Create A Restriction Policy
    • 10 Sep 2024
    • 4 Minutes to read


    An Access Control Policy (ACP) limits the resources that can be provisioned within a lab's Resource Group. This prevents unexpected cloud costs by stopping users from creating resources that are not relevant to the lab content or are outside the scope of the Lab Profile.

    In Skillable Studio, ACPs are attached to a resource group. To add an ACP to a Lab Profile, you will need to create a resource template and configure a resource group first.

    Finding an Existing ACP

    Skillable Studio has a library of existing ACPs to make building common cloud labs easier and more secure. To find publicly accessible ACPs:

    1. From the Admin page, in the Cloud Services tile, select Access Control Policies.

    2. Add the filter Organization Name, select Does Equal, and enter Skillable Studio Managed.

    3. You can narrow your search further by filtering for the desired Cloud Platform and whether or not the ACP requires a Security Review:

    [Screenshot: Skillable Studio Find Access Control Policy search]

    These ACPs are created and maintained by Skillable and are publicly available to all developers. While the resources allowed by these ACPs will not change, their syntax is subject to change as cloud security best practices evolve.

    You can also search your own Organization's existing ACPs by following the same process and changing the Organization filter to your desired Organization.

    Creating an Access Control Policy in Skillable Studio

    1. Navigate to the Cloud Services tile on the Skillable Studio Admin page.

    2. Click Access Control Policies.

    3. Click Create Access Control Policy in the upper-right corner of the page.

      [Screenshot: Create Cloud Access Control Policy button]

    4. Enter the following values into the Create an Access Control Policy form:

      Tab                  Field Name              Field Value
      Basic Information    Name                    A name of your choosing.
                           Description             Describe the intentions and goals of the Access Control Policy.
                           Organization            Select the organization that the Access Control Policy will be available to.
                           Access Control Policy   Enter the Access Control Policy here, in JSON format.
                           Enabled                 Check the box to enable this Access Control Policy for use.

    ACP Examples

    Azure

    By default, Azure allows all resources to be provisioned unless they are denied by an access control policy.

    The example policy below denies the provisioning of any virtual machine unless its SKU is "Standard_DS3_v2":

    {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Compute/virtualMachines"
                },
                {
                    "not": {
                        "field": "Microsoft.Compute/virtualMachines/sku.name",
                        "in": [
                            "Standard_DS3_v2"
                        ]
                    }
                }
            ]
        },
        "then": {
            "effect": "Deny"
        }
    }
    

    AWS

    By default, AWS denies all resources from being provisioned unless they are allowed by an access control policy.

    The access control policy below allows all EC2 actions except launching instances (virtual machines). Other AWS services that are not defined in the policy will not be available for deployment.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "ec2:*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Effect": "Deny"
        }
      ]
    }
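The two example ACPs above rely on opposite defaults (Azure: allow unless denied; AWS: deny unless allowed, with an explicit Deny always winning). The following Python script is an added example, not Skillable's code and not the cloud providers' own policy engines: a minimal evaluator that runs the two JSON snippets above against constructed requests so both defaults can be checked side by side. It implements only the operators the snippets use (allOf, not, equals, in; Action/Resource wildcards). The resource field values, ARNs and the 123456789012 account id are constructed placeholders, and the Azure resource is modelled as a flat dict of policy alias to value.

```python
"""Added demo evaluator for the two example ACPs (constructed, not vendor code).

  * Azure Policy: allow by default; a rule whose "if" matches with effect Deny blocks it.
  * AWS IAM: deny by default; an Allow must match, and any explicit Deny wins.
"""
import json
import re

# The Azure example from the page.
AZURE_ACP = json.loads("""
{
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": ["Standard_DS3_v2"]}}
        ]
    },
    "then": {"effect": "Deny"}
}
""")

# The AWS example from the page.
AWS_ACP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "ec2:*", "Resource": "*", "Effect": "Allow"},
    {"Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*", "Effect": "Deny"}
  ]
}
""")


def _azure_match(cond, fields):
    """Evaluate one Azure Policy condition against a resource given as a dict of
    alias -> value (constructed model). A missing field never matches, so `not` of it does."""
    if "allOf" in cond:
        return all(_azure_match(c, fields) for c in cond["allOf"])
    if "not" in cond:
        return not _azure_match(cond["not"], fields)
    value = fields.get(cond["field"])
    if value is None:
        return False
    # Azure Policy string comparisons are case-insensitive.
    if "equals" in cond:
        return value.lower() == cond["equals"].lower()
    if "in" in cond:
        return value.lower() in {v.lower() for v in cond["in"]}
    raise ValueError(f"operator not supported by this demo: {cond}")


def azure_decision(policy, fields):
    """Default allow: Deny only when the rule matches and its effect is Deny."""
    if policy["then"]["effect"].lower() == "deny" and _azure_match(policy["if"], fields):
        return "Deny"
    return "Allow"


def _wildcard(pattern, value, ignore_case=False):
    """IAM-style matching: '*' is any run of characters, '?' a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def aws_decision(policy, action, resource):
    """Default deny: an explicit Deny beats any Allow; no match at all is an implicit deny."""
    effects = set()
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are matched as written.
        action_ok = any(_wildcard(p, action, True) for p in _as_list(stmt["Action"]))
        resource_ok = any(_wildcard(p, resource) for p in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


def aws_request_decision(policy, action, resources):
    """A call that is authorized against several resources (RunInstances touches the
    image, subnet, instance, ... ARNs) succeeds only if every one of them is allowed."""
    return "Allow" if all(aws_decision(policy, action, r) == "Allow" for r in resources) else "Deny"


if __name__ == "__main__":
    vm_ok = {"type": "Microsoft.Compute/virtualMachines",
             "Microsoft.Compute/virtualMachines/sku.name": "Standard_DS3_v2"}
    vm_bad = {**vm_ok, "Microsoft.Compute/virtualMachines/sku.name": "Standard_D2s_v3"}
    storage = {"type": "Microsoft.Storage/storageAccounts"}  # not a VM: the rule is silent
    for name, res in [("DS3_v2 VM", vm_ok), ("D2s_v3 VM", vm_bad), ("storage account", storage)]:
        print(f"Azure {name}: {azure_decision(AZURE_ACP, res)}")
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/*"          # constructed
    image = "arn:aws:ec2:us-east-1::image/ami-0constructed"              # constructed
    print("AWS DescribeInstances:", aws_decision(AWS_ACP, "ec2:DescribeInstances", "*"))
    print("AWS RunInstances:", aws_request_decision(AWS_ACP, "ec2:RunInstances", [image, instance]))
    print("AWS s3:GetObject:", aws_decision(AWS_ACP, "s3:GetObject", "arn:aws:s3:::constructed-bucket/key"))
```

Running it shows the point each example makes: the Azure rule denies the D2s_v3 VM and allows the DS3_v2 one, but says nothing about the storage account, which Azure's default therefore allows; the AWS policy allows DescribeInstances, denies RunInstances because the instance ARN hits the explicit Deny even though the image ARN is allowed, and denies s3:GetObject implicitly because no statement mentions S3.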
    

    ACP Authoring Resources

    For more in-depth information on how to create your own custom ACPs, our Lab developer GitHub provides examples of various ACPs, as well as guidance on how to create your own.

    Azure: For more information about the items that can be used in an Azure policy, see Microsoft Azure Access Control Policy Templates.

    AWS: To quickly generate a JSON policy for AWS, check out Amazon's AWS Policy Generator.

    Adding an Access Control Policy to a Cloud Slice Lab

    1. Navigate to the Lab Profile to which you are adding the ACP.

      You can search for your lab profile by doing the following:

      1. Return to the Skillable Studio Administration page.

      2. Select Find Lab Profiles to find your lab profile.

      3. Enter the name of the lab profile into the Name field, and change the operator drop-down adjacent to it to Equal.

      4. Select Search to find your lab profile.

      5. In the search results, click the Name of your lab profile to open the Lab Profile details view.

    2. Click Edit Profile to open the edit view.

    3. Select the Cloud tab.

    4. Scroll down to your resource group, then click Add Policy below the Access Control Policies heading.

    5. Enter the name you gave your Access Control Policy into the Name field (see Creating an ACP).

    6. Click Search to find your Access Control Policy (see Finding an Existing ACP).

    7. Select your Access Control Policy in the list of results, then click OK.

    8. Click Save to save the updated lab profile.

    With this Access Control Policy in place, lab users in the Cloud Slice lab will be restricted to creating the resources the ACP permits.

    Additional Information

    Changing the ACP on a Lab Profile or making changes to an ACP itself will invalidate a security review. To learn more about the security review process, check out our Cloud Security Review Documentation.

