This is the first of a few related posts on the importance of controlling and constraining what resources can be created in your AWS account, particularly with respect to IAM accounts.
A recent lesson learned prompted us to look into unexpected resource usage in an AWS account. Trying out the AWS Batch service inadvertently launched an EC2 c4.large instance, which ran for a day before we noticed it was running. This was a surprise because the launch was not explicit, and the instance carried no descriptive name tag. After terminating the instance we realized two things: only a limited set of instance types should ever run in this particular account, and the AWS Config service can be used to detect anything outside normal operational expectations.
AWS Config is set up with rules that are evaluated against your resources, and a report is generated for anything that fails a rule check. In this case a rule was created listing the three instance types expected in this account. When the Config rules are evaluated, any instance whose type is not on that list is reported as non-compliant. Note that this service does not prevent the launch of out-of-norm instance types; it only reports on them, so you still have to take action to correct the issue. A subsequent post will cover how IAM policies can be used to prevent such a launch in the first place.
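Here is an added example (my own code, not from the original post) of what that rule looks like when defined programmatically, together with the same allow-list check run locally over a constructed instance inventory so you can see which instances Config would flag. It uses the AWS managed Config rule `DESIRED_INSTANCE_TYPE`, whose one parameter `instanceType` is a comma-separated list of permitted EC2 instance types. The three allowed types (`t3.micro`, `t3.small`, `t3.medium`), the rule name and the sample instance records are assumptions; the post does not name its three types.

```python
"""Define an AWS Config rule that reports EC2 instances whose type is not on an
approved list, and mirror that check locally over a constructed inventory.

Added example, not code from the original post. The allow-list, rule name and
instance records below are constructed placeholders.
"""
import json
from typing import Dict, List

# Assumed allow-list: the post mentions three expected types but does not name them.
ALLOWED_INSTANCE_TYPES = ["t3.micro", "t3.small", "t3.medium"]


def build_desired_instance_type_rule(allowed: List[str],
                                     name: str = "allowed-instance-types") -> Dict:
    """Return the ConfigRule structure accepted by ConfigService.put_config_rule.

    DESIRED_INSTANCE_TYPE is an AWS managed rule. Its single parameter,
    instanceType, is a comma-separated list of permitted EC2 instance types,
    and InputParameters is passed to the API as a JSON-encoded string.
    """
    if not allowed:
        raise ValueError("allow-list must not be empty")
    return {
        "ConfigRuleName": name,
        "Description": "Report EC2 instances whose type is not on the approved list",
        "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
        "Source": {"Owner": "AWS", "SourceIdentifier": "DESIRED_INSTANCE_TYPE"},
        "InputParameters": json.dumps({"instanceType": ",".join(allowed)}),
    }


def parse_allow_list(param: str) -> List[str]:
    """Parse the instanceType parameter format ("t2.small, m4.large") into a
    normalised list: whitespace stripped, lower-cased, empty entries dropped."""
    return [t.strip().lower() for t in param.split(",") if t.strip()]


def evaluate_instances(instances: List[Dict], allowed: List[str]) -> Dict[str, str]:
    """Apply the rule's logic locally: map instance id -> COMPLIANT / NON_COMPLIANT.

    Terminated instances are skipped here by design (they can no longer run up
    a bill); feed in whichever states you want checked.
    """
    allowed_set = set(parse_allow_list(",".join(allowed)))
    results = {}
    for inst in instances:
        if inst.get("State") == "terminated":
            continue
        itype = inst["InstanceType"].strip().lower()
        results[inst["InstanceId"]] = "COMPLIANT" if itype in allowed_set else "NON_COMPLIANT"
    return results


def non_compliant_report(instances: List[Dict], allowed: List[str]) -> List[str]:
    """Produce one human-readable line per non-compliant instance, including the
    Name tag (or a marker when it is missing, as in the post's incident)."""
    verdicts = evaluate_instances(instances, allowed)
    lines = []
    for inst in instances:
        if verdicts.get(inst["InstanceId"]) == "NON_COMPLIANT":
            name = inst.get("Tags", {}).get("Name", "<no Name tag>")
            lines.append(f"{inst['InstanceId']} {inst['InstanceType']} ({name}) not in allow-list")
    return lines


def put_rule(client, rule: Dict) -> Dict:
    """Create or update the rule via a boto3 ConfigService client (not called here)."""
    return client.put_config_rule(ConfigRule=rule)


# Constructed sample inventory in the shape of a trimmed describe-instances result.
# The untagged c4.large mirrors the instance the post describes.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa111", "InstanceType": "t3.small", "State": "running",
     "Tags": {"Name": "web-1"}},
    {"InstanceId": "i-0bbb222", "InstanceType": "c4.large", "State": "running", "Tags": {}},
    {"InstanceId": "i-0ccc333", "InstanceType": "t3.medium", "State": "stopped",
     "Tags": {"Name": "batch-dev"}},
    {"InstanceId": "i-0ddd444", "InstanceType": "m5.xlarge", "State": "terminated", "Tags": {}},
]

if __name__ == "__main__":
    rule = build_desired_instance_type_rule(ALLOWED_INSTANCE_TYPES)
    print(json.dumps(rule, indent=2))
    for line in non_compliant_report(SAMPLE_INSTANCES, ALLOWED_INSTANCE_TYPES):
        print(line)
```

To deploy the rule for real, pass the returned structure to `put_rule` with `boto3.client("config")`; the local evaluation only tells you what the report will contain, it does not stop the instance from launching, which is exactly the limitation the post points out.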