Infrastructure for the Rest of Us


The workshop should take approximately 90 minutes and consists of 3 challenges: the IAM Challenge, the VPC Challenge and the S3 Bucket Challenge.

Problem

At school, your Computer Science instructor is accustomed to using local equipment for running classroom applications. The class gradebook and a web portal for the CS department's swag are hosted on a dusty Unix box stored in a closet. This equipment is starting to show its age: the software needs upgrading, the machine crashes often and requires a reboot, and it is not very secure. Passwords don't get reset as needed and have become widely shared amongst the students. In the French department, students hack into the server to gain access to other systems. Lately, they've been doing this with a high success rate! In addition, the CS department's swag is so popular, with more students ordering t-shirts and fidget spinners, that the web portal has gotten slower and less reliable. The professor is fully aware that something needs to be done to lock down the classroom's sensitive material while allowing more CS swag orders with no hassle, but how?

To solve the above pain points, this project looks at how to move the infrastructure to a cloud platform.

  • Get familiar with navigating the capabilities of cloud computing on AWS by creating resources using some of the available services.

  • Control access to the classroom environments with accounts and security controls that grant permission to individual users.

  • Build a virtual network in the Cloud and develop applications in isolation.

  • Use cloud storage for the classroom’s gradebook data or images for department swag sold on the web portal.

Let's get started.

Solution Architecture Diagram

AWS Price Estimate

Reference link to this

Challenges

IAM Challenge

Write an IAM policy statement that prevents the user account student-user1 from accessing gradebook data.

  • The policy statement should ensure that the user cannot access any gradebook files created by the Professors. Protecting access to grade data is a critical requirement, so file types or number of files is not important; ALL student info is confidential and should be stored in a location with restricted access!

  • The gradebook data will be stored in an S3 bucket (e.g., grdbk-data-fall-2024). Professors have been approved to store data in the bucket to comply with the school's policy.

  • Our objective from a security perspective is we want to prevent student-user1 from accessing data inside the bucket. Normally, this type of policy would apply to all students, but for simplicity we will focus on just a single user for the exercise.

Steps to follow

  1. Create a file named IAM-Student-custom-policy.json

  2. Write the policy. The "Version" element must be "2012-10-17" (the current IAM policy language version; an arbitrary date is rejected). Because this statement names a "Principal", it is a resource-based policy and belongs on the bucket; if you attach it directly to student-user1 or to a student role as an identity-based policy instead, remove the "Principal" element, since the principal is then whoever the policy is attached to. Replace "--" with the 12-digit AWS account ID. The explicit Deny covers both the bucket ARN (for ListBucket) and the object ARN (for GetObject/PutObject), so no S3 action on the gradebook data is possible for that user, whatever other permissions they hold.

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Deny",
                 "Principal": {
                     "AWS":  "arn:aws:iam::--:user/student-user1"
                 },
                 "Action": "s3:*",
                 "Resource": [
                     "arn:aws:s3:::grdbk-data-fall-2024",
                     "arn:aws:s3:::grdbk-data-fall-2024/*"
                 ]
             }
         ]
     }
    

Console Login: https://project50.signin.aws.amazon.com/console

Username: student-user1

Password: YWZ']g2?9b;f$uSX`#R>B)

  3. Create a policy that would apply to all students and should be added to the student Role

VPC Challenge

Configure the public-subnet resource with the additional settings needed to make it publicly accessible.

At a high-level, the steps that need to be completed are:

  • create an internet gateway and attach it to the VPC

  • create a route table

  • add a route table entry (0.0.0.0/0 pointing at the internet gateway) to identify the traffic bound for the internet

  • associate the route table with the public subnet

  • REMINDER: We only need to configure the 'public' subnet. Do not modify the private subnet.
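The four steps above decide, between them, whether a subnet is "public": a subnet is public exactly when the route table it uses has a 0.0.0.0/0 route whose target is an internet gateway. The script below is an added example (not part of the workshop material) that applies that rule to the JSON shape returned by `aws ec2 describe-route-tables`; the sample output is constructed inline and all VPC, subnet, route-table and gateway IDs in it are placeholders. It also shows why the REMINDER matters: adding the internet route to the VPC's main route table, instead of a new table associated only with the public subnet, silently makes the private subnet public as well.

```python
"""Classify subnets as public or private from `aws ec2 describe-route-tables` output.

Added example; not the workshop's own code. The JSON below is constructed in the
shape the AWS CLI returns, with placeholder IDs (vpc-/subnet-/rtb-/igw-...).
"""
import copy
import json

# Constructed sample: the VPC's main route table (only the local route) and a
# custom table with an internet-gateway route, associated only with the public subnet.
SAMPLE_DESCRIBE_ROUTE_TABLES = {
    "RouteTables": [
        {
            "RouteTableId": "rtb-main-placeholder",
            "VpcId": "vpc-placeholder",
            "Associations": [{"Main": True, "RouteTableId": "rtb-main-placeholder"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-public-placeholder",
            "VpcId": "vpc-placeholder",
            "Associations": [
                {"Main": False, "RouteTableId": "rtb-public-placeholder",
                 "SubnetId": "subnet-public-placeholder"},
            ],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder", "State": "active"},
            ],
        },
    ]
}
# Subnet IDs as they would come from `aws ec2 describe-subnets` (placeholders).
SUBNET_IDS = ["subnet-public-placeholder", "subnet-private-placeholder"]


def has_internet_route(table):
    """True if the table sends default traffic (0.0.0.0/0) to an internet gateway."""
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and str(r.get("GatewayId", "")).startswith("igw-")
        and r.get("State", "active") == "active"
        for r in table.get("Routes", [])
    )


def route_table_for(subnet_id, tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main_table = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main_table = table
    return main_table


def classify_subnets(describe_output, subnet_ids):
    """Map each subnet ID to 'public' or 'private' by the route-table rule above."""
    tables = describe_output["RouteTables"]
    result = {}
    for subnet_id in subnet_ids:
        table = route_table_for(subnet_id, tables)
        result[subnet_id] = "public" if table and has_internet_route(table) else "private"
    return result


def internet_route_on_main_table(describe_output):
    """What happens if the 0.0.0.0/0 route is added to the main table by mistake."""
    modified = copy.deepcopy(describe_output)
    for table in modified["RouteTables"]:
        if any(a.get("Main") for a in table["Associations"]):
            table["Routes"].append(
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder", "State": "active"}
            )
    return modified


if __name__ == "__main__":
    print(json.dumps(classify_subnets(SAMPLE_DESCRIBE_ROUTE_TABLES, SUBNET_IDS), indent=2))
    wrong = internet_route_on_main_table(SAMPLE_DESCRIBE_ROUTE_TABLES)
    print("with the route on the main table:", classify_subnets(wrong, SUBNET_IDS))
```

To run it against a real account, replace the sample with the output of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` and the subnet list with the IDs from `aws ec2 describe-subnets`. The route is the property that makes a subnet public; instances in it still need a public IP (the subnet's auto-assign setting or an Elastic IP) and a security group that admits the traffic before anything is reachable.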

S3 Bucket Challenge

At a high-level, the steps that need to be completed are:

  • create 2 S3 buckets

  • Upload objects

  • Block access to the gradebook bucket using a bucket policy
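The IAM challenge (a deny policy for student-user1, then one for the whole student role) and this bucket-policy step are the same Deny statement in two forms: an identity-based policy, which has no Principal because it is attached to the user or role, and a resource-based bucket policy, which must name the principals it applies to. The script below is an added example, not code from the workshop: it builds both forms for the bucket named on the page, lints them for the two mistakes most often made here (a Version other than 2012-10-17, and a Principal in an identity-based policy), and evaluates sample requests against them with a simplified "explicit Deny wins" check. The account ID 123456789012 and the user student-user2 are placeholders; the bucket name and student-user1 come from the challenge text.

```python
"""Deny policy for the gradebook bucket in identity-based and bucket-policy form,
with a linter and a simplified local evaluator.

Added example; not the workshop's own code. ACCOUNT_ID and student-user2 are
placeholders; the bucket name and student-user1 are from the challenge text.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"                      # placeholder, not a real account
BUCKET = "grdbk-data-fall-2024"                  # bucket name from the challenge
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}",         # the bucket itself (ListBucket)
               f"arn:aws:s3:::{BUCKET}/*"]       # every object in it (GetObject, ...)
POLICY_VERSION = "2012-10-17"                    # the current IAM policy language version


def identity_deny_policy():
    """Identity-based form: attach to student-user1 or to the student role.
    No Principal element; the principal is whoever the policy is attached to."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Sid": "DenyGradebookBucket",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": BUCKET_ARNS,
        }],
    }


def bucket_deny_policy(students):
    """Resource-based form for the S3 challenge: a Principal is mandatory here."""
    principals = [f"arn:aws:iam::{ACCOUNT_ID}:user/{name}" for name in students]
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Sid": "DenyStudentsGradebook",
            "Effect": "Deny",
            "Principal": {"AWS": principals},
            "Action": "s3:*",
            "Resource": BUCKET_ARNS,
        }],
    }


def lint_policy(policy, identity_based):
    """Return a list of problems; an empty list means the policy passes these checks."""
    problems = []
    if policy.get("Version") != POLICY_VERSION:
        problems.append(f"unsupported Version {policy.get('Version')!r}")
    for stmt in policy.get("Statement", []):
        if identity_based and "Principal" in stmt:
            problems.append("identity-based policy must not contain Principal")
        if not identity_based and "Principal" not in stmt and "NotPrincipal" not in stmt:
            problems.append("bucket policy statement needs a Principal")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append("Effect must be Allow or Deny")
    return problems


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def is_denied(policy, principal_arn, action, resource_arn, identity_based=True):
    """Simplified evaluation: an explicit Deny in any matching statement wins.
    Allows are ignored; this only answers whether the policy blocks the request."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not identity_based:
            principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
            if not any(_matches(p, principal_arn) for p in principals):
                continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        return True
    return False


if __name__ == "__main__":
    bucket_policy = bucket_deny_policy(["student-user1", "student-user2"])
    print(json.dumps(bucket_policy, indent=2))
    print("lint:", lint_policy(identity_deny_policy(), True), lint_policy(bucket_policy, False))
    student1 = f"arn:aws:iam::{ACCOUNT_ID}:user/student-user1"
    print(is_denied(bucket_policy, student1, "s3:GetObject",
                    f"arn:aws:s3:::{BUCKET}/grades.csv", identity_based=False))
```

`bucket_deny_policy` is the generalisation the IAM challenge's third step asks for: pass every student user name and one bucket policy covers them all, while `identity_deny_policy` is what goes on the shared student role. The evaluator deliberately ignores Allow statements, because a Deny anywhere in the evaluation overrides every Allow; that is exactly why a Deny, rather than the absence of an Allow, is the right tool for confidential gradebook data.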

Link to more step-by-step detail is here:

https://catalog.us-east-1.prod.workshops.aws/workshops/781f1e70-d6e9-4f0d-8c7e-b069990a4f8c/en-US/30-module3-storage/4-s3