IAM to prevent launching Public AMIs

Question

Is there any IAM Permission that can prevent launching any Public AMIs. I want my user to launch only Private AMIs. Is there any other mechanism in EC2?

Accepted Answer

You can leverage Condition operator in IAM JSON policy elements Eg. Boolean conditions enable the creation of Condition elements that limit access by comparing a key to either "true" or "false."

```
{
            "Sid": "DenyLaunchingPublicAMI",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:::image/ami-*",
            "Condition": {
                "Bool": {
                    "ec2:Public": "true"
                }
 }
```
**Document:**

* https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Boolean

Answer

You can also consult the following 
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html#block-public-access-to-amis

IAM to prevent launching Public AMIs

相關內容