Tags: amazon-web-services, amazon-iam, aws-policies

Conditions on the Trust Policy of an IAM Role


Can someone explain why Roles were designed by AWS to have a Principal like an entire service (EC2, Lambda, etc.), i.e. without the ability to associate/restrict them so that they are assumable only by a specific EC2 instance type or a specific Lambda function? Am I missing a key AWS design concept here?

If I want to restrict a particular role to be assumable only by t2.micro EC2 instances (and no other EC2 instance family/type), is this achievable in AWS? If it can be done, in which permissions policy would this restriction be written?

I tried adding the Condition section below to the 'Trusted Identity' (trust) policy of the role, but this does not work, i.e. other instance types, for example t2.large, are also able to perform actions such as creating a bucket (using the CLI).

"Condition": {
    "StringEquals": {
        "ec2:InstanceType": [
            "t2.micro"
        ]
    }
}

Solution

  • No, it is not possible to put limitations in the Trust Policy.

    If you only want certain IAM Roles to be used on particular instances, you would need to enforce that through the use of iam:PassRole. This is the permission that determines whether somebody has permission to pass a particular role to a service (such as an EC2 instance). Put simply: You can limit who is allowed to select an IAM Role and then trust that they know when to use it correctly.
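As an added illustration of the approach the answer describes (this is example policy written for this page, not code from the original post or from AWS), the restriction goes into the identity-based policy of the principal that launches instances, not into the role's trust policy. Two things are combined: iam:PassRole is allowed only for the one role and only when it is passed to the EC2 service (condition key iam:PassedToService), and ec2:RunInstances is allowed on the instance resource only when ec2:InstanceType is t2.micro. The account ID 111122223333 and the role name example-bucket-creator are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassOnlyThisRoleAndOnlyToEC2",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/example-bucket-creator",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    },
    {
      "Sid": "LaunchInstancesOnlyAsT2Micro",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    },
    {
      "Sid": "OtherResourcesNeededByRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*::image/*"
      ]
    }
  ]
}
```

The ec2:InstanceType condition key is only evaluated against the instance resource, which is why the other resource types that ec2:RunInstances touches (volumes, network interfaces, security groups, subnets, key pairs, the AMI) are granted in a separate statement without the condition. Attaching an instance profile to an already running instance (ec2:AssociateIamInstanceProfile, ec2:ReplaceIamInstanceProfileAssociation) also requires iam:PassRole, so the first statement covers that path as well. Two caveats: the check happens when the launch or association is authorized, not when the instance later calls STS, and any other policy attached to the same principal that grants ec2:RunInstances or iam:PassRole without these conditions will widen what is allowed, so review the principal's full set of policies rather than this one in isolation.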