Limited use of EBS volume storage type
Limit usage of EBS volume storage type
-
Amazon Elastic Block Store (Amazon EBS) provides block level storage volumes for EC2 instances, making it possible to run your applications with persistent block volumes that offer 99.999% availability.
-
AWS provides SSDs and HDDs for volumes: General Purpose SSD volumes, Provisioned IOPS SSD volumes, Throughput Optimized HDD volumes, Cold HDD volumes. Learn more through the documentation: Amazon EBS volume types
- Suppose the dev team, with the need for versatile use, General Purpose SSD volumes are frequently used with two types: gp3 and gp2. In which the new gp3 baseline IOPS is 3000 with a cost of only 9.6 USD/100GB, 2.4 USD/100GB cheaper than gp2 whose baseline IOPS is only 300. AWS Pricing Calculator
-
Create an IAM Policy that only allows users to initialize EC2 with EBS volume: gp3
- In the AWS console, in the search box, enter
IAM - Select IAM service
- On the left side of the screen, select Policies
- In the search box 🔍, enter
EC2_InstanceTypeRestrict, Select EC2_InstanceTypeRestrict
- Select Edit
- Scan the entire current code and press the Delete button
- Copy the following code into the Policy editor box, scroll down and select Next
- Meaning: User has the right to create EC2 with instance type: t3.small, t3.large with EBS volume gp3
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*" }, { "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:148922931563:volume/*", "Condition": { "StringNotLike": { "ec2:VolumeType": "gp3" } } }, { "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:148922931563:instance/*", "Condition": { "StringNotLike": { "ec2:VolumeType": "gp3", "ec2:InstanceType": [ "t3.small", "t3.large" ] } } } ] }
- In the AWS console, in the search box, enter
-
Select Save changes
-
Check Permissions policies for Instance Type: t3.small and EBS volume gp3
- Log in to TestUser with the information you created in lab 8.1, step 4
- Make sure you are in Region Singapore
- In the search box 🔍, enter
EC2
- At the EC2 interface, in the middle of the page, select Launch instance
-
In the Name section, enter
EC2_t3.small_gp3 -
In the Architecture section, keep the value 64-bit (x86)
-
In the Instance type section, select the triangle symbol, enter
t3.small -
In the key pair name section, select the triangle symbol, select Proceed without a key pair (Not recommended)
- In the Configure storage section, select gp3
- Select launch instance
- Noted: you can see the IOPS is 3000
- where IOPS is a unit of measurement representing input/output operations per second
- Select Instance ID that has just been successfully created
Select Storage, select volume ID
- Congratulations, you have successfully created EC2 with instance type t3.small and EBS volume: gp3
-
Check Permissions policies for Instance Type: t3.small and EBS volume gp2
- In the search box 🔍, enter
EC2
- At the EC2 interface, in the middle of the page, select Launch instance
-
In the Name section, enter
EC2_t3.small_gp2 -
In the Architecture section, keep the value 64-bit (x86)
-
In the Instance type section, select the triangle symbol, enter
t3.small -
In the key pair name section, select the triangle symbol, select Proceed without a key pair (Not recommended)
-
In the Configure storage section, select the triangle symbol, select gp2
-
Select launch instance
-
Noted: you can see the IOPS is 100/3000
- which IOPS is a unit of measurement representing input/output operations per second
- You received the response Instance launch failed - because you are not authorized. This satisfies the permission policy: EC2_InstanceTypeRestrict that you changed in step 1.
- In the search box 🔍, enter
-
You can proceed to step 3 again, creating EC2 with instance type t3.small and EBS volume: io1, io2. To check the effectiveness of permission policy: EC2_InstanceTypeRestrict