I have a policy that allows the user to launch an EC2 instance in an AWS account, but I want to restrict the user to one instance only.
In the following command, I am using a --count keyword but this can be modified by the user to any number.
aws ec2 run-instances --image-id ami-00ee4df451840fa9d --count 1 --instance-type t2.micro --security-group-ids xxxxxxxxxxxx --key-name xxxxxxxxx --subnet-id xxxxxxxxx --profile userX --region us-west-2
Is there a way to restrict the user to run only one instance?
Thanks
CodePudding user response:
It is not possible to use IAM Policies to restrict the quantity of Amazon EC2 instances that an IAM User can launch.
IAM Policies determine whether the user is permitted to make an API request (eg RunInstances()), but are not able to look at existing resources to make that decision.
You would need to create a 'service' that will launch instances on behalf of users, after first checking that no existing instance exists. For example, this could be a web-app that you write that verifies the conditions and then launches the instance on behalf of the user.
Also, please note that Amazon EC2 instances are not associated with 'users' -- they are associated with an AWS Account. Therefore, you would also need a means of associating existing instances with IAM Users, such as adding a Tag to identify the user who requested the instance. (Make sure that users don't have permission to modify this tag!)
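The "launch on behalf of the user" gate the answer describes, as an added example that is not part of the original post: the service (not the user) fixes the count at 1, tags the instance with the requesting principal, and refuses a launch when a non-terminated instance already carries that tag. The tag name RequestedBy, the state list, and the sample DescribeInstances page are assumptions; no AWS call is made, the function only returns the RunInstances parameters the service would pass.

```python
"""Per-user EC2 launch gate (added example, not from the original post).

Assumes the service records the requesting principal in a tag named
RequestedBy and receives DescribeInstances output in the dict shape boto3
returns. Handles one response page; paginate before calling if needed.
"""

# Instance states that still count against the user's single-instance quota.
ACTIVE_STATES = {"pending", "running", "stopping", "stopped"}
TAG_KEY = "RequestedBy"  # assumed tag name; users must not be able to edit it


def instances_for_user(describe_response, user):
    """Return ids of non-terminated instances tagged RequestedBy=<user>."""
    found = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst["State"]["Name"] not in ACTIVE_STATES:
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get(TAG_KEY) == user:
                found.append(inst["InstanceId"])
    return found


def plan_launch(describe_response, user, image_id, instance_type, subnet_id, sg_id):
    """Return RunInstances kwargs if the user owns no instance, else None.

    MinCount/MaxCount and the ownership tag are set by the service, so the
    caller cannot raise the count or claim another user's instance.
    """
    if instances_for_user(describe_response, user):
        return None
    return {
        "ImageId": image_id,
        "InstanceType": instance_type,
        "SubnetId": subnet_id,
        "SecurityGroupIds": [sg_id],
        "MinCount": 1,
        "MaxCount": 1,
        "TagSpecifications": [{
            "ResourceType": "instance",
            "Tags": [{"Key": TAG_KEY, "Value": user}],
        }],
    }


# Constructed sample page: alice has a running instance, bob's is terminated.
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"},
     "Tags": [{"Key": TAG_KEY, "Value": "alice"}]},
    {"InstanceId": "i-0bbb", "State": {"Name": "terminated"},
     "Tags": [{"Key": TAG_KEY, "Value": "bob"}]},
]}]}
```

The check-then-launch sequence is not atomic, so two concurrent requests from the same user could both pass; serialize requests per user in the service or reconcile and terminate extras afterwards.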