Reputation: 89
I have an IAM role dedicated to EC2, but I would like to restrict use of this role to only certain services, e.g. Service Catalog. I can't do it on the autoscaling level; it uses a service-linked role which is impossible to edit. I believe that I can somehow block that access on the trust relationship policy level on the target role. I have tried many things but nothing works for me. I think the main problem is that this role is not directly used by autoscaling, but this is a process chain which starts from autoscaling and ends on EC2. The role is not strictly used by the service but is passed through an instance profile.
Any suggestions on how to approach this topic?
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123344566:root"
        ],
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "????"
        }
      }
    }
  ]
}
```
BG Seba
Upvotes: 0
Views: 420
Reputation: 269340
It appears that your requirement is:
Admin Role
I think that you will need to control the ability to create Launch Templates and Launch Configurations:
- ec2:CreateLaunchTemplate permission
- autoscaling:createLaunchConfiguration permission
If users are not allowed to create these templates, then they cannot select a role. They would need to use an existing template to launch the Auto Scaling group.
Upvotes: 1
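An added example, not from the question or the answer: an identity-based policy that implements the answer's approach by denying creation of launch templates and launch configurations, and additionally (my addition, beyond what the answer describes) limits iam:PassRole so the EC2 role can only be passed to the EC2 service, which covers the case where ec2:RunInstances is called directly with an instance profile. The account ID and role name are placeholders; the Sid values serve as comments since JSON has none.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreatingNewLaunchTemplatesAndConfigs",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "autoscaling:CreateLaunchConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowPassingEc2RoleOnlyToEc2Service",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/EXAMPLE-ec2-instance-role",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    }
  ]
}
```

Attach this to the users or roles that operate Auto Scaling groups: with the Deny in place they can only reference templates that already exist, and no other iam:PassRole grant should be present for the EC2 role, otherwise the PassRole restriction is bypassed.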