I want to allow users only to create t2.micro/small/medium for development and allow them to use only spot instances. Have created IAM policy to restrict type/size of instances. In addition I want to put restriction on "on-demand" instances (team MUST opt for spot instances only). What is the cleaner way of achieving it?
How are users currently granted permission to launch Amazon EC2 instances? Have you considered changing the policies that grant them such permissions, so that they can only launch particular instance types? Also, what do you mean by "avoid on-demand instances" — what billing option do you want them to use? Please edit the question to include these details, instead of replying in a comment. – John Rotenstein Jun 22 '20 at 01:18
3 Answers
2
Try AWS Service Catalog. That is the exact service which can help you here.

Deepak Singhal
2
Use the ec2:InstanceMarketType condition key in your IAM policy.
Example (untested):

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "ec2:InstanceMarketType": "spot"
      }
    }
  }
}
```

Harish KM
2
Allow full access with the account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "limitedSize",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "cloudwatch:DescribeAlarms"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "ForAnyValue:StringNotLike": {
          "ec2:InstanceType": [
            "t3.*",
            "t2.*"
          ]
        }
      }
    }
  ]
}
```
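Combining the ec2:InstanceMarketType idea from the second answer with the instance-type Deny from the third, as an added example that is not from any of the answers: this policy denies ec2:RunInstances unless the instance is one of the three development sizes from the question and is launched as a spot instance. It assumes the users already hold an Allow for ec2:RunInstances (covering the AMI, subnet, security-group and other resources that call touches), which this policy only narrows.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonDevInstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t2.micro",
            "t2.small",
            "t2.medium"
          ]
        }
      }
    },
    {
      "Sid": "DenyOnDemandLaunches",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceMarketType": "spot"
        }
      }
    }
  ]
}
```

Both Deny statements are scoped to the instance ARN because ec2:InstanceType and ec2:InstanceMarketType are only present in the request context for that resource of a RunInstances call; an Allow with Action "*" conditioned on ec2:InstanceMarketType, as in the untested example above, would fail for every other API call, since StringEquals against a key that is absent from the request evaluates to false.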