labs/lab-3/LAB-REPORT.md

# Lab 3

## Prep
- [x] Gitea set up
- [x] MFA set up
- [x] Add git ignore
- [x] Secrets/Token Management
    - [x] Consider secret-scanning
      - [x] Added git-leaks on pre-commit hook
- [x] Create & Connect to a Git*** repository
  - [x] https://git.dropbear-minnow.ts.net/
- [x] Modify and make a second commit
    ![image of terminal](./assets/prep-console.png)
- [x] Test to see if gitea actions works
- [x] Have an existing s3 bucket

## Resources
- [x] [Capital One Data Breach](./assets/Capital%20One%20Data%20Breach%20—%202019.%20Introduction%20_%20by%20Tanner%20Jones%20_%20Nerd%20For%20Tech%20_%20Medium.pdf)
- [x] [Grant IAM User Access to Only One S3 Bucket](./assets/Grant%20IAM%20User%20Access%20to%20Only%20One%20S3%20Bucket%20_%20Medium.pdf)
- [ ] [IAM Bucket Policies](./assets/From%20IAM%20to%20Bucket%20Policies_%20A%20Comprehensive%20Guide%20to%20S3%20Access%20Control%20with%20Console,%20CLI,%20and%20Terraform%20_%20by%20Mohasina%20Clt%20_%20Medium.pdf)
- [ ] [Dumping S3 Buckets!](https://www.youtube.com/watch?v=ITSZ8743MUk)

## Lab
- [x] create a custom IAM Policy
- [x] create an IAM Role for EC2
  ![trust relationships](./assets/trust-relationships.jpg)
  ![permissions](./assets/permissions.jpg)
- [x] Attach the Role to your EC2 Instance
- [x] Verify is3 access from the EC2 Instance
  * HTTPS outbound was not set up
    * I did not check outbound rules (even when the lab explicitly called this out)
      because it mentioned lab 2, so my assumption was that it had already been set up
      (it was not). When connection to s3 failed I double checked lab 3 instructions
  ![screenshot of listing s3 contents](./assets/s3-access-screenshot.jpg)

### Stretch
- [ ] Create a bucket policy that blocks all public access but allows your IAM role
- [ ] **Experiment** with requiring MFA or VPC conditions.
  - [ ] MFA conditions
    * MFA did not work out of the box after setting it in the s3 bucket policy. 
      The ways I found you can configure MFA:
      * [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli)
        * via cli roles
        * configuration via ~/.aws/credentials
        * 1Password CLI with AWS Plugin
          * I use bitwarden, which also has an AWS Plugin
          * This is probably what I will gravitate towards for a more 
            long-term setup, because having all of these credentials
            floating around in various areas on my computer/virtualbox
            envs gets confusing. Not a fan.
          * I've seen a lot more recommendations (TBH it's more like 2 vs 0)
            for 1password for password credential setup. Wonder why?
        * other apps that handle this
          * I did not look into this because I didn't want to install
            yet another specialized CLI that I didn't understand
  - [ ] VPC
- [ ] **Host a static site**
  - [ ] Enable a static website hosting (`index.html`)
  - [ ] Configure route 53 alias or CNAME for `resume.<yourdomain>` to the bucket endpoint.
  - [ ] Deploy CloudFront with ACM certificate for HTTPS
  #### Private "Innvite-Only" Resume Hosting
  1. **Pre-signed URLs**
    `aws s3 presign s3://<YOUR_BUCKET_NAME>/resume.pdf --expires-in 3600`
  2. **IAM-only access**
    - [ ] Store under `private/`
    - [ ] Write a bucket policy allowing only the role `EC2-S3-Access-Role-daphodell` to `GetObject`
  3. **Restrict to IP address**
    - [ ] copy pasta json into bucket policy

## Further Reading
- [ ]
- [ ] 
- [ ] 

## Reflection
* What I built
* Challenges
* Security concerns
  On scale and security at scale

## Terms
### Identity Access Management
```mermaid
graph LR
  IAMPolicy -- attaches to --> IAMIdentity
  ExplainIAMIdentity[users, groups of users, roles, AWS resources]:::aside
  ExplainIAMIdentity -.-> IAMIdentity
  
  classDef aside fill:#fffbe6,stroke:#bbb,stroke-dasharray: 5 5,stroke-width:2px;
```

## Problems encountered

    more carefully. Note to self: always double check.

## End lab
- [ ] On June 20, 2025, do the following:
  - [ ] Clean up
    - [ ] Custom roles
    - [ ] Custom policies
  - [ ] Stop ec2 Instance
  - [ ] Remove s3 bucket
Initial commit 2025-06-07 14:04:07 -07:00			`# Lab 3`

