Articles → AWS → Restrict The EC2 Launch Using Service Control Policy

Restrict The EC2 Launch Using Service Control Policy






Steps




  1. Create an AWS organization and add an account
  2. Create an organizational unit
  3. Move the account to OU
  4. Enable the service control policy
  5. Create the service control policy for EC2
  6. Attach the service control policy
  7. Switch role
  8. Launch an EC2 instance



Create An AWS Organization And Add An Account





Create An Organizational Unit




Picture showing the Create new option for creating the new organizational unit
Click to Enlarge



Picture showing the screen to create the new organizational unit
Click to Enlarge


Move Account To OU




Picture showing the Move option for moving the account in the organizational unit
Click to Enlarge



Picture showing the review screen before moving the account in the organizational unit
Click to Enlarge


Enable The Service Control Policy




Picture showing the Policies tab inside the organizational unit
Click to Enlarge



Picture showing the count of policy types available
Click to Enlarge



Picture showing the link of service control policies
Click to Enlarge



Picture showing the Enable service control policies button for enabling the service control policies
Click to Enlarge


Create The Service Control Policy For EC2




Picture showing the Create policy button for creating the new policy
Click to Enlarge



Picture showing the create new service control policy screen
Click to Enlarge



{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMicroInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals":{               	
          "ec2:InstanceType":"t2.micro"
        }
      }
    }
  ]
}


Picture showing the service control policy json
Click to Enlarge




Attach The Service Control Policy




Picture showing the attach policy menu for attaching the policy
Click to Enlarge



Picture showing selecting the organizational unit for attaching the policy
Click to Enlarge


Switch Role




Picture showing the switch role button
Click to Enlarge



Picture showing the switch role screen in AWS console
Click to Enlarge



Picture showing the switch role screen to enter the account no and role name
Click to Enlarge




Launch An EC2 Instance




Picture showing the error message when ec2 instance is launched other than t2.micro
Click to Enlarge


Posted By  -  Karan Gupta
 
Posted On  -  Monday, May 30, 2022

Query/Feedback


Your Email Id  
 
Subject 
 
Query/FeedbackCharacters remaining 250