Updated READMEs

AWSCookbook · Dec 7, 2021 · 6ef77fc · 6ef77fc
1 parent baa7ee1
commit 6ef77fc
Show file tree

Hide file tree

Showing 51 changed files with 1,401 additions and 2 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,32 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Version [e.g. 22]
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/recipe-request.md b/.github/ISSUE_TEMPLATE/recipe-request.md
@@ -0,0 +1,20 @@
+---
+name: Recipe request
+about: Suggest a recipe for this Chapter
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your recipe request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe what you'd like to learn**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/101-Creating-and-Assuming-an-IAM-Role/.gitignore b/101-Creating-and-Assuming-an-IAM-Role/.gitignore
@@ -0,0 +1 @@
+assume-role-policy.json
diff --git a/101-Creating-and-Assuming-an-IAM-Role/README.md b/101-Creating-and-Assuming-an-IAM-Role/README.md
@@ -0,0 +1,17 @@
+# Creating and Assuming an IAM Role for Developer Access
+## Clean up 
+### Detach the PowerUserAccess policy from the role:
+```
+aws iam detach-role-policy --role-name AWSCookbook101Role \
+--policy-arn arn:aws:iam::aws:policy/PowerUserAccess
+```
+
+### Delete the IAM role:
+
+`aws iam delete-role --role-name AWSCookbook101Role`
+
+### Unset your local variables:
+```
+unset ROLE_ARN
+unset PRINCIPAL_ARN
+```
diff --git a/101-Creating-and-Assuming-an-IAM-Role/assume-role-policy-template.json b/101-Creating-and-Assuming-an-IAM-Role/assume-role-policy-template.json
@@ -0,0 +1,12 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": { 
+                "AWS": "PRINCIPAL_ARN"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
diff --git a/102-Generate-Least-Privilege-IAM-Policy/README.md b/102-Generate-Least-Privilege-IAM-Policy/README.md
@@ -0,0 +1,4 @@
+# Generate a Least Privilege IAM Policy Based on Access Patterns
+
+## Clean up 
+### Delete the IAM policy that you created
diff --git a/103-Enforcing-IAM-User-Password-Policies/README.md b/103-Enforcing-IAM-User-Password-Policies/README.md
@@ -0,0 +1,38 @@
+# Enforcing IAM User Password Policies in Your AWS Account
+
+## Clean up 
+### Delete the login profiles that you created (including the validation step user):
+```
+aws iam delete-login-profile --user-name awscookbook103user
+aws iam delete-login-profile --user-name awscookbook103user2
+```
+
+### Remove the user from the group:
+```
+aws iam remove-user-from-group --user-name awscookbook103user \
+--group-name AWSCookbook103Group
+```
+
+### Detach the policy from the group:
+```
+aws iam detach-group-policy --group-name AWSCookbook103Group \
+--policy-arn arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess
+```
+
+### Delete the group:
+`aws iam delete-group --group-name AWSCookbook103Group`
+
+### Delete the users that you created (including the validation step user):
+```
+aws iam delete-user --user-name awscookbook103user
+aws iam delete-user --user-name awscookbook103user2
+```
+
+### Delete the account password policy that you configured:
+`aws iam delete-account-password-policy`
+
+### Unset the local variables you created:
+```
+unset RANDOM_STRING
+unset RANDOM_STRING2
+```
diff --git a/104-Testing-IAM-Policies-with-the-IAM-Policy-Simulator/README.md b/104-Testing-IAM-Policies-with-the-IAM-Policy-Simulator/README.md
@@ -0,0 +1,13 @@
+# Testing IAM Policies with the IAM Policy Simulator
+
+## Clean up 
+### Step Text
+Detach the AmazonEC2ReadOnlyAccess policy from the role:
+```
+aws iam detach-role-policy --role-name AWSCookbook104IamRole \
+--policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
+```
+
+Delete the IAM Role for the proxy: 
+
+`aws iam delete-role --role-name AWSCookbook104IamRole`
diff --git a/104-Testing-IAM-Policies-with-the-IAM-Policy-Simulator/assume-role-policy.json b/104-Testing-IAM-Policies-with-the-IAM-Policy-Simulator/assume-role-policy.json
@@ -0,0 +1,13 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "ec2.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+
