2025-06-11 13:17:22 -07:00
parent 402a19248e
commit 0574727270


@ -10,7 +10,7 @@
- [x] Create & Connect to a Git*** repository - [x] Create & Connect to a Git*** repository
- [x] https://git.dropbear-minnow.ts.net/ - [x] https://git.dropbear-minnow.ts.net/
- [x] Modify and make a second commit - [x] Modify and make a second commit
![image of terminal](./assets/prep-console.png) ![image of terminal](./assets/prep-console.png)
- [x] Test to see if gitea actions works - [x] Test to see if gitea actions works
- [x] Have an existing s3 bucket - [x] Have an existing s3 bucket
@ -27,10 +27,56 @@
![permissions](./assets/permissions.jpg) ![permissions](./assets/permissions.jpg)
- [x] Attach the Role to your EC2 Instance - [x] Attach the Role to your EC2 Instance
- [x] Verify is3 access from the EC2 Instance - [x] Verify is3 access from the EC2 Instance
* HTTPS outbound was not set up
* I did not check outbound rules (even when the lab explicitly called this out)
because it mentioned lab 2, so my assumption was that it had already been set up
(it was not). When connection to s3 failed I double checked lab 3 instructions
![screenshot of listing s3 contents](./assets/s3-access-screenshot.jpg) ![screenshot of listing s3 contents](./assets/s3-access-screenshot.jpg)
### Stretch ### Stretch
- [ ] Create a bucket policy that blocks all public access but allows your IAM role - [ ] Create a bucket policy that blocks all public access but allows your IAM role
- [ ] **Experiment** with requiring MFA or VPC conditions.
- [ ] MFA conditions
* MFA did not work out of the box after setting it in the s3 bucket policy.
The ways I found you can configure MFA:
* [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli)
* via cli roles
* configuration via ~/.aws/credentials
* 1Password CLI with AWS Plugin
* I use bitwarden, which also has an AWS Plugin
* This is probably what I will gravitate towards for a more
long-term setup, because having all of these credentials
floating around in various areas on my computer/virtualbox
envs gets confusing. Not a fan.
* I've seen a lot more recommendations (TBH it's more like 2 vs 0)
for 1password for password credential setup. Wonder why?
* other apps that handle this
* I did not look into this because I didn't want to install
yet another specialized CLI that I didn't understand
- [ ] VPC
- [ ] **Host a static site**
- [ ] Enable a static website hosting (`index.html`)
- [ ] Configure route 53 alias or CNAME for `resume.<yourdomain>` to the bucket endpoint.
- [ ] Deploy CloudFront with ACM certificate for HTTPS
#### Private "Innvite-Only" Resume Hosting
1. **Pre-signed URLs**
`aws s3 presign s3://<YOUR_BUCKET_NAME>/resume.pdf --expires-in 3600`
2. **IAM-only access**
- [ ] Store under `private/`
- [ ] Write a bucket policy allowing only the role `EC2-S3-Access-Role-daphodell` to `GetObject`
3. **Restrict to IP address**
- [ ] copy pasta json into bucket policy
## Further Reading
- [ ]
- [ ]
- [ ]
## Reflection
* What I built
* Challenges
* Security concerns
On scale and security at scale
## Terms ## Terms
### Identity Access Management ### Identity Access Management
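Review bot: the IAM-only access step ("Write a bucket policy allowing only the role `EC2-S3-Access-Role-daphodell` to `GetObject`") will not restrict access to that role on its own. A bucket-policy Allow only adds permission; it does not remove what other principals in the same account already get from their own IAM policies, so "only" needs an explicit Deny on `s3:GetObject` for `private/*` with a condition such as `aws:PrincipalArn` not matching the role ARN (keeping root or a break-glass identity out of the Deny). Three smaller points in the same hunk. The MFA note ("MFA did not work out of the box") should record which condition key was used: `aws:MultiFactorAuthPresent` is only set on temporary credentials obtained from STS with an MFA code (for example `aws sts get-session-token --serial-number <mfa-arn> --token-code <code>`), and the EC2 instance role session never carries it, so a bucket policy requiring MFA will deny the instance however the CLI or a password-manager plugin is configured. The pre-signed URL step should say that a URL signed with temporary credentials stops working when those credentials expire, regardless of `--expires-in 3600`. And the "Restrict to IP address" step is worth tying to the VPC stretch item: once S3 is reached through a gateway endpoint, `aws:SourceIp` no longer sees a public address and the condition has to use `aws:VpcSourceIp` or `aws:SourceVpce` instead. Also: "Innvite-Only" in the heading, and the three empty checkboxes under Further Reading.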
@ -43,9 +89,14 @@ graph LR
classDef aside fill:#fffbe6,stroke:#bbb,stroke-dasharray: 5 5,stroke-width:2px; classDef aside fill:#fffbe6,stroke:#bbb,stroke-dasharray: 5 5,stroke-width:2px;
``` ```
## Problems encountered
more carefully. Note to self: always double check.
## End lab ## End lab
- [ ] Clean up - [ ] On June 20, 2025, do the following:
- [ ] Custom roles - [ ] Clean up
- [ ] Custom policies - [ ] Custom roles
- [ ] Stop ec2 Instance - [ ] Custom policies
- [ ] Remove s3 bucket - [ ] Stop ec2 Instance
- [ ] Remove s3 bucket
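Review bot: the new `## Problems encountered` section starts mid-sentence ("more carefully. Note to self: always double check."); the first half of that account is the outbound HTTPS note added under the `Verify is3 access` step in the previous hunk, so either move those four lines down here or restore the start of the sentence. On the End lab list: `Remove s3 bucket` should read "empty, then remove", since a bucket still holding objects (or object versions, if versioning gets turned on for the static-site step) will not delete; and `Stop ec2 Instance` does not detach the instance profile, so deleting `Custom roles` before the instance is terminated leaves a stopped instance pointing at a role that no longer exists. Suggested order: stop or terminate the instance, detach and delete the policies and role, empty and delete the bucket.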