
Restrict The EC2 Launch Using Service Control Policy

This walkthrough uses an AWS Organizations service control policy (SCP) to deny ec2:RunInstances for every instance type except t2.micro in a member account, and then verifies the restriction by switching into that account and attempting a launch. An SCP is a guardrail on the account, not a grant: it only narrows what the account's own IAM policies allow.

Steps




  1. Create an AWS organization and add an account
  2. Create an organizational unit
  3. Move the account to the OU
  4. Enable the service control policy type
  5. Create the service control policy for EC2
  6. Attach the service control policy
  7. Switch role into the member account
  8. Launch an EC2 instance



Create An AWS Organization And Add An Account

Create the organization from the account that will become the management account, with all features enabled (SCPs are not available in consolidated-billing-only mode), and create or invite a second account. SCPs never apply to the management account, so the restriction has to be tested in a member account.

Create An Organizational Unit

Create an organizational unit under the root to hold the accounts the policy should apply to; the policy will be attached to this OU rather than to individual accounts.

Picture showing the Create new option for creating the new organizational unit

Picture showing the screen to create the new organizational unit



Move Account To OU

Move the member account from the root into the new OU. Accounts inherit the policies attached to every OU above them, so once the account is here, anything attached to the OU (or to the root) applies to it.

Picture showing the Move option for moving the account in the organizational unit

Picture showing the review screen before moving the account in the organizational unit



Enable The Service Control Policy

Service control policies are a policy type that must be enabled on the organization root before any SCP can be created or attached. The Policies tab of the root shows the available policy types and their state.

Picture showing the Policies tab inside the organizational unit

Picture showing the count of policy types available

Picture showing the link of service control policies

Picture showing the Enable service control policies button for enabling the service control policies



Create The Service Control Policy For EC2

Create a new policy and paste the JSON below as its content.

Picture showing the Create policy button for creating the new policy

Picture showing the create new service control policy screen




{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMicroInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}

Picture showing the service control policy json

The statement denies ec2:RunInstances whenever the requested ec2:InstanceType is anything other than t2.micro. Two details matter. First, the Resource is the instance ARN and not "*": RunInstances is authorized separately against every resource the launch touches (image, subnet, security group, network interface, volume and the instance itself), and only the instance resource carries the ec2:InstanceType condition key. Because StringNotEquals evaluates to true when its key is absent from the request, a Resource of "*" would match the volume and network-interface evaluations as well and deny every launch, t2.micro included. Second, the SCP grants nothing: principals in the member account still need their own IAM allow for ec2:RunInstances, and the SCP only removes the non-t2.micro launches from what that allow can do.

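To make the Resource scoping concrete, the following added example (not code from the original post) models the policy above locally. It assumes, as a simplification of IAM, that RunInstances is authorized once per resource the launch touches, that only the instance resource carries the ec2:InstanceType key, and that a negated operator such as StringNotEquals evaluates to true when its key is missing; the account number, resource IDs and the `run_instances_contexts`, `scp_denies` and `with_resource` helpers are all constructed for the example.

```python
"""Local model of the page's SCP applied to ec2:RunInstances (added example).

Assumptions: IAM authorizes RunInstances once per resource the launch touches,
only the instance resource carries the ec2:InstanceType key, and a negated
operator (StringNotEquals) whose key is absent evaluates to true. The evaluator
only models Deny statements; the member account's own IAM allow is assumed.
"""
import fnmatch
import json

# The SCP exactly as it appears on the page, as a dict so it can be varied.
RESTRICT_TO_T2_MICRO = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireMicroInstanceType",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotEquals": {"ec2:InstanceType": "t2.micro"}},
        }
    ],
}


def run_instances_contexts(instance_type, region="us-east-1", account="111111111111"):
    """Constructed (resource ARN, condition context) pairs for one RunInstances
    call. The account number and IDs are placeholders, not real resources."""
    base = f"arn:aws:ec2:{region}:{account}"
    return [
        (f"{base}:instance/*", {"ec2:InstanceType": instance_type}),
        (f"{base}:volume/*", {}),
        (f"{base}:network-interface/*", {}),
        (f"{base}:subnet/subnet-0123456789abcdef0", {}),
        (f"{base}:security-group/sg-0123456789abcdef0", {}),
        (f"arn:aws:ec2:{region}::image/ami-0123456789abcdef0", {}),
    ]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """True if every clause of the Condition block holds for this context.
    StringEquals with a missing key is false; StringNotEquals with a missing
    key is true (this is what makes the Resource scoping matter)."""
    for operator, pairs in condition.items():
        negated = operator.startswith("StringNot")
        for key, wanted in pairs.items():
            if key not in context:
                if negated:
                    continue
                return False
            equal = context[key] in _as_list(wanted)
            if equal == negated:
                return False
    return True


def scp_denies(policy, action, contexts):
    """Return the Sid of the first Deny statement matching any (resource,
    context) pair for this action, or None if nothing denies it."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        patterns = _as_list(stmt["Resource"])
        for resource, ctx in contexts:
            if not any(fnmatch.fnmatchcase(resource, p) for p in patterns):
                continue
            if condition_matches(stmt.get("Condition", {}), ctx):
                return stmt["Sid"]
    return None


def launch_allowed(policy, instance_type):
    """Would the SCP let a launch of this instance type through?"""
    ctxs = run_instances_contexts(instance_type)
    return scp_denies(policy, "ec2:RunInstances", ctxs) is None


def with_resource(policy, resource):
    """Copy of the policy with the Deny statement's Resource swapped
    (hypothetical variant used to show the Resource "*" mistake)."""
    variant = json.loads(json.dumps(policy))
    variant["Statement"][0]["Resource"] = resource
    return variant


if __name__ == "__main__":
    print(json.dumps(RESTRICT_TO_T2_MICRO, indent=2))
    for itype in ("t2.micro", "t3.large"):
        verdict = "allowed" if launch_allowed(RESTRICT_TO_T2_MICRO, itype) else "denied"
        print(f"{itype}: {verdict}")
    # Same policy with Resource "*": the negated condition now matches the
    # volume/network-interface evaluations, where the key is absent, so even
    # t2.micro is denied. Scope the Deny to the instance ARN as the page does.
    loose = with_resource(RESTRICT_TO_T2_MICRO, "*")
    print("t2.micro with Resource '*':",
          "allowed" if launch_allowed(loose, "t2.micro") else "denied")
```

Running it shows t2.micro allowed and t3.large denied under the page's policy, and t2.micro denied as soon as the Resource is widened to "*". The real authorization engine has more rules than this model, so treat it as an illustration of the two semantics the policy depends on rather than as a policy simulator.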




Attach The Service Control Policy

Attach the policy to the OU so it applies to every account inside it. The default FullAWSAccess policy stays attached alongside it; the explicit Deny in this policy takes precedence over that allow.

Picture showing the attach policy menu for attaching the policy

Picture showing selecting the organizational unit for attaching the policy



Switch Role

Switch into the member account using its account number and a role that exists there (for accounts created from the organization, AWS Organizations creates OrganizationAccountAccessRole for this purpose). The test must run as a principal in the member account, because the management account is not subject to SCPs.

Picture showing the switch role button

Picture showing the switch role screen in AWS console

Picture showing the switch role screen to enter the account no and role name





Launch An EC2 Instance

From the member account, try to launch an instance of any type other than t2.micro. The launch is rejected with an authorization error, because the SCP's explicit Deny overrides whatever the account's IAM policies allow; t2.micro launches are unaffected by this policy.

Picture showing the error message when ec2 instance is launched other than t2.micro



Posted By  -  Karan Gupta
 
Posted On  -  Monday, May 30, 2022
