How can the company prevent developer accounts from launching unapproved EC2 instance types?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A large company organizes hundreds of AWS accounts in AWS Organizations in Developer, Test, and Production OUs.Developers who have full administrative privileges in their respective accounts use the accounts in the Developer OU.The company wants to allow only certain Amazon EC2 instance types to be used within the Developer OU.

How can the company prevent developer accounts from launching unapproved EC2 instance types?

Create a now launch template in each AWS account in the Developer OU to deny the ec2:RunInstances API call for instance types that are not in an approved list Associate these templates with all IAM principals in the account.

Create an IAM policy to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to all IAM principals in all the AWS accounts in the Developer OU.

Use a managed SCP that is attached to the organization’s root account to deny the ec2:RunInstances API call for instance types that are not in an approved list

Create an SCP to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to the Developer OU.

Explanations:

Launch templates cannot be used to deny actions; they are primarily used to define configurations for launching EC2 instances. IAM policies or Service Control Policies (SCPs) are required to restrict actions.

While an IAM policy can restrict EC2 actions, applying it to all IAM principals in all accounts is not the most efficient way to manage restrictions at the organizational level. Also, this does not leverage SCPs, which are more appropriate for managing permissions across multiple accounts.

Managed SCPs do not allow for the specification of conditions based on instance types. To restrict instance types effectively, an SCP would need to be customized, which is not possible with managed policies.

An SCP can be created to deny the ec2API call for unapproved instance types and attached specifically to the Developer OU. This approach ensures that the restriction applies to all accounts within the OU and is the most appropriate method for managing permissions at the organizational level.

2026-03-29

2 Comments

  1. Albert
    Author

    I systematize that the answer is:
    Create an SCP to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to the Developer OU.

  2. Joan
    Author

    I have a feeling that the answer is:
    Create an SCP to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to the Developer OU.

Leave a Reply to Joan Cancel reply

Your email address will not be published. Required fields are marked *

thirteen + four =