Note: This blog is here to make your life easier.
Don't make your life complicated, just enjoy the blog. ^_^
This is my first time creating a blog. Please pardon the simplicity of my blog and look at the content. Enjoy reading! ^_^
Scenario
You are part of an organisation running a simple static website on AWS using Amazon S3 and Route 53 services.
Using https://labs.vocareum.com/main/, I will be covering the service and security requirements for hosting a static website on AWS.
Lab 1: Introduction to AWS IAM
Accessing the AWS Management Console
- Click START LAB in the upper right corner to launch the lab.
- Wait until you see the message "Lab status: ready".
- Then click X to close the Start Lab panel.
- At the top of the instructions, click AWS. (Note: another browser window will open; if it does not, check whether it was blocked and allow pop-ups.)
- Arrange the AWS Management Console in the other window for ready reference.
Task 1: Explore the Users and Groups
Exploring the users and groups that have been created for you in IAM
1. In the AWS Management Console, on the Services menu, click IAM.
2. In the navigation pane on the left, click Users.
The following IAM Users have been created for you:
- user-1
- user-2
- user-3
3. Click user-1.
This will bring you to the summary page for user-1. The Permissions tab will be displayed.
Note: the user name is shown in the upper right corner.
(Please note that I did not screenshot all the procedures down to step 31, because all of them are plainly visible in the AWS application.)
4. Notice that user-1 does not have any permissions.
5. Click the Groups tab.
user-1 is also not a member of any groups.
6. Click the Security credentials tab.
user-1 is assigned a Console password.
7. In the navigation pane on the left, click Groups.
The following groups have already been created for you:
- EC2-Admin
- EC2-Support
- S3-Support
8. Click the EC2-Support group.
This will bring you to the summary page for the EC2-Support group.
9. Click the Permissions tab.
This group has a Managed Policy associated with it, called AmazonEC2ReadOnlyAccess. Managed Policies are pre-built policies (built either by AWS or by your administrators) that can be attached to IAM Users, Groups and Roles. When the policy is updated, the changes are immediately applied to every User, Group and Role that has the policy attached.
10. Under Actions, click the Show Policy link.
A policy defines what actions are allowed or denied for specific AWS resources. This policy grants permission to List and Describe information about EC2, Elastic Load Balancing, CloudWatch and Auto Scaling. This ability to view resources, but not modify them, is ideal for a Support role. The basic structure of the statements in an IAM Policy is:
- Effect says whether to Allow or Deny the permissions.
- Action specifies the API calls that can be made against an AWS Service (e.g., cloudwatch:ListMetrics).
- Resource defines the scope of entities covered by the policy rule (e.g., a specific Amazon S3 bucket or Amazon EC2 instance, or *, which means any resource).
11. Close the Show Policy window.
12. In the navigation pane on the left, click Groups.
13. Click the S3-Support group.
The S3-Support group has the AmazonS3ReadOnlyAccess policy attached.
14. Below the Actions menu, click the Show Policy link.
This policy has permissions to Get and List resources in Amazon S3.
15. Close the Show Policy window.
16. In the navigation pane on the left, click Groups.
17. Click the EC2-Admin group.
This Group is slightly different from the other two. Instead of a Managed Policy, it has an Inline Policy, which is a policy embedded directly in a single User, Group or Role and cannot be shared. Inline Policies are typically used to apply permissions for one-off situations.
18. Under Actions, click Show Policy to view the policy.
This policy grants permission to view (Describe) information about Amazon EC2 and also the ability to Start and Stop instances.
19. At the bottom of the screen, click Cancel to close the policy.
Business Scenario
You will work with these Users and Groups to enable permissions supporting the following business scenario:
Your company is growing its use of Amazon Web Services, and is using many Amazon EC2 instances and a great deal of Amazon S3 storage. You wish to give access to new staff depending upon their job function:
Task 2: Add user to groups
- You have recently hired user-1 into a role where they will provide support for Amazon S3. You will add them to the S3-Support group so that they inherit the necessary permissions via the attached AmazonS3ReadOnlyAccess policy.
- You can ignore any "not authorized" errors that appear during this task. They are caused by your lab account having limited permissions and will not impact your ability to complete the lab.
Add user-1 to the S3-Support Group
20. In the left navigation pane, click Groups.
21. Click the S3-Support group.
22. Click the Users tab.
23. In the Users tab, click Add Users to Group.
24. In the Add Users to Group window, configure the following:
- Select user-1.
- At the bottom of the screen, click Add Users.
- In the Users tab you will see that user-1 has been added to the group.
Add user-2 to the EC2-Support Group
You have hired user-2 into a role where they will provide support for Amazon EC2.
25. Using similar steps to the ones above, add user-2 to the EC2-Support group.
- user-2 should now be part of the EC2-Support group.
Add user-3 to the EC2-Admin Group
26. Using similar steps to the ones above, add user-3 to the EC2-Admin group.
- user-3 should now be part of the EC2-Admin group.
27. In the navigation pane on the left, click Groups.
- Each Group should have a 1 in the Users column for the number of Users in each Group.
- If you do not have a 1 beside each group, revisit the instructions above to ensure that each user is assigned to a Group, as shown in the table in the Business Scenario section.
Task 3: Sign-In and Test Users
In this task, you will test the permissions of each IAM User.
28. In the navigation pane on the left, click Dashboard.
- An IAM users sign-in link is displayed. It will look similar to: https://123456789012.signin.aws.amazon.com/console
- This link can be used to sign in to the AWS Account you are currently using.
29. Copy the IAM users sign-in link to a text editor.
30. Open a private window.
Mozilla Firefox
- Click the menu bars at the top-right of the screen
- Select New Private Window
Google Chrome
- Click the ellipsis at the top-right of the screen
- Click New incognito window
Microsoft Edge
- Click the ellipsis at the top-right of the screen
- Click New InPrivate window
Microsoft Internet Explorer
- Click the Tools menu option
- Click InPrivate Browsing
31. Paste the IAM users sign-in link into your private window and press Enter.
- You will now sign in as user-1, who has been hired as your Amazon S3 storage support staff.
32. Sign-in with:
- IAM user name: user-1
- Password: lab-password
33. In the Services menu, click S3.
34. Click the name of one of your buckets and browse the contents.
- Since your user is part of the S3-Support Group in IAM, they have permission to view a list of Amazon S3 buckets and their contents.
- Now, test whether they have access to Amazon EC2.
35. In the Services menu, click EC2.
36. In the left navigation pane, click Instances.
- You cannot see any instances! Instead, it says "An error occurred fetching instance data: You are not authorized to perform this operation." This is because your user has not been assigned any permissions to use Amazon EC2.
- You will now sign in as user-2, who has been hired as your Amazon EC2 support person.
37. Sign user-1 out of the AWS Management Console:
- At the top of the screen, click user-1
- Click Sign Out
38. Paste the IAM users sign-in link into your private window and press Enter.
- This link should be in your text editor.
39. Sign-in with:
- IAM user name: user-2
- Password: lab-password
40. In the Services menu, click EC2.
41. In the navigation pane on the left, click Instances.
- You are now able to see an Amazon EC2 instance because you have Read Only permissions. However, you will not be able to make any changes to Amazon EC2 resources.
- If you cannot see an Amazon EC2 instance, then your Region may be incorrect. In the top-right of the screen, pull-down the Region menu and select the region that you noted at the start of the lab (e.g., N. Virginia).
- Your EC2 instance should be selected. If it is not selected, select it.
42. In the Actions menu, click Instance State > Stop.
43. In the Stop Instances window, click Yes, Stop.
Sample error:
You will receive an error stating "You are not authorized to perform this operation." This demonstrates that the policy only allows you to view information, without making changes.
Actual error: (screenshot)
44. At the Stop Instances window, click Cancel.
- Next, check if user-2 can access Amazon S3
45. In the Services menu, click S3.
You will receive an "Error Access Denied" because user-2 does not have permission to use Amazon S3.
You will now sign in as user-3, who has been hired as your Amazon EC2 administrator.
46. Sign user-2 out of the AWS Management Console:
- At the top of the screen, click user-2
- Click Sign Out
47. Paste the IAM users sign-in link into your private window and press Enter.
- If it is not in your clipboard, retrieve it from the text editor where you stored it earlier.
49. Sign-in with:
- IAM user name: user-3
- Password: lab-password
50. In the Services menu, click EC2.
51. In the navigation pane on the left, click Instances.
- As an EC2 Administrator, you should now have permissions to Stop the Amazon EC2 instance.
- Your EC2 instance should be selected. If it is not, please select it.
- If you cannot see an Amazon EC2 instance, then your Region may be incorrect. In the top-right of the screen, pull down the Region menu and select the region that you noted at the start of the lab (e.g., Oregon).
52. In the Actions menu, click Instance State > Stop.
53. In the Stop Instances window, click Yes, Stop.
- The instance will enter the stopping state and will shut down.
54. Close your private window.
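The Task 1 policy structure (Effect, Action, Resource), the Task 2 group memberships and the Task 3 sign-in tests all come down to how IAM evaluates identity-based policies. The following is an added example, not part of the lab and not AWS's own code: a small Python model of that evaluation. The three policy documents are simplified reconstructions of what Task 1 describes (AmazonS3ReadOnlyAccess, AmazonEC2ReadOnlyAccess and the EC2-Admin inline policy), not the exact managed-policy text AWS ships, and DENY_STOP is a constructed extra that the lab does not contain, included only to show that an explicit Deny overrides an Allow. Running it reproduces what each user saw in the console without signing in.

```python
"""Tiny model of IAM identity-policy evaluation for the lab's users and groups.

Added example, not lab or AWS code. The three policy documents are simplified
reconstructions of what Task 1 describes, not the exact managed-policy text
AWS ships; DENY_STOP is a constructed extra that is not in the lab.
Evaluation follows the documented IAM rules for identity-based policies:
everything is denied unless an Allow matches, and an explicit Deny wins.
"""
import fnmatch
import json

# Managed policy on the S3-Support group: Get and List on Amazon S3.
S3_READ_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
  ]
}""")

# Managed policy on the EC2-Support group: List/Describe only, no changes.
EC2_READ_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
                "cloudwatch:List*", "cloudwatch:Get*", "cloudwatch:Describe*",
                "autoscaling:Describe*"],
     "Resource": "*"}
  ]
}""")

# Inline policy embedded in the EC2-Admin group: Describe plus Start/Stop.
EC2_ADMIN_INLINE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "*"}
  ]
}""")

# Constructed for this example only: an explicit Deny on stopping instances.
DENY_STOP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": "ec2:StopInstances", "Resource": "*"}]
}""")

GROUP_POLICIES = {
    "S3-Support": [S3_READ_ONLY],
    "EC2-Support": [EC2_READ_ONLY],
    "EC2-Admin": [EC2_ADMIN_INLINE],
}

# Task 2 of the lab: each user is placed in exactly one group.
USER_GROUPS = {
    "user-1": ["S3-Support"],
    "user-2": ["EC2-Support"],
    "user-3": ["EC2-Admin"],
}


def _as_list(value):
    """IAM lets Action/Resource/Statement be a single string or a list."""
    return value if isinstance(value, list) else [value]


def statement_matches(statement, action, resource):
    """True if this statement covers the requested action and resource."""
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                    for p in _as_list(statement.get("Action", [])))
    resource_ok = any(fnmatch.fnmatchcase(resource, p)
                      for p in _as_list(statement.get("Resource", [])))
    return action_ok and resource_ok


def evaluate(policies, action, resource="*"):
    """Return 'Allow' or 'Deny' for one request across a set of policies."""
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if statement_matches(statement, action, resource):
                if statement["Effect"] == "Deny":
                    return "Deny"          # explicit Deny overrides any Allow
                allowed = True
    return "Allow" if allowed else "Deny"  # implicit Deny when nothing matches


def policies_for_user(user):
    """Policies a user inherits through the groups it belongs to."""
    return [p for g in USER_GROUPS.get(user, []) for p in GROUP_POLICIES[g]]


def check(user, action, resource="*"):
    """Evaluate one console action for one lab user."""
    return evaluate(policies_for_user(user), action, resource)


if __name__ == "__main__":
    # Replays the Task 3 sign-in tests without opening a browser.
    for user, action in [("user-1", "s3:ListBucket"), ("user-1", "ec2:DescribeInstances"),
                         ("user-2", "ec2:DescribeInstances"), ("user-2", "ec2:StopInstances"),
                         ("user-2", "s3:ListAllMyBuckets"), ("user-3", "ec2:StopInstances")]:
        print(f"{user:7} {action:24} -> {check(user, action)}")
    # An explicit Deny attached alongside the admin policy blocks Stop but not Start.
    print("user-3 + DENY_STOP ec2:StopInstances ->",
          evaluate(policies_for_user("user-3") + [DENY_STOP], "ec2:StopInstances"))
```

The model deliberately covers only identity-based policies with Allow/Deny, Action and Resource; real IAM evaluation also takes in resource-based policies, permission boundaries, SCPs and Condition keys, so use the IAM policy simulator or `aws iam simulate-principal-policy` for anything beyond this lab.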
Lab Complete
Congratulations! You have completed the lab.
55. Click End Lab at the top of this page and then click Yes to confirm that you want to end the lab.
- A panel will appear, indicating that "DELETE has been initiated... You may close this message box now."
56. Click the X in the top right corner to close the panel.
Identities (Users, Groups, and Roles)
Users:
An IAM user is an entity that you create in AWS. The IAM user represents the person or service who uses the IAM user to interact with AWS. A primary use for IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI. A user in AWS consists of a name, a password to sign into the AWS Management Console, and up to two access keys that can be used with the API or CLI. When you create an IAM user, you grant it permissions by making it a member of a group that has appropriate permission policies attached (recommended), or by directly attaching policies to the user. You can also clone the permissions of an existing IAM user, which automatically makes the new user a member of the same groups and attaches all the same policies.
Groups:
An IAM group is a collection of IAM users. You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. Any user in that group automatically has the permissions that are assigned to the group. If a new user joins your organization and should have administrator privileges, you can assign the appropriate permissions by adding the user to that group. Similarly, if a person changes jobs in your organization, instead of editing that user's permissions, you can remove him or her from the old groups and add him or her to the appropriate new groups. Note that a group is not truly an identity because it cannot be identified as a Principal in a resource-based or trust policy. It is only a way to attach policies to multiple users at one time.
Roles:
An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. However, a role does not have any long-term credentials (password or access keys) associated with it; whoever assumes the role receives temporary security credentials from AWS STS instead. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it and who is listed in the role's trust policy. An IAM user can assume a role to temporarily take on different permissions for a specific task. A role can be assigned to a federated user who signs in by using an external identity provider instead of IAM. AWS uses details passed by the identity provider to determine which role is mapped to the federated user.
Thanks for visiting my blog.
Email me at: aileen-pacia@live.nmit.ac.nz
“I can do all things through Christ who strengthens me.”
Philippians 4:13