Managing EBS Volume Storage Types

Implementing EBS Volume Type Restrictions for Cost Optimization

EBS volume type restriction implementation

ℹ️ Information: Amazon Elastic Block Store (Amazon EBS) provides highly available, durable block-level storage volumes for EC2 instances with 99.999% availability. These persistent storage volumes can be attached to any EC2 instance in the same Availability Zone.

Understanding EBS Volume Types

AWS offers several EBS volume types optimized for different workload requirements:

  • General Purpose SSD (gp2, gp3): Balance of price and performance
  • Provisioned IOPS SSD (io1, io2): High-performance for I/O-intensive workloads
  • Throughput Optimized HDD (st1): Low-cost for frequently accessed, throughput-intensive workloads
  • Cold HDD (sc1): Lowest cost for less frequently accessed workloads

EBS volume types comparison

💡 Pro Tip: For development environments, gp3 is both cheaper and faster than gp2 at small volume sizes. At the Singapore Region prices used in this lab, a 100 GB gp3 volume costs $9.60 per month and comes with 3,000 baseline IOPS and 125 MiB/s of throughput regardless of size, whereas a 100 GB gp2 volume costs $12.00 per month ($2.40 more) and its baseline scales at only 3 IOPS per GiB, so 300 IOPS at that size.

EBS pricing comparison

Implementation Steps

  1. Create an IAM Policy to Restrict EBS Volume Types

    • Navigate to the IAM console by entering IAM in the AWS Management Console search box
    • Select IAM service

    Accessing the IAM console

    • In the navigation pane, select Policies
    • In the search box 🔍, enter EC2_InstanceTypeRestrict, then select the policy

    Locating the existing policy

    • Click Edit

    Editing the policy

    • Delete the existing policy content

    Clearing the policy editor

    • Copy and paste the following policy document (replace the account ID 148922931563 with your own), then click Next:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2:*",
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:148922931563:volume/*",
                "Condition": {
                    "StringNotLike": {
                        "ec2:VolumeType": "gp3"
                    }
                }
            },
            {
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:148922931563:instance/*",
                "Condition": {
                    "StringNotLike": {
                        "ec2:InstanceType": [
                            "t3.small",
                            "t3.large"
                        ]
                    }
                }
            }
        ]
    }


Policy JSON editor

  • Click Save changes

Saving policy changes

ℹ️ Information: The first statement grants every EC2 action. The two Deny statements then carve out exceptions for ec2:RunInstances: one is scoped to the volume resource and fires when the volume type is anything other than gp3, the other is scoped to the instance resource and fires when the instance type is not t3.small or t3.large. Because an explicit Deny always overrides an Allow, a launch that violates either condition fails, so users can launch only t3.small or t3.large instances backed by gp3 volumes. The ec2:VolumeType key belongs to the volume resource, which is why it is not repeated in the instance statement.

  2. Verify Policy Enforcement: Allowed Configuration (t3.small with gp3)

    • Log in as TestUser (created in lab 8.1)
    • Ensure you’re in the Singapore Region
    • In the search box 🔍, enter EC2
    • On the EC2 dashboard, click Launch instance
    • For Name, enter EC2_t3.small_gp3

    Naming EC2

    • Keep the default 64-bit (x86) architecture
    • For Instance type, select t3.small
    • For Key pair, select Proceed without a key pair

    Selecting instance type and key pair

    • In the Configure storage section, ensure gp3 is selected
    • Note that the IOPS value is 3000, the baseline every gp3 volume gets regardless of its size
    • Click Launch instance

    Configuring storage with gp3

    • Click the newly created Instance ID

    Selecting the new instance

    • Select the Storage tab, then click the Volume ID

    Successful instance creation

    • Verify that you’ve successfully created an EC2 instance with a t3.small instance type and gp3 EBS volume

    Volume details confirmation

  3. Verify Policy Enforcement: Denied Configuration (t3.small with gp2)

    • Navigate back to the EC2 dashboard
    • Click Launch instance
    • For Name, enter EC2_t3.small_gp2

    Launching another instance

    • Keep the default 64-bit (x86) architecture
    • For Instance type, select t3.small
    • For Key pair, select Proceed without a key pair

    Selecting instance configuration

    • In the Configure storage section, change the volume type to gp2
    • Expand Advanced to review the volume details

    Selecting gp2 volume type

    • Note that at the default root volume size the gp2 volume shows only 100 baseline IOPS (gp2 scales at 3 IOPS per GiB with a 100 IOPS minimum) and relies on burst credits to reach 3,000
    • Click Launch instance

    Launch attempt with gp2

    • You’ll receive an Instance launch failed error, confirming that the IAM policy blocks non-gp3 volume types. If the error includes an encoded authorization failure message, you can decode it with aws sts decode-authorization-message --encoded-message <message> (this needs the sts:DecodeAuthorizationMessage permission) to see which Deny statement matched

    Launch failure confirmation

⚠️ Warning: Because the condition is StringNotLike on gp3, the policy blocks launches with every other volume type: io1 and io2 (higher performance, but far more expensive than gp3), the HDD types st1 and sc1, and gp2.

  4. Additional Testing (Optional)

    You can further verify the policy effectiveness by attempting to launch EC2 instances with:

    • t3.small instance type with io1/io2 volumes (should be denied)
    • Other instance types with gp3 volumes (should be denied if not t3.small or t3.large)
    • t3.large instance type with gp3 volumes (should be allowed)
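The following is an added example and not part of the lab: a small, deliberately simplified model of how IAM evaluates the policy above against the launch requests in the test matrix, so the expected allow/deny outcomes can be checked offline before touching the console. It models only what this policy needs (wildcard matching on actions and resource ARNs, the StringNotLike operator, explicit Deny overriding Allow, per-resource evaluation of RunInstances) and is not the IAM engine. Assumptions: the region is ap-southeast-1, the wildcard ARNs IAM uses for resources that do not yet exist, and the hardened_policy variant, which is a hypothetical tightening that extends the gp3 Deny to ec2:CreateVolume and ec2:ModifyVolume to show why the lab policy alone does not stop a gp2 volume from being created outside RunInstances.

```python
import copy
import fnmatch

ACCOUNT = "148922931563"   # account ID exactly as it appears in the lab policy
REGION = "ap-southeast-1"  # assumed: the Singapore Region the lab uses

# The lab policy: a broad Allow on EC2 followed by two explicit Deny
# statements scoped to the volume and instance resources of RunInstances.
LAB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": f"arn:aws:ec2:*:{ACCOUNT}:volume/*",
         "Condition": {"StringNotLike": {"ec2:VolumeType": "gp3"}}},
        {"Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": f"arn:aws:ec2:*:{ACCOUNT}:instance/*",
         "Condition": {"StringNotLike": {"ec2:InstanceType": ["t3.small", "t3.large"]}}},
    ],
}


def hardened_policy(policy):
    """Hypothetical tightening (not from the lab): apply the gp3-only Deny to
    every action that creates or retypes a volume, not just RunInstances."""
    hardened = copy.deepcopy(policy)
    for stmt in hardened["Statement"]:
        cond = stmt.get("Condition", {}).get("StringNotLike", {})
        if stmt["Effect"] == "Deny" and "ec2:VolumeType" in cond:
            stmt["Action"] = ["ec2:RunInstances", "ec2:CreateVolume", "ec2:ModifyVolume"]
    return hardened


HARDENED_POLICY = hardened_policy(LAB_POLICY)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Only StringNotLike is modelled. Every key must hold. A key absent from the
    request context counts as satisfied, matching IAM's documented behaviour for
    negated operators (not exercised by the cases below)."""
    for key, patterns in condition.get("StringNotLike", {}).items():
        if key in context and any(
            fnmatch.fnmatchcase(context[key], p) for p in _as_list(patterns)
        ):
            return False
    return True


def _statement_applies(stmt, action, arn, context):
    return (
        any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt["Resource"]))
        and _condition_met(stmt.get("Condition", {}), context)
    )


def is_allowed(policy, action, resources):
    """Return True only if every resource in the request is allowed. An explicit
    Deny on any resource fails the whole call; no matching Allow is an implicit deny."""
    for arn, context in resources:
        decision = "implicit-deny"
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, arn, context):
                continue
            if stmt["Effect"] == "Deny":
                decision = "deny"
                break
            decision = "allow"
        if decision != "allow":
            return False
    return True


def run_instances(instance_type, volume_type):
    """RunInstances is authorized against the new instance and its root volume.
    IAM uses wildcard ARNs for resources that do not exist yet, and each
    resource carries only the condition keys that apply to it."""
    return "ec2:RunInstances", [
        (f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*", {"ec2:InstanceType": instance_type}),
        (f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/*", {"ec2:VolumeType": volume_type}),
    ]


def create_volume(volume_type):
    return "ec2:CreateVolume", [
        (f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/*", {"ec2:VolumeType": volume_type}),
    ]


if __name__ == "__main__":
    cases = [("t3.small", "gp3"), ("t3.small", "gp2"), ("m5.large", "gp3"), ("t3.large", "gp3")]
    for itype, vtype in cases:
        verdict = "allowed" if is_allowed(LAB_POLICY, *run_instances(itype, vtype)) else "denied"
        print(f"RunInstances {itype} + {vtype}: {verdict}")
    # The gap: the lab policy guards only RunInstances, so CreateVolume with gp2 succeeds.
    print("CreateVolume gp2, lab policy:     ", is_allowed(LAB_POLICY, *create_volume("gp2")))
    print("CreateVolume gp2, hardened policy:", is_allowed(HARDENED_POLICY, *create_volume("gp2")))
```

Against a real account the equivalent check is to run the same launches from the CLI with --dry-run (for example aws ec2 run-instances ... --dry-run with a gp2 block device mapping): the call returns DryRunOperation when the policy would allow it and UnauthorizedOperation when it would not, without creating anything. The IAM policy simulator gives the same answer per statement.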

🔒 Security Note: This policy is a cost guardrail built from a broad Allow plus explicit Deny statements. It prevents accidental provisioning of expensive instance and volume types, but it is not least privilege in the strict sense, because the ec2:* statement still grants every EC2 action. Two gaps to close before using it outside a lab: the Deny statements match only ec2:RunInstances, so a user can still create a gp2 or io2 volume with ec2:CreateVolume (or retype one with ec2:ModifyVolume) and attach it to an instance, and ec2:ModifyInstanceAttribute can change the instance type after launch. Extend the Deny statements to those actions (ec2:VolumeType is available on the volume resource for CreateVolume and ModifyVolume; check the Service Authorization Reference for the keys each action supports) and replace ec2:* with the specific actions developers actually need.