SEC545 Resources

Bonus Material

Lab Resources

Lab 1.1 Billing Alarms

This CloudFormation Template creates four billing alarms to alert you if your account is accruing charges beyond what is expected for this class.

Lab 2.2 VPC CloudFormation

Like learning long division in grade school, we do it the hard way before doing it the easy way. This CloudFormation Template has all the components needed to build a two-tier, three AZ VPC for the class.

Lab 3.1 Bonus Commands

CLI Method to create the IAM User, Group and Roles:

aws iam create-user --user-name sec545-day3
aws iam create-login-profile --user-name sec545-day3 --password Passw0rd
aws iam attach-user-policy --user-name sec545-day3 --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
aws iam create-group --group-name s3-lab
aws iam add-user-to-group --user-name sec545-day3 --group-name s3-lab

Easy way to put files into your bucket:

aws s3 mb s3://sec545-3.1-YOURNAME
aws s3 sync s3://sec545-labs/Materials/lab3.1/bucket-contents/ s3://sec545-3.1-YOURNAME

Grant user access to finance folder:

aws iam put-group-policy --group-name s3-lab --policy-name finance --policy-document https://sec545-labs.s3.amazonaws.com/Materials/lab3.1/FinanceTeam.json
# AWS CLI v1 fetches the policy from that URL for you; CLI v2 no longer follows URL parameters, so with v2 download FinanceTeam.json first and pass --policy-document file://FinanceTeam.json

JSON for above Finance Access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowFinanceLevelListingOfBucket",
      "Action": ["s3:ListBucket*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::sec545-3.1-jcf"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["Finance/"]
        }
      }
    }
  ]
}
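To see what the policy above actually grants, here is a small evaluator added as an example (it is not part of the course material and not the real IAM engine). It embeds a copy of the FinanceTeam.json policy, models only what the policy uses (implicit deny, explicit Deny wins, wildcard Action/Resource matching, a StringEquals condition on s3:prefix) and then runs the requests a lab user might try. The request names and the object key Finance/q1.csv are made up for the example; the bucket ARN is the one from the policy.

```python
import fnmatch
import json

# Copy of the lab's FinanceTeam.json policy, embedded here so the example runs
# offline (the bucket name sec545-3.1-jcf is the one the lab policy uses).
FINANCE_POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowFinanceLevelListingOfBucket",
      "Action": ["s3:ListBucket*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::sec545-3.1-jcf"],
      "Condition": {"StringEquals": {"s3:prefix": ["Finance/"]}}
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action, Resource and
    condition values; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the condition block. Only StringEquals is implemented because that is
    all this policy uses; every key must match, and a key missing from the request
    context (e.g. a ListBucket call with no prefix) fails the match, as in IAM."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled here")
        for key, wanted in pairs.items():
            if context.get(key) not in _as_list(wanted):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified identity-policy evaluation: implicit deny, an explicit Deny wins,
    otherwise a statement whose Action, Resource and Condition all match grants the
    request. IAM's '*' and '?' wildcards map onto fnmatch's, which is why it is used."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def finance_policy_matrix():
    """Requests a lab user might try (constructed), mapped to the policy's decision."""
    bucket = "arn:aws:s3:::sec545-3.1-jcf"
    return {
        "list all buckets": is_allowed(FINANCE_POLICY, "s3:ListAllMyBuckets", "arn:aws:s3:::*"),
        "list Finance/": is_allowed(FINANCE_POLICY, "s3:ListBucket", bucket, {"s3:prefix": "Finance/"}),
        "list HR/": is_allowed(FINANCE_POLICY, "s3:ListBucket", bucket, {"s3:prefix": "HR/"}),
        "list bucket root": is_allowed(FINANCE_POLICY, "s3:ListBucket", bucket),
        "read Finance object": is_allowed(FINANCE_POLICY, "s3:GetObject", bucket + "/Finance/q1.csv"),
    }


if __name__ == "__main__":
    for request, decision in finance_policy_matrix().items():
        print(f"{request:22s} -> {'Allow' if decision else 'Deny'}")
```

Two results are worth noticing: listing the bucket without a prefix is denied, because the s3:prefix key is absent from that request and StringEquals on a missing key never matches; and reading an object under Finance/ is also denied, because the policy only grants ListBucket*, so a separate s3:GetObject statement scoped to the Finance/ key prefix is needed before the group can open files.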

Lab 3.2 Bonus Commands

Demo that we’re using the role:

aws sts get-caller-identity

MetaData hack:

role_name=$( curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ ) && echo $role_name
### All Your Creds Are Belong to Us!
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${role_name}
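The unauthenticated GET above works only while IMDSv1 is enabled on the instance. The following audit is an added example (not course material) of the check a defender runs over the JSON output of aws ec2 describe-instances: it flags instances whose MetadataOptions still allow IMDSv1 or allow a hop limit above 1, rates them higher when an instance profile (and therefore role credentials) is attached, and prints the modify-instance-metadata-options command that enforces IMDSv2. The sample response, instance IDs and account number are constructed.

```python
import json

# Constructed sample of `aws ec2 describe-instances --output json`, trimmed to the
# fields this check reads. Instance IDs and the account number are made up.
SAMPLE_DESCRIBE_INSTANCES = json.loads(r"""
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0000000000000aaaa",
       "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/sec545-lab-role"},
       "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                           "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
      {"InstanceId": "i-0000000000000bbbb",
       "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/sec545-lab-role"},
       "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                           "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
      {"InstanceId": "i-0000000000000cccc",
       "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                           "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}}
    ]}
  ]
}
""")


def audit_imds(describe_instances, max_hop_limit=1):
    """Return {instance_id: {"severity": ..., "reasons": [...]}} for instances whose
    metadata service settings leave the credential endpoint reachable without the
    IMDSv2 token handshake. Instances with the endpoint disabled are skipped."""
    findings = {}
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # no metadata service at all, nothing to fetch
            reasons = []
            v1_open = opts.get("HttpTokens", "optional") != "required"
            if v1_open:
                reasons.append("IMDSv1 allowed (HttpTokens != required)")
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > max_hop_limit:
                reasons.append(f"HttpPutResponseHopLimit={hops} exceeds {max_hop_limit}")
            if not reasons:
                continue
            has_role = "IamInstanceProfile" in inst
            if v1_open and has_role:
                severity = "high"      # role credentials are one plain GET away
            elif v1_open:
                severity = "medium"    # IMDSv1 on, but no role to harvest today
            else:
                severity = "low"       # only the hop limit is wider than policy
            findings[inst["InstanceId"]] = {"severity": severity, "reasons": reasons}
    return findings


def remediation_command(instance_id):
    """CLI line that disables IMDSv1 on one instance by requiring session tokens."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            f"--http-tokens required --http-endpoint enabled")


if __name__ == "__main__":
    for instance_id, finding in audit_imds(SAMPLE_DESCRIBE_INSTANCES).items():
        print(instance_id, finding["severity"], "; ".join(finding["reasons"]))
        if finding["severity"] != "low":
            print("  fix:", remediation_command(instance_id))
```

Feed it real data with json.load on the output of aws ec2 describe-instances --output json. Containers that need metadata from a host with IMDSv2 enforced are the usual reason for a hop limit of 2, which is why that setting is reported separately at low severity rather than folded into the IMDSv1 finding.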

Lab 5.1

Commands as standalone:

# This is not a bash script, but you can cut-n-paste from this

#
# Create a New Security Group
#

# Step 1: Navigate to the VPC Console and get your VPC ID or run the following command:
aws ec2 describe-vpcs --filter "Name=isDefault,Values=true" --query 'Vpcs[].VpcId' --output table

aws ec2 describe-vpcs --filter "Name=isDefault,Values=true" --query 'Vpcs[].VpcId' --output text
# The output of this is VPCID (the --query expression is quoted so the shell does not treat the [] as a glob)

# Step 2: Create a new security group with the CLI (replace the VPC ID with your own).
aws ec2 create-security-group --group-name SEC545-CLILAB --description "Basic SEC545 securitygroup" --vpc-id <VPCID>
# The output of this is GROUPID

# To look the group ID up again later by name (no --group-ids value is needed; the --query expression does the filtering):
aws ec2 describe-security-groups --query 'SecurityGroups[?GroupName==`SEC545-CLILAB`].GroupId' --output text

# Step 3: The following command creates a rule in your security group to allow traffic in on port 22.
aws ec2 authorize-security-group-ingress --group-name SEC545-CLILAB --protocol tcp --port 22 --cidr 0.0.0.0/0

# Step 4: The following command creates a rule in your security group to allow traffic in on port 443.
aws ec2 authorize-security-group-ingress --group-name SEC545-CLILAB --protocol tcp --port 443 --cidr 0.0.0.0/0

# Step 5: Run the following command to query your security group details:
aws ec2 describe-security-groups --group-ids <GROUPID> --output table

#
# Create a New AWS EC2 Keypair (SSH Key)
#

# Step 1: Run the following command in the console to create an AWS keypair to use with EC2 instances.
aws ec2 create-key-pair --key-name SANS545Lab51 --query "KeyMaterial" --output text > SANS545Lab51.pem
chmod 600 SANS545Lab51.pem

#
# Create an EC2 Instance to Use Your New AWS EC2 Keypair
#

# Step 1: Retrieve the latest AWS EC2 Linux AMI.
aws ec2 describe-images --owners amazon --filters 'Name=description,Values=Amazon Linux AMI ????.??.? x86_64*' --query 'sort_by(Images,&CreationDate)[-1].ImageId' --output text
# Output of this is IMAGEID

# Step 2: Create an EC2 instance. Replace <IMAGEID> with the AMI ID from Step 1 and <GROUPID> with your security group ID.
aws ec2 run-instances --image-id <IMAGEID> --security-group-ids <GROUPID> --count 1 --instance-type t2.micro --key-name SANS545Lab51 --query "Instances[0].InstanceId" --output text
# Output of this is INSTANCE
aws ec2 describe-instances --instance-ids <INSTANCE>

# Step 3: Run the following command to get the public IP address, replacing <INSTANCE> with your instance ID.
aws ec2 describe-instances --instance-ids <INSTANCE> --query "Reservations[0].Instances[0].PublicIpAddress" --output text

# Step 5: To generate a sample JSON file to create instances, try the following:
aws ec2 run-instances --generate-cli-skeleton > RunInstances.json

#
# Query EC2 Instances
#
# Step 1: Run a query to list t2.micro instances. We should have one running.
aws ec2 describe-instances --filters "Name=instance-type,Values=t2.micro"

# Step 2: Now add a tag to your running instance – Key: Quarantine, Value: Yes
aws ec2 create-tags --resources <INSTANCE> --tags 'Key=Quarantine,Value=Yes'

# Step 3: Run a filter query looking for only the Quarantine tag in place.
aws ec2 describe-instances --filters "Name=tag-key,Values=Quarantine"
aws ec2 describe-instances --filters "Name=tag-key,Values=Quarantine" --query "Reservations[].Instances[].InstanceId" --output text

# Step 4: Find instances running on the xen hypervisor.
aws ec2 describe-instances --filters "Name=hypervisor,Values=xen" --query "Reservations[].Instances[].InstanceId" --output text

Commands as Bash:

# Not a standalone bash script, but these lines can be pasted into a bash session in order; each step stores the ID it produces in a shell variable that the next step uses

#
# Create a New Security Group
#

# Step 1: Navigate to the VPC Console and get your VPC ID or run the following command:
aws ec2 describe-vpcs --filter "Name=isDefault,Values=true" --query 'Vpcs[].VpcId' --output table

VPCID=$(aws ec2 describe-vpcs --filter "Name=isDefault,Values=true" --query 'Vpcs[].VpcId' --output text) && echo $VPCID

# Step 2: Create a new security group with the CLI (replace the VPC ID with your own).
aws ec2 create-security-group --group-name SEC545-CLILAB --description "Basic SEC545 securitygroup" --vpc-id $VPCID

GROUPID=$(aws ec2 describe-security-groups --query 'SecurityGroups[?GroupName==`SEC545-CLILAB`].GroupId' --output text) && echo $GROUPID

# Step 3: The following command creates a rule in your security group to allow traffic in on port 22.
aws ec2 authorize-security-group-ingress --group-name SEC545-CLILAB --protocol tcp --port 22 --cidr 0.0.0.0/0

# Step 4: The following command creates a rule in your security group to allow traffic in on port 443.
aws ec2 authorize-security-group-ingress --group-name SEC545-CLILAB --protocol tcp --port 443 --cidr 0.0.0.0/0

# Step 5: Run the following command to query your security group details:
aws ec2 describe-security-groups --group-ids $GROUPID --output table

#
# Create a New AWS EC2 Keypair (SSH Key)
#

# Step 1: Run the following command in the console to create an AWS keypair to use with EC2 instances.
aws ec2 create-key-pair --key-name SANS545Lab51 --query "KeyMaterial" --output text > SANS545Lab51.pem
chmod 600 SANS545Lab51.pem

#
# Create an EC2 Instance to Use Your New AWS EC2 Keypair
#

# Step 1: Retrieve the latest AWS EC2 Linux AMI.
IMAGEID=$(aws ec2 describe-images --owners amazon --filters 'Name=description,Values=Amazon Linux AMI ????.??.? x86_64*' --query 'sort_by(Images,&CreationDate)[-1].ImageId' --output text) && echo $IMAGEID

# Step 2: Create an EC2 instance using the AMI ID and security group ID captured in $IMAGEID and $GROUPID above.
INSTANCE=$(aws ec2 run-instances --image-id $IMAGEID --security-group-ids $GROUPID --count 1 --instance-type t2.micro --key-name SANS545Lab51 --query "Instances[0].InstanceId" --output text) && echo $INSTANCE
aws ec2 describe-instances --instance-ids $INSTANCE

# Step 3: Run the following command to get the public IP address of $INSTANCE.
aws ec2 describe-instances --instance-ids $INSTANCE --query "Reservations[0].Instances[0].PublicIpAddress" --output text

# Step 5: To generate a sample JSON file to create instances, try the following:
aws ec2 run-instances --generate-cli-skeleton > RunInstances.json

#
# Query EC2 Instances
#
# Step 1: Run a query to list t2.micro instances. We should have one running.
aws ec2 describe-instances --filters "Name=instance-type,Values=t2.micro"

# Step 2: Now add a tag to your running instance – Key: Quarantine, Value: Yes
aws ec2 create-tags --resources $INSTANCE --tags 'Key=Quarantine,Value=Yes'

# Step 3: Run a filter query looking for only the Quarantine tag in place.
aws ec2 describe-instances --filters "Name=tag-key,Values=Quarantine"
aws ec2 describe-instances --filters "Name=tag-key,Values=Quarantine" --query "Reservations[].Instances[].InstanceId" --output text

# Step 4: Find instances running on the xen hypervisor.
aws ec2 describe-instances --filters "Name=hypervisor,Values=xen" --query "Reservations[].Instances[].InstanceId" --output text
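Steps 3 and 4 of the security group section open ports 22 and 443 to 0.0.0.0/0, which is fine for a lab and exactly what an audit should catch in production. The following is an added example (not course material) of that audit, run over the JSON output of aws ec2 describe-security-groups: it reports every ingress rule whose source is the whole IPv4 or IPv6 space, rates SSH/RDP/WinRM and all-traffic exposure as high and everything else (such as 443 on a web tier) as informational, and emits the revoke-security-group-ingress line for the simple single-port cases. The sample groups, their IDs and the second group's name are constructed; the first group mirrors SEC545-CLILAB after Steps 3 and 4.

```python
import ipaddress
import json

# Constructed sample of `aws ec2 describe-security-groups --output json`, reduced to
# the fields the audit reads. Group IDs and the "bastion-internal" group are made up.
SAMPLE_SECURITY_GROUPS = json.loads(r"""
{
  "SecurityGroups": [
    {"GroupId": "sg-00000000000000001", "GroupName": "SEC545-CLILAB",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
     ]},
    {"GroupId": "sg-00000000000000002", "GroupName": "bastion-internal",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
       {"IpProtocol": "-1",
        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
     ]}
  ]
}
""")

# Ports whose world-open exposure is treated as high severity (SSH, RDP, WinRM).
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}


def is_world_open(cidr):
    """True for a prefix covering the entire IPv4 or IPv6 space (0.0.0.0/0, ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _covers_management_port(perm):
    """All-protocol rules ("-1") carry no port fields and cover everything."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in MANAGEMENT_PORTS)


def audit_security_groups(describe_security_groups):
    """One finding per ingress rule that admits the whole internet, in API order."""
    findings = []
    for sg in describe_security_groups.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_sources = [s for s in sources if is_world_open(s)]
            if not open_sources:
                continue
            proto = perm.get("IpProtocol")
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            findings.append({
                "group_id": sg["GroupId"],
                "group_name": sg["GroupName"],
                "protocol": proto,
                "ports": ports,
                "sources": open_sources,
                "severity": "high" if _covers_management_port(perm) else "info",
            })
    return findings


def revoke_command(finding):
    """CLI line removing a single-port IPv4 world-open TCP/UDP rule. Other shapes
    (all-protocol, IPv6-only, port ranges) need --ip-permissions JSON; return None."""
    if finding["protocol"] not in ("tcp", "udp") or "0.0.0.0/0" not in finding["sources"]:
        return None
    lo, hi = finding["ports"].split("-")
    if lo != hi:
        return None
    return (f"aws ec2 revoke-security-group-ingress --group-id {finding['group_id']} "
            f"--protocol {finding['protocol']} --port {lo} --cidr 0.0.0.0/0")


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f["severity"], f["group_name"], f["protocol"], f["ports"], f["sources"])
        fix = revoke_command(f)
        if f["severity"] == "high" and fix:
            print("  fix:", fix)
```

The 10.0.0.0/8 rule in the second group is correctly left alone, while its all-traffic IPv6 rule is caught even though it has no IpRanges entry at all; checks that only look at CidrIp miss that case.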

Lab 5.4