AWS offers different instance families within EC2. Depending on your workload requirements, different types will be the most cost effective. For non-specific environments such as testing or development, you can restrict the instance families in those accounts to the most cost effective generic types. It is also an effective way to increase Savings Plan or Reserved Instance utilization, by ensuring these accounts will consume any available commitment discounts.
We will create a policy that allows EC2 operations on specific instance families only. Because the condition is applied to every EC2 action, not just to launching, it restricts all other activities on instances of other families as well. NOTE: it is best practice to grant only the minimum access required; the policy used here is kept broad for brevity and simplicity, and should only be implemented as a demonstration before being removed.
Log on to the console as your regular user with the required permissions, then go to the IAM service page:
Select Policies from the left menu:
Click Create Policy:
Click on the JSON tab:
Copy and paste the policy JSON into the editor:
Click Review policy:
Enter the details:
You have successfully created an IAM policy to restrict usage by Instance Family.
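The lab page does not reproduce the Ec2_FamilyRestrict JSON, so the following is an example added here, not the lab's own code. It embeds an assumed policy of the kind described above (an Allow for the actions the launch wizard needs, plus an explicit Deny on RunInstances whenever ec2:InstanceType is outside t3, a1 or m5) and a small offline evaluator for the slice of IAM logic that matters here: explicit Deny beats Allow, wildcard matching, and the behaviour of StringLike versus StringNotLike when the condition key is missing from the request. It also contrasts the recommended shape with an Allow-only policy (also assumed, for contrast) that would block the Describe* calls the console depends on, and it reproduces the c5.large versus t3.micro outcomes from the test-launch steps later on the page. The account ID, region and action list are illustrative values.

```python
"""Offline check of an instance-family restriction policy (added example)."""
import re

ALLOWED_FAMILIES = ["t3.*", "a1.*", "m5.*"]

# Assumed shape of Ec2_FamilyRestrict (the lab page does not show its JSON).
# The Allow grants what the console launch wizard needs; the explicit Deny
# blocks RunInstances on the instance resource for any other family.
FAMILY_RESTRICT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*", "ec2:RunInstances", "ec2:TerminateInstances",
                "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateTags",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotLike": {"ec2:InstanceType": ALLOWED_FAMILIES}},
        },
    ],
}

# Tempting shortcut, assumed here for contrast: a single Allow with a positive
# condition. Describe* requests carry no ec2:InstanceType key, so the condition
# is false and the console's read calls fall through to an implicit deny.
ALLOW_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringLike": {"ec2:InstanceType": ALLOWED_FAMILIES}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _condition_holds(condition, context):
    """Supports StringLike / StringNotLike; every key in the block must hold."""
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise NotImplementedError(operator)
        negated = operator == "StringNotLike"
        for key, patterns in pairs.items():
            value = context.get(key)
            if value is None:
                # Missing key: a positive operator is false, a negated one is true.
                if negated:
                    continue
                return False
            matched = any(_glob(p, value) for p in _as_list(patterns))
            if matched == negated:  # StringLike needs a match, StringNotLike needs none
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action/resource pair."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def run_instances_decision(policy, instance_type, region="us-east-1", account="123456789012"):
    """RunInstances is authorised per resource; the instance ARN carries ec2:InstanceType."""
    instance_arn = f"arn:aws:ec2:{region}:{account}:instance/*"
    return evaluate(policy, "ec2:RunInstances", instance_arn, {"ec2:InstanceType": instance_type})


if __name__ == "__main__":
    for itype in ("c5.large", "t3.micro", "m5.large"):
        print(itype, run_instances_decision(FAMILY_RESTRICT, itype))
    print("DescribeInstances, FAMILY_RESTRICT:", evaluate(FAMILY_RESTRICT, "ec2:DescribeInstances", "*"))
    print("DescribeInstances, ALLOW_ONLY:", evaluate(ALLOW_ONLY, "ec2:DescribeInstances", "*"))
```

The Deny is scoped to the instance ARN because that is the only RunInstances resource that carries the ec2:InstanceType key; the same call is also evaluated against the AMI, subnet and security-group resources, where the Deny simply does not match. Running the script prints Deny for c5.large, Allow for t3.micro and m5.large, Allow for DescribeInstances under the first policy and ImplicitDeny under the Allow-only one.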
Click on Groups from the left menu:
Click on the CostTest group (created previously):
We need to remove the RegionRestrict policy, as it permitted all EC2 actions; IAM permissions are cumulative across attached policies, so leaving it attached would still allow any instance type to be launched. Click on Detach Policy for RegionRestrict:
Click on Detach:
Click on Attach Policy:
Click on Policy Type, then click Customer Managed:
Select the checkbox next to Ec2_FamilyRestrict, and click Attach Policy:
You have successfully attached the policy to the CostTest group.
Log out from the console.
Log on to the console as the TestUser1 user, then go to the EC2 Service dashboard:
Try to launch an instance: click Launch Instance, then select Launch Instance from the drop-down:
Click on Select next to the Amazon Linux 2 AMI:
First we will select an instance type the policy does not allow: select a c5.large instance and click Review and Launch:
Make note of the security group created, click Launch:
Select Proceed without a key pair, and click I acknowledge that I will not be able to…, then click Launch Instances:
You will receive an error; notice that the failed step is Initiating launches, which is where the RunInstances call is denied by the policy. Click Back to Review Screen:
Click Edit instance type:
We will now select an instance type we can launch (t3, a1 or m5). Select t3.micro and click Review and Launch (note that a1 instances are Arm-based and would need an arm64 AMI rather than the x86 Amazon Linux 2 AMI chosen above):
Select Yes, I want to continue with this instance type (t3.micro), and click Next:
Select Proceed without a key pair, click I acknowledge that I will not be able to…, then click Launch Instances:
You will receive a success message. Click on the Instance ID and terminate the instance as before:
Log out of the console as TestUser1.
You have successfully implemented an IAM policy that restricts all EC2 actions to the T3, A1 and M5 instance families.