At important times of the year, such as holidays, Black Friday or audit time, the system needs to operate effectively to serve the business's goals. Therefore, as a cloud admin applying the zero-trust criteria, you need to ensure that there are no unexpected resource deletion incidents during those times.
In this lab we will practice with the date of October 20.
Create IAM Policy
In the IAM console, select Policies and open the JSON editor.
Copy the following code into the Policy editor box, scroll down and select Next.
Note: for example, during the October 20 holiday (Vietnamese Women's Day), you are not allowed to delete any EC2 instance during the period from October 15 to October 22. With the date format yyyy-mm-dd and the timezone as UTC, you need:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:*:148922931563:instance/*",
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "2023-10-15"
        },
        "DateLessThan": {
          "aws:CurrentTime": "2023-10-22"
        }
      }
    }
  ]
}
```
Select Next.
In the Policy name section, enter: EC2_TimeRestrict
In the Description section, enter: Restrict terminate EC2 in one week
Scroll to the bottom of the page and select Create policy
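To see exactly which instants the Deny above matches, here is an added Python check (not part of the workshop) that evaluates the policy's DateGreaterThan/DateLessThan conditions against a given aws:CurrentTime offline. It treats a bare yyyy-mm-dd as midnight UTC, so with the strict operators the window runs from just after 2023-10-15 00:00 UTC to just before 2023-10-22 00:00 UTC, and October 22 itself is not covered; the region and instance ID in the sample ARN are constructed.

```python
import fnmatch
import json
import operator
from datetime import datetime, timezone

# The lab's policy, copied verbatim (account ID and dates are the page's own).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Deny",
    "Action": "ec2:TerminateInstances",
    "Resource": "arn:aws:ec2:*:148922931563:instance/*",
    "Condition": {
      "DateGreaterThan": {"aws:CurrentTime": "2023-10-15"},
      "DateLessThan":    {"aws:CurrentTime": "2023-10-22"}}}]}""")

# Constructed sample ARN in the lab's account (region and instance ID are made up).
SAMPLE_ARN = "arn:aws:ec2:ap-southeast-1:148922931563:instance/i-0123456789abcdef0"

# IAM date operators; the plain forms are strict comparisons.
DATE_OPS = {"DateGreaterThan": operator.gt, "DateGreaterThanEquals": operator.ge,
            "DateLessThan": operator.lt, "DateLessThanEquals": operator.le}

def parse_time(value: str) -> datetime:
    """W3C/ISO 8601 value as IAM accepts it; a bare date means midnight UTC."""
    if "T" not in value:
        value += "T00:00:00Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def condition_matches(condition: dict, now: datetime) -> bool:
    """All operator blocks in a Condition must hold (IAM ANDs them); date operators only."""
    return all(DATE_OPS[op](now, parse_time(pairs["aws:CurrentTime"]))
               for op, pairs in condition.items())

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_denied(policy: dict, action: str, resource: str, now: datetime) -> bool:
    """True when an explicit Deny statement matches action, resource and time.
    False only means this policy does not deny; an Allow must still grant the action."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), now):
            return True
    return False
```

If the holiday itself must be covered through the end of October 22, use a full timestamp such as 2023-10-22T23:59:59Z or the DateLessThanEquals operator instead of a bare date.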
Add policy EC2_TimeRestrict to group CostTest
Select EC2_TimeRestrict.
Check Permissions policies
Open the EC2 console.
In the Name section, enter EC2_Time
In the Architecture section, keep the value 64-bit (x86)
In the Instance type section, select the triangle symbol and enter t3.small
In the Key pair name section, select the triangle symbol and select Proceed without a key pair (Not recommended)
Select Launch instance
- The system reports an error, as shown in the picture, because you are not authorized to delete the EC2 instance. This demonstrates that the policy you created in step 1 works.
Check Permissions policies with a different time period