Policy: AWS > EC2 > Permissions > Lockdown > Instance > Image

Configure whether lockdown policies are enabled to prohibit launching instance from unapproved AMIs. If enabled, instances will only be allowed to be launched if they are trusted, per the AMI IDs and/or Publishers sub-policies.

Resource Types

This policy targets the following resource types:

AWS > Account

Primary Policy

This policy is used with the following primary policy:

AWS > EC2 > Permissions > Lockdown > Instance

Policy Packs

This policy setting is used by the following policy packs:

Deny AWS EC2 Instances with Unapproved AMIs or Publisher Accounts

Policy Specification

Schema Type	`string`
Default	`Lockdown Disabled`
Valid Values [YAML]	`Lockdown Disabled` `Lockdown Enabled: Allow Image > AMI IDs only` `Lockdown Enabled: Allow Image > Publishers only` `Lockdown Enabled: Allow Image > AMI IDs or Image > Publishers` `Lockdown Enabled: Allow Image > AMI IDs from Image > Publishers`

Schema Type

string

Default

Lockdown Disabled

Valid Values [YAML]

Lockdown Disabled

Lockdown Enabled: Allow Image > AMI IDs only

Lockdown Enabled: Allow Image > Publishers only

Lockdown Enabled: Allow Image > AMI IDs or Image > Publishers

Lockdown Enabled: Allow Image > AMI IDs from Image > Publishers

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/turbot#/control/categories/iamPermissions

Policy Type URI

tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownInstanceImage

GraphQL

query policyType(id: "tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownInstanceImage") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownInstanceImage'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownInstanceImage'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownInstanceImage"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-ec2#/policy/types/ec2PermissionsLockdownInstanceImage"