To manage costs, you need to control AWS resource usage.
AWS offers multiple Regions, so depending on your business requirements, you can limit access to AWS services by Region.
This ensures that usage is only allowed in one or a few specific Regions, which is more cost-effective and minimizes usage and associated costs, e.g. data transfer fees.
For example, if the end user is in Vietnam, you would prioritize deploying the business’s system in the Singapore Region (ap-southeast-1), which is closer to Vietnam than the other AWS Regions.
Note: you need at least 2 IAM users to perform this lab; refer to the lab: ACCESS RIGHTS MANAGEMENT WITH AWS IAM (IDENTITY AND ACCESS MANAGEMENT)
Create Policy on User Admin
IAM
JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "ap-southeast-1"
                }
            }
        }
    ]
}
RegionRestrict
EC2 access in ap-southeast-1 only
Create Group
CostTest
RegionRestrict (the policy you created in step 1)
Create TestUser
In the User name field, enter TestUser
Select "Provide user access to the AWS Management Console - optional". This allows the user to access the AWS account administration interface.
Select "I want to create an IAM user".
Select "Autogenerated password". AWS will automatically generate the password used to log in to the AWS account administration interface.
Select "Users must create a new password at next sign-in - Recommended". The user must create a new password at the next login to the AWS account administration interface.
Note: In practice, as the cloud administrator, you should configure the user according to the steps above so that you cannot know the password of the IAM user you create and hand over to team members.
Select Next
Test the EC2 permission of Policy RegionRestrict in the Singapore region
EC2singapore
Check the EC2 deny permission of Policy RegionRestrict in the Tokyo region
EC2tokyo
Check the S3 service deny permission of Policy RegionRestrict in the Singapore region
s3
, select S3
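The three checks above can be reproduced offline with a simplified model of IAM policy evaluation. This is an added example, not part of the original lab. The function names `statement_matches` and `evaluate` are hypothetical, the request actions and the Tokyo Region code `ap-northeast-1` are chosen for illustration, and the model covers only Action wildcards and the StringEquals operator while ignoring Resource (which is `*` in this policy).

```python
import fnmatch
import json

# The RegionRestrict policy from step 1 of the lab.
REGION_RESTRICT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": "ec2:*",
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-1"}}
  }]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, context):
    """True if the statement applies to this action and request context."""
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt["Action"])):
        return False
    for operator, tests in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise ValueError(f"operator not modelled: {operator}")
        # Every key must match; a key missing from the request never matches.
        for key, allowed in tests.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True

def evaluate(policies, action, region):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = {"aws:RequestedRegion": region}
    effects = {s["Effect"] for p in policies for s in _as_list(p["Statement"])
               if statement_matches(s, action, context)}
    if "Deny" in effects:        # an explicit Deny always wins
        return "ExplicitDeny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```

Both denials in the lab are implicit: no statement matches, so nothing grants access. The restriction therefore holds only while TestUser has no other policy that allows the same action without the Region condition.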