This document walks through the steps to implement cost and usage governance.
Goals:
Implement IAM Policies to control usage
The document provided may contain errors, but they should not affect the lab (the source document was obtained from wellarchitectedlabs.com).
Intro steps: Sign in to the Management Console with your root account. Once you are in the console, navigate to the IAM service from the search bar or the drop-down menu.
Step 1: From the IAM dashboard, go to Groups on the left-hand side and create a group named “CostTest”, then click Next Step, then click “Create group”.
Step 2: Back on the IAM dashboard, navigate to the Users tab and create the user “TestUser” with Management Console access and an auto-generated password. You will be able to review the password in the next step. (Not a recommended best practice, but copy and paste the password and sign-in link into a text editor, just for this example.)
Step 2a: Add TestUser to the CostTest Group
NOTE: TestUser was already added to my group, so when you do this step *TestUser* will appear; make sure the box is checked. (Sorry, I forgot to take a screenshot here. :)
Step 3: Navigate back to the IAM dashboard, go to Policies, and click Create policy.
Step 4: Click on the JSON tab and enter your policy. (NOTE: I made a mistake here by entering another policy that does not match this lab. The correct policy was obtained from the Well-Architected Labs *Region Restrict* policy.) My correction will be shown later. Then click on Review policy.
Step 5: Now we will attach the *Region Restrict Policy* to the CostTest group. Enter the following details, or adjust them to your liking.
Step 6: Now navigate back to the IAM dashboard and select the CostTest group. Under the group you will see TestUser. Click on the Permissions tab, then Attach Policy, filter the results to Customer managed, select the *RegionRestrict* policy, and click Attach.
Now we will verify that the policy is in effect (here is where I corrected my mistake of entering the wrong policy).
Switch to TestUser by logging in as the test user. Change the region in the top right corner (where you see N. Virginia, or whichever region you are operating in) and select US West (N. California). Navigate to the EC2 service, click Launch Instance, and you will notice that you get an error.
WHY? The RegionRestrict policy we attached limits us to launching certain resources only in the us-east-1 region. So now change the region back to us-east-1 (N. Virginia) and attempt to launch an EC2 instance; you will see that it lets you proceed, because you are now in the region in which the permissions allow you to provision an EC2 instance.
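As an added example (not the lab's own policy file and not text from the original write-up), here is a region-restrict policy of the kind Step 4 asks you to paste, together with a small offline evaluator that shows why the launch fails in US West (N. California) and proceeds in us-east-1. The policy body, its Sid, and the choice to restrict only ec2:RunInstances are my assumptions; the lab's actual RegionRestrict policy may cover more actions, but the mechanism is the same: an explicit Deny conditioned on aws:RequestedRegion.

```python
"""
Added example, not part of the original lab write-up or the Well-Architected
Labs material. The policy below is my reconstruction of a "RegionRestrict"
customer-managed policy (assumption), and the evaluator models only the
aws:RequestedRegion condition key with StringEquals / StringNotEquals, which
is all this policy needs.
"""
import json

ALLOWED_REGION = "us-east-1"

# Explicit Deny on EC2 instance launches outside the allowed region. An
# explicit Deny always wins over any Allow the user holds elsewhere, which is
# why attaching this one policy to the CostTest group is enough to block the
# launch in us-west-1 that the lab demonstrates.
REGION_RESTRICT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEc2LaunchOutsideAllowedRegion",  # assumed name
            "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGION}
            },
        }
    ],
}


def policy_json() -> str:
    """Return the policy as the JSON text you would paste into the IAM JSON tab."""
    return json.dumps(REGION_RESTRICT_POLICY, indent=4)


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action patterns may end in '*' (e.g. "ec2:*"); exact match otherwise.
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def _condition_holds(condition: dict, context: dict) -> bool:
    # Minimal evaluator: every operator/key pair in the Condition block must
    # hold (they are ANDed), and only string equality operators are modelled.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected_set = {expected} if isinstance(expected, str) else set(expected)
            if operator == "StringEquals" and actual not in expected_set:
                return False
            if operator == "StringNotEquals" and actual in expected_set:
                return False
    return True


def is_explicitly_denied(action: str, region: str,
                         policy: dict = REGION_RESTRICT_POLICY) -> bool:
    """True if some Deny statement in `policy` matches `action` in `region`."""
    context = {"aws:RequestedRegion": region}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(_action_matches(p, action) for p in actions):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    print(policy_json())
    for region in ("us-west-1", "us-east-1"):
        verdict = ("DENIED" if is_explicitly_denied("ec2:RunInstances", region)
                   else "not denied by this policy")
        print(f"ec2:RunInstances in {region}: {verdict}")
```

Two points worth keeping in mind when you run this against a real account. First, the policy only adds a Deny; TestUser still needs an Allow for ec2:RunInstances from somewhere (the console access granted in Step 2) for the us-east-1 launch to succeed. Second, once the policy is attached you can confirm the same verdicts without launching anything by using the IAM policy simulator, for example aws iam simulate-principal-policy with the TestUser ARN (placeholder: arn:aws:iam::123456789012:user/TestUser), --action-names ec2:RunInstances, and a --context-entries value that sets aws:RequestedRegion to us-west-1; the response should show implicitDeny or explicitDeny for the restricted region and allowed for us-east-1.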
I chose a c5.large, but you can choose a free-tier-eligible type, as we will be deleting this resource in a few steps. Click Review and Launch and note the security group, as we will need to delete it later. Proceed without a key pair because we will not be using this EC2 instance; normally you would place whatever software you want to run on this instance. If you attached the wrong policy as I did and this does not work, log back into your root account, delete the RegionRestrict policy under Policies in IAM, create a new policy with the correct details, and attach it to the CostTest group, which will then apply it to the only user in the group.
To delete your security group, navigate to the EC2 service. Scroll down on the left-hand side and click Security Groups, select the SG you want to delete, then click Actions and Delete. If you are unable to delete the SG, it is still attached to an EC2 instance that has not been terminated; terminate that instance first, then delete the group.
YOU HAVE NOW ATTACHED A REGION SPECIFIC POLICY TO AN IAM GROUP CONTAINING ONE USER.