AWS IAM EC2 policy limited to originating instance

Question

I'm working on a setup where I need to terminate AWS instances because of inactivity (i.e. nothing new in web-server access logs since a period of time). Those instances are testing instances and are created automatically by CI/CD software.

I would like those instances to identify themselves that they become abandoned and terminate themselves. I want to assign a generic iam-role to each of them that will only allow the instance the termination of itself and not the peer instances.

So far I've been here:

• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html
• https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html
• https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-wheretouse
• https://www.reddit.com/r/aws/comments/4gglxk/iam_policy_to_allow_ec2_instance_to_only_query/
• https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html

And figured out that there are 2 variables available in policies:

ec2-instance-id
ec2:SourceInstanceARN

I came up with few variations of my role policy but none of them work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/${ec2-instance-id}"
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:*:*:instance/${ec2-instance-id}"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "${ec2:SourceInstanceARN}"
        }
    ]
}

Is it actually possible to achieve the desired behavior, i.e. to only allow instance to perform specific operation on itself (e.g. Termination)?

UPDATE:
I do know that I can work with tags, that is what I'm doing meanwhile, but that means that all tagged instances can terminate their peers. That is a bit too loose restriction, I'd like to really limit it to the instance it

AWS IAM: Allow EC2 instance to stop itself
IAM policy to allow EC2 instance API access only to modify itself

Answer 1

You were close with your condition. The trick is to compare instance ARN with ec2:sourceInstanceARN:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:TerminateInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ARN": "${ec2:SourceInstanceARN}"
                }
            }
        }
    ]
}

Clearly for testing purposes I allowed my instances with this policy to tag and stop themselves.