Level 200: Cost and Usage Governance

Authors

  • Nathan Besh, Cost Lead Well-Architected
  • Spencer Marley, Commercial Architect

Feedback

If you wish to provide feedback on this lab, there is an error, or you want to make a suggestion, please email: costoptimization@amazon.com

Table of Contents

  1. Create a group of users for testing
  2. Create an IAM Policy to restrict EC2 usage by region
  3. Create an IAM Policy to restrict EC2 usage by family
  4. Extend an IAM Policy to restrict EC2 usage by instance size
  5. Create an IAM policy to restrict EBS Volume creation by volume type
  6. Tear down

1. Create a group of users for testing

This lab requires you to apply an IAM policy to a group of users, then log in as a user in that group and verify the policy. We will create this test group first.

  1. Go to the IAM service page: Images/AWSPolicy1.png

  2. Click on Groups, click Create New Group: Images/AWSCreateTest2.png

  3. Set the group name to CostTest and click Next Step: Images/AWSCreateTest3.png

  4. Click Next Step: Images/AWSCreateTest4.png

  5. Click Create Group: Images/AWSCreateTest5.png

  6. Click Users: Images/AWSCreateTest6.png

  7. Click Add user: Images/AWSCreateTest7.png

  8. Configure the user as follows:

    • Username: TestUser1
    • Access type: AWS Management Console access
    • Console password: Autogenerated password
    • Un-select Require password reset
    • Click Next: Permissions: Images/AWSCreateTest8.png
  9. Select the CostTest group, and click Next: Tags: Images/AWSCreateTest9.png

  10. Click Next: Review: Images/AWSCreateTest10.png

  11. Review the details and click Create user: Images/AWSCreateTest11.png

  12. Record the logon link, the User and the Password for later use, click Close: Images/AWSCreateTest12.png

2. Create an IAM Policy to restrict service usage by region

To manage costs you need to manage and control your usage. AWS offers multiple regions, and depending on your business requirements you can limit access to AWS services to specific regions. This ensures usage is only allowed in the regions that are most cost effective, and minimizes associated usage and cost, such as data transfer.

We will create a policy that allows all EC2, RDS and S3 access in a single region only. NOTE: it is best practice to provide only the minimum access required; the policy used here is kept broad for brevity and simplicity, and should only be implemented as a demonstration before being removed.

2.1 Create the IAM Policy

  1. Go to the IAM service page: Images/AWSPolicy1.png

  2. Select Policies from the left menu: Images/AWSPolicy2.png

  3. Click Create Policy: Images/AWSPolicy3.png

  4. Click the JSON tab: Images/AWSPolicy4.png

  5. Open the following text file, then copy and paste the policy into the console. NOTE: ensure you copy the entire policy, including the start '{' and end '}': ./Code/Region_Restrict

  6. Click Review policy: Images/AWSPolicy5.png

  7. Create the policy with the following details:

    • Name: RegionRestrict
    • Description: EC2, RDS, S3 access in us-east-1 only
    • Click Create policy: Images/AWSPolicy6.png

You have successfully created the Policy.

2.2 Apply it to a group

  1. Select Groups from the left menu: Images/AWSPolicy7.png

  2. Click on the CostTest group (created previously): Images/AWSPolicy8.png

  3. Select the Permissions tab: Images/AWSPolicy9.png

  4. Click Attach Policy: Images/AWSPolicy10.png

  5. Click Policy Type and select Customer Managed: Images/AWSPolicy12.png

  6. Select the checkbox next to RegionRestrict (created above) and click Attach Policy: Images/AWSPolicy13.png

You have successfully attached the policy to the CostTest group.

Log out from the console

2.3 Verify the policy is in effect

  1. Log on to the console as the TestUser1 user, then go to the EC2 Service dashboard: Images/AWSPolicy14.png

  2. Click the current region in the top right, and select US West (N.California): Images/AWSPolicy15.png

  3. In the old look EC2 console you will see authorization error messages, because you have no access in that region (the policy restricts EC2 usage to N. Virginia only); the new look EC2 console will not show errors: Images/AWSPolicy16.png

  4. Try to launch an instance by clicking Launch Instance: Images/AWSPolicy17.png

  5. Click Select next to the Amazon Linux 2 AMI. You will receive an error when you select the AMI, as you do not have permissions: Images/AWSPolicy18.png

You have successfully verified that you cannot launch any instances outside of the N.Virginia region. We will now verify we have access in us-east-1 (N.Virginia):

  1. Change the region by clicking the current region, and selecting US East (N.Virginia): Images/AWSPolicy19.png

  2. Now attempt to launch an instance, choose the Amazon Linux 2 AMI, leave 64-bit (x86) selected, click Select: Images/AWSPolicy20.png

  3. Scroll down and select a c5.large, and click Review and Launch: Images/AWSPolicy21.png

  4. Take note of the security group created (as you need to delete it), Click Launch: Images/AWSPolicy23.png

  5. Select Proceed without a key pair, tick the I acknowledge... checkbox, and click Launch Instances: Images/AWSPolicy24.png

  6. You will get a success message, click on the instance id: Images/AWSPolicy25.png

  7. Ensure the correct instance is selected, click Actions, then Instance State, then Terminate: Images/AWSPolicy26.png

  8. Confirm the instance ID is correct, click Yes, Terminate: Images/AWSPolicy27.png

You have successfully implemented an IAM policy that restricts all EC2, RDS and S3 operations to a single region.

Log out of the console as TestUser1.

3. Create an IAM Policy to restrict EC2 usage by family

AWS offers different instance families within EC2. Depending on your workload requirements, different types will be most cost effective. For non-specific environments such as testing or development, you can restrict the instance families in those accounts to the most cost effective generic types. This is also an effective way to increase RI utilization, by ensuring these accounts will consume any available Reserved Instances.

We will create a policy that allows operations on specific instance families only. This restricts not only launching an instance, but all other activities. NOTE: it is best practice to provide only the minimum access required; the policy used here is kept broad for brevity and simplicity, and should only be implemented as a demonstration before being removed.

3.1 Create the IAM Policy

  1. Log on to the console as your regular user with the required permissions, then go to the IAM service page: Images/AWSFamilyRestrict0.png

  2. Select Policies from the left menu: Images/AWSFamilyRestrict1.png

  3. Click Create Policy: Images/AWSFamilyRestrict2.png

  4. Click on the JSON tab: Images/AWSFamilyRestrict3.png

  5. Open the following text file, then copy and paste the policy into the console. NOTE: ensure you copy the entire policy, including the start '{' and end '}': ./Code/EC2Family_Restrict

  6. Click Review policy: Images/AWSFamilyRestrict4.png

  7. Enter the details:

    • Name: EC2_FamilyRestrict
    • Description: Restrict to t3, a1 and m5 families
    • Click on Create Policy: Images/AWSFamilyRestrict5.png

3.2 Attach the policy to the group

  1. Click on Groups from the left menu: Images/AWSFamilyRestrict6.png

  2. Click on the CostTest group (created previously): Images/AWSFamilyRestrict7.png

  3. We need to remove the RegionRestrict policy, as it permitted all EC2 actions. Click on Detach Policy for RegionRestrict: Images/AWSFamilyRestrict8.png

  4. Click on Detach: Images/AWSFamilyRestrict9.png

  5. Click on Attach Policy: Images/AWSFamilyRestrict10.png

  6. Click on Policy Type, then click Customer Managed: Images/AWSFamilyRestrict11.png

  7. Select the checkbox next to EC2_FamilyRestrict, and click Attach Policy: Images/AWSFamilyRestrict12.png

Log out of the console

3.3 Verify the policy is in effect

  1. Log on to the console as the TestUser1 user, then go to the EC2 Service dashboard: Images/AWSFamilyRestrict13.png

  2. Click on Launch Instance: Images/AWSFamilyRestrict14.png

  3. Click on Select next to the Amazon Linux 2 AMI: Images/AWSFamilyRestrict15.png

  4. We will first select an instance type we are not able to launch: select a c5.large instance and click Review and Launch: Images/AWSFamilyRestrict16.png

  5. Make note of the security group created, click Launch: Images/AWSFamilyRestrict17.png

  6. Select Proceed without a key pair, and click I acknowledge that I will not be able to..., then click Launch Instances: Images/AWSFamilyRestrict18.png

  7. You will receive an error, notice the failed step was Initiating launches. Click Back to Review Screen: Images/AWSFamilyRestrict19.png

  8. Click Edit instance type: Images/AWSFamilyRestrict20.png

  9. We will now select an instance type we can launch (t3, a1 or m5): select t3.micro, and click Review and Launch: Images/AWSFamilyRestrict21.png

  10. Select Yes, I want to continue with this instance type (t3.micro), click Next: Images/AWSFamilyRestrict22.png

  11. Click Launch: Images/AWSFamilyRestrict23.png

  12. Select Proceed without a key pair, and click I acknowledge that I will not be able to..., then click Launch Instances: Images/AWSFamilyRestrict24.png

  13. You will receive a success message. Click on the Instance ID and terminate the instance as above: Images/AWSFamilyRestrict25.png

You have successfully implemented an IAM policy that restricts all EC2 actions to T3, A1 and M5 instance types.

Log out of the console as TestUser1.

4. Extend an IAM Policy to restrict EC2 usage by instance size

We can also restrict the size of instance that can be launched. This can be used to ensure only low cost instances can be created within an account. This is ideal for testing and development, where high capacity instances may not be required. We will extend the EC2 family policy above, and add restrictions by adding the sizes of instances allowed.

4.1 Extend the EC2Family_Restrict IAM Policy

  1. Log on to the console as your regular user with the required permissions, go to the IAM service page: Images/AWSFamilyUpdate0.png

  2. Click on Policies on the left menu: Images/AWSFamilyUpdate1.png

  3. Click on Filter policies, then select Customer managed: Images/AWSFamilyUpdate2.png

  4. Click on EC2_FamilyRestrict to modify it: Images/AWSFamilyUpdate3.png

  5. Click on Edit policy: Images/AWSFamilyUpdate4.png

  6. Click on the JSON tab: Images/AWSFamilyUpdate5.png

  7. Modify the policy by adding the allowed sizes: nano, medium and large. Be careful not to change the syntax or remove the quote characters. Click on Review policy: Images/AWSFamilyUpdate6.png

  8. Click on Save changes: Images/AWSFamilyUpdate7.png

4.2 Verify the policy is in effect

  1. Log on to the console as the TestUser1 user, click on Services and go to the EC2 dashboard: Images/AWSFamilyUpdate8.png

  2. Click on Launch Instance: Images/AWSFamilyUpdate9.png

  3. Click on Select next to the Amazon Linux 2 AMI: Images/AWSFamilyUpdate10.png

  4. We will attempt to launch a t3.micro, which was successful before. Click on Review and Launch: Images/AWSFamilyUpdate11.png

  5. Review the configuration and take note of the security group created, click Launch: Images/AWSFamilyUpdate12.png

  6. Select Proceed without a key pair, and click I acknowledge that I will not be able to..., then click Launch Instances: Images/AWSFamilyUpdate13.png

  7. You will get a failure, as t3.micro is not one of the sizes we allowed in the policy. Click Back to Review Screen: Images/AWSFamilyUpdate14.png

  8. Click Edit instance type: Images/AWSFamilyUpdate15.png

  9. We will now select a t3.nano which will succeed. Click Review and Launch: Images/AWSFamilyUpdate16.png

  10. Select Yes, I want to continue with this instance type (t3.nano), and click Next: Images/AWSFamilyUpdate17.png

  11. Review the configuration and click Launch: Images/AWSFamilyUpdate18.png

  12. Select Proceed without a key pair, and click I acknowledge that I will not be able to..., then click Launch Instances: Images/AWSFamilyUpdate19.png

  13. It will succeed. Click on the Instance ID and terminate the instance as above: Images/AWSFamilyUpdate20.png

You have successfully implemented an IAM policy that restricts all EC2 instance operations by family and size.

Log out of the console as TestUser1.

5. Create an IAM policy to restrict EBS Volume creation by volume type

Extending cost optimization governance beyond compute instances will ensure overall higher levels of cost optimization. Similar to EC2 instances, there are different storage types. Governing the type of storage that can be created in an account can be effective to minimize cost.

We will create an IAM policy that denies operations that involve provisioned IOPS (io1) EBS volume types. This restricts not only creating such a volume, but all other actions that attempt to use this volume type. NOTE: it is best practice to provide only the minimum access required; the policy used here is kept broad for brevity and simplicity, and should only be implemented as a demonstration before being removed.
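The four policies built in sections 2 to 5 (region, instance family, instance size, EBS volume type) all rely on IAM condition keys, and the verify steps depend on how IAM combines Allow and explicit Deny statements. The following is an added example, not the lab's own code or the contents of its ./Code files: a miniature model of IAM policy evaluation with the policies reconstructed from the lab text (the condition keys aws:RequestedRegion, ec2:InstanceType and ec2:VolumeType are real IAM keys; the exact statements the lab ships are an assumption here), replaying each verify step offline.

```python
# Added example (mine, not the lab's ./Code files): policy bodies are reconstructed from the lab text.
import fnmatch

REGION_RESTRICT = {"Statement": [  # section 2: EC2, RDS, S3 in us-east-1 only
    {"Effect": "Allow", "Action": ["ec2:*", "rds:*", "s3:*"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1"]}}}]}

def family_policy(families, sizes=("*",)):
    """Sections 3 and 4: allow ec2:* only when the request's instance type matches."""
    patterns = [f"{f}.{s}" for f in families for s in sizes]
    return {"Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*",
         "Condition": {"StringLike": {"ec2:InstanceType": patterns}}}]}

EBS_RESTRICT = {"Statement": [  # section 5: explicit deny whenever an io1 volume is involved
    {"Effect": "Deny", "Action": ["ec2:*"], "Resource": "*",
     "Condition": {"StringEquals": {"ec2:VolumeType": ["io1"]}}}]}

def _holds(operator, key_values, ctx):
    """StringEquals / StringLike over one flat request context; a missing key never matches."""
    for key, wanted in key_values.items():
        actual = ctx.get(key)
        if actual is None or (operator == "StringEquals" and actual not in wanted) or (
                operator == "StringLike" and not any(fnmatch.fnmatchcase(actual, w) for w in wanted)):
            return False
    return True

def evaluate(policies, action, ctx):
    """IAM decision order: an explicit Deny beats any Allow; no match is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in (s for p in policies for s in p["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not all(_holds(op, kv, ctx) for op, kv in stmt.get("Condition", {}).items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def lab_checks():
    """Replays the lab's verify steps (2.3, 3.3, 4.2, 5.3) against the reconstructed policies."""
    fam = family_policy(["t3", "a1", "m5"])
    sized = family_policy(["t3", "a1", "m5"], ["nano", "medium", "large"])
    run, t3n = "ec2:RunInstances", {"ec2:InstanceType": "t3.nano"}
    return {
        "2.3 us-west-1": evaluate([REGION_RESTRICT], run, {"aws:RequestedRegion": "us-west-1"}),
        "2.3 us-east-1": evaluate([REGION_RESTRICT], run, {"aws:RequestedRegion": "us-east-1"}),
        "3.3 c5.large": evaluate([fam], run, {"ec2:InstanceType": "c5.large"}),
        "3.3 t3.micro": evaluate([fam], run, {"ec2:InstanceType": "t3.micro"}),
        "4.2 t3.micro": evaluate([sized], run, {"ec2:InstanceType": "t3.micro"}),
        "4.2 t3.nano": evaluate([sized], run, t3n),
        "5.3 io1": evaluate([sized, EBS_RESTRICT], run, {**t3n, "ec2:VolumeType": "io1"}),
        "5.3 gp2": evaluate([sized, EBS_RESTRICT], run, {**t3n, "ec2:VolumeType": "gp2"}),
    }
```

The io1 case shows why section 5 uses a Deny: the instance type is permitted by the family policy, yet the explicit Deny on the volume type still wins, which is the behaviour seen in step 5.3.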

5.1 Create the IAM Policy

  1. Log on to the console as your regular user with the required permissions, go to the IAM service page: Images/AWSEBSPolicy0.png

  2. Click on Policies on the left menu: Images/AWSEBSPolicy1.png

  3. Click Create policy: Images/AWSEBSPolicy2.png

  4. Click on the JSON tab: Images/AWSEBSPolicy3.png

  5. Open the following text file, then copy and paste the policy into the console. NOTE: ensure you copy the entire policy, including the start '{' and end '}': ./Code/EC2EBS_Restrict

  6. Click on Review Policy: Images/AWSEBSPolicy4.png

  7. Configure the following details:

    • Name: EC2EBS_Restrict
    • Description: Don't allow EBS io1 volumes
    • Click Create policy: Images/AWSEBSPolicy5.png

5.2 Attach the policy to the Cost Optimization group

  1. Click on Groups from the left menu: Images/AWSEBSPolicy6.png

  2. Click on the CostTest group: Images/AWSEBSPolicy7.png

  3. Click on Attach Policy: Images/AWSEBSPolicy8.png

  4. Click on Policy Type, then click Customer Managed: Images/AWSEBSPolicy9.png

  5. Select the checkbox next to EC2EBS_Restrict, and click Attach Policy: Images/AWSEBSPolicy10.png

Log out from the console

5.3 Verify the policy is in effect

  1. Log on to the console as the TestUser1 user, click on Services, then click EC2: Images/AWSEBSPolicy11.png

  2. Click Launch Instance: Images/AWSEBSPolicy12.png

  3. Click Select next to Amazon Linux 2...: Images/AWSEBSPolicy13.png

  4. Select t3.nano (which is allowed by the policy already applied and tested in the previous exercise), then click Next: Configure Instance Details: Images/AWSEBSPolicy14.png

  5. Click Next: Add Storage: Images/AWSEBSPolicy15.png

  6. Click on Add New Volume, click on the dropdown, then select Provisioned IOPS SSD (io1): Images/AWSEBSPolicy16.png

  7. Click Review and Launch: Images/AWSEBSPolicy17.png

  8. Take note of the security group created, and click Launch: Images/AWSEBSPolicy18.png

  9. Select Proceed without a key pair, and click I acknowledge that I will not be able to..., then click Launch Instances: Images/AWSEBSPolicy19.png

  10. The launch will fail, as it contained an io1 volume. Click Back to Review Screen: Images/AWSEBSPolicy20.png

  11. Scroll down and click Edit storage: Images/AWSEBSPolicy21.png

  12. Click the dropdown and change it to General Purpose SSD (gp2), then click Review and Launch: Images/AWSEBSPolicy22.png

  13. Click Launch: Images/AWSEBSPolicy18.png

  14. Select Proceed without a key pair, and click I acknowledge that I will not be able to..., then click Launch Instances: Images/AWSEBSPolicy23.png

  15. It will now succeed, as it doesn't contain an io1 volume type. Click on the instance ID and terminate the instance as above: Images/AWSEBSPolicy24.png

You have successfully implemented an IAM policy that denies operations if there is an EBS volume of type io1.

Log out of the console as TestUser1.

6. Tear down

Log onto the console as your regular user with the required permissions.

Delete a policy

We will delete the IAM policies created above, as they are no longer applied to any groups.

  1. Go to the IAM Console: Images/AWSPolicy1.png

  2. Click on Policies on the left: Images/AWSPolicy2.png

  3. Click on Filter Policies and select Customer managed: Images/AWSTeardown11.png

  4. Select the policy you want to delete, RegionRestrict: Images/AWSTeardown12.png

  5. Click on Policy actions, and select Delete: Images/AWSTeardown13.png

  6. Click on Delete: Images/AWSTeardown14.png

  7. Perform the same steps above to delete the EC2_FamilyRestrict and EC2EBS_Restrict policies.

  8. Click on Groups: Images/AWSTeardown15.png

  9. Select the CostTest group, click Group Actions, then click Delete Group: Images/AWSTeardown16.png

  10. Click Yes, Delete: Images/AWSTeardown17.png

  11. Click Users: Images/AWSTeardown18.png

  12. Select TestUser1, and click Delete user: Images/AWSTeardown19.png

  13. Click Yes, delete: Images/AWSTeardown20.png

  14. Go to the EC2 dashboard: Images/AWSTeardown21.png

  15. Click Security Groups on the left: Images/AWSTeardown22.png

  16. Select the security groups you took note of, and ensure they are the groups that were created during this lab. Click Actions, then select Delete Security Groups: Images/AWSTeardown23.png

  17. Triple check they are the groups you wrote down, and click Yes, Delete: Images/AWSTeardown24.png

  18. Confirm there are no unattached EBS volumes: go to the EC2 dashboard, click on Elastic Block Store, then click Volumes. You can sort by the Created column to help identify volumes that were not terminated as part of this lab.
