Terminating EC2 instances is a critical action that should be denied by default, and only explicitly allowed for specific roles.
There are situations where we want an instance to be able to terminate other instances, for example a Worker role to be able to check the health status of the Web instances and terminate the bad ones.
Most of the
examples I've found on allowing ec2:TerminateInstances through a IAM policy specify conditions based on source ip, user authentication methods, or target instance tags.
The following snippet shows how to allow ec2:TerminateInstances based on the target instance profile:
{"Sid": "TerminateWebInstances","Action": ["ec2:TerminateInstances"],"Condition": {"StringEquals":{ "ec2:InstanceProfile":"arn:aws:iam::<accountId>:instance-profile/<Web>" } },"Resource": ["arn:aws:ec2:us-west-1:<accountId>:instance/*"],"Effect": "Allow"}
In the example above, this snippet would be added to the policy of the role Worker, and will allow Worker to terminate any target with instance profile Web.
Make sure to change your account region, account id, and <Web> with the target instance profile you'd like to terminate.
Do you let instances terminate other instances, and if so, how? I'd be interested to know. Please comment below or
find me on Twitter.