- Read
- Top Stories
Latest - All Top Stories
- All About Startup Growth With Lomit Patel on the HackerNoon Podcast
- How the Future of Streaming Will Leverage Web 3.0 to Make Media Free of Every End User
- Machine Learning Magic: How to Speed Up Offline Inference for Large Datasets
- Stablecoin History: The Master of All AltCoins
- R.I.P. Alexa Dot Com: You Will Be Sorely Missed
- Write
Writer Contests Writing Prompts - Learn
Self-Paced Courses Tech Deep Dives Build Skillzz - Apply Psychology of Colors
- Auto-Generate Graphics
- Build Frontend for Ethereum dApps
- Build a Private Blockchain
- Create Generative Art with Python
- Choose the Right Kubernetes Container
- Get Featured on Product Hunt without Hunter
- Go Serverless with AWS
- Hack Smart Contracts
- Host Your Git Server on Raspberry Pi
- Implement QA Properly
- Insert Binary Tree in Rust
- Learn Anything
- Measure Technical Debt
- Protect Your Code with Gulp
- Write NFT Smart Contracts
- STARTUPS
- Noonies Awards
Important Info Award Categories Award-Winning Titles - Tech Giants
- About
Company People Software by HackerNoon - Help
- Sponsor
- Shop
Earn Passively on TON Swap Today!
AWS Policy to Terminate Instances Based on Profile
March 21st 2017 1,511 reads
AWS Policy to Terminate Instances Based on Profile based on Profile reads: "ec2:TerminateWebInstances", "Worker" and "Web" The following snippet shows how to allow EC2 to terminate EC2 instances based on the target instance profile. It would be added to the policy of the role Worker, and will allow Worker to terminate any target with instance profile Web. Do you let instances terminate other instances, and if so, how? Please comment below or find me on Twitter.
Terminating EC2 instances is a critical action that should be denied by default, and only explicitly allowed for specific roles.
There are situations where we want an instance to be able to terminate other instances, for example a Worker role to be able to check the health status of the Web instances and terminate the bad ones.
Most of the examples I've found on allowing ec2:TerminateInstances through a IAM policy specify conditions based on source ip, user authentication methods, or target instance tags.
The following snippet shows how to allow ec2:TerminateInstances based on the target instance profile:
{
"Sid": "TerminateWebInstances",
"Action": [
"ec2:TerminateInstances"
],
"Condition": {
"StringEquals":
{ "ec2:InstanceProfile":
"arn:aws:iam::<accountId>:instance-profile/<Web>" }
},
"Resource": [
"arn:aws:ec2:us-west-1:<accountId>:instance/*"
],
"Effect": "Allow"
}In the example above, this snippet would be added to the policy of the role Worker, and will allow Worker to terminate any target with instance profile Web.
Make sure to change your account region, account id, and <Web> with the target instance profile you'd like to terminate.
Do you let instances terminate other instances, and if so, how? I'd be interested to know. Please comment below or find me on Twitter.
Hacker Noon is how hackers start their afternoons. We’re a part of the @AMIfamily. We are now accepting submissions and happy to discuss advertising & sponsorship opportunities.
To learn more, read our about page, like/message us on Facebook, or simply, tweet/DM @HackerNoon.
If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories. Until next time, don’t take the realities of the world for granted!