diff --git a/105-Delegating-IAM-Administrative-Capabilities-Using-Permissions-Boundaries/.gitignore b/105-Delegating-IAM-Administrative-Capabilities-Using-Permissions-Boundaries/.gitignore
@@ -0,0 +1,3 @@
+assume-role-policy.json
+policy.json
+boundary-policy.json
diff --git a/...legating-IAM-Administrative-Capabilities-Using-Permissions-Boundaries/README.md b/...legating-IAM-Administrative-Capabilities-Using-Permissions-Boundaries/README.md
@@ -0,0 +1,56 @@
+# Delegating IAM Administrative Capabilities Using Permissions Boundaries
+
+## Clean up 
+
+### Unset the variables you set to assume the AWSCookbook105 role in your terminal:
+```
+unset AWS_ACCESS_KEY_ID
+unset AWS_SECRET_ACCESS_KEY
+unset AWS_SESSION_TOKEN
+```
+
+### Detach the AmazonDynamoDBFullAccess and CloudWatchFullAccess policy from the role:
+```
+aws iam detach-role-policy --role-name AWSCookbook105test1 \
+--policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
+
+aws iam detach-role-policy --role-name AWSCookbook105test1 \
+--policy-arn arn:aws:iam::aws:policy/CloudWatchFullAccess
+```
+
+### Delete the IAM Role you used to test:
+```
+aws iam delete-role --role-name AWSCookbook105test1
+```
+
+### Detach the Policy you created from the role:
+```
+aws iam detach-role-policy --role-name AWSCookbook105Role \
+--policy-arn arn:aws:iam::$AWS_ACCOUNT_ID:policy/AWSCookbook105Policy
+```
+
+### Delete the policy:
+```
+aws iam delete-policy --policy-arn \
+arn:aws:iam::$AWS_ACCOUNT_ID:policy/AWSCookbook105Policy
+```
+
+### Delete the permissions boundary:
+```
+aws iam delete-policy --policy-arn \
+arn:aws:iam::$AWS_ACCOUNT_ID:policy/AWSCookbook105PB
+```
+
+### Delete the IAM Role:
+```
+aws iam delete-role --role-name AWSCookbook105Role
+```
+
+### Unset the variables you set:
+```
+unset PRINCIPAL_ARN
+unset ROLE_ARN
+unset TEST_ROLE_1
+unset creds
+```
+
diff --git a/...Administrative-Capabilities-Using-Permissions-Boundaries/assume-role-policy-template.json b/...Administrative-Capabilities-Using-Permissions-Boundaries/assume-role-policy-template.json
@@ -0,0 +1,12 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": { 
+                "AWS": "PRINCIPAL_ARN"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
diff --git a/...AM-Administrative-Capabilities-Using-Permissions-Boundaries/boundary-policy-template.json b/...AM-Administrative-Capabilities-Using-Permissions-Boundaries/boundary-policy-template.json
@@ -0,0 +1,39 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "CreateLogGroup",
+            "Effect": "Allow",
+            "Action": "logs:CreateLogGroup",
+            "Resource": "arn:aws:logs:*:AWS_ACCOUNT_ID:*"
+        },
+        {
+            "Sid": "CreateLogStreamandEvents",
+            "Effect": "Allow",
+            "Action": [
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+            ],
+            "Resource": "arn:aws:logs:*:AWS_ACCOUNT_ID:*"
+        },
+        {
+            "Sid": "DynamoDBPermissions",
+            "Effect": "Allow",
+            "Action": [
+                "dynamodb:PutItem",
+                "dynamodb:UpdateItem",
+                "dynamodb:DeleteItem"
+            ],
+            "Resource": "arn:aws:dynamodb:*:AWS_ACCOUNT_ID:table/AWSCookbook*"
+        },
+        {
+            "Sid": "S3Permissions",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:PutObject"
+            ],
+            "Resource": "arn:aws:s3:::AWSCookbook*/*"
+        }
+    ]
+}
diff --git a/...M-Administrative-Capabilities-Using-Permissions-Boundaries/lambda-assume-role-policy.json b/...M-Administrative-Capabilities-Using-Permissions-Boundaries/lambda-assume-role-policy.json
@@ -0,0 +1,13 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "lambda.amazonaws.com"
+        },
+        "Action": "sts:AssumeRole"
+      }
+    ]
+  }
+
diff --git a/...elegating-IAM-Administrative-Capabilities-Using-Permissions-Boundaries/lambda_function.py b/...elegating-IAM-Administrative-Capabilities-Using-Permissions-Boundaries/lambda_function.py
@@ -0,0 +1,10 @@
+import json
+import os
+import sys
+
+def lambda_handler(event, context):
+
+   return {
+      'statusCode': 200,
+      'body': json.dumps('Hello AWSCookbook Reader!')
