Articles → AWS → Restrict The EC2 Launch Using Service Control Policy

Restrict The EC2 Launch Using Service Control Policy

In this article, we will restrict the EC2 launch using a service control policy.

Steps

For this article, we will work on the following steps: -

Create an AWS organization and add an account
Create an organizational unit
Move the account to OU
Enable the service control policy
Create the service control policy for EC2
Attach the service control policy
Switch role
Launch an EC2 instance

Let us get started.

Create An AWS Organization And Add An Account

First, create an AWS organization and add an account.

Create An Organizational Unit

To create an organization unit, go to the AWS accounts page. Click on Actions → Organizational unit → Create new.

Picture showing the Create new option for creating the new organizational unit

Click to Enlarge

A screen will appear to enter the Organizational unit name. Click on the Create organizational unit button.

Picture showing the screen to create the new organizational unit

Click to Enlarge

Move Account To OU

To move the account to the organizational unit, select the account and click on Actions → AWS Account → Move.

Picture showing the Move option for moving the account in the organizational unit

Click to Enlarge

A screen will appear for information. Click on the Move AWS account button.

Picture showing the review screen before moving the account in the organizational unit

Click to Enlarge

Enable The Service Control Policy

First, go to the detail screen of your organizational unit. Click on the Policies tab.

Picture showing the Policies tab inside the organizational unit

Click to Enlarge

On the Policies screen, click on the 4 policy types available. Please note that the number of policies could vary.

Picture showing the count of policy types available

Click to Enlarge

A screen will appear to select the policy type. Click on the Service control policies link.

Picture showing the link of service control policies

Click to Enlarge

In the next screen, click on the Enable service control policies button to enable the service control policies.

Picture showing the Enable service control policies button for enabling the service control policies

Click to Enlarge

Create The Service Control Policy For EC2

In the service control policy screen, click on the Create policy button.

Picture showing the Create policy button for creating the new policy

Click to Enlarge

A screen will appear to enter the Policy name.

Picture showing the create new service control policy screen

Click to Enlarge

Scroll down to enter the following JSON in the policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMicroInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals":{               	
          "ec2:InstanceType":"t2.micro"
        }
      }
    }
  ]
}

Picture showing the service control policy json

Click to Enlarge

Scroll down to the bottom and save the policy.

Attach The Service Control Policy

To attach the policy, select the policy and click on Actions → Attach policy.

Picture showing the attach policy menu for attaching the policy

Click to Enlarge

A screen will appear to select the organizational unit. Click on the Attach policy button to attach the policy to the organizational unit.

Picture showing selecting the organizational unit for attaching the policy

Click to Enlarge

Switch Role

To switch the role, log in to the AWS console as an IAM user. From the profile dropdown on the top right-hand side, click on the Switch role button.

Click to Enlarge

A screen will appear specifying the steps to switch roles. Click on the Switch role button.

Picture showing the switch role screen in AWS console

Click to Enlarge

In the next screen, enter the Account and Role.

Picture showing the switch role screen to enter the account no and role name

Click to Enlarge

Click on the Switch Role button. Your roles will be switched.

Launch An EC2 Instance

Now, launch an EC2 instance with an instance type other than t2.micro using the new account. You will get the following error.

Picture showing the error message when ec2 instance is launched other than t2.micro

Click to Enlarge

Posted By -	Karan Gupta

Posted On -	Monday, May 30, 2022

Query/Feedback

Your Email Id

Subject

Query/Feedback	Characters remaining 250