I have a use case where I need to restrict a federated user to launching only one EC2 instance. Is there any workaround to set this up in a policy?
Create a Lambda that runs on a schedule to clean up your account and delete anything that isn't tagged correctly.
http://www.1strategy.com/blog/2016/02/23/use-aws-lambda-terminate-untagged-ec2-instances/
If your users have more than one tagged EC2 instance, keep the oldest. Then let your users know that any resources not tagged correctly or created past their limit will be auto-deleted. Most people will learn after one EC2 instance gets deleted about 5 or 10 minutes after they created it.
Creating a Lambda that runs on a schedule: https://medium.com/blogfoster-engineering/running-cron-jobs-on-aws-lambda-with-scheduled-events-e8fe38686e20
You can grab the AWS resources with specific tags like this in your Lambda function, as seen here: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/ResourceGroupsTaggingAPI.html#getResources-property
// Client for the Resource Groups Tagging API (aws-sdk v2, available in the Lambda Node.js runtime)
var AWS = require('aws-sdk');
var resourcegroupstaggingapi = new AWS.ResourceGroupsTaggingAPI();

// 'STRING_VALUE' and 0 are the SDK doc placeholders; replace them with your own values
var params = {
  PaginationToken: 'STRING_VALUE',  // token from the previous page of results; omit on the first call
  ResourceTypeFilters: [
    'STRING_VALUE',                 // e.g. 'ec2:instance' to only return EC2 instances
    /* more items */
  ],
  ResourcesPerPage: 0,              // page size, 1..100
  TagFilters: [
    {
      Key: 'STRING_VALUE',          // tag key to match, e.g. your 'Owner' tag
      Values: [
        'STRING_VALUE',
        /* more items */
      ]
    },
    /* more items */
  ],
  TagsPerPage: 0
};
resourcegroupstaggingapi.getResources(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else console.log(data);              // successful response: data.ResourceTagMappingList holds ARNs and their tags
});
The callback here provides the resource ARN and the tags associated with it. From here you can either let these resources live or delete them.
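As an added example (not code from the answer above or from the linked posts), here is the selection logic for the cleanup Lambda described in that answer: keep one instance per user, preferring the oldest, and terminate untagged instances once a short grace period has passed. It uses EC2 DescribeInstances rather than the Tagging API because it needs each instance's LaunchTime to decide which one is oldest. The tag name `Owner`, the 5-minute grace period, and the sample instance list are assumptions; the EC2 client is passed in so the logic can be exercised without the SDK (in a real deployment pass `new AWS.EC2()` from aws-sdk v2).

```javascript
// Added example, not from the original post. Assumed conventions:
// - every user-launched instance carries an 'Owner' tag set by your federation
// - untagged instances get a 5-minute grace period before termination
// - `ec2` exposes describeInstances/terminateInstances returning objects with .promise()
//   (the shape of aws-sdk v2 clients)
const OWNER_TAG = 'Owner';
const GRACE_MS = 5 * 60 * 1000;

function tagValue(instance, key) {
  const tag = (instance.Tags || []).find((t) => t.Key === key);
  return tag ? tag.Value : undefined;
}

// Returns [{ id, reason }] for every instance that should be terminated:
// running/pending instances with no Owner tag that are older than GRACE_MS,
// plus, for each owner, every instance except the oldest one (by LaunchTime).
function selectForTermination(instances, now = Date.now()) {
  const victims = [];
  const byOwner = new Map();
  for (const inst of instances) {
    const state = inst.State && inst.State.Name;
    if (state !== 'running' && state !== 'pending') continue; // already stopping/terminated
    const owner = tagValue(inst, OWNER_TAG);
    if (!owner) {
      if (now - new Date(inst.LaunchTime).getTime() >= GRACE_MS) {
        victims.push({ id: inst.InstanceId, reason: 'untagged' });
      }
      continue;
    }
    if (!byOwner.has(owner)) byOwner.set(owner, []);
    byOwner.get(owner).push(inst);
  }
  for (const [owner, list] of byOwner) {
    list.sort((a, b) => new Date(a.LaunchTime) - new Date(b.LaunchTime)); // oldest first
    for (const inst of list.slice(1)) {
      victims.push({ id: inst.InstanceId, reason: `over limit for ${owner}` });
    }
  }
  return victims;
}

// DescribeInstances groups instances under Reservations; flatten them.
function flattenReservations(resp) {
  return (resp.Reservations || []).flatMap((r) => r.Instances || []);
}

// Lambda handler body. `ec2` is injected; `now` is overridable for testing.
async function handler(event, ec2, now = Date.now()) {
  const resp = await ec2.describeInstances({
    Filters: [{ Name: 'instance-state-name', Values: ['pending', 'running'] }],
  }).promise();
  const victims = selectForTermination(flattenReservations(resp), now);
  if (victims.length > 0) {
    await ec2.terminateInstances({ InstanceIds: victims.map((v) => v.id) }).promise();
  }
  return victims;
}

// Constructed sample data for a local run (not real AWS output).
const SAMPLE_NOW = Date.parse('2016-02-23T12:00:00Z');
const SAMPLE_INSTANCES = [
  { InstanceId: 'i-aaa', State: { Name: 'running' }, LaunchTime: '2016-02-23T11:00:00Z', Tags: [{ Key: 'Owner', Value: 'alice' }] },
  { InstanceId: 'i-bbb', State: { Name: 'running' }, LaunchTime: '2016-02-23T11:30:00Z', Tags: [{ Key: 'Owner', Value: 'alice' }] }, // alice's 2nd
  { InstanceId: 'i-ccc', State: { Name: 'running' }, LaunchTime: '2016-02-23T11:50:00Z', Tags: [] },      // untagged, 10 min old
  { InstanceId: 'i-ddd', State: { Name: 'pending' }, LaunchTime: '2016-02-23T11:58:00Z', Tags: [] },      // untagged, still in grace
  { InstanceId: 'i-eee', State: { Name: 'terminated' }, LaunchTime: '2016-02-23T10:00:00Z', Tags: [] },   // ignored
  { InstanceId: 'i-fff', State: { Name: 'running' }, LaunchTime: '2016-02-23T09:00:00Z', Tags: [{ Key: 'Owner', Value: 'bob' }] },
];

console.log(selectForTermination(SAMPLE_INSTANCES, SAMPLE_NOW));
```

Schedule this with a CloudWatch Events rule every few minutes; the role it runs under needs only ec2:DescribeInstances and ec2:TerminateInstances, and you can scope TerminateInstances further with a condition on the instance tags so the cleanup job itself cannot touch instances outside the user-launched set.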