How to restrict IAM policy to not allow stop/terminate an EC2 instance but can create new instances?

Question

I want to create IAM policy which will restrict group or users to stop/terminate two used EC2 instances but they can create their own EC2 instances. I used following policy statement for this:

{
        "Sid": "Stmt1449662318000",
        "Effect": "Allow",
        "Action": [
            "ec2:*"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Sid": "Stmt1449662339000",
        "Effect": "Deny",
        "Action": [
            "ec2:*"
        ],
        "Resource": [
            "arn:aws:ec2::myAcctId:instance/i-4a36178ef",
            "arn:aws:ec2::myAcctId:instance/i-9e3fb747"
        ]
    }

But this is not working correctly. It allows other user/group to stop my already used 2 instances. How to achieve this?

score 0 · Answer 1 · answered Dec 10 '15 at 07:35

I was able to achieve this by adding following statement to policy:

{
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition" : {
                    "StringNotEquals" : {
                        "ec2:ResourceTag/Name" : [
                                        "UAT-Environment",
                                        "INT-Environment"
                                      ]
                            }
                    }
    }

How to restrict IAM policy to not allow stop/terminate an EC2 instance but can create new instances?

1 Answers1