Allow AWS IAM user to run only one instance of ec2

Question

Allow AWS IAM user to run only one instance of ec2

On Amazon AWS, I would like to give my registered IAM (Windows) user a small API-based program that will launch an AMI-based instance and then connect their machine to it. Easy - but if the same user has to try to start another instance while the first one is still working (from the same or another machine), the second and subsequent attempts should fail. AMI will be used by several users. The instance will be unique to the user.

Please note that this problem is different from some similar questions, because I need to run the instance on demand, but not allow additional instances. The goal is to prohibit the use of the application more than licensed.

The ideal detection and prevention of this will occur on the AWS side, as it is more secure.

On the client side, I see how I can use tags for this - mark the running instance with the username and find the tags before allowing the instance to start.

Is there a way to do this on the server side, with IAM policy terms or something?

+4

amazon-web-services amazon-ec2 amazon-iam

user2793921 Mar 05 '14 at 22:14

source share

1 answer

Anthony Neace · Accepted Answer · 2014-03-05T22:47:53+0000

. , ec2, , , ResourceTag "MyTag" "MyTagValue".

:

{
  "Statement": [
    {
      "Action": [
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/MyTag": "MyTagValue"
        }
      }
    },
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    }   
  ]
}

IAM Policy Simulator:

, , ..

, ec2 allow "Action": "ec2:*" ... , EC2 .

Allow AWS IAM user to run only one instance of ec2

More articles: