https://github.com/rbilleci/aws-costcontrol-policies
aws cloudformation cost-control
- Host: GitHub
- URL: https://github.com/rbilleci/aws-costcontrol-policies
- Owner: rbilleci
- Created: 2021-06-29T11:04:14.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2021-06-29T15:02:13.000Z (over 4 years ago)
- Last Synced: 2024-09-06T15:27:07.826Z (about 1 year ago)
- Topics: aws, cloudformation, cost-control
- Homepage:
- Size: 2.93 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Overview
This project is a collection of AWS Service Control Policies (SCPs) that can be used to control costs across accounts.
The policies:
1. restrict use of expensive instance types for EC2 and Amazon SageMaker
2. restrict use of expensive RDS instance types
3. restrict access to specified regions
4. restrict access to certain services, such as Amazon Redshift

### Restrict SageMaker Studio Instance Types
This policy applies to SageMaker Studio apps and limits the instance types that can be used.
You can customize the `sagemaker:InstanceTypes` array in the condition property to control the allowed instance types.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictSageMakerStudioInstanceTypes",
"Effect": "Deny",
"Action": [
"sagemaker:CreateApp"
],
"Condition": {
"ForAnyValue:StringNotLike": {
"sagemaker:InstanceTypes": [
"default",
"system",
"*.medium",
"*.large",
"*.xlarge",
"*.2xlarge"
]
}
},
"Resource": [
"*"
]
}
]
}
```

### Restrict SageMaker Studio Notebook Instance Types
This policy restricts the instance types that may be used for SageMaker notebook instances.
You can customize the `sagemaker:InstanceTypes` array in the condition property to control which instance types are denied.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictSageMakerNotebookInstanceTypes",
"Effect": "Deny",
"Action": [
"sagemaker:CreateNotebookInstance"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"sagemaker:InstanceTypes": [
"u*.*",
"z*.*",
"i*.*",
"h*.*",
"d*.*",
"x*.*",
"*.metal",
"*.4xlarge",
"*.6xlarge",
"*.8xlarge",
"*.9xlarge",
"*.10xlarge",
"*.12xlarge",
"*.16xlarge",
"*.18xlarge",
"*.24xlarge",
"*.32xlarge"
]
}
}
}
]
}
```

### Restrict Instance Types for Training and Processing Jobs
This policy restricts the instance types that may be used for SageMaker training and processing jobs.
You can customize the `sagemaker:InstanceTypes` array in the condition property to control which instance types are denied.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictSageMakerJobInstanceTypes",
"Effect": "Deny",
"Action": [
"sagemaker:CreateProcessingJob",
"sagemaker:CreateTrainingJob"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"sagemaker:InstanceTypes": [
"u*.*",
"z*.*",
"i*.*",
"h*.*",
"d*.*",
"x*.*",
"*.metal",
"*.6xlarge",
"*.8xlarge",
"*.9xlarge",
"*.10xlarge",
"*.12xlarge",
"*.16xlarge",
"*.18xlarge",
"*.24xlarge",
"*.32xlarge"
]
}
}
}
]
}
```

### Restrict EC2 Instance Types
This policy restricts the instance types a user may launch with `ec2:RunInstances`.
You can customize the `ec2:InstanceType` array in the condition property to control which instance types are denied.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictEC2InstanceTypes",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Condition": {
"ForAnyValue:StringLike": {
"ec2:InstanceType": [
"u*.*",
"z*.*",
"i*.*",
"h*.*",
"d*.*",
"x*.*",
"*.metal",
"*.4xlarge",
"*.6xlarge",
"*.8xlarge",
"*.9xlarge",
"*.10xlarge",
"*.12xlarge",
"*.16xlarge",
"*.18xlarge",
"*.24xlarge",
"*.32xlarge"
]
}
},
"Resource": "arn:aws:ec2:*:*:instance/*"
}
]
}
```

### Restrict RDS Instance Types
This policy restricts the RDS database classes a user may create.
You can customize the `rds:DatabaseClass` array in the condition property to control which database classes are denied.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictRDSDatabaseClass",
"Effect": "Deny",
"Action": [
"rds:CreateDBInstance",
"rds:CreateDBCluster"
],
"Condition": {
"ForAnyValue:StringLike": {
"rds:DatabaseClass": [
"*.2xlarge",
"*.4xlarge",
"*.8xlarge",
"*.12xlarge",
"*.16xlarge",
"*.24xlarge"
]
}
},
"Resource": "*"
}
]
}
```

### Regional Access policy
This policy denies access to AWS services outside the specified regions, except for the global services listed under `NotAction`.
You can customize the `aws:RequestedRegion` array in the condition property to control the allowed regions.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRegionAccess",
"Effect": "Deny",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"eu-west-1"
]
}
},
"NotAction": [
"a4b:*",
"acm:*",
"aws-marketplace-management:*",
"aws-marketplace:*",
"aws-portal:*",
"budgets:*",
"ce:*",
"chime:*",
"cloudfront:*",
"config:*",
"cur:*",
"ec2:DescribeRegions",
"ec2:DescribeTransitGateways",
"ec2:DescribeVpnGateways",
"fms:*",
"globalaccelerator:*",
"health:*",
"iam:*",
"importexport:*",
"kms:*",
"mobileanalytics:*",
"networkmanager:*",
"organizations:*",
"pricing:*",
"route53:*",
"route53domains:*",
"s3:GetAccountPublic*",
"s3:ListAllMyBuckets",
"s3:PutAccountPublic*",
"shield:*",
"sts:*",
"support:*",
"trustedadvisor:*",
"waf-regional:*",
"waf:*",
"wafv2:*",
"wellarchitected:*"
],
"Resource": "*"
}
]
}
```

### Restrict access to specific services
This policy denies access to certain AWS services, such as Amazon Redshift.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictServices",
"Effect": "Deny",
"Action": [
"acm-pca:*",
"braket:*",
"cloudhsm:*",
"directconnect:*",
"outposts:*",
"redshift:*",
"snowball:*"
],
"Resource": "*"
}
]
}
```
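Before attaching any of the policies above to an OU, it is worth checking how they evaluate against the instance types, actions and regions actually in use. The following is an added Python example, not code from this repository: a small offline evaluator for the subset of IAM semantics these Deny-only SCPs rely on (`Action`/`NotAction` wildcards, the `String*` operators with IAM's `*` and `?` wildcards, and the `ForAnyValue:` set prefix on the multivalued `sagemaker:InstanceTypes` key). It embeds copies of the Studio, notebook and region policies from this README (the region policy's `NotAction` list is shortened) and a constructed probe list of instance types. Two things it makes visible: the Studio policy is an allow-list (Deny fires when any requested type fails to match, via `ForAnyValue:StringNotLike`) while the other policies are deny-lists, and a size pattern that is absent from a deny-list, such as `*.48xlarge`, is simply not blocked; likewise a pattern such as `u*.*` can only match a string beginning with `u`, so inside the SageMaker policies it never matches an `ml.`-prefixed type.

```python
"""Offline evaluator for Deny-only SCPs such as the ones in this README.

Added example, not code from the rbilleci/aws-costcontrol-policies repository. It covers
only the IAM semantics these policies use: Action/NotAction wildcards, the String*
operators with IAM's '*' and '?' wildcards, and the ForAnyValue:/ForAllValues: prefixes
for the multivalued sagemaker:InstanceTypes key. Resource matching is assumed to succeed.
"""
import re


def iam_match(pattern: str, value: str) -> bool:
    """StringLike matching: '*' is any run of characters, '?' one character; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def action_matches(statement: dict, action: str) -> bool:
    """Action lists match by wildcard; NotAction inverts the result, as IAM does."""
    listed = statement.get("Action", statement.get("NotAction", []))
    listed = [listed] if isinstance(listed, str) else listed
    hit = any(iam_match(p, action) for p in listed)
    return not hit if "NotAction" in statement else hit


def _single(op: str, value: str, patterns: list) -> bool:
    """One request value against one operator's pattern list."""
    if op == "StringEquals":
        return value in patterns
    if op == "StringNotEquals":
        return value not in patterns
    if op == "StringLike":
        return any(iam_match(p, value) for p in patterns)
    if op == "StringNotLike":
        return not any(iam_match(p, value) for p in patterns)
    raise ValueError(f"unsupported operator: {op}")


def condition_matches(condition: dict, context: dict) -> bool:
    """Every operator block and every key inside it must match (logical AND)."""
    for op, keys in condition.items():
        prefix, base_op = op.split(":", 1) if ":" in op else ("", op)
        for key, patterns in keys.items():
            patterns = [patterns] if isinstance(patterns, str) else patterns
            values = context.get(key)
            if prefix == "ForAnyValue":
                # IAM evaluates ForAnyValue as false when the key is absent or empty,
                # so a Deny built on it cannot fire on a request that omits the key.
                if not values or not any(_single(base_op, v, patterns) for v in values):
                    return False
            elif prefix == "ForAllValues":
                # ForAllValues is true for an absent key, hence its usual pairing with Null.
                if values and not all(_single(base_op, v, patterns) for v in values):
                    return False
            elif values is None:
                # Missing single-valued key: negated operators match, positive ones do not.
                if not base_op.startswith("StringNot"):
                    return False
            elif not _single(base_op, values, patterns):
                return False
    return True


def is_denied(policy: dict, action: str, context: dict) -> bool:
    """True if any Deny statement applies to this action under this request context."""
    return any(st.get("Effect") == "Deny" and action_matches(st, action)
               and condition_matches(st.get("Condition", {}), context)
               for st in policy["Statement"])


def allowed_types(policy: dict, action: str, key: str, candidates: list) -> list:
    """Run a catalogue of instance types through the policy; what comes back is not blocked."""
    return [t for t in candidates if not is_denied(policy, action, {key: [t]})]


# Copies of policies from this README; the region policy's NotAction list is shortened.
STUDIO_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RestrictSageMakerStudioInstanceTypes", "Effect": "Deny", "Resource": ["*"],
    "Action": ["sagemaker:CreateApp"],
    "Condition": {"ForAnyValue:StringNotLike": {"sagemaker:InstanceTypes": [
        "default", "system", "*.medium", "*.large", "*.xlarge", "*.2xlarge"]}}}]}
NOTEBOOK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RestrictSageMakerNotebookInstanceTypes", "Effect": "Deny", "Resource": "*",
    "Action": ["sagemaker:CreateNotebookInstance"],
    "Condition": {"ForAnyValue:StringLike": {"sagemaker:InstanceTypes": [
        "u*.*", "z*.*", "i*.*", "h*.*", "d*.*", "x*.*", "*.metal", "*.4xlarge", "*.6xlarge",
        "*.8xlarge", "*.9xlarge", "*.10xlarge", "*.12xlarge", "*.16xlarge", "*.18xlarge",
        "*.24xlarge", "*.32xlarge"]}}}]}
REGION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowRegionAccess", "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "sts:*", "s3:ListAllMyBuckets"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}

# Constructed probe catalogue; ml.g5.48xlarge is a size no pattern in the notebook list covers.
PROBE_TYPES = ["ml.t3.medium", "ml.p3.16xlarge", "ml.p4d.24xlarge", "ml.g5.48xlarge"]

if __name__ == "__main__":
    print("notebook policy lets through:", allowed_types(
        NOTEBOOK_POLICY, "sagemaker:CreateNotebookInstance", "sagemaker:InstanceTypes", PROBE_TYPES))
    print("Studio denies ml.g4dn.12xlarge:", is_denied(
        STUDIO_POLICY, "sagemaker:CreateApp", {"sagemaker:InstanceTypes": ["ml.g4dn.12xlarge"]}))
    print("ec2:RunInstances in ap-south-1 denied:", is_denied(
        REGION_POLICY, "ec2:RunInstances", {"aws:RequestedRegion": "ap-south-1"}))
```

Swap in the full policies and your own catalogue of instance types (for example the output of `aws ec2 describe-instance-types` or the SageMaker pricing list) to see exactly which sizes a deny-list still lets through before the policy reaches production; the Studio allow-list needs the opposite check, that every type your teams legitimately use matches one of its patterns.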