ijbhxhu / awstpeworkshop-20180823-iam-role-s3-cw-sns


This project forked from awshktsa/awstpeworkshop-20180823-iam-role-s3-cw-sns


AWS Startup Workshop (200+), IAM/Role/AKSK/Event/Notification, which will help newly landed users learn how to set up IAM users properly, and also understand the difference between an IAM Role and an IAM User.

awstpeworkshop-20180823-iam-role-s3-cw-sns's Introduction

Startup Workshop Series (2018-08-23) IAM-Role-S3-CW-SNS

Today we will mainly talk about IAM-related concepts: users, roles and policies, which are the most fundamental parts to understand before we start to build any workload on AWS.

We will introduce IAM users, how to create policies, and how to make sure you grant least privilege to your team. We will also show you the different ways to get your

We pick this region because later we will deploy the whole stack, which needs correct AMI support there.

Step 1:

Switch Region on the AWS console, using the drop-down menu near the upper-right corner. For example, we pick N. Virginia (us-east-1) for our lab practice.

Step 2:

  • Create a new IAM User
  • AWS Console > IAM > Create User
  • Create a user with a proper user name and password; choose both programmatic and console access.
  • Attach existing policies directly, and pick AmazonEC2FullAccess and AmazonS3FullAccess
  • After review, create the user
  • On the last page, please remember to download the credentials CSV, or copy the Access Key ID and Secret Access Key from the page.

Step 3:

  • Make sure each account is set up with MFA
  • AWS console > IAM > Users, and click the user name you just created
  • Pick the Security credentials tab; you will see the link Assigned MFA device
  • Click it and pick A virtual MFA device; with a downloaded mobile app you can enable Multi-Factor Authentication to protect your account. For more detail, please check the document (https://aws.amazon.com/iam/details/mfa/)

Step 4:

  • Check if you already have an EC2 Key Pair in your selected region.
  • If not, create one through AWS Console > EC2 > Key Pairs > Create Key Pair.
  • Remember to download the private key (.pem) and keep it safe.
  • Usually we move it into the ~/.ssh/ sub-folder in your home directory.
  • To keep it secure, remember to restrict its permissions with the command chmod 0400 XXXXX.pem
  • If you are a Windows user, download putty.exe and puttygen.exe from Here. Also check the document Here if you don't know how to convert .pem to .ppk.

Step 5 (optional):

  • Check your web service stack
  • You will find an Application Load Balancer, a web server and a backend server, and also an S3 bucket.
  • In this practice, you can see how the resources for our basic practice are created. Try to understand how we design the network topology, and how we divide AZs and subnets.
  • We also talked about the security group. By default, all the network routing rules have been pre-defined, so you don't need to do anything. In this empty stack, you can see what we showed in the first diagram.

Step 6:

  • Now find the bucket policy file in (AWSWorkshop-20180823-IAM-Role-S3-CW-SNS/policies/bucket-policy.json)
  • Copy it, and paste it into your S3 bucket policy: AWS Console > S3 > YOURBUCKET > Permissions > Bucket policy
  • Paste it and save. (You have to change the aws-user-id from 1111111111 to your own id.)
  • Now compare the different access methods: try to use awscli from the bastion, or on your laptop (if you skipped step 5).
  • Try to access the bucket, with and without MFA.
  • The delete command with MFA will look like this: aws s3api delete-object --bucket nctu-aws-workshop --key test.py --mfa "arn:aws:iam::111111111111:mfa/$YOURUSER 123456"
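As an added example (not the workshop's own policies/bucket-policy.json, whose contents are not reproduced here), here is a bucket policy of the kind Step 6 applies, together with a small evaluator of its Deny statement, so you can see why the awscli call behaves differently with and without --mfa. The account id 111111111111 is the README's placeholder, and the bucket name is the one from the command above; the evaluator models only the IAM semantics this one statement uses.

```python
import fnmatch

# Constructed example (not the workshop's own policies/bucket-policy.json): deny
# object deletion unless the caller authenticated with MFA. 111111111111 is the
# placeholder account id that the README tells you to replace with your own.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDeleteWithoutMFA",
        "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "s3:DeleteObject",
        "Resource": "arn:aws:s3:::nctu-aws-workshop/*",
        # BoolIfExists (not Bool): a request signed with long-term access keys and
        # no MFA carries no aws:MultiFactorAuthPresent key at all; it must still be denied.
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_denied(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Return True if a Deny statement of `policy` applies to the request.

    Models only the IAM semantics this policy uses: '*' / '?' wildcards in
    Action and Resource, and the BoolIfExists condition operator. `context` holds
    the request's condition keys, e.g. {"aws:MultiFactorAuthPresent": "true"}.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("BoolIfExists", {})
        for key, expected in conditions.items():
            # IfExists: a key missing from the request context satisfies the test.
            if key in context and str(context[key]).lower() != expected.lower():
                break  # condition not met, so this statement does not apply
        else:
            return True
    return False
```

Passing --mfa to awscli is what makes aws:MultiFactorAuthPresent appear as "true" in the request context; a plain access-key call has no such key, which is the case BoolIfExists catches.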

AWS Workshop Series - BUCKETPOLICYROLEMFA

Step 7(Advanced Challenge):

  • This will activate the CloudTrail service, create a new Trail and a new SNS topic, and put your email address into the subscription
  • Now go back to the S3 bucket you created in Step 5 > Properties > Object-level logging
  • Select the Trail you just created, and check the read/write events, to make sure all the logs are sent to CloudTrail.
  • Now go to CloudWatch and create a new rule: AWS Console > CloudWatch > Rules > Create Rule
  • Check Event Pattern
  • Build event pattern to match events by service
  • Service Name will be S3
  • Event Type will be All Events
  • Add Target, pick SNS topic, and make sure you send it to the right topic.
  • After you give it a name, it's done.
  • Now try to put some files into your bucket, modify and delete them, and you will get email notifications.
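As an added example (not the workshop's own code), here is the event pattern the console's "match events by service: S3, All Events" choice in Step 7 produces, an assumed narrower variant that only fires on deletions, and the matching rule CloudWatch Events applies, so you can check a CloudTrail event locally before wiring the rule to the SNS topic. The sample event is constructed in the shape CloudTrail delivers S3 data events; the account id and bucket name are the README's placeholders.

```python
# Constructed example, not the workshop's own code. S3_ALL_EVENTS_PATTERN is what
# the console's "match events by service: S3, All Events" choice produces; the
# narrower pattern below is an assumed variant that only fires on object deletions.
S3_ALL_EVENTS_PATTERN = {"source": ["aws.s3"]}

S3_DELETE_ONLY_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": ["DeleteObject"]},
}


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Apply the CloudWatch Events matching rule to a pattern and an event.

    Every key in the pattern must be present in the event; a list in the pattern
    matches when the event's value (or one element of an event list) equals one
    of its entries; a nested dict in the pattern is matched recursively. Event
    fields that the pattern does not mention are ignored.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif not any(v in expected for v in (actual if isinstance(actual, list) else [actual])):
            return False
    return True


# Constructed sample in the shape CloudTrail delivers S3 data events to CloudWatch
# Events once object-level logging is enabled on the bucket (placeholder values).
SAMPLE_DELETE_EVENT = {
    "version": "0",
    "source": "aws.s3",
    "detail-type": "AWS API Call via CloudTrail",
    "account": "111111111111",
    "region": "us-east-1",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject",
        "requestParameters": {"bucketName": "nctu-aws-workshop", "key": "test.py"},
    },
}
```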

AWS Workshop Series - S3OBJCTCWSNS

The whole notification flow looks like this: the S3 bucket sends its log to CloudTrail, which triggers the event to the target SNS topic. If you have more subscribers in the SNS topic, all of them will be notified.

After Workshop

  1. Go to CloudFormation, select your stack and delete the stack.
  2. Remember to delete all the stacks above in reverse order (step 7 > step 5).

awstpeworkshop-20180823-iam-role-s3-cw-sns's People

Contributors: awshkt, juntinyeh
