Policy Creation Challenge

2 hours. Points: 10

© 2021 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.

Corrections, feedback, or other questions? Contact us at AWS Training and Certification.

SPL-DD-300-SIIDPC-1 - Version 1.0.3

Lab overview

Understanding AWS Identity and Access Management (IAM) is vital to keeping your assets secure. IAM offers several advanced features to allow you to tailor access to meet your organization's needs. In this lab, you will look at conditional statements and how you can use them to limit access based on resource tagging.

Objectives

After completing this lab, you will be able to:

  • Create IAM policies and groups
  • Attach policies to groups
  • Write conditional statements to limit user access to resources
  • Leverage tagging to enhance resource access

Duration

This lab requires approximately 120 minutes to complete.

Task 1: Understanding the architectures you are working with

In this lab, two three-tier web applications are running in your environment: a production stack and an identical development stack. Each consists of an Application Load Balancer (ALB), an Auto Scaling group (ASG), and an Amazon Aurora database cluster that runs on Amazon Relational Database Service (Amazon RDS). Currently, you have three user accounts that all have administrative access. You want to apply the principle of least privilege and restrict these users based on resource tags, so that developers cannot alter settings in the production environment. You are also planning for future growth by creating groups.

In this task, you explore the IAM users' current configuration and the production three-tier web applications.

  1. At the top of your screen, launch your lab by choosing Start Lab.

This starts the process of provisioning your lab resources. An estimated amount of time to provision your lab resources appears. You must wait for your resources to be provisioned before continuing.

If you are prompted for a token, use the one distributed to you (or credits you have purchased).

  2. Copy the ConsoleLoginLink value from the left side of the lab page, and paste it in a new browser tab.

  3. Sign in to the AWS Management Console using the following information:

  • Account ID: Copy the AccountId value from the left side of the lab page.
  • IAM user name: Copy the AdminUser value from the left side of the lab page.
  • Password: Copy the AdminUserPassword value from the left side of the lab page.
  4. Choose Sign in.

Do not change the Region unless instructed.

  5. In the AWS Management Console, choose Services and select IAM.

  6. In the left navigation menu, choose Users.

Several users have been created. In this lab, you will use the three users with user names that start with IAMUser or IAMAdminUser. Currently, they are all set up identically.

  7. Select the name of one of the IAMUser users.

On the Summary page, notice that the AdministratorAccess policy has been attached directly to the user. Verify that each user is set up identically by looking at the Summary page for each IAMUser.

Learn more: Each IAMUser has a permissions boundary attached to prevent users from modifying resources that are outside the scope of this lab. For more information, see Permission Boundaries for IAM Entities.

Explore the pre-created resources in your environment

Your lab environment has been pre-configured with two three-tier web applications each consisting of an Application Load Balancer, an Auto Scaling group, and an Amazon Aurora cluster. Use the diagram below as a guide to explore your lab environment.

[Diagram: AWS architecture showing the prod and dev three-tier apps that have been deployed]

If you already understand the resources created and tagging convention, you can skip this section.

  1. In the AWS Management Console, choose Services and select EC2.

  2. In the left navigation menu, choose Instances.

Two instances are running. Each instance is a member of an Auto Scaling group that sits behind its stack's Application Load Balancer.

  3. Select the instance named Production web server.

  4. Choose the Tags tab.

Several tags are applied to this instance, including one with a Key of Team and a Value of Production. You will use this tag to control access to Amazon Elastic Compute Cloud (Amazon EC2) instances.

Review the tags for the Development web server instance, and note how they are different.

  5. In the left navigation menu, choose Security Groups.

There are several security groups. Note that there is one for the ALB, one for the ASG, and one for the RDS cluster.

  6. Select the ASG-SG security group.

  7. Choose the Inbound rules tab.

The inbound rules include both HTTP and HTTPS. Notice that the Source is a reference to the ALB security group.

  8. Choose the Tags tab.

Make a note of the tags applied to each security group.

  9. In the left navigation menu, choose Load Balancers.

  10. Select the load balancer with Prod in its Name.

The Description tab lists the important information about the load balancer, including the DNS name that you use to connect to the load balancer.

  11. Choose the Listeners tab.

The load balancer has one listener configured for port 80 that forwards to a target group.

Important: This lab does not use HTTPS (port 443). Using HTTPS is best practice.

  12. In the left navigation menu, choose Target Groups.

  13. Choose the Name of the target group that contains Prod.

  14. Choose the Targets tab.

There is currently one instance listed as a target. This is the Production web server instance you inspected earlier.

  15. Choose the Tags tab.

Make a note of the tags applied to the target group.

  16. In the left navigation menu, choose Auto Scaling Groups.

  17. Select the Auto Scaling group with Prod in its Name.

  18. Scroll to the bottom of the Details tab.

On the Tags card, the tags listed mirror the tags you observed when you examined the EC2 instance. Again, a Key named Team with a Value of Production is listed and designated to be added to new instances. You will use this tag to control access to the EC2 instances.

  19. In the AWS Management Console, choose Services and select RDS.

  20. In the left navigation menu, choose Databases.

  21. Select the database with prodcluster in its DB identifier.

  22. Choose the Tags tab.

As with the EC2 instance and Auto Scaling group, there is a Team tag with a Value of Production that you will use to control access to the RDS cluster.

Now that you have explored the pre-created resources, you will start taking corrective actions to secure the account.

Update IAM users to remove administrative privileges

  1. In the AWS Management Console, choose Services and select IAM.

  2. In the left navigation menu, choose Users.

  3. Choose the User name that matches the User1 name to the left of these instructions.

  4. In the Attached directly permissions section, choose the icon to the right of the AdministratorAccess policy.

  5. In the pop-up window, choose Detach.

This removes the AdministratorAccess policy from the user and leaves the user account with no access to any account resources (the permissions boundary remains attached, but a boundary grants no permissions by itself).

  6. Repeat the same procedure to remove the AdministratorAccess policy from the User name that matches the User2 name to the left of these instructions.

Now that you have removed access for both users, you will create new restricted policies and apply them to groups.
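As an added illustration (not part of the lab or its answer key), the following Python block shows the kind of tag-conditioned policy this lab builds toward and runs it through a simplified, constructed evaluator that models only the IAM rules relevant here: explicit Deny overrides Allow, an unmatched request is implicitly denied, and a StringEquals condition whose key is absent from the request context evaluates to false. The policy document, the Development tag value and the request contexts are assumptions.

```python
import fnmatch
import json

# Constructed example policy (assumption, not the lab's answer key): developers get
# EC2 access, except on any resource carrying the lab's Team=Production tag.
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Team": "Production"}}}
  ]
}""")


def _action_matches(pattern, action):
    # IAM Action may be a string or a list; '*' wildcards are case-sensitive here.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition, context):
    # Simplified IAM semantics: only StringEquals is modelled. A key that is absent
    # from the request context makes the condition false, so the statement is skipped.
    for key, expected in condition.get("StringEquals", {}).items():
        if key not in context or context[key] != expected:
            return False
    return True


def evaluate(policy, action, context):
    """Return 'Allow' or 'Deny' for one request; explicit Deny wins outright."""
    decision = "Deny"  # implicit deny until a matching Allow is found
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny: stop evaluating
        decision = "Allow"
    return decision


# Request contexts as the lab's tagged instances would present them (constructed;
# the Development value is an assumption, the lab only says the dev tags differ).
PROD_INSTANCE = {"aws:ResourceTag/Team": "Production"}
DEV_INSTANCE = {"aws:ResourceTag/Team": "Development"}

if __name__ == "__main__":
    for name, ctx in (("Production web server", PROD_INSTANCE),
                      ("Development web server", DEV_INSTANCE)):
        print(name, "ec2:StopInstances ->", evaluate(DEVELOPER_POLICY, "ec2:StopInstances", ctx))
```

Because the restriction is written as a Deny, actions that carry no resource tag in their request context (list and describe calls, for example) stay allowed, which is why this pattern is usually preferred over an Allow that requires the tag to be present.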
