Create an IAM policy to restrict EBS Volume creation by volume type

Extending cost optimization governance beyond compute instances ensures higher overall levels of cost optimization. As with EC2 instances, there are different storage types, and governing which storage types can be created in an account is an effective way to minimize cost.

We will create an IAM policy that denies operations that contain provisioned IOPS (io1) EBS volume types. This will not only restrict creating a volume, but all other actions that attempt to use this volume type.

NOTE: it is best practice to grant only the minimum access required. The policy used here is written for brevity and simplicity; implement it only as a demonstration and remove it afterwards.
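The policy text pasted in step 5 below is not reproduced on this page. The following is an added example (not the lab's own policy) of a customer managed policy with the behaviour described above: it uses the ec2:VolumeType condition key, which is evaluated only on EC2 requests that carry a volume type, to deny any such request that specifies io1.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIo1Volumes",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:VolumeType": "io1"
        }
      }
    }
  ]
}
```

Because the Deny covers every ec2 action, it blocks not only CreateVolume and RunInstances with an io1 block device but any other request carrying that volume type, such as ModifyVolume; for a production account, narrow Action to the calls you need and Resource to volume ARNs.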

Create the EBS type restrictive IAM Policy

  1. Log on to the console as your regular user with the required permissions, and go to the IAM service page.

  2. Click on Policies in the left menu.

  3. Click Create policy.

  4. Click on the JSON tab.

  5. Copy and paste the policy into the console:

    IAM Policy

  6. Click on Review Policy.

  7. Configure the following details:

    • Name: EC2EBS_Restrict
    • Description: Don't allow EBS io1 volumes
    • Click Create policy.

You have successfully created an IAM policy to restrict EBS actions by volume type.

Apply the policy to your test group

  1. Click on Groups in the left menu.

  2. Click on the CostTest group.

  3. Click on Attach Policy.

  4. Click on Policy Type, then click Customer Managed.

  5. Select the checkbox next to EC2EBS_Restrict, and click Attach Policy.

You have successfully attached the policy to the CostTest group.

Log out from the console

Verify the policy is in effect

  1. Log on to the console as the TestUser1 user, click on Services, then click EC2.

  2. Try to launch an instance by clicking Launch Instance, then select Launch Instance.

  3. Click Select next to Amazon Linux 2….

  4. Select t3.nano (which is allowed by the policy applied and tested in the previous exercise), then click Next: Configure Instance Details.

  5. Click Next: Add Storage.

  6. Click on Add New Volume, click on the dropdown, then select Provisioned IOPS SSD (io1).

  7. Click Review and Launch.

  8. Take note of the security group created, and click Launch.

  9. Select Proceed without a key pair, click I acknowledge that I will not be able to…, then click Launch Instances.

  10. The launch will fail, as it contained an io1 volume. Click Back to Review Screen.

  11. Scroll down and click Edit storage.

  12. Click the dropdown and change the volume type to General Purpose SSD (gp2), then click Review and Launch.

  13. Click Launch.

  14. Select Proceed without a key pair, click I acknowledge that I will not be able to…, then click Launch Instances.

  15. The launch will now succeed, as it no longer contains an io1 volume type. Click on the instance ID and terminate the instance as above.

  16. Log out of the console as TestUser1.

You have successfully implemented an IAM policy that denies operations if there is an EBS volume of type io1.