How can we control number of EC2 instances to be launched by federated user?

I have a use case where I need to restrict a federated user to launching only one EC2 instance. Is there any workaround to set this up in a policy?

prasoon asked Oct 11 '18 06:10


1 Answer

Create a Lambda that runs on a schedule to clean up your account and delete anything that isn't tagged correctly.

http://www.1strategy.com/blog/2016/02/23/use-aws-lambda-terminate-untagged-ec2-instances/

If your users have more than one tagged EC2 instance, keep the oldest. Then let your users know that any resources not tagged correctly or created past their limit will be auto-deleted. Most people will learn after one EC2 instance gets deleted about 5 or 10 min after they created it.

Creating a Lambda that runs on a schedule: https://medium.com/blogfoster-engineering/running-cron-jobs-on-aws-lambda-with-scheduled-events-e8fe38686e20

You can grab the AWS resources with specific tags like this in your Lambda function, as seen here: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/ResourceGroupsTaggingAPI.html#getResources-property

var AWS = require('aws-sdk');
var resourcegroupstaggingapi = new AWS.ResourceGroupsTaggingAPI();

var params = {
  ResourceTypeFilters: [
    'ec2:instance'            // only EC2 instances; omit to get every resource type
  ],
  TagFilters: [
    {
      Key: 'Owner',           // example tag key and value; use your own tagging scheme
      Values: [
        'alice'
      ]
    }
  ],
  ResourcesPerPage: 100       // 1-100; pass data.PaginationToken back as PaginationToken for the next page
};
resourcegroupstaggingapi.getResources(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response: data.ResourceTagMappingList holds ResourceARN + Tags
});

The callback here provides the resource ARN and the tags associated with it. From here you can either let these resources live or delete them.

Ryan Breece answered Oct 28 '22 18:10
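As an added example (not part of Ryan Breece's answer or any AWS sample): the decision logic such a scheduled Lambda would apply, written against the aws-sdk v2 EC2 client shape (`describeInstances` / `terminateInstances`). The tag key `Owner`, the one-per-user limit from the question, the five-minute grace period for tagging, and the sample instances are all assumptions constructed for illustration.

```javascript
const OWNER_TAG = 'Owner';        // assumed tag that federated users must set at launch
const LIMIT_PER_OWNER = 1;        // the question's limit: one instance per user
const GRACE_MS = 5 * 60 * 1000;   // assumed time allowed to tag a freshly launched instance
function tagValue(instance, key) {
  const tag = (instance.Tags || []).find(t => t.Key === key);
  return tag ? tag.Value : undefined;
}

// Pure decision logic over DescribeInstances-shaped objects. Returns the InstanceIds to
// terminate: untagged instances past the grace period, and for each owner every instance
// beyond the oldest LIMIT_PER_OWNER (the oldest survives, as the answer advises).
function selectInstancesToTerminate(instances, now = Date.now()) {
  const byOwner = new Map();
  const doomed = [];
  for (const inst of instances) {
    if (!['pending', 'running'].includes(inst.State.Name)) continue; // already going away
    const owner = tagValue(inst, OWNER_TAG);
    if (!owner) {
      // LaunchTime may be a Date (real SDK) or an ISO string (sample); new Date() handles both
      if (now - new Date(inst.LaunchTime) > GRACE_MS) doomed.push(inst.InstanceId);
      continue;
    }
    if (!byOwner.has(owner)) byOwner.set(owner, []);
    byOwner.get(owner).push(inst);
  }
  for (const list of byOwner.values()) {
    list.sort((a, b) => new Date(a.LaunchTime) - new Date(b.LaunchTime));
    for (const inst of list.slice(LIMIT_PER_OWNER)) doomed.push(inst.InstanceId);
  }
  return doomed;
}

// Lambda body: `ec2` is an aws-sdk v2 AWS.EC2 client (or a fake in tests). One page only;
// follow resp.NextToken for large accounts.
async function sweep(ec2, now = Date.now()) {
  const resp = await ec2.describeInstances({}).promise();
  const instances = resp.Reservations.flatMap(r => r.Instances);
  const ids = selectInstancesToTerminate(instances, now);
  if (ids.length > 0) await ec2.terminateInstances({ InstanceIds: ids }).promise();
  return ids;
}

const mk = (id, launch, tags, state = 'running') =>  // constructed sample input, not real instances
  ({ InstanceId: id, LaunchTime: launch, State: { Name: state }, Tags: tags });
const SAMPLE_INSTANCES = [
  mk('i-0aaa', '2018-10-11T09:00:00Z', [{ Key: 'Owner', Value: 'alice' }]),
  mk('i-0bbb', '2018-10-11T10:00:00Z', [{ Key: 'Owner', Value: 'alice' }]),
  mk('i-0ccc', '2018-10-11T11:58:00Z', []),  // untagged, still inside the grace period
  mk('i-0ddd', '2018-10-11T11:00:00Z', []),  // untagged, past the grace period
  mk('i-0eee', '2018-10-11T07:00:00Z', [{ Key: 'Owner', Value: 'alice' }], 'terminated'),
];
console.log(selectInstancesToTerminate(SAMPLE_INSTANCES, Date.parse('2018-10-11T12:00:00Z'))); // [ 'i-0ddd', 'i-0bbb' ]
```

In the real handler, `sweep(new AWS.EC2())` is what the scheduled event invokes; the Lambda role needs `ec2:DescribeInstances` and `ec2:TerminateInstances`, and terminated instances still appear in DescribeInstances for a while, which is why the state filter is there.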