Introduction to Amazon EC2 > Limit resource usage using IAM services > Limited EC2 usage by Instance Family

Limited EC2 usage by Instance Family

Limit EC2 usage by Instance Family

create vpc for linux instance

AWS provides different instance families in EC2. Depending on your workload requirements - different families will be most cost effective. For environments like dev/test, you can limit instance families in that account to type General Purpose - cost-optimized.
We will create a policy that only allows operations to be performed on a few specific instance families. This not only limits the launch of an EC2 instance but also limits all other operations on the remaining services.
- Noted: instance family is instance family representing criteria such as:
  1. C – Compute optimized
  2. R – Memory optimized
  3. M – General purpose
  - You can refer to the following document for more information: Amazon Elastic Compute Cloud - Instance types

Compute requirements
- Suppose, as a Cloud engineer, you receive a request from the Dev team: need virtual machines that meet the following criteria:
  1. Appropriate configuration to run for development environments
  2. Can run CPU architecture: x86 and Arm
  3. Run for small and medium databases
  4. Virtual machines can be used as code repositories solutions
  5. Because in the development phase, the usage needs are only General Purpose
Select Compute
- You need to go to AWS’s EC2 page to check which Instance Families meet the above criteria
- In the PAGE CONTENT section you will see EC2 divided into groups with different uses, select General Purpose
- Select the instance family and check:
  1. Features to get an overview of the chip, performance,…
  2. Use Cases to understand in more detail the purposes of use,…
- With the above criteria, there are many suitable instance families, but within the framework of this lab, we will choose: T3, T4g, M5 because:
  1. Development environments : T3, T4g
  2. CPU Architecture
    - x86: T3, M5
    - Arm: T4g
  3. Small and medium databases : M5, T3
  4. Code repositories: T3, T4g
  5. General Purpose: T3, T4g, M5
Create an IAM Policy that only allows users to initialize EC2 with instance family: T3, T4g, M5
- In the AWS console, in the search box, enter IAM
- Select IAM service
- On the left side of the screen, select Policies
- Select Create policy
- Create policy in JSON data format instead of Visual. Select JSON
- Scan the entire current code and press the Delete button
- Copy the following code into the Policy editor box, Scroll down and select Next
  - Meaning: User has the right to create EC2 with instance family: T3, T4g, M5
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:148922931563:instance/*",
            "Condition": {
                "StringNotLike": {
                    "ec2:InstanceType": [
                        "t3.*",
                        "t4g.*",
                        "m5.*"
                    ]
                }
            }
        }
    ]
}
```
- Noted: in the Resource line, replace the 12-digit sequence with your AWS account ID. Select the triangle symbol, then select the square symbol to copy the AWS account ID
- In the Policy name section, enter: EC2_FamilyRestrict
- In the Description section, enter: Restrict to all, except t3, t4g and m5 families
- Scroll to the bottom of the page and select Create policyy
Add policy EC2_FamilyRestrict to group CostTest
- At IAM Console, left section - select User groups
- Select CostTest
- Select Permissions
- Select Add permissions, select Attach policies
- In the search box 🔍, enter EC2_FamilyRestrict.
- Check the box symbol □ to select a policy, select Attach policies
- Check Permissions policies
  - Now in the CostTest group there is policy EC2_FamilyRestrict and policy RegionRestrict that you created in lab 8.1
- Remove policy RegionRestrict because of least-privilege permissions criteria
  - Check the box symbol □ to select the policy, select Remove
- Check User’s policy
  - Select Users
  - Select TestUser
  - At this time, at IAM User: TestUser, in the Policy Name section you see the appearance of policy EC2_FamilyRestrict
  - In the section Attached via - Group CostTest, it means that these policies are assigned to the User through the group, not directly to the User.
  - -> This satisfies AWS’s best practice of centralized permission management through Group
Check Permissions policies for Instance family: T4g
- Log in to TestUser with the information you created in lab 8.1, step 4
- Make sure you are in Region Singapore
- In the search box 🔍, enter EC2
- At the EC2 interface, in the middle of the page, select Launch instance
- In the Name section, enter EC2_T4g_FamilyRestrict
- In the Architecture section, select the triangle symbol, select 64-bit(Arm)
- In the Instance type section, select the triangle symbol, select t4g.micro
- In the key pair name section, select the triangle symbol, select Proceed without a key pair (Not recommended)
- Select Launch instance
- Select Instance ID that has just been successfully created
- Congratulations, you have successfully created EC2 with instance family T4g
Check Permissions policies for Instance family: M6i
- Select Launch instance
- In the Name section, enter EC2_M6i_FamilyRestrict
- In the Architecture section, keep the value 64-bit(x86)
- In the Instance type section, select the triangle symbol, select m6i.large
- In the key pair name section, select the triangle symbol, select Proceed without a key pair (Not recommended)
- Select Launch instance
- You received the response Instance launch failed - because you are not authorized. This satisfies the permission policy: EC2_FamilyRestrict that you created in step 3.
You can proceed to step 5 again, creating EC2 with instance family T3 and M5 to test the effectiveness of permission policy: EC2_FamilyRestrict