This lab is provided as part of AWS Innovate For Every Application Edition
ℹ️ You will run this lab in your own AWS account. Please follow the directions at the end of the lab to remove resources and avoid future costs.
This hands-on lab will guide you through the steps to implement cost and usage governance. The skills you learn will help you control your cost and usage in alignment with your business requirements.
- Implement IAM Policies to control usage
- A small number of instances will be started & then immediately terminated
- Costs will be less than $5 if all steps including the teardown are performed
- The lab should take approximately 30 minutes to complete
This lab requires you to develop restrictive IAM policies, apply them to a group of users, then log in as a user in that group and verify each policy. We will first create this test group (CostTest) and a test user (TestUser1).
- Configure the user as follows:
- Record the logon link, the User and the Password for later use, then click Close:
To manage costs you need to manage and control your usage. AWS offers multiple regions, so depending on your business requirements you can limit access to AWS services depending on the region. This can be used to ensure usage is only allowed in specific regions which are more cost effective, and minimize associated usage and cost, such as data transfer.
We will create a policy that allows all EC2, RDS and S3 access in a single region only. NOTE: it is best practice to provide only the minimum access required, the policy used here is for brevity and simplicity, and should only be implemented as a demonstration before being removed.
- Copy and paste the policy into the console:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "rds:*",
        "s3:*"
      ],
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}
    }
  ]
}
```
- Click Next: Tags and Next: Review:
- Create the policy with the following details (the policy is named RegionRestrict, which later steps refer to):
You have successfully created an IAM policy to restrict usage by region.
- Click on the Add permissions dropdown list and choose Attach Policies:
- Select the checkbox next to RegionRestrict (created above) and click Add permissions:
You have successfully attached the policy to the CostTest group. Log out from the console.
- Log on to the console as the TestUser1 user and go to the EC2 service dashboard:
- Click the current region in the top right and select US West (N. California):
- Try to launch an instance by clicking Launch Instance, then select Launch Instance:
- Click on Select next to the Amazon Linux 2 AMI. You will receive an error when you select an AMI, as you do not have permissions in this region:
You have successfully verified that you cannot launch any instances outside of the N. Virginia region. We will now verify that we have access in us-east-1 (N. Virginia):
- Change the region by clicking the current region and selecting US East (N. Virginia):
- Now attempt to launch an instance: choose the Amazon Linux 2 AMI, leave 64-bit (x86) selected and click Select:
- Scroll down, select a c5.large and click Review and Launch:
- Take note of the security group created (you will need to delete it during teardown), then click Launch:
- Select Proceed without a key pair, tick the I acknowledge... checkbox and click Launch Instances:
- Ensure the correct instance is selected, click Actions, then Instance State, then Terminate:
- Log out of the console as TestUser1.
You have successfully implemented an IAM policy that restricts all EC2, RDS and S3 operations to a single region. You have also successfully launched a c5 instance type.
AWS offers different instance families within EC2. Depending on your workload requirements, different types will be the most cost effective. For non-specific environments such as testing or development, you can restrict the instance families in those accounts to the most cost-effective generic types. It is also an effective way to increase Savings Plan or Reserved Instance utilization, by ensuring these accounts consume any available commitment discounts.
We will create a policy that allows operations on specific instance families only. This will not only restrict launching an instance, but all other activities. NOTE: it is best practice to provide only the minimum access required, the policy used here is for brevity and simplicity, and should only be implemented as a demonstration before being removed.
- Log on to the console as your regular user with the required permissions, then go to the IAM service page:
- Copy and paste the policy into the console:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringLike": {
          "ec2:InstanceType": [
            "t3.*",
            "a1.*",
            "m5.*"
          ]
        }
      }
    }
  ]
}
```
- Enter the details (the policy is named Ec2_FamilyRestrict, which the teardown refers to):
You have successfully created an IAM policy to restrict usage by Instance Family.
- We need to remove the RegionRestrict policy, as it permitted all EC2 actions. Click on Detach Policy for RegionRestrict:
- Click on Detach:
You have successfully attached the policy to the CostTest group. Log out from the console.
- Log on to the console as the TestUser1 user and go to the EC2 service dashboard:
- Try to launch an instance by clicking Launch Instance, then select Launch Instance:
- We will first select an instance we are not able to launch, so select a c5.large instance and click Review and Launch:
- Select Proceed without a key pair, tick I acknowledge that I will not be able to..., then click Launch Instances:
- You will receive an error; notice that the failed step was Initiating launches. Click Back to Review Screen:
- We will now select an instance type we can launch (t3, a1 or m5): select t3.micro and click Review and Launch:
- Select Yes, I want to continue with this instance type (t3.micro) and click Next:
- Select Proceed without a key pair, tick I acknowledge that I will not be able to..., then click Launch Instances:
- You will receive a success message. Click on the Instance ID and terminate the instance as above:
- Log out of the console as TestUser1.
You have successfully implemented an IAM policy that restricts all EC2 actions to T3, A1 and M5 instance types.
We can also restrict the size of instance that can be launched. This can be used to ensure only low cost instances can be created within an account. This is ideal for testing and development, where high capacity instances may not be required. We will extend the EC2 family policy above, and add restrictions by adding the sizes of instances allowed.
- Log on to the console as your regular user with the required permissions, then go to the IAM service page:
- Modify the policy by adding the allowed sizes (nano, medium and large) to the instance types. Be careful not to change the syntax or remove any of the quote characters. Click on Review policy:
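The edit above is done by hand in the console, and a lost quote or comma is the most common way it goes wrong. The following is an added example (not part of the lab and not AWS code) that generates the size-restricted instance-type list from the lab's families and sizes, emits the policy as JSON, and re-validates the text before it is pasted. The family-by-size layout of the list (`t3.nano`, `t3.medium`, ... rather than a wildcard) and the helper names are assumptions; the lab's own edited text is not shown above.

```python
"""Build and validate the size-restricted Ec2_FamilyRestrict policy.

Added example, not part of the lab. Assumption: the lab's edit turns the
family wildcards into explicit family.size values for the allowed sizes.
"""
import json
from fnmatch import fnmatchcase

FAMILIES = ["t3", "a1", "m5"]          # families allowed by the lab's policy
SIZES = ["nano", "medium", "large"]    # sizes the lab says to add


def instance_type_patterns(families, sizes):
    """Return explicit family.size values, e.g. ['t3.nano', 't3.medium', ...]."""
    return [f"{family}.{size}" for family in families for size in sizes]


def family_restrict_policy(patterns):
    """Return the lab's family policy with the instance-type list replaced."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"ForAllValues:StringLike": {"ec2:InstanceType": patterns}},
        }],
    }


def family_restrict_policy_text(patterns):
    """The policy as the JSON text you would paste into the console."""
    return json.dumps(family_restrict_policy(patterns), indent=2)


def validate_policy_text(text):
    """Parse policy text and check the fields a hand edit could damage.

    Returns the parsed policy, or raises ValueError when the JSON is broken
    (the console would reject it) or the instance-type list is malformed.
    """
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"policy is not valid JSON: {exc}") from exc
    for stmt in policy["Statement"]:
        for key in ("Effect", "Action", "Resource"):
            if key not in stmt:
                raise ValueError(f"statement is missing {key}")
        types = stmt["Condition"]["ForAllValues:StringLike"]["ec2:InstanceType"]
        if not isinstance(types, list) or not all(isinstance(t, str) for t in types):
            raise ValueError("ec2:InstanceType must be a list of strings")
    return policy


def policy_text_is_valid(text):
    """True if the text parses and still carries the fields the policy needs."""
    try:
        validate_policy_text(text)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def is_type_allowed(instance_type, patterns):
    """Mirror IAM StringLike matching of one instance type against the list."""
    return any(fnmatchcase(instance_type, p) for p in patterns)


# Constructed example of the mistake the lab warns about: one quote dropped.
BROKEN_EDIT = family_restrict_policy_text(
    instance_type_patterns(FAMILIES, SIZES)).replace('"t3.medium"', 't3.medium"', 1)

if __name__ == "__main__":
    patterns = instance_type_patterns(FAMILIES, SIZES)
    text = family_restrict_policy_text(patterns)
    print(text)
    print("edited policy valid:", policy_text_is_valid(text))
    print("broken edit valid:  ", policy_text_is_valid(BROKEN_EDIT))
    for t in ("t3.micro", "t3.nano", "m5.large", "c5.large"):
        print(f"{t:10} {'allowed' if is_type_allowed(t, patterns) else 'denied'}")
```

Running the file prints the policy text, confirms that the generated text validates while the broken edit does not, and shows that t3.micro is no longer matched once the wildcards are replaced by explicit sizes, which is exactly what the next exercise verifies in the console.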
- Log out from the console.
You have successfully modified the policy to restrict usage by instance size.
- Log on to the console as the TestUser1 user, click on Services and go to the EC2 dashboard:
- Try to launch an instance by clicking Launch Instance, then select Launch Instance:
- We will attempt to launch a t3.micro, which was successful before. Click on Review and Launch:
- Review the configuration and take note of the security group created, then click Launch:
- Select Proceed without a key pair, tick I acknowledge that I will not be able to..., then click Launch Instances:
- You will get a failure, as micro is not a size we allowed in the policy. Click Back to Review Screen:
- We will now select a t3.nano, which will succeed. Click Review and Launch:
- Select Yes, I want to continue with this instance type (t3.nano) and click Next:
- Select Proceed without a key pair, tick I acknowledge that I will not be able to..., then click Launch Instances:
- It will succeed. Click on the Instance ID and terminate the instance as above:
- Log out of the console as TestUser1.
You have successfully implemented an IAM policy that restricts all EC2 instance operations by family and size.
Extending cost optimization governance beyond compute instances will ensure overall higher levels of cost optimization. Similar to EC2 instances, there are different storage types. Governing the type of storage that can be created in an account can be effective to minimize cost.
We will create an IAM policy that denies operations that contain provisioned IOPS (io1) EBS volume types. This will not only restrict creating a volume, but all other actions that attempt to use this volume type.
NOTE: it is best practice to provide only the minimum access required, the policy used here is for brevity and simplicity, and should only be implemented as a demonstration before being removed.
- Log on to the console as your regular user with the required permissions, then go to the IAM service page:
- Copy and paste the policy into the console:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:VolumeType": "io1"
        }
      }
    }
  ]
}
```
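To see why each console check in this lab succeeds or fails, the following is an added example (not AWS code and not part of the lab) that replays the RegionRestrict, Ec2_FamilyRestrict and EC2EBS_Restrict policies above against constructed request contexts with a minimal local IAM evaluator. It implements only the operators the three policies use (StringEquals, StringLike and the ForAllValues qualifier) and the evaluation order an explicit Deny overrides any Allow, and with no matching Allow the request is implicitly denied. The request contexts, the scenario names and the single-volume simplification are assumptions. It also shows the one behaviour worth knowing before reusing the family policy: ForAllValues is true when the condition key is absent from the request, so actions that carry no ec2:InstanceType key (such as ec2:DescribeInstances) are allowed by that statement.

```python
"""Local evaluator for the lab's three IAM policies.

Added example, not AWS code. Implements just enough of IAM policy evaluation
to replay the lab's console checks offline: explicit Deny wins, otherwise a
matching Allow is required, otherwise the request is implicitly denied.
"""
from fnmatch import fnmatchcase

# The three policies as pasted in the lab (the size-restricted variant of the
# family policy is edited by hand in the console and its text is not shown).
REGION_RESTRICT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:*", "rds:*", "s3:*"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}

EC2_FAMILY_RESTRICT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
    "Condition": {"ForAllValues:StringLike": {
        "ec2:InstanceType": ["t3.*", "a1.*", "m5.*"]}}}]}

EC2EBS_RESTRICT = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Deny", "Action": "ec2:*", "Resource": "*",
    "Condition": {"StringEquals": {"ec2:VolumeType": "io1"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _value_matches(op, actual, expected):
    """Compare one request value against the policy's values for `op`."""
    if op == "StringEquals":
        return actual in expected
    if op == "StringLike":  # IAM wildcards * and ?, case-sensitive
        return any(fnmatchcase(actual, e) for e in expected)
    raise ValueError(f"unsupported condition operator: {op}")


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request's context keys.

    A key absent from the request makes a plain operator fail, but
    ForAllValues is vacuously true for a missing key (AWS-documented). That
    is why ec2:Describe* calls, which carry no ec2:InstanceType, still pass
    the family policy's Allow statement.
    """
    for operator, pairs in condition.items():
        qualifier, _, op = operator.rpartition(":")
        for key, expected in pairs.items():
            expected = _as_list(expected)
            if key not in context:
                if qualifier == "ForAllValues":
                    continue
                return False
            actual_values = _as_list(context[key])
            if qualifier == "ForAllValues":
                ok = all(_value_matches(op, a, expected) for a in actual_values)
            elif qualifier == "ForAnyValue":
                ok = any(_value_matches(op, a, expected) for a in actual_values)
            else:
                ok = _value_matches(op, actual_values[0], expected)
            if not ok:
                return False
    return True


def evaluate(policies, action, context):
    """Return 'Allow' or 'Deny' for one request under all the given policies.

    `context` maps condition keys (aws:RequestedRegion, ec2:InstanceType,
    ec2:VolumeType) to the request's values. All policies are treated as
    attached to the same identity, as they are to the CostTest group.
    """
    explicit_deny = False
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action.lower(), p.lower())
                       for p in _as_list(stmt["Action"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                explicit_deny = True
            else:
                allowed = True
    return "Deny" if explicit_deny or not allowed else "Allow"


def lab_scenarios():
    """Replay the lab's console checks as constructed request contexts.

    Simplification: IAM evaluates ec2:VolumeType per volume in a RunInstances
    request; here each launch request carries a single volume type.
    """
    run = "ec2:RunInstances"
    return {
        # Exercise 1: RegionRestrict alone
        "c5.large in us-west-1": evaluate([REGION_RESTRICT], run,
            {"aws:RequestedRegion": "us-west-1", "ec2:InstanceType": "c5.large"}),
        "c5.large in us-east-1": evaluate([REGION_RESTRICT], run,
            {"aws:RequestedRegion": "us-east-1", "ec2:InstanceType": "c5.large"}),
        # Exercise 2: Ec2_FamilyRestrict alone (RegionRestrict detached)
        "c5.large family": evaluate([EC2_FAMILY_RESTRICT], run,
            {"aws:RequestedRegion": "us-east-1", "ec2:InstanceType": "c5.large"}),
        "t3.micro family": evaluate([EC2_FAMILY_RESTRICT], run,
            {"aws:RequestedRegion": "us-east-1", "ec2:InstanceType": "t3.micro"}),
        # Exercise 4: family policy plus the io1 Deny
        "t3.nano with io1 volume": evaluate([EC2_FAMILY_RESTRICT, EC2EBS_RESTRICT], run,
            {"ec2:InstanceType": "t3.nano", "ec2:VolumeType": "io1"}),
        "t3.nano with gp2 volume": evaluate([EC2_FAMILY_RESTRICT, EC2EBS_RESTRICT], run,
            {"ec2:InstanceType": "t3.nano", "ec2:VolumeType": "gp2"}),
        # Caveat: a Describe call carries no ec2:InstanceType key, so
        # ForAllValues is true and the Allow applies.
        "DescribeInstances under family policy": evaluate(
            [EC2_FAMILY_RESTRICT], "ec2:DescribeInstances", {}),
    }


if __name__ == "__main__":
    for name, decision in lab_scenarios().items():
        print(f"{decision:5}  {name}")
```

Running the file prints one decision per scenario, matching the outcomes the lab steps describe. In a real account, the equivalent check that does not launch anything is the IAM policy simulator, which evaluates the policies attached to a user or group against a chosen action and context key values.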
- Configure the following details (the policy is named EC2EBS_Restrict, which the teardown refers to):
You have successfully created an IAM policy to restrict EBS actions by volume type.
You have successfully attached the policy to the CostTest group. Log out from the console.
- Log on to the console as the TestUser1 user, click on Services, then click EC2:
- Try to launch an instance by clicking Launch Instance, then select Launch Instance:
- Select t3.nano (which is allowed by the policy already applied and tested in the last exercise), then click Next: Configure Instance Details:
- Click on Add New Volume, click on the dropdown, then select Provisioned IOPS SSD (io1):
- Select Proceed without a key pair, tick I acknowledge that I will not be able to..., then click Launch Instances:
- The launch will fail, as it contained an io1 volume. Click Back to Review Screen:
- Click the dropdown and change it to General Purpose SSD (gp2), then click Review and Launch:
- Select Proceed without a key pair, tick I acknowledge that I will not be able to..., then click Launch Instances:
- It will now succeed, as it doesn't contain an io1 volume type. Click on the instance ID and terminate the instance as above:
- Log out of the console as TestUser1.
You have successfully implemented an IAM policy that denies operations if there is an EBS volume of type io1.
Log on to the console as your regular user with the required permissions.
We will delete the IAM policies created, as they are no longer applied to any groups.
- Log on to the console as your regular user with the required permissions, then go to the IAM service page:
- Click on Filter Policies and select Customer managed:
- Perform the same steps above to delete the Ec2_FamilyRestrict and EC2EBS_Restrict policies.
- Select the CostTest group, click Group Actions, then click Delete Group:
- Select the security groups you took note of, making sure they are the groups created during this lab. Click Actions, then select Delete Security Groups:
- Triple check that they are the groups you wrote down, then click Yes, Delete:
- Confirm there are no unattached io1 EBS volumes: go to the EC2 dashboard, click on Elastic Block Store, then Volumes. You can sort by the Created column to help identify volumes that were not deleted as part of this lab.
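The console check above relies on sorting by the Created column and reading the list by eye. The following is an added example (not part of the lab and not AWS code) that does the same check over the `Volumes` list in the shape returned by `aws ec2 describe-volumes`: it keeps volumes in the `available` state (no attachment), optionally restricted to one volume type and to volumes created on or after the lab's start time, newest first. The volume records are a constructed sample, not data from any account; the volume IDs, timestamps and helper names are assumptions.

```python
"""List EBS volumes left behind by the lab (added example, not part of the lab).

SAMPLE_VOLUMES is a constructed sample shaped like the "Volumes" list that
`aws ec2 describe-volumes` returns; a real run would load that JSON instead.
A volume whose State is "available" has no instance attached.
"""
from datetime import datetime

SAMPLE_VOLUMES = [  # constructed sample, not real account data
    {"VolumeId": "vol-0000000000000001", "VolumeType": "io1", "State": "available",
     "Size": 8, "CreateTime": "2022-06-01T10:05:00+00:00", "Attachments": []},
    {"VolumeId": "vol-0000000000000002", "VolumeType": "gp2", "State": "in-use",
     "Size": 8, "CreateTime": "2022-06-01T10:00:00+00:00",
     "Attachments": [{"InstanceId": "i-0000000000000001", "State": "attached"}]},
    {"VolumeId": "vol-0000000000000003", "VolumeType": "io1", "State": "available",
     "Size": 100, "CreateTime": "2022-05-30T09:00:00+00:00", "Attachments": []},
    {"VolumeId": "vol-0000000000000004", "VolumeType": "gp2", "State": "available",
     "Size": 8, "CreateTime": "2022-05-31T12:00:00+00:00", "Attachments": []},
]


def _created(volume):
    """CreateTime as an aware datetime (ISO 8601 with a UTC offset)."""
    return datetime.fromisoformat(volume["CreateTime"])


def leftover_volumes(volumes, volume_type=None, since=None):
    """Return unattached volumes, newest first.

    volume_type: keep only this EBS type (e.g. "io1"); None keeps all types.
    since: ISO 8601 timestamp; keep only volumes created at or after it, so
    volumes that predate the lab are not flagged for deletion.
    """
    start = datetime.fromisoformat(since) if since else None
    found = []
    for volume in volumes:
        if volume["State"] != "available" or volume.get("Attachments"):
            continue  # attached (or mid-transition) volumes are not leftovers
        if volume_type and volume["VolumeType"] != volume_type:
            continue
        if start and _created(volume) < start:
            continue
        found.append(volume)
    return sorted(found, key=_created, reverse=True)


def leftover_volume_ids(volumes, volume_type=None, since=None):
    """Convenience wrapper returning just the volume IDs, newest first."""
    return [v["VolumeId"] for v in leftover_volumes(volumes, volume_type, since)]


if __name__ == "__main__":
    print("unattached io1 volumes:", leftover_volume_ids(SAMPLE_VOLUMES, "io1"))
    print("unattached since lab start:",
          leftover_volume_ids(SAMPLE_VOLUMES, since="2022-05-31T00:00:00+00:00"))
    for v in leftover_volumes(SAMPLE_VOLUMES):
        print(f"{v['VolumeId']}  {v['VolumeType']:4} {v['Size']:>4} GiB  {v['CreateTime']}")
```

Against a real account, the input would come from `aws ec2 describe-volumes --filters Name=status,Values=available Name=volume-type,Values=io1`, which applies the same state and type filters server-side; the `since` filter is what keeps a pre-existing volume from being mistaken for one created by the lab.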
Let us know what you thought of this lab and how we can improve the experience for you in the future by completing this poll. Participants who complete the surveys from AWS Innovate Online Conference will receive a gift code for USD25 in AWS credits 1, 2 & 3. AWS credits will be sent via email by September 30, 2022.
Note: Only registrants of AWS Innovate Online Conference who complete the surveys will receive a gift code for USD25 in AWS credits via email.
- AWS Promotional Credits Terms and conditions apply: https://aws.amazon.com/awscredits/
- Limited to 1 x USD25 AWS credits per participant.
- Participants will be required to provide their business email addresses to receive the gift code for AWS credits.