Allow to use services by specific Region
Allows use of EC2 services only in Region Singapore
-
To manage costs you need to control AWS resource usage.
-
AWS offers multiple Regions, so depending on your business requirements, you can limit access to AWS services according to Region.
-
This can be used to ensure usage is only allowed in one or a few specific Regions, making it more cost-effective and minimizing usage and associated costs, e.g. data transfer fee.
-
For example, if the end user is in Vietnam, you will prioritize deploying the business’s system in Region Singapore (ap-southeast-1) where the distance is closer to Vietnam than other AWS Regions. remaining
-
Noted: you need at least 2 IAM Users to perform this lab, refer to the lab: ACCESS RIGHTS MANAGEMENT WITH AWS IAM (IDENTITY AND ACCESS MANAGEMENT)
-
Create Policy on User Admin
- In the AWS console, in the search box, enter
IAM - Select IAM service
- On the left side of the screen, select Policies
- Select Create policy
- Create policy in JSON data format instead of Visual. Select
JSON
- Scan the entire current code and press the Delete button
- Copy the following code into the Policy editor box, Scroll down and select Next
- Meaning: User only has full rights on EC2 service and only in Region Singapore
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": "ap-southeast-1" } } } ] }
- In the Policy name section, enter:
RegionRestrict - In the Description section, enter:
EC2 access in ap-southeast-1 only - Scroll to the bottom of the page and select Create policy
- In the AWS console, in the search box, enter
-
Create Group
- In IAM console, select User groups
- Select Create group
- In the User group name section, enter
CostTest
- In the Attach permissions policies - Optional section, enter into the search box
RegionRestrict(the policy you created in step 1) - Check the square icon to select policy RegionRestrict
- Select Create group
- Noted: if you pay attention to the type column, you will realize that our policy is of the Customer managed type, meaning the policy is created and managed by the customer.
- Otherwise, type AWS managed means policies are created and managed by AWS - and you cannot edit policies of this type
-
Create TestUser
- In IAM console, select User
- Select Create user
-
In the User name field, enter
TestUser -
Select Provide user access to the AWS Management Console - optional, meaning: allow this User to access the AWS account administration interface
-
Select I want to create an IAM user, meaning: you want to create an IAM user
-
Select Autogenerated password, meaning: AWS will automatically generate a password for you to log into the AWS account administration interface
-
Select Users must create a new password at next sign-in - Recommended, meaning: you must create a new password when using this User to access the AWS account administration interface - for the next login
-
Noted: In fact, in the role of cloud administrator, cloud admin, you should configure according to the steps above to ensure that you cannot know the password to access the IAMUser you create and hand over to team members.
- This requires team members to have responsibility for interacting with resources in the AWS account with least-privilege permissions, that the team member is given through IAMUser.
-
Select Next
- In the Permissions options section, select Add user to group
- In the User groups section, select group name: CostTest - that you created in step 2
- Select Next
- In the Review and create section, check the information and select Create user
- On the Retrieve Password page, select Download .csv file to download the necessary User login information.
- Noted: by adding User to Group, User has RegionRestrict rights. This applies according to Best Practice: centralized permission management by group instead of by user, avoiding policy omissions while adding or removing many permissions at the same time for a large number of users.
-
Test the EC2 permission of Policy RegionRestrict in the Singapore region
- Use the information you just downloaded to access the newly created User in step 2
- Because you selected the Users must create a new password at next sign-in - Recommended function in step 3, AWS requires a new password to be created.
- At the AWS console, check and make sure you are in Region Singapore. Select EC2
- Select Launch instance
- In the name field, enter
EC2singapore
- In the Key pair (login) section, select the triangle icon
- Select Proceed without a key pair
- Select Launch instance
- Noted:: in reality, to connect to EC2 - you need to select the function: create new key pair (create new key pair) or select existing keys in the list, however, in this lab, we only need to test the effectiveness of the policy so we do not need to log in to EC2.
- Result: EC2 was created successfully
-
Check the EC2 deny permission of Policy RegionRestrict in the Tokyo region
- Select Region Tokyo
- In the name field, enter
EC2tokyo
- In the Key pair (login) section, select the triangle icon
- Select Proceed without a key pair
- Select Launch instance
- Result: AWS cannot create EC2 -> you check in the interface and see reference information such as: AMI ID, instance type, VPC, subnet - all do not show the necessary values Let AWS create an instance based on that - because you are not authorized to perform the above actions
-
Check the S3 service deny permission of Policy RegionRestrict in the Singapore region
- Select Region Singapore
- In the search box, enter
s3, select S3
- Select the ☰ icon in the left corner of the screen
- Select Bucket
- Result: the system shows: you do not have permission to list existing buckets in S3
- Congratulations on completing the lab: using User admin to create a policy for User members who are only allowed to use EC2 service in Region Singapore