
I have a use case where I need to restrict a federated user to launching only one EC2 instance. Is there any workaround to set this up in a policy?

prasoon

2 Answers


Create a Lambda that runs on a schedule to clean up your account and delete anything that isn't tagged correctly.

http://www.1strategy.com/blog/2016/02/23/use-aws-lambda-terminate-untagged-ec2-instances/

If your users have more than one tagged EC2 instance, keep the oldest. Then let your users know that any resources not tagged correctly or created past their limit will be auto-deleted. Most people will learn after one EC2 instance gets deleted about 5 or 10 minutes after they created it.

Creating a Lambda that runs on a schedule: https://medium.com/blogfoster-engineering/running-cron-jobs-on-aws-lambda-with-scheduled-events-e8fe38686e20

You can grab the AWS resources with specific tags like this in your Lambda function, as shown here: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/ResourceGroupsTaggingAPI.html#getResources-property

// AWS SDK for JavaScript (v2), as in the linked docs; the Lambda runtime
// ships it, so no bundling is needed.
var AWS = require('aws-sdk');
var resourcegroupstaggingapi = new AWS.ResourceGroupsTaggingAPI();

var params = {
  ResourceTypeFilters: [
    'ec2:instance'          // only look at EC2 instances
  ],
  ResourcesPerPage: 50,     // 1-100; follow data.PaginationToken for the next page
  TagFilters: [
    {
      Key: 'Owner',         // the tag your users are required to set
      Values: [
        'alice'             // leave Values out to match any value of the key
      ]
    }
  ]
};
resourcegroupstaggingapi.getResources(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // data.ResourceTagMappingList: [{ ResourceARN, Tags }]
});

The callback here provides the resource ARN and the tags associated with it. From here you can either let these resources live or delete them.
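The decision logic this answer describes (group live instances by owner tag, keep the oldest, flag the rest and anything untagged), written out as an added example; it is not code from the answer or from the linked blog post. It is plain Node.js over a constructed sample shaped like the Instances[] entries of EC2 DescribeInstances, so it runs offline. The tag key 'Owner', the instance IDs and the 5-minute grace period for untagged instances are assumptions. The plan it returns can feed either ec2.terminateInstances (the auto-delete approach) or a per-owner notice (the notify-only approach the other answer argues for).

```javascript
'use strict';

// Constructed sample, shaped like the Instances[] entries that EC2
// DescribeInstances returns (reservations already flattened). Instance IDs,
// owners and the tag key are made up for this example.
const SAMPLE_INSTANCES = [
  { InstanceId: 'i-0aaa', State: { Name: 'running' },
    LaunchTime: '2016-02-23T10:00:00Z', Tags: [{ Key: 'Owner', Value: 'alice' }] },
  { InstanceId: 'i-0bbb', State: { Name: 'running' },
    LaunchTime: '2016-02-23T10:05:00Z', Tags: [{ Key: 'Owner', Value: 'alice' }] },
  { InstanceId: 'i-0ccc', State: { Name: 'running' },
    LaunchTime: '2016-02-23T09:00:00Z', Tags: [] },                 // untagged, hours old
  { InstanceId: 'i-0ddd', State: { Name: 'pending' },
    LaunchTime: '2016-02-23T10:58:00Z', Tags: [] },                 // untagged, just launched
  { InstanceId: 'i-0eee', State: { Name: 'running' },
    LaunchTime: '2016-02-23T08:00:00Z', Tags: [{ Key: 'Owner', Value: 'bob' }] },
  { InstanceId: 'i-0fff', State: { Name: 'terminated' },
    LaunchTime: '2016-02-22T08:00:00Z', Tags: [{ Key: 'Owner', Value: 'alice' }] }, // already gone
];

function tagValue(instance, key) {
  const tag = (instance.Tags || []).find(t => t.Key === key);
  return tag ? tag.Value : null;
}

// Decide what to do with each live instance.
// opts: ownerTag      tag that names the owner (assumed 'Owner')
//       limit         instances allowed per owner
//       graceMinutes  how long an untagged instance may exist before it is
//                     flagged, so auto-tagging or the user has time to catch up
//       now           Date used for the age check (injectable for tests)
// Returns { keep: [instanceIds], violations: [{ InstanceId, owner, reason }] }.
function planEnforcement(instances, opts = {}) {
  const { ownerTag = 'Owner', limit = 1, graceMinutes = 5, now = new Date() } = opts;
  const graceMs = graceMinutes * 60 * 1000;
  const live = instances.filter(i => !['shutting-down', 'terminated'].includes(i.State.Name));

  const violations = [];
  const byOwner = new Map();
  for (const inst of live) {
    const owner = tagValue(inst, ownerTag);
    if (!owner) {
      const ageMs = now - new Date(inst.LaunchTime);
      if (ageMs >= graceMs) {
        violations.push({ InstanceId: inst.InstanceId, owner: null, reason: `missing ${ownerTag} tag` });
      }
      continue; // still inside the grace period: leave it alone this run
    }
    if (!byOwner.has(owner)) byOwner.set(owner, []);
    byOwner.get(owner).push(inst);
  }

  const keep = [];
  for (const [owner, list] of byOwner) {
    list.sort((a, b) => new Date(a.LaunchTime) - new Date(b.LaunchTime)); // oldest first
    for (const inst of list.slice(0, limit)) keep.push(inst.InstanceId);
    for (const inst of list.slice(limit)) {
      violations.push({ InstanceId: inst.InstanceId, owner, reason: `over limit of ${limit}` });
    }
  }
  return { keep, violations };
}

// Enforcing variant: the params object ec2.terminateInstances expects.
function terminateParams(plan) {
  return { InstanceIds: plan.violations.map(v => v.InstanceId) };
}

// Notify-only variant: one list of findings per owner. Untagged instances have
// nobody to mail, so they are grouped under 'unknown' for the admins.
function noticesByOwner(plan) {
  const notices = new Map();
  for (const v of plan.violations) {
    const who = v.owner || 'unknown';
    if (!notices.has(who)) notices.set(who, []);
    notices.get(who).push(`${v.InstanceId}: ${v.reason}`);
  }
  return notices;
}

// Stand-alone run against the constructed sample with a fixed clock.
const demoPlan = planEnforcement(SAMPLE_INSTANCES, { now: new Date('2016-02-23T11:00:00Z') });
console.log(JSON.stringify(demoPlan, null, 2));
console.log(terminateParams(demoPlan));
console.log(noticesByOwner(demoPlan));
```

In a real scheduled Lambda the input would come from ec2.describeInstances (or from the tagging API call above, which only returns tagged resources, so untagged instances still need DescribeInstances), and the function's role would need ec2:DescribeInstances plus ec2:TerminateInstances only if you actually terminate. The grace period matters: an instance launched seconds before the run has not had a chance to be tagged, and flagging it immediately produces exactly the false positive the other answer warns about.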


I would not recommend automatically deleting resources. A mistake could be fatal to a company.

Ryan's answer is good. Use Lambda to monitor who owns what resources. Also use Lambda to automatically tag the owner on newly created resources. CloudTrail is an excellent resource for monitoring and measuring who does what and when.

However, I would have Lambda send an email to the employee and their manager (or appropriate chain of command) regarding the infraction instead of terminating resources. Most people learn quickly when they are called into a meeting for violating company policy that might result in a justifiable reprimand or job termination. This is a much better policy than trying to justify a software bug that took the entire company down.

John Hanley