
KaungThant Lwin for AWS Community Builders


How to use IAM Policy to allow creating specific EC2 instances?

Today I would like to share how to use an IAM policy to control access when creating EC2 instances. In particular, I am using this to share IAM user access to my lab, "Thingyan AWS Lab", for our people in Myanmar.

I just want them to use the free tier only, because they are creating an EC2 instance for the first time. So I am using the following IAM policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "s3:*",
                "cloudfront:*",
                "cloudwatch:*",
                "elasticloadbalancing:*",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "ap-southeast-1"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotLike": {
                    "ec2:InstanceType": [
                        "t2.micro"
                    ]
                }
            }
        }
    ]
}

The first statement allows the EC2, S3, CloudFront, CloudWatch and Elastic Load Balancing APIs, plus iam:CreateServiceLinkedRole (typically needed so that a service such as Elastic Load Balancing can create its service-linked role on first use), but only when the request is made to the ap-southeast-1 (Singapore) region. I would like to create services in the Singapore region only. One caveat: aws:RequestedRegion matches the region an API call is sent to. IAM and CloudFront are global services whose API calls always go to us-east-1, so as written this condition will never match cloudfront:* or iam:CreateServiceLinkedRole; if those actions are actually needed, put them in a separate statement without the region condition.
{
    "Effect": "Allow",
    "Action": [
        "ec2:*",
        "s3:*",
        "cloudfront:*",
        "cloudwatch:*",
        "elasticloadbalancing:*",
        "iam:CreateServiceLinkedRole"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:RequestedRegion": "ap-southeast-1"
        }
    }
},

The second statement is what limits users to t2.micro instances. It denies any ec2:* action whose request carries an ec2:InstanceType context key with a value other than t2.micro. Because an explicit Deny always overrides an Allow, ec2:RunInstances with any other instance type is refused even though the first statement allows ec2:*. EC2 actions that do not carry the key (DescribeInstances, CreateVolume and so on) are unaffected, since a condition on a key that is absent from the request evaluates to false and the Deny simply does not apply. The same key is also present on ec2:ModifyInstanceAttribute, so a user cannot launch a t2.micro and then resize it to a larger type. Two notes: ec2:InstanceType holds a single value, so a plain StringNotLike without the ForAnyValue: set prefix behaves the same here and is the simpler form; and the restriction limits the instance type only, while s3:*, elasticloadbalancing:* and other EC2 resources such as EBS volumes and Elastic IPs stay allowed without further limits, so this keeps beginners on free-tier instance sizes rather than capping the bill. The step-by-step setup follows.
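To make those evaluation rules concrete, here is a small Python script, added to this post as an illustration (it is not part of the original article and not AWS code), that models just enough of IAM policy evaluation to run the policy above against a handful of constructed request contexts: an explicit Deny beats an Allow, a condition on a context key the request does not carry evaluates to false, and aws:RequestedRegion is checked per call. The request contexts and the verdict labels are assumptions made for the example; the authoritative check for a real policy is the IAM policy simulator (aws iam simulate-custom-policy).

```python
"""Offline Allow/Deny evaluator for the IAM policy in this post (a toy model, not IAM itself)."""
import fnmatch
import json

# The policy from this post, embedded verbatim so the script runs offline.
POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:*", "s3:*", "cloudfront:*", "cloudwatch:*",
                "elasticloadbalancing:*", "iam:CreateServiceLinkedRole"],
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-1"}}},
    {"Effect": "Deny",
     "Action": "ec2:*",
     "Resource": "*",
     "Condition": {"ForAnyValue:StringNotLike": {"ec2:InstanceType": ["t2.micro"]}}}
  ]
}
""")

SUPPORTED_OPS = {"StringEquals", "StringNotEquals", "StringLike", "StringNotLike"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _value_matches(op, actual, patterns):
    """Match one request value against a key's policy values (the values are OR'd)."""
    if op not in SUPPORTED_OPS:
        raise NotImplementedError(f"operator {op} is not modelled in this toy")
    if op in ("StringLike", "StringNotLike"):
        hit = any(fnmatch.fnmatchcase(actual, p) for p in patterns)  # * and ? wildcards
    else:
        hit = actual in patterns                                      # case-sensitive
    return not hit if "Not" in op else hit


def _condition_true(condition, context):
    """AND across operators and keys; absent keys and set prefixes follow IAM's rules."""
    for full_op, keys in condition.items():
        set_prefix, _, op = full_op.rpartition(":")   # e.g. "ForAnyValue:StringNotLike"
        if_exists = op.endswith("IfExists")
        op = op.removesuffix("IfExists")
        for key, patterns in keys.items():
            actual = context.get(key.lower())         # context key names are case-insensitive
            if actual is None:
                # Absent key: only ...IfExists and ForAllValues evaluate to true.
                if if_exists or set_prefix == "ForAllValues":
                    continue
                return False
            results = [_value_matches(op, a, _as_list(patterns)) for a in _as_list(actual)]
            if not (any(results) if set_prefix == "ForAnyValue" else all(results)):
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    """Action and Resource support '*' wildcards; NotAction/NotResource are not modelled."""
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_true(stmt.get("Condition", {}), context)


def evaluate(policy, action, context, resource="*"):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one request against one resource."""
    ctx = {k.lower(): v for k, v in context.items()}
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, action, resource, ctx)}
    if "Deny" in effects:
        return "explicitDeny"                          # an explicit Deny always wins
    return "allowed" if "Allow" in effects else "implicitDeny"


# Constructed request contexts (not real CloudTrail data) for the cases this policy must get right.
SG, USE1 = "ap-southeast-1", "us-east-1"
CASES = {
    "launch t2.micro in Singapore": ("ec2:RunInstances", {"aws:RequestedRegion": SG, "ec2:InstanceType": "t2.micro"}),
    "launch t3.large in Singapore": ("ec2:RunInstances", {"aws:RequestedRegion": SG, "ec2:InstanceType": "t3.large"}),
    "resize running instance to m5.large": ("ec2:ModifyInstanceAttribute", {"aws:RequestedRegion": SG, "ec2:InstanceType": "m5.large"}),
    "describe instances (no InstanceType key)": ("ec2:DescribeInstances", {"aws:RequestedRegion": SG}),
    "launch t2.micro in N. Virginia": ("ec2:RunInstances", {"aws:RequestedRegion": USE1, "ec2:InstanceType": "t2.micro"}),
    "create CloudFront distribution (global service, us-east-1)": ("cloudfront:CreateDistribution", {"aws:RequestedRegion": USE1}),
}


def run_cases(policy=POLICY):
    """Evaluate every constructed case and return {case name: verdict}."""
    return {name: evaluate(policy, action, ctx) for name, (action, ctx) in CASES.items()}


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{verdict:13} {name}")
```

Running it prints one verdict per case: the t2.micro launch and DescribeInstances are allowed, the t3.large launch and the m5.large resize hit the explicit Deny, and the us-east-1 launch and the CloudFront call fall through to an implicit deny because the Allow's region condition does not match them. Swapping the Deny condition to a plain StringNotLike gives identical verdicts, which is why the ForAnyValue: prefix is unnecessary for this single-valued key.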

The first step is creating the IAM policy. Go to the IAM Policies page in the IAM console.

Click Create policy; the custom policy will be defined with JSON.


Paste the policy JSON above into the JSON editor, then click Next: Tags.

If you want to add tags, add them; if not, click Next: Review.

Add a policy name and description, and check the policy summary.


If everything looks fine, go ahead and create the policy.

After creating the policy, create an IAM user group.

Click Create group, add the IAM users, and attach the policy you created earlier.

Once this is done, the IAM users in the group can use the allowed services only in the Singapore region and can launch EC2 instances of type t2.micro only.
