html#example-ec2-1

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMicroInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}
AWS
Expert
David
Answered 2 months ago
Expert
Reviewed 2 months ago
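As an added illustration, not code from either answer: a small Python evaluator for the condition operators the two policies above rely on (StringEquals, StringNotEquals, and explicit-deny precedence), run over constructed sample requests. The policies inside are constructed mirrors of the two answers with the account id replaced by a wildcard or a made-up value; it shows, among other things, that stacking this SCP on the first answer's IAM policy leaves only t2.micro launchable, because the SCP denies t3.micro everywhere.

```python
import fnmatch

# Constructed policies mirroring the two answers above ("account-id" replaced by a wildcard).
IAM_ALLOW_MICRO_US_WEST_2 = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:us-west-2:*:instance/*",
     "Condition": {"StringEquals": {"ec2:InstanceType": ["t2.micro", "t3.micro"],
                                    "aws:RequestedRegion": "us-west-2"}}},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}]}
SCP_DENY_NON_T2_MICRO = {"Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": "t2.micro"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def condition_matches(cond, ctx):
    """StringEquals fails when the key is absent from the request context;
    StringNotEquals, being a negated operator, matches when the key is absent."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals" and actual not in _as_list(wanted):
                return False
            if op == "StringNotEquals" and actual in _as_list(wanted):
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """Explicit Deny wins over Allow; no matching Allow means implicit deny.
    Only deny precedence is modelled, which suffices because the SCP has no Allow."""
    decision = "ImplicitDeny"
    for stmt in (s for p in policies for s in p["Statement"]):
        if not fnmatch.fnmatchcase(action, stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision

def run_instances(policies, region, instance_type):
    """Request context for the instance resource of one ec2:RunInstances call."""
    resource = f"arn:aws:ec2:{region}:123456789012:instance/*"  # constructed account id
    ctx = {"aws:RequestedRegion": region, "ec2:InstanceType": instance_type}
    return evaluate(policies, "ec2:RunInstances", resource, ctx)
```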
