AWS IAM user - Limit number EC2 instances and limiting EBS storage

Question

I am trying to see if its possible to restrict(set some max limit) the number of EC2 instances which are created by an IAM user? Can i create custom policy for this?

Note: I am looking for IAM user level permission. Not AWS Account level restriction.

Similarly i am also looking for restricting EBS storage limit per IAM user.

Answer 1

You could limit it to some degree by defining a very small subnet and only letting the IAM role launch into that specific subnet. See the accepted answer at What is the smallest subnet one can create on AWS in the VPC? for details on this approach.

Answer 2

One general solution to this kind of requirement is reactive, not proactive. Write automation based on CloudTrail Logs or AWS Config or by simply enumerating the current state of your AWS account periodically, and raise alerts (or terminate resources) if your policies have not been complied with.

Answer 3

You cannot limit the number of EC2 instances by IAM.

Today, you can't limit the number of instances using an IAM policy, though I believe you can limit the overall number of instances per AWS account.

It does look like you can limit EBS sizes, but I don't believe you can limit the total account storage size through IAM. This reference covers individual EBS size: How to limit EC2 EBS volume size for ec2:RunInstances in IAM policy?

References:

https://forums.aws.amazon.com/thread.jspa?threadID=174503

How to limit EC2 EBS volume size for ec2:RunInstances in IAM policy?