AWS IAM EC2 policy limited to originating instance

面向向阳花 2021-01-14 05:48

I'm working on a setup where I need to terminate AWS instances because of inactivity (i.e. nothing new in web-server access logs since a period of time). Those instances ar

1 answer
  • 2021-01-14 06:12

    You were close with your condition. The trick is to compare instance ARN with ec2:sourceInstanceARN:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:DeleteTags",
                    "ec2:DescribeTags",
                    "ec2:CreateTags",
                    "ec2:TerminateInstances",
                    "ec2:StopInstances"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:ARN": "${ec2:SourceInstanceARN}"
                    }
                }
            }
        ]
    }
    

    Clearly for testing purposes I allowed my instances with this policy to tag and stop themselves.

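As an added example (my own code, not part of the answer above), a small Python checker that flags Allow statements granting `ec2:StopInstances` or `ec2:TerminateInstances` without the `${ec2:SourceInstanceARN}` scoping the answer relies on, and that expands that variable for a given instance so the effective policy can be read. It only inspects the policy text; it does not evaluate IAM conditions, and the instance ARN in the test is a constructed sample.

```python
import json
from typing import List

# Actions that can take down an instance; any Allow on these should be
# tied to the calling instance, otherwise "Resource": "*" lets a compromised
# instance role stop or terminate every instance in the account.
DESTRUCTIVE = {"ec2:TerminateInstances", "ec2:StopInstances"}
SELF_VAR = "${ec2:SourceInstanceARN}"

# The policy from the answer above, copied here so the example runs stand-alone.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["ec2:DeleteTags", "ec2:DescribeTags", "ec2:CreateTags",
                   "ec2:TerminateInstances", "ec2:StopInstances"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ARN": SELF_VAR}},
    }],
}


def _as_list(v):
    # IAM allows a single string or a list for Action, Resource, etc.
    return v if isinstance(v, list) else [v]


def _condition_values(cond: dict) -> List[str]:
    # Flatten every value in a Condition block: {op: {key: value|[values]}}
    return [str(v) for op in cond.values() for vs in op.values() for v in _as_list(vs)]


def find_unscoped(policy: dict) -> List[str]:
    """Return the Sids of Allow statements that permit stop/terminate
    without referencing ${ec2:SourceInstanceARN} in their Condition."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if not (actions & DESTRUCTIVE) and not actions & {"ec2:*", "*"}:
            continue
        if SELF_VAR not in _condition_values(stmt.get("Condition", {})):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def render_for_instance(policy: dict, source_arn: str) -> dict:
    """Expand the variable the way IAM would for a request made with that
    instance's role credentials, to show the policy that instance sees."""
    return json.loads(json.dumps(policy).replace(SELF_VAR, source_arn))
```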