Limit permission to delete resources by time period
Limit EC2 delete permissions by time period
-
At some important times of the year, such as holidays, black Friday, audit time,… the system needs to operate effectively to ensure it serves the business’s goals. Therefore, as a cloud admin and criteria of zero trust, you need to ensure that there are no unexpected resource deletion incidents during the above times.
-
So we will practice this lab based on the time of October 20
-
Create IAM Policy
- In the AWS console, in the search box, enter
IAM - Select IAM service
- On the left side of the screen, select
Policies - Select Create policy
- Create policy in JSON data format instead of Visual. Select
JSON
- Scan the entire current code and press the Delete button
-
Copy the following code into the Policy editor box, scroll down and select Next
-
Noted: for example, during the October 20 holiday (Vietnamese Women’s Day), you are not allowed to delete any EC2 during the period from October 15 to October 22. With format yyyy-mm-dd and timezone as UTC, you need:
- Change the value in the DateGreaterThan line to 2023-10-15
- Change the value in the DateLessThan line to 2023-10-22
- -> You must change the timelines above to correspond to the time you are doing the lab to achieve the desired results.
- In the AWS console, in the search box, enter
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": "ec2:TerminateInstances",
"Resource": "arn:aws:ec2:*:148922931563:instance/*",
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2023-10-15"
},
"DateLessThan": {
"aws:CurrentTime": "2023-10-22"
}
}
}
]
}
-
Select next
-
In the Policy name section, enter:
EC2_TimeRestrict -
In the Description section, enter:
Restrict terminate EC2 in one week -
Scroll to the bottom of the page and select Create policy
-
Add policy EC2_TimeRestrict to group CostTest
- At IAM Console, left section - select User groups
- Select CostTest
- Select Permissions
- Select Add permissions, select Attach policies
- In the search box 🔍, enter
EC2_TimeRestrict. - Check the box symbol □ to select a policy, select Attach policies
- Check Permissions policies
- Now in the CostTest group there is policy EC2_TimeRestrict, policy IP_Restrict and policy EC2_InstanceTypeRestrict that you created in lab 8.3
-
Check Permissions policies
- Log in to TestUser with the information you created in lab 8.1, step 4
- Make sure you are in Region Singapore
- In the search box 🔍, enter
EC2
- At the EC2 interface, in the middle of the page, select Launch instance
-
In the Name section, enter
EC2_Time -
In the Architecture section, keep the value 64-bit (x86)
-
In the Instance type section, select the triangle symbol, enter
t3.small -
In the key pair name section, select the triangle symbol, select Proceed without a key pair (Not recommended)
-
Select launch instance
- Select Instance ID that has just been successfully created
- Check the box symbol to select EC2 instance
- Select Instance state
- Select Terminate instance
- Select Terminate
- The system reports an error as shown in the picture because you are not authorized to delete EC2. This demonstrates the success of your policy creation in step 1.
-
Check Permissions policies with a different time period
- In the IAM interface, select Policies
- In the search box, enter EC2_TimeRestrict
- Select EC2_TimeRestrict
- Select Edit
- With format yyyy-mm-dd and time zone UTC, you need:
- Change the value in the DateGreaterThan line to 2023-12-15
- Change the value in the DateLessThan line to 2023-12-22
- -> You move from October to December
- Select Next
- Select Save changes
- Return to the EC2 interface
- Check the box symbol to select the EC2 instance you created in step 3
- Select Instance state
- Select Terminate instance
- Select Terminate
- Congratulations, you have successfully deleted EC2 when changing the time period.
- In reality, we just need to remove this policy from the group to delete EC2 and when you need, just edit it again in time and add it to IAM User Group.