How do I allow EKS Auto Mode, ECS Managed Instances, and Lambda to launch EC2 instances when using Service Control Policies (SCPs)?
Service Control Policies (SCPs) that restrict EC2 instance launches can prevent AWS managed services from provisioning compute resources. This article shows you how to create an SCP that blocks direct user launches while allowing Amazon EKS Auto Mode, Amazon ECS Managed Instances, and AWS Lambda Managed Instances to operate normally.
Resolution
Prerequisites
Before you begin, make sure you have:
- AWS Organizations with SCPs enabled
- Permissions to create and attach SCPs in your organization
- Knowledge of the AWS regions where you operate
- Understanding of your organization's security requirements
Create the SCP policy
This SCP uses an exception-based deny approach that blocks EC2 instance launches unless they use AMIs from AWS-owned accounts for EKS Auto Mode, ECS Managed Instances, and Lambda Managed Instances.
Important: The policy denies instance launches that use AMIs from accounts other than the specified AWS-owned accounts. This allows managed services to operate while blocking direct user launches with custom AMIs.
1. Open the AWS Organizations console.
2. In the navigation pane, choose Policies, and then choose Service control policies.
3. Choose Create policy.
4. Enter a name for the policy, such as AllowManagedServicesOnly.
5. In the policy editor, enter the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2RunInstancesExceptManagedServices",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*::image/*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceAccount": [
            "891376953411",
            "832570432258",
            "118124083970"
          ]
        }
      }
    }
  ]
}

6. Choose Create policy.
Note: The AMI account IDs shown in this example are specific to the eu-central-1 Region:
- 891376953411: EKS Auto Mode AMI account
- 832570432258: ECS Managed Instances AMI account
- 118124083970: Lambda Managed Instances AMI account
Important: This policy still allows users to manually launch EC2 instances if they use one of the managed AMIs owned by EKS Auto Mode, ECS Managed Instances, or Lambda Managed Instances. If you need to prevent all manual EC2 launches, you must implement additional IAM policy restrictions.
Update the policy for your region
The AMI account IDs vary by AWS region. You must update the policy with the correct account IDs for your region.
To find the AMI account IDs for your region:
- To find the account IDs of the AMIs owned by EKS Auto Mode, see EKS Auto Mode controls and AMI accounts.
- To find the account IDs of the AMIs owned by ECS managed instances, see ECS managed instances AMI accounts.
- Lambda Managed Instances AMI account IDs are not published in the AWS documentation. Use the script below to discover them.
Discover Lambda Managed Instances AMI account IDs:
AWS does not publish a per-Region list of Lambda Managed Instances AMI account IDs the way it does for EKS Auto Mode and ECS Managed Instances. You can discover them by querying the AMIs directly:

regions="ap-south-1 ca-central-1 eu-central-1 us-west-1 us-west-2 eu-north-1 eu-west-3 eu-west-2 eu-west-1 ap-northeast-3 ap-northeast-2 ap-northeast-1 sa-east-1 ap-southeast-1 ap-southeast-2 us-east-1 us-east-2"

echo -e "Region\tAccount ID"
echo -e "------\t----------"

for region in $regions; do
  # OwnerId of the first visible AMI whose name matches the Lambda Managed Instances pattern
  account_id=$(aws ec2 describe-images \
    --region "$region" \
    --filters "Name=name,Values=aws-lambda-managed-instances-*" \
    --query 'Images[0].OwnerId' \
    --output text 2>/dev/null)
  if [ -n "$account_id" ] && [ "$account_id" != "None" ]; then
    echo -e "$region\t$account_id"
  else
    echo -e "$region\tNot Found"
  fi
done

Note: You need the ec2:DescribeImages permission to run this script. The name filter matches any AMI visible to you with that name prefix, regardless of who owns it, so confirm that the script reports a single, consistent owner for a Region before you put that ID in an SCP. The AMI account IDs may change over time, so re-run this script periodically to verify them.
Attach the SCP to your organization
1. In the AWS Organizations console, navigate to the organizational unit (OU) or account where you want to apply the policy.
2. Choose Policies, and then choose Service control policies.
3. Choose Attach next to the policy you created.
4. Select the target OU or account, and then choose Attach policy.
Important: Test the policy in a non-production OU before applying it to production accounts.
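The following script is an added example and is not code from this article: it ties the steps above together with the AWS CLI. It confirms the Lambda Managed Instances AMI owner for a Region (refusing to proceed if more than one owner matches the name filter), renders the SCP from the owner IDs you pass in (the EKS Auto Mode and ECS Managed Instances IDs come from the documentation linked above; any extra IDs, such as your own account, are appended to the allow list), and then creates and attaches the policy. The function names and the policy name AllowManagedServicesOnly are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the re:Post article: build the region-specific
# SCP, confirm the Lambda Managed Instances AMI owner, and create and attach the
# policy with the AWS CLI. Function names and the policy name are this
# example's own choices; the EKS and ECS owner IDs are passed in by the caller.
set -eu

# Discover the owner of the Lambda Managed Instances AMIs in one Region.
# The name filter matches any AMI visible to the caller with that prefix, so
# require exactly one distinct 12-digit owner before printing it.
lambda_ami_owner() {
  region="$1"
  owners=$(aws ec2 describe-images --region "$region" \
      --filters "Name=name,Values=aws-lambda-managed-instances-*" \
      --query 'Images[].OwnerId' --output text 2>/dev/null \
    | tr '\t' '\n' | grep -E '^[0-9]{12}$' | sort -u) || owners=""
  count=$(printf '%s\n' "$owners" | grep -c .) || true
  if [ "$count" -eq 1 ]; then
    echo "$owners"
  elif [ "$count" -eq 0 ]; then
    echo "lambda_ami_owner: no Lambda Managed Instances AMI visible in $region" >&2
    return 1
  else
    echo "lambda_ami_owner: $count different owners match the name filter in $region; check them before trusting any" >&2
    return 1
  fi
}

# Render the SCP document from the allowed AMI owner IDs. Append your own
# account ID as an extra argument to also allow AMIs you build yourself.
# Every argument must be a 12-digit account ID so a typo cannot widen or
# silently break the allow list.
render_scp() {
  joined=""
  for id in "$@"; do
    if ! printf '%s' "$id" | grep -Eq '^[0-9]{12}$'; then
      echo "render_scp: '$id' is not a 12-digit AWS account ID" >&2
      return 1
    fi
    joined="${joined:+$joined, }\"$id\""
  done
  if [ -z "$joined" ]; then
    echo "render_scp: at least one account ID is required" >&2
    return 1
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2RunInstancesExceptManagedServices",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*::image/*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceAccount": [$joined]
        }
      }
    }
  ]
}
EOF
}

# Create the policy in AWS Organizations and attach it to an OU or account.
# Prints the new policy ID.
create_and_attach_scp() {
  name="$1"; target="$2"; content="$3"
  policy_id=$(aws organizations create-policy \
    --name "$name" --type SERVICE_CONTROL_POLICY \
    --description "Deny ec2:RunInstances unless the AMI is owned by an allowed account" \
    --content "$content" \
    --query 'Policy.PolicySummary.Id' --output text)
  aws organizations attach-policy --policy-id "$policy_id" --target-id "$target"
  echo "$policy_id"
}

# Usage: sh scp.sh <region> <eks-ami-account> <ecs-ami-account> <target-ou-or-account> [your-account-id ...]
if [ "$#" -ge 4 ]; then
  region="$1"; eks_acct="$2"; ecs_acct="$3"; target="$4"; shift 4
  lambda_acct=$(lambda_ami_owner "$region")
  policy=$(render_scp "$eks_acct" "$ecs_acct" "$lambda_acct" "$@")
  printf '%s\n' "$policy"
  create_and_attach_scp "AllowManagedServicesOnly" "$target" "$policy"
fi
```

Run it with a target that is a test OU first; the principal needs ec2:DescribeImages plus organizations:CreatePolicy and organizations:AttachPolicy in the management account.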
Verify the policy
After attaching the SCP, verify that:
- EKS Auto Mode can provision nodes when you deploy workloads
- ECS Managed Instances can be created for your tasks
- Lambda Managed Instances capacity provider can provision instances
- Direct EC2 launches with custom AMIs are blocked
To test that direct launches are blocked, attempt to launch an instance with a custom AMI. The operation should fail with an authorization error.
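The following script is an added example, not code from this article: it checks the attached SCP with ec2:RunInstances dry runs, so nothing is actually launched. An authorized dry run fails with DryRunOperation ("Request would have succeeded, but DryRun flag is set"), while a launch the SCP blocks fails with UnauthorizedOperation. Run it as a principal in an account under the OU you attached the policy to; the function names, subnet ID and AMI IDs are placeholders of this example that you replace with your own.

```shell
#!/bin/sh
# Added example, not code from the re:Post article: verify the SCP with
# ec2:RunInstances dry runs. A dry run never launches an instance; the CLI
# reports DryRunOperation when the call is authorized and UnauthorizedOperation
# when an explicit Deny (such as the SCP) blocks it. Function names and the
# IDs passed in are placeholders.
set -eu

# Attempt a dry-run launch and print one word:
#   allowed - the request would have succeeded (only the DryRun flag stopped it)
#   denied  - an explicit Deny (the SCP, or another policy) blocked it
# Any other outcome prints "error", echoes the CLI output to stderr, and fails.
dry_run_launch() {
  region="$1"; ami="$2"; subnet="$3"; itype="${4:-t3.micro}"
  if out=$(aws ec2 run-instances --region "$region" --dry-run \
        --image-id "$ami" --subnet-id "$subnet" --instance-type "$itype" \
        --min-count 1 --max-count 1 2>&1); then
    # A dry run must not succeed; if it did, the DryRun flag was not honoured.
    echo "error"; printf '%s\n' "$out" >&2; return 1
  fi
  case "$out" in
    *DryRunOperation*)       echo "allowed" ;;
    *UnauthorizedOperation*) echo "denied" ;;
    *)                       echo "error"; printf '%s\n' "$out" >&2; return 1 ;;
  esac
}

# Compare an expected verdict with the dry-run result; non-zero on mismatch.
# Arguments: <allowed|denied> <region> <ami-id> <subnet-id> [instance-type]
check_launch() {
  want="$1"; shift
  got=$(dry_run_launch "$@") || got="error"
  if [ "$got" = "$want" ]; then
    echo "PASS $2 -> $got"
  else
    echo "FAIL $2 -> $got (expected $want)" >&2
    return 1
  fi
}

# Usage: sh verify-scp.sh <region> <subnet-id> <managed-ami-id> <custom-ami-id>
#   managed-ami-id: an AMI owned by one of the allowed accounts (expect allowed)
#   custom-ami-id:  an AMI owned by any other account (expect denied)
if [ "$#" -eq 4 ]; then
  status=0
  check_launch allowed "$1" "$3" "$2" || status=1
  check_launch denied  "$1" "$4" "$2" || status=1
  exit "$status"
fi
```

If the managed AMI also comes back as denied, look for a second Deny from an IAM policy or another SCP in the OU path before changing this policy; a dry run reports only the final decision, not which policy produced it.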
How the policy works
Resource ARN format
The policy uses arn:aws:ec2:*::image/* as the resource ARN. Note the double colon (::) before image/*. This is the correct format for AMI resources, which don't include an account ID in their ARN structure.
Exception-based deny logic
The policy uses a StringNotEquals condition on aws:ResourceAccount to create exceptions to the deny rule. This allows instance launches that use AMIs from the specified AWS-owned accounts. Each managed service (EKS Auto Mode, ECS Managed Instances, and Lambda Managed Instances) uses official AMIs owned by dedicated AWS accounts, while user launches typically use custom AMIs from other accounts.
The Deny applies to every ec2:RunInstances call unless the AMI belongs to one of the listed AWS-owned accounts, so the managed services keep working while direct user launches with other AMIs are blocked.
Advanced configuration
Allow custom AMIs from your organization
If you need to allow specific custom AMIs from your organization, add your AWS account ID to the aws:ResourceAccount list:
"aws:ResourceAccount": [
  "891376953411",
  "832570432258",
  "118124083970",
  "<your-aws-account-id>"
]
Replace <your-aws-account-id> with your AWS account ID.
Important: Adding your account ID allows users to launch instances with your custom AMIs. Ensure you have proper AMI governance and approval processes in place.