KaungThant Lwin for AWS Community Builders


How to use IAM Policy to allow creating specific EC2 instances?

Today I would like to share how an IAM policy can control what a user is allowed to do when creating EC2 instances. I use this policy when sharing IAM user access to my lab, "Thingyan AWS Lab", with people in Myanmar.

Because it is their first time creating an EC2 instance, I want them to stay within the free tier only, so I use the following IAM policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:*",
        "cloudfront:*",
        "cloudwatch:*",
        "elasticloadbalancing:*",
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ap-southeast-1"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotLike": {
          "ec2:InstanceType": [
            "t2.micro"
          ]
        }
      }
    }
  ]
}
```

The first statement allows access to EC2, S3, CloudFront, CloudWatch and Elastic Load Balancing (plus iam:CreateServiceLinkedRole) only within a specific AWS Region, ap-southeast-1 (Singapore). I want services to be created in the Singapore region only.

```json
{
  "Effect": "Allow",
  "Action": [
    "ec2:*",
    "s3:*",
    "cloudfront:*",
    "cloudwatch:*",
    "elasticloadbalancing:*",
    "iam:CreateServiceLinkedRole"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": "ap-southeast-1"
    }
  }
},
```

The second statement allows only t2.micro EC2 instances to be created: its condition matches when the requested instance type is not like t2.micro, and in that case the EC2 action is denied. That is all; please follow the step-by-step instructions below.
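To see how the two statements combine, here is an added example (my own, not from the post and not AWS's evaluator) that models only the operators this policy uses, together with IAM's rule that an explicit Deny wins over any Allow. It assumes the documented behaviour that a ForAnyValue condition is false when its key is absent from the request, which is why the Deny leaves EC2 calls that carry no `ec2:InstanceType` (such as DescribeInstances) alone.

```python
import fnmatch

POLICY = {"Version": "2012-10-17", "Statement": [  # the post's policy as a dict
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:*", "s3:*", "cloudfront:*", "cloudwatch:*",
                "elasticloadbalancing:*", "iam:CreateServiceLinkedRole"],
     "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-1"}}},
    {"Effect": "Deny", "Resource": "*", "Action": "ec2:*",
     "Condition": {"ForAnyValue:StringNotLike": {"ec2:InstanceType": ["t2.micro"]}}},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    """Subset of IAM condition evaluation needed by this policy (assumed semantics)."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            wanted, have = _as_list(wanted), _as_list(ctx.get(key, []))
            if op == "StringEquals":
                if not have or have[0] not in wanted:
                    return False
            elif op == "ForAnyValue:StringNotLike":
                # Set operator: true if some request value matches none of the patterns.
                # With no key in the request there is no value to test, so it is false.
                if not any(all(not fnmatch.fnmatchcase(v, p) for p in wanted) for v in have):
                    return False
    return True

def evaluate(action, ctx, policy=POLICY):
    """IAM decision: explicit Deny wins, otherwise any matching Allow, otherwise implicit deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    sg = "ap-southeast-1"  # constructed request contexts using the post's region
    for action, ctx in [
        ("ec2:RunInstances", {"aws:RequestedRegion": sg, "ec2:InstanceType": "t2.micro"}),
        ("ec2:RunInstances", {"aws:RequestedRegion": sg, "ec2:InstanceType": "t3.large"}),
        ("ec2:DescribeInstances", {"aws:RequestedRegion": sg})]:
        print(f"{action:22} {ctx} -> {evaluate(action, ctx)}")
```

This is a teaching model, not a substitute for testing the policy in the AWS IAM policy simulator before handing out the user accounts.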

The first step is to create the IAM policy. Go to the IAM Policies page and click Create policy; I will create a custom policy using the JSON editor.

(Screenshot: Policies page)

Paste the policy JSON above into the editor, then click Next: Tags.

(Screenshot: Create policy with JSON)

If you want to add tags, add them here; otherwise click Next: Review.

Add a policy name and description and check the policy summary.

(Screenshot: Create policy)

If everything looks fine, go ahead and create the policy.

After creating the policy, create an IAM user group: click Create group, add the IAM users, and attach the policy you created before.

(Screenshot: Create IAM group and attach policy)

Once everything is complete, your IAM users can only access these services within the specified AWS Region.
