
Restricting EC2 Instance Types to Limit Costs

Policy Overview

This AWS Service Control Policy (SCP) is designed to limit costs by restricting the EC2 instance types that can be launched. By allowing only specific, cost-effective instance types, the organization can control expenses and ensure that instances are appropriate for low-cost use cases. This policy should be applied to the Root OU to enforce these restrictions across all accounts.

Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:*:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t2.micro",
            "t4g.nano",
            "t4g.micro",
            "t3a.nano",
            "t3a.micro"
          ]
        }
      }
    }
  ]
}

Explanation

Policy Elements

  • Version: Specifies the version of the policy language.
  • Statement: Contains the individual statement that defines the policy.

Statement: RequireInstanceType

  • Sid: RequireInstanceType
    • A unique identifier for this statement.
  • Effect: Deny
    • This statement denies the specified action whenever the condition matches, that is, whenever the requested instance type is not one of the listed values.
  • Action: "ec2:RunInstances"
    • The action used to launch new EC2 instances.
  • Resource: ["arn:*:ec2:*:*:instance/*"]
    • The statement applies to the instance resource of a launch request, in any partition, region and account.
  • Condition:
    • StringNotEquals: Makes the Deny apply unless the ec2:InstanceType value matches one of the specified values.
    • ec2:InstanceType: Lists the allowed instance types.

Conditions and Restrictions

  • The StringNotEquals condition ensures that the ec2:RunInstances action is denied unless the instance type is one of the specified low-cost options.
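Before attaching an SCP to the Root OU it helps to reason through how the Deny will evaluate for concrete requests. The following is an added Python example, not code from the original page or from AWS: a small evaluator that applies this policy's Action, Resource and StringNotEquals condition to a constructed request context. The account ID and region in the sample ARNs are placeholders, and the evaluator implements only the string operators this policy needs.

```python
import fnmatch
import json

# The SCP from this page, embedded so the example runs offline.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RequireInstanceType",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": ["arn:*:ec2:*:*:instance/*"],
    "Condition": {"StringNotEquals": {"ec2:InstanceType": [
      "t2.micro", "t4g.nano", "t4g.micro", "t3a.nano", "t3a.micro"]}}
  }]
}""")

def _listify(v):
    return v if isinstance(v, list) else [v]

def condition_matches(condition, context):
    """Evaluate a Condition block; only the string operators this SCP uses are implemented."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _listify(wanted):
                    return False
            elif operator == "StringNotEquals":
                # Assumption: a negated operator is treated as matching when the key is
                # absent from the request context, so such a request would also be denied.
                if actual is not None and actual in _listify(wanted):
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def scp_denies(policy, action, resource, context):
    """True if any Deny statement matches. SCPs only remove permissions, so Allow
    statements are irrelevant here; the default FullAWSAccess SCP is assumed attached."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # IAM wildcards are * and ?; fnmatchcase covers both for these simple patterns.
        if not any(fnmatch.fnmatchcase(action, a) for a in _listify(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False

def launch_allowed(instance_type, account="111122223333", region="us-east-1"):
    """Check the instance resource of a RunInstances call (its ID is unknown at launch, hence instance/*)."""
    arn = f"arn:aws:ec2:{region}:{account}:instance/*"
    return not scp_denies(SCP, "ec2:RunInstances", arn, {"ec2:InstanceType": instance_type})
```

Running `launch_allowed("t2.micro")` returns True while `launch_allowed("m5.large")` returns False; the evaluator also shows that the Deny is scoped to the instance resource of ec2:RunInstances, so other actions and other resource types in the same launch request (subnets, images) are untouched.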

When to Use This Policy

  • Use Case: Apply this policy to control costs by restricting the EC2 instance types that can be launched to only the most cost-effective options.
  • Ideal For: Organizations that need to enforce strict cost management practices and ensure that only specific, low-cost EC2 instances are used.

Benefits

  • Cost Control: Prevents the use of expensive EC2 instance types, helping to manage and reduce costs.
  • Operational Efficiency: Ensures that instances are appropriate for low-cost, lightweight workloads.
  • Simplified Management: Reduces the complexity of managing a wide variety of instance types.

Potential Drawbacks

  • Limited Flexibility: Restricting instance types may limit the ability to run workloads that require more powerful instances.
  • Operational Constraints: Teams might find it challenging to run specific applications that require higher specifications not covered by the allowed instance types.

Conclusion

Implementing this Service Control Policy helps organizations manage and limit their AWS costs by restricting the types of EC2 instances that can be launched. This ensures that only the most cost-effective instance types are used, promoting better cost management and operational efficiency. Regular review and updates of the instance types specified in the policy are recommended to adapt to changing requirements and to incorporate new instance types that may become available.