Extending cost optimization governance beyond compute instances raises the overall level of cost optimization. Just as there are different EC2 instance types, there are different EBS storage types, and governing which storage types can be created in an account is an effective way to minimize cost.
We will create an IAM policy that denies operations involving Provisioned IOPS (io1) EBS volumes. This restricts not only creating an io1 volume directly, but any other action that attempts to use this volume type, such as launching an instance with an io1 volume in its block device mapping.
NOTE: It is best practice to grant only the minimum access required. The policy used here is written for brevity and simplicity; implement it only as a demonstration and remove it afterwards.
Log on to the console as your regular user with the required permissions, and go to the IAM service page:
Click on Policies on the left menu:
Click Create policy:
Click on the JSON tab:
Copy and paste the policy into the console:
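The policy document itself is not reproduced on this page. The following is an added example, not the lab's own policy text, of a customer managed policy that produces the behaviour the lab describes: it uses the documented ec2:VolumeType condition key to deny any EC2 action on a volume resource whose type is io1, which covers both CreateVolume and RunInstances with an io1 block device mapping. The Sid and policy name are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIo1EbsVolumes",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "StringEquals": {
          "ec2:VolumeType": "io1"
        }
      }
    }
  ]
}
```

Because this is an explicit Deny scoped to the volume resource with a condition, a request for a gp2 volume does not match the condition and falls through to whatever Allow the user already has; an explicit Deny always wins over an Allow, so no other policy attached to the group can override it.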
Click on Review Policy:
Configure the following details:
You have successfully created an IAM policy to restrict EBS actions by volume type.
Click on Groups from the left menu:
Click on the CostTest group:
Click on Attach Policy:
Click on Policy Type, then click Customer Managed:
Select the checkbox next to EC2EBS_Restrict, and click Attach Policy:
You have successfully attached the policy to the CostTest group.
Log out from the console
Log on to the console as the TestUser1 user, click on Services, then click EC2:
Try to launch an instance by clicking Launch Instance, select Launch Instance:
Click Select next to Amazon Linux 2…:
Select t3.nano (which is allowed as per our already applied policy, which we tested in the last exercise), click Next: Configure Instance Details:
Click Next: Add Storage:
Click on Add New Volume, click on the dropdown, then select Provisioned IOPS SSD (io1):
Click Review and Launch:
Take note of the security group created, and click Launch:
Select Proceed without a key pair, check I acknowledge that I will not be able to…, then click Launch Instances:
The launch will fail because the request contained an io1 volume, which the policy explicitly denies. Click Back to Review Screen:
Scroll down and click Edit storage:
Click the dropdown and change it to General Purpose SSD (gp2), then click Review and Launch:
Click Launch:
Select Proceed without a key pair, check I acknowledge that I will not be able to…, then click Launch Instances:
The launch will now succeed, as the request no longer contains an io1 volume. Click on the instance ID and terminate the instance as above:
Log out of the console as TestUser1.
You have successfully implemented an IAM policy that denies operations if there is an EBS volume of type io1.
Lab complete!
Now that you have completed this lab, make sure to update your Well-Architected review if you have implemented these changes in your workload.
Click here to access the Well-Architected Tool