
Introduction

Spotinst uses a secure Cross-Account Role to access your AWS account. The role includes a restricted list of policies; you can limit this list further by AWS resource, and you can apply conditions that restrict it to a specific region or VPC, or that restrict it based on tags.

You can find additional examples in the AWS docs, as well as a simplified approach right here: Easier way to control access to AWS regions using IAM policies.

 

An example for each case follows:

Example 1

If you want to restrict the policy to a specific VPC, add the following Condition:

{
  "Statement": [
    {
      "Sid": "ExampleForRestrictVPC",
      "Action": [
        "ec2:RequestSpotInstances"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
        }
      },
      "Effect": "Allow"
    }
  ],
  "Version": "2012-10-17"
}

 

Example 2

Restrict the policy based on Tags:

{
  "Statement": [
    {
      "Sid": "ExampleForRestrictTags",
      "Action": [
        "ec2:RequestSpotInstances"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "ForAllValues:StringLike": {
          "aws:TagKeys": [
            "foo",
            "bar"
          ]
        }
      },
      "Effect": "Allow"
    }
  ],
  "Version": "2012-10-17"
}

Example 3

Restrict the policy to a specific Region:

{
  "Statement": [
    {
      "Sid": "ExampleForRestrictRegion",
      "Action": [
        "ec2:RequestSpotInstances"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:Region": "us-west-1"
        }
      },
      "Effect": "Allow"
    }
  ],
  "Version": "2012-10-17"
}

 

Furthermore, you can combine the Condition statements above with the permissions for a specific AWS resource, as shown below:

1. Restrict access to EC2 instances to the N. Virginia region (us-east-1):

{
  "Statement": [
    {
      "Sid": "GeneralSpotInstancesAccess",
      "Action": [
        "ec2:RequestSpotInstances",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateSpotDatafeedSubscription",
        "ec2:Describe*"
         ......
         ......
         ......
         ......
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:Region": "us-east-1"
        }
      }
    }
  ],
  "Version": "2012-10-17"
}

2. Restrict access to Elastic Beanstalk environments to a particular VPC:

{
  "Statement": [
    {
      "Sid": "GeneralAccessElasticBeanstalk",
      "Action": [
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "elasticbeanstalk:UpdateEnvironment",
        "cloudformation:GetTemplate",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStackResources",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStackEvent",
        "cloudformation:DescribeStackEvents",
        "logs:PutRetentionPolicy",
        "logs:createLogGroup"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
        }
      }
    }
  ],
  "Version": "2012-10-17"
}
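The three Condition blocks from Examples 1 to 3 can be combined into a single statement, and the resource-scoped statements just above use them the same way. The following Python script is an added example, not code from the Spotinst page, that assembles such a statement and evaluates it against a few constructed request contexts with a small local approximation of IAM's condition logic (explicit Deny, policy variables and most operators are not modelled; the region, account, VPC ID and the build_policy/is_allowed names are assumptions). Its point is a caveat a practitioner should know: a ForAllValues condition is vacuously true when the request carries no values for the key, so the tag-key restriction of Example 2 does not by itself require any tags; pairing it with a "Null" check on aws:TagKeys closes that gap.

```python
import fnmatch
import json

ACTION = "ec2:RequestSpotInstances"

# Constructed placeholder values (assumption, not from the page): replace with your own.
REGION = "us-west-1"
VPC_ARN = "arn:aws:ec2:us-west-1:123456789012:vpc/vpc-0123456789abcdef0"
ALLOWED_TAG_KEYS = ["foo", "bar"]


def build_policy(region=REGION, vpc_arn=VPC_ARN, tag_keys=None, require_tags=True):
    """Merge the VPC, tag-key and region conditions of Examples 1-3 into one statement.
    IAM ANDs the operator blocks. require_tags adds a "Null" check; without it the
    ForAllValues block also matches a request that carries no tag keys at all."""
    tag_keys = ALLOWED_TAG_KEYS if tag_keys is None else tag_keys
    condition = {
        "StringEquals": {"ec2:Region": region, "ec2:vpc": vpc_arn},
        "ForAllValues:StringLike": {"aws:TagKeys": tag_keys},
    }
    if require_tags:
        condition["Null"] = {"aws:TagKeys": "false"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestrictSpotRequests",
            "Effect": "Allow",
            "Action": [ACTION],
            "Resource": ["*"],
            "Condition": condition,
        }],
    }


def _match(operator, pattern, value):
    """Only the string operators used by the examples are modelled."""
    if operator == "StringEquals":
        return value == pattern
    if operator == "StringLike":
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError(f"operator not modelled here: {operator}")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def condition_holds(condition, context):
    """Local approximation of IAM condition evaluation: key names are case-insensitive,
    operator blocks are ANDed, the values listed under one key are ORed."""
    ctx = {k.lower(): _as_list(v) for k, v in context.items()}
    for op, keys in condition.items():
        qualifier, _, base_op = op.rpartition(":")
        for key, patterns in keys.items():
            patterns = _as_list(patterns)
            present = key.lower() in ctx
            values = ctx.get(key.lower(), [])
            if base_op == "Null":
                # "true" requires the key to be absent, "false" requires it to be present
                if present == (patterns[0] == "true"):
                    return False
            elif qualifier == "ForAllValues":
                # all() over an empty list is True: a request with no values passes
                if not all(any(_match(base_op, p, v) for p in patterns) for v in values):
                    return False
            elif qualifier == "ForAnyValue":
                if not any(_match(base_op, p, v) for p in patterns for v in values):
                    return False
            elif not present or not any(_match(base_op, p, v) for p in patterns for v in values):
                return False
    return True


def is_allowed(policy, action, context):
    """True if some Allow statement names the action and its Condition holds."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def evaluate_cases():
    """Constructed request contexts, evaluated with and without the Null check.
    Returns {case: (allowed_with_null_check, allowed_without_null_check)}."""
    strict, loose = build_policy(), build_policy(require_tags=False)
    base = {"ec2:Region": REGION, "ec2:vpc": VPC_ARN, "aws:TagKeys": ["foo"]}
    cases = {
        "in_scope": base,
        "wrong_region": {**base, "ec2:Region": "us-east-1"},
        "unlisted_tag_key": {**base, "aws:TagKeys": ["foo", "Owner"]},
        "no_tags_at_all": {k: v for k, v in base.items() if k != "aws:TagKeys"},
    }
    return {name: (is_allowed(strict, ACTION, ctx), is_allowed(loose, ACTION, ctx))
            for name, ctx in cases.items()}


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    for name, (strict_ok, loose_ok) in evaluate_cases().items():
        print(f"{name:18} with Null check: {strict_ok!s:5} without: {loose_ok}")
```

The "no_tags_at_all" case is the one to watch: it is denied only when the Null block is present. Before relying on any of these conditions in production, confirm the behaviour with the IAM policy simulator, which applies AWS's own evaluation rules rather than this local approximation.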

 

Example 4

If you only want to check how much you can save using Spotinst, you can use only our Spot Analyzer, which requires the following permissions:

{
  "Statement": [
    {
      "Sid": "SpotAnalyzer",
      "Action": [
        "ec2:Describe*",
        "ec2:MonitorInstances",
        "elasticloadbalancing:Describe*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "iam:ListRoles",
        "iam:ListAccountAliases",
        "iam:GetPolicyVersion",
        "iam:ListPolicies",
        "elasticbeanstalk:Describe*",
        "autoscaling:Describe*",
        "ecs:List*",
        "ecs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ],
  "Version": "2012-10-17"
}
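A policy meant only for analysis should grant nothing that changes state, so it is worth checking the action list before attaching it. The script below is an added example, not part of the Spotinst page, that embeds the Spot Analyzer policy above and flags every allowed action that is not a Describe/List/Get call or that is a service-wide wildcard; the function names and the verb-prefix heuristic are assumptions (IAM's service authorization reference is the authoritative source for each action's access level). On this policy it flags ec2:MonitorInstances, which enables detailed CloudWatch monitoring on instances rather than reading data, so it deserves a conscious decision rather than a pass.

```python
import json

# Verb prefixes treated as read-only by this heuristic (assumption, not an AWS classification).
READ_ONLY_VERBS = ("Describe", "List", "Get")

# The Spot Analyzer policy from the page, embedded so the check runs offline.
SPOT_ANALYZER_POLICY = {
    "Statement": [
        {
            "Sid": "SpotAnalyzer",
            "Action": [
                "ec2:Describe*",
                "ec2:MonitorInstances",
                "elasticloadbalancing:Describe*",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "iam:ListRoles",
                "iam:ListAccountAliases",
                "iam:GetPolicyVersion",
                "iam:ListPolicies",
                "elasticbeanstalk:Describe*",
                "autoscaling:Describe*",
                "ecs:List*",
                "ecs:Describe*",
            ],
            "Effect": "Allow",
            "Resource": ["*"],
        }
    ],
    "Version": "2012-10-17",
}


def iter_allowed_actions(policy):
    """Yield every action string granted by an Allow statement (Deny statements are skipped)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        yield from (actions if isinstance(actions, list) else [actions])


def classify(action):
    """Return 'wildcard' for service-wide grants, 'read' for Describe/List/Get
    verbs (with or without a trailing *), and 'review' for everything else."""
    if action == "*" or action.endswith(":*"):
        return "wildcard"
    _service, _, verb = action.partition(":")
    if verb.startswith(READ_ONLY_VERBS):
        return "read"
    return "review"


def audit_read_only(policy):
    """Collect the actions that do not pass the read-only heuristic, grouped by reason."""
    findings = {"wildcard": [], "review": []}
    for action in iter_allowed_actions(policy):
        category = classify(action)
        if category != "read":
            findings[category].append(action)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_read_only(SPOT_ANALYZER_POLICY), indent=2))
```

The same check can be pointed at any policy document, for example the output of aws iam get-policy-version, to catch write-level actions that slipped into a role that is only supposed to observe.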

 

You may find additional information in the AWS docs.