Suppose that, after a period of monitoring EC2 usage in the dev/test environment, where users are allowed to create instances from the T3, T4g and M5 instance families, you see that the dev team mostly uses the T3 family, with the instance types t3.small and t3.large.
After meeting with the tech lead, and in the spirit of cost optimization with least-privilege permissions, you create a new permissions policy for the dev/test environment. It prevents the human error of launching instances with configurations such as m5.4xlarge (16 vCPU, 64 GiB RAM) whose capacity may never be fully used, which causes waste.
Create an IAM policy that only allows users to launch EC2 instances with the instance types t3.small and t3.large
Open the IAM console, go to Policies, choose Create policy, and switch to the JSON tab. Paste the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:148922931563:instance/*",
            "Condition": {
                "StringNotLike": {
                    "ec2:InstanceType": [
                        "t3.small",
                        "t3.large"
                    ]
                }
            }
        }
    ]
}
Name the policy EC2_InstanceTypeRestrict and give it the description "Restrict to all, except t3.small & t3.large".
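To understand why the policy above behaves the way the following checks expect, it helps to walk through IAM's evaluation order: an explicit Deny wins over any Allow, and the Deny here only matches when the StringNotLike condition holds, that is, when the requested ec2:InstanceType is neither t3.small nor t3.large. The small simulator below is an added example, not part of the workshop or any AWS library; it models only the string condition operators and the explicit-deny rule, uses a placeholder account id (123456789012) instead of the page's, and assumes a constructed set of resource ARNs that one RunInstances call touches.

```python
import fnmatch
import json

# Constructed copy of the workshop's EC2_InstanceTypeRestrict policy. The account
# id 123456789012 is a placeholder, not the account used on the page.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:123456789012:instance/*",
      "Condition": {"StringNotLike": {"ec2:InstanceType": ["t3.small", "t3.large"]}}
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)

# Constructed list of resource ARNs that a single RunInstances call touches.
RUN_INSTANCES_RESOURCES = [
    "arn:aws:ec2:ap-southeast-1:123456789012:instance/*",
    "arn:aws:ec2:ap-southeast-1:123456789012:volume/*",
    "arn:aws:ec2:ap-southeast-1:123456789012:network-interface/*",
    "arn:aws:ec2:ap-southeast-1:123456789012:subnet/subnet-0example",
    "arn:aws:ec2:ap-southeast-1:123456789012:security-group/sg-0example",
    "arn:aws:ec2:ap-southeast-1::image/ami-0example",
]

STRING_OPERATORS = {"StringLike", "StringNotLike", "StringEquals", "StringNotEquals"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    # IAM's '*' and '?' wildcards behave like shell globs (case-sensitive here).
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    # Toy model: only the four string operators, and the key must be present in
    # the request context. Real IAM has more rules (e.g. ...IfExists) not modelled.
    for operator, pairs in condition.items():
        if operator not in STRING_OPERATORS:
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            any_like = any(_wildcard_match(p, actual) for p in expected)
            if operator == "StringLike" and not any_like:
                return False
            if operator == "StringNotLike" and any_like:
                return False
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Decision for one (action, resource): ExplicitDeny beats Allow beats ImplicitDeny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # one matching Deny ends the evaluation
        decision = "Allow"
    return decision


def run_instances_allowed(policy, instance_type, resources=RUN_INSTANCES_RESOURCES):
    """RunInstances succeeds only if every resource it touches is allowed.
    ec2:InstanceType is only in the request context for the instance resource,
    which is also the only resource the Deny statement names."""
    for arn in resources:
        context = {"ec2:InstanceType": instance_type} if ":instance/" in arn else {}
        if evaluate(policy, "ec2:RunInstances", arn, context) != "Allow":
            return False
    return True


if __name__ == "__main__":
    for itype in ["t3.small", "t3.large", "t3.medium", "m5.4xlarge"]:
        print(f"{itype:<12} RunInstances allowed: {run_instances_allowed(POLICY, itype)}")
```

Two things the walk-through makes visible: the first statement's Allow on ec2:* still grants every other EC2 action (the Deny only restricts the instance type on RunInstances), and the Deny is scoped to the instance ARN, so a RunInstances call fails whenever that one resource is denied, regardless of the other resources the call touches. For a check against the real evaluator without launching anything, the AWS CLI's aws iam simulate-custom-policy accepts a policy document, an action name, resource ARNs and context entries such as ec2:InstanceType.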
Add the policy EC2_InstanceTypeRestrict to the group CostTest
Check the user's policies
At this point, for the IAM user TestUser, the policy EC2_InstanceTypeRestrict appears in the Policy name column.
The Attached via column shows Group CostTest, which means the policy is assigned to the user through the group, not attached directly to the user.
-> This follows AWS's best practice of managing permissions centrally through groups.
Check the permissions policy with instance type t3.small
Open the EC2 console and launch an instance with these settings:
- Name: EC2_InstanceTypeRestrict
- Architecture: keep the default, 64-bit (x86)
- Instance type: t3.small
Check the permissions policy with instance type m5.4xlarge
Repeat the launch with these settings:
- Name: EC2_m5.4xlarge
- Instance type: m5.4xlarge
This type is not in the StringNotLike list of EC2_InstanceTypeRestrict, so the explicit Deny on ec2:RunInstances applies to it.
You can also repeat step 3 with instance type t3.large to confirm that the permissions policy EC2_InstanceTypeRestrict allows the second permitted type as well.