+   }
diff --git a/...egating-IAM-Administrative-Capabilities-Using-Permissions-Boundaries/policy-template.json b/...egating-IAM-Administrative-Capabilities-Using-Permissions-Boundaries/policy-template.json
@@ -0,0 +1,88 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "DenyPBDelete",
+            "Effect": "Deny",
+            "Action": "iam:DeleteRolePermissionsBoundary",
+            "Resource": "*"
+        },
+        {
+            "Sid": "IAMRead",
+            "Effect": "Allow",
+            "Action": [
+                "iam:Get*",
+                "iam:List*"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "IAMPolicies",
+            "Effect": "Allow",
+            "Action": [
+                "iam:CreatePolicy",
+                "iam:DeletePolicy",
+                "iam:CreatePolicyVersion",
+                "iam:DeletePolicyVersion",
+                "iam:SetDefaultPolicyVersion"
+            ],
+            "Resource": "arn:aws:iam::AWS_ACCOUNT_ID:policy/AWSCookbook*"
+        },
+        {
+            "Sid": "IAMRolesWithBoundary",
+            "Effect": "Allow",
+            "Action": [
+                "iam:CreateRole",
+                "iam:DeleteRole",
+                "iam:PutRolePolicy",
+                "iam:DeleteRolePolicy",
+                "iam:AttachRolePolicy",
+                "iam:DetachRolePolicy"
+            ],
+            "Resource": [
+                "arn:aws:iam::AWS_ACCOUNT_ID:role/AWSCookbook*"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "iam:PermissionsBoundary": "arn:aws:iam::AWS_ACCOUNT_ID:policy/AWSCookbook105PB"
+                }
+            }
+        },
+        {
+            "Sid": "ServerlessFullAccess",
+            "Effect": "Allow",
+            "Action": [
+                "lambda:*",
+                "logs:*",
+                "dynamodb:*",
+                "s3:*"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "PassRole",
+            "Effect": "Allow",
+            "Action": "iam:PassRole",
+            "Resource": "arn:aws:iam::AWS_ACCOUNT_ID:role/AWSCookbook*",
+            "Condition": {
+                "StringLikeIfExists": {
+                    "iam:PassedToService": "lambda.amazonaws.com"
+                }
+            }
+        },
+        {
+            "Sid": "ProtectPB",
+            "Effect": "Deny",
+            "Action": [
+                "iam:CreatePolicyVersion",
+                "iam:DeletePolicy",
+                "iam:DeletePolicyVersion",
+                "iam:SetDefaultPolicyVersion"
+            ],
+            "Resource": [
+                "arn:aws:iam::AWS_ACCOUNT_ID:policy/AWSCookbook105PB",
+                "arn:aws:iam::AWS_ACCOUNT_ID:policy/AWSCookbook105Policy"
+            ]
+        }
+    ]
+}