			`## Prep`
			`- [x] Gitea set up`
			`- [x] MFA set up`
			`- [x] Add git ignore`
			`- [x] Secrets/Token Management`
			`- [x] Consider secret-scanning`
			`- [x] Added git-leaks on pre-commit hook`
Add screenshots 2025-06-11 11:02:42 -07:00			`- [x] Create & Connect to a Git*** repository`
Initial commit 2025-06-07 14:04:07 -07:00			`- [x] https://git.dropbear-minnow.ts.net/`
test actions 2025-06-07 14:38:38 -07:00			`- [x] Modify and make a second commit`
More wip 2025-06-11 13:17:22 -07:00			`![image of terminal](./assets/prep-console.png)`
Add lab 3 WIP 2025-06-09 21:31:41 -07:00			`- [x] Test to see if gitea actions works`
Add wip lab 3 2025-06-10 10:54:13 -07:00			`- [x] Have an existing s3 bucket`
Add lab 3 WIP 2025-06-09 21:31:41 -07:00
			`## Resources`
			`- [x] [Capital One Data Breach](./assets/Capital%20One%20Data%20Breach%20—%202019.%20Introduction%20_%20by%20Tanner%20Jones%20_%20Nerd%20For%20Tech%20_%20Medium.pdf)`
Add wip lab 3 2025-06-10 10:54:13 -07:00			`- [x] [Grant IAM User Access to Only One S3 Bucket](./assets/Grant%20IAM%20User%20Access%20to%20Only%20One%20S3%20Bucket%20_%20Medium.pdf)`
Add lab 3 WIP 2025-06-09 21:31:41 -07:00			`- [ ] [IAM Bucket Policies](./assets/From%20IAM%20to%20Bucket%20Policies_%20A%20Comprehensive%20Guide%20to%20S3%20Access%20Control%20with%20Console,%20CLI,%20and%20Terraform%20_%20by%20Mohasina%20Clt%20_%20Medium.pdf)`
			`- [ ] [Dumping S3 Buckets!](https://www.youtube.com/watch?v=ITSZ8743MUk)`

			`## Lab`
Add screenshots 2025-06-11 11:02:42 -07:00			`- [x] create a custom IAM Policy`
			`- [x] create an IAM Role for EC2`
			`![trust relationships](./assets/trust-relationships.jpg)`
			`![permissions](./assets/permissions.jpg)`
			`- [x] Attach the Role to your EC2 Instance`
			`- [x] Verify is3 access from the EC2 Instance`
More wip 2025-06-11 13:17:22 -07:00			`* HTTPS outbound was not set up`
			`* I did not check outbound rules (even when the lab explicitly called this out)`
			`because it mentioned lab 2, so my assumption was that it had already been set up`
			`(it was not). When connection to s3 failed I double checked lab 3 instructions`
Add screenshots 2025-06-11 11:02:42 -07:00			`![screenshot of listing s3 contents](./assets/s3-access-screenshot.jpg)`
Add lab 3 WIP 2025-06-09 21:31:41 -07:00
Add screenshots 2025-06-11 11:02:42 -07:00			`### Stretch`
			`- [ ] Create a bucket policy that blocks all public access but allows your IAM role`
More wip 2025-06-11 13:17:22 -07:00			`- [ ] Experiment with requiring MFA or VPC conditions.`
			`- [ ] MFA conditions`
			`* MFA did not work out of the box after setting it in the s3 bucket policy.`
			`The ways I found you can configure MFA:`
			`* [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli)`
			`* via cli roles`
			`* configuration via ~/.aws/credentials`
			`* 1Password CLI with AWS Plugin`
			`* I use bitwarden, which also has an AWS Plugin`
			`* This is probably what I will gravitate towards for a more`
			`long-term setup, because having all of these credentials`
			`floating around in various areas on my computer/virtualbox`
			`envs gets confusing. Not a fan.`
			`* I've seen a lot more recommendations (TBH it's more like 2 vs 0)`
			`for 1password for password credential setup. Wonder why?`
			`* other apps that handle this`
			`* I did not look into this because I didn't want to install`
			`yet another specialized CLI that I didn't understand`
			`- [ ] VPC`
			`- [ ] Host a static site`
			- [ ] Enable a static website hosting (`index.html`)
			- [ ] Configure route 53 alias or CNAME for `resume.<yourdomain>` to the bucket endpoint.
			`- [ ] Deploy CloudFront with ACM certificate for HTTPS`
			`#### Private "Innvite-Only" Resume Hosting`
			`1. Pre-signed URLs`
			`aws s3 presign s3://<YOUR_BUCKET_NAME>/resume.pdf --expires-in 3600`
			`2. IAM-only access`
			- [ ] Store under `private/`
			- [ ] Write a bucket policy allowing only the role `EC2-S3-Access-Role-daphodell` to `GetObject`
			`3. Restrict to IP address`
			`- [ ] copy pasta json into bucket policy`

			`## Further Reading`
			`- [ ]`
			`- [ ]`
			`- [ ]`

			`## Reflection`
			`* What I built`
			`* Challenges`
			`* Security concerns`
			`On scale and security at scale`
Add screenshots 2025-06-11 11:02:42 -07:00
			`## Terms`
Add lab 3 WIP 2025-06-09 21:31:41 -07:00			`### Identity Access Management`
			```mermaid
			`graph LR`
			`IAMPolicy -- attaches to --> IAMIdentity`
			`ExplainIAMIdentity[users, groups of users, roles, AWS resources]:::aside`
			`ExplainIAMIdentity -.-> IAMIdentity`

			`classDef aside fill:#fffbe6,stroke:#bbb,stroke-dasharray: 5 5,stroke-width:2px;`
Add screenshots 2025-06-11 11:02:42 -07:00			```

More wip 2025-06-11 13:17:22 -07:00			`## Problems encountered`

			`more carefully. Note to self: always double check.`

Add screenshots 2025-06-11 11:02:42 -07:00			`## End lab`
More wip 2025-06-11 13:17:22 -07:00			`- [ ] On June 20, 2025, do the following:`
			`- [ ] Clean up`
			`- [ ] Custom roles`
			`- [ ] Custom policies`
			`- [ ] Stop ec2 Instance`
			`- [ ] Remove s3 bucket`