I would like to make an IAM user which has access to the AWS Lightsail CreateInstances API, but only if they make a request where bundleId is nano_2_0.

I am aware of condition keys in AWS, but according to the documentation on that, only tag-related condition keys are available.

However, I was hoping that a more generic version of a condition key was available or something similar, which would allow for the above scenario - perhaps a condition key that would work for any API call.

Is that possible in any way, perhaps with small modifications?

  • You could write a Lambda script to terminate anything non-compliant rather than being preventative. It's not ideal, but it should work. Cloud Custodian might be able to help, not sure, but it's a useful tool. – Tim May 25 '20 at 08:30
  • The problem with that approach is that I started getting billed as soon as people provision a server via that request. – Mathias Lykkegaard Lorenzen May 25 '20 at 09:15
  • Yep, agree, but since you can't restrict with IAM according to your needs it's an option. Maybe it's better to prevent people starting instances and having them ask an administrator to do it. – Tim May 25 '20 at 18:15
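
The detective approach suggested in the comments, as an added example (not code from the question or from any commenter): a Lambda handler triggered by an EventBridge rule on CloudTrail's Lightsail `CreateInstances` event, deleting instances whose request used any bundle other than `nano_2_0`. The event field layout, the sample event and the instance names are assumptions; as the comments point out, this cleans up after the fact and does not prevent the initial charge.

```python
ALLOWED_BUNDLE = "nano_2_0"  # the only bundleId the question wants to permit

# Constructed sample: EventBridge "AWS API Call via CloudTrail" event
# (field layout is an assumption, values are made up).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "lightsail.amazonaws.com",
        "eventName": "CreateInstances",
        "awsRegion": "eu-west-1",
        "requestParameters": {
            "instanceNames": ["web-1", "web-2"],
            "bundleId": "medium_2_0",
            "blueprintId": "ubuntu_18_04",
        },
    },
}


def noncompliant_instances(event, allowed=ALLOWED_BUNDLE):
    """Return instance names created with a bundle other than `allowed`."""
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "lightsail.amazonaws.com":
        return []
    if detail.get("eventName") != "CreateInstances":
        return []
    if detail.get("errorCode"):  # the call failed, so nothing was provisioned
        return []
    params = detail.get("requestParameters") or {}
    if params.get("bundleId") == allowed:
        return []
    return list(params.get("instanceNames") or [])


def handler(event, context=None, client=None):
    """Lambda entry point: delete every instance from a non-compliant request."""
    names = noncompliant_instances(event)
    if names and client is None:
        import boto3  # imported lazily so the check above runs without AWS access
        client = boto3.client("lightsail", region_name=event["detail"]["awsRegion"])
    for name in names:
        client.delete_instance(instanceName=name)
    return names
```

The `client` parameter exists so the handler can be exercised with a stub; in Lambda it is left unset and the function's role needs permission for `lightsail:DeleteInstance`.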
