I want to allow users only to create t2.micro/small/medium for development and allow them to use only spot instances. Have created IAM policy to restrict type/size of instances. In addition I want to put restriction on "on-demand" instances (team MUST opt for spot instances only). What is the cleaner way of achieving it?
allow full access with the account
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "limitedSize",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"cloudwatch:DescribeAlarms"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"ForAnyValue:StringNotLike": {
"ec2:InstanceType": [
"t3.*",
"t2.*"
]
}
}
}
]
}