Denying point & click EC2s within AWS Accounts

Prevent the EC2 Launch Wizard from being used to provision insecure resources

Today I Explained

When spinning up an EC2 instance, the AWS Web Console offers a guided interface known as the Launch Wizard, which walks you through configuring and starting an instance within an AWS Region. Yet sometimes you may find yourself prevented, or strongly discouraged, from using this wizard to provision an EC2. Why?

There are a couple of reasons an organization might push people away from the Launch Wizard. The first is organizational policy: an organization may have adopted the rule that all provisioning is done through Infrastructure as Code. Although it can seem easy to spin up an instance and set it up by hand, doing so creates more work in the long term, as you will then need to retrace your steps to provision the same instance using infrastructure as code.

This is especially troublesome because the original setup will have been done in interactive sessions. You will need to rework those commands to run non-interactively, and make sure they do not conflict with one another when replayed.

The more commonly cited reason is security. The Launch Wizard makes it easy to create insecure-by-default configurations, such as security groups that allow inbound traffic from 0.0.0.0/0, also known as "Open to the Internet". Exposing a new instance to the internet before you have had time to review, audit and harden it means you have had no opportunity to ensure that no exploitable vectors exist on that EC2.

To address these concerns, an organization may adopt aggressive Service Control Policies intended to discourage EC2 create actions that are not performed by authorized users. More likely, you will find that the IAM identity used within the web console is simply restricted from creating security groups or launching new instances.
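As an added example (not from the original post), here is what such a Service Control Policy looks like, together with a small matcher that shows which requests it would block. The SCP denies the actions the Launch Wizard depends on unless the caller is one of the approved Infrastructure-as-Code roles; the role names and account number are placeholders.

```python
import fnmatch
import json

# Placeholder: the only principals allowed to launch instances and create security groups.
APPROVED_PRINCIPAL_ARNS = [
    "arn:aws:iam::*:role/terraform-deploy",
    "arn:aws:iam::*:role/cloudformation-deploy",
]

# SCP that denies the EC2 create actions the Launch Wizard relies on for everyone else.
DENY_LAUNCH_WIZARD_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPointAndClickEC2",
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateSecurityGroup",
                "ec2:AuthorizeSecurityGroupIngress",
            ],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": APPROVED_PRINCIPAL_ARNS}},
        }
    ],
}


def scp_denies(policy, action, principal_arn):
    """Return True if a Deny statement in *policy* matches this action and caller.

    Simplified evaluator: it understands Action wildcards (IAM action names are
    case-insensitive) and the ArnNotLike / aws:PrincipalArn condition used above,
    which is all this SCP needs.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        arns = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        patterns = arns if isinstance(arns, list) else [arns]
        # ArnNotLike holds (so the Deny applies) only when no pattern matches the caller.
        if patterns and any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns):
            continue
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(DENY_LAUNCH_WIZARD_SCP, indent=2))
    console_user = "arn:aws:iam::123456789012:user/console-admin"  # constructed sample
    print(scp_denies(DENY_LAUNCH_WIZARD_SCP, "ec2:RunInstances", console_user))  # True
```

Read-only calls such as ec2:DescribeInstances are unaffected, so the console still works for inspection while point-and-click provisioning is blocked.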