witch/labs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update notes

Browse Source
This commit is contained in:
witch
2025-06-13 21:24:32 -07:00
parent 44fa26ba30
commit 134b13f5cc
5 changed files with 74 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
lab-3/LAB-REPORT.md
View File

@ -41,7 +41,7 @@
### Stretch ### Stretch
- [x] Create a bucket policy that blocks all public access but allows your IAM role - [x] Create a bucket policy that blocks all public access but allows your IAM role
- [ ] Implmented: [guide](https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/) - [x] Implmented: [guide](https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/)
<<<<<<< HEAD <<<<<<< HEAD
![restrict to role](./assets/restrict-to-role.jpg) ![restrict to role](./assets/restrict-to-role.jpg)
@ -56,10 +56,10 @@
* [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli) * [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli)
* [official guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) * [official guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html)
* [x] via cli roles - I set up a new set of role-trust relationships. * [x] via cli roles - I set up a new set of role-trust relationships.
Update s3 Role: * Update s3 Role:
Update action: sts:assumerole * Update action: sts:assumerole
Update principle (for user -- could not target group) * Update principle (for user -- could not target group)
Add condition (MFA bool must be true) * Add condition (MFA bool must be true)
* Commands referenced: I set up a script that looks like this * Commands referenced: I set up a script that looks like this
```bash ```bash
@ -91,8 +91,8 @@ export AWS_SECRET_ACCESS_KEY=$(echo "$SESSION_OUTPUT" | jq '.Credentials.SecretA
aws s3 ls s3://witch-lab-3 aws s3 ls s3://witch-lab-3
``` ```
* configuration via ~/.aws/credentials * configuration via ~/.aws/credentials
* 1Password CLI with AWS Plugin * 1Password CLI with AWS Plugin
* I use bitwarden, which also has an AWS Plugin * I use bitwarden, which also has an AWS Plugin
* I've seen a lot more recommendations (TBH it's more like 2 vs 0) * I've seen a lot more recommendations (TBH it's more like 2 vs 0)
for 1password for password credential setup. Wonder why? for 1password for password credential setup. Wonder why?
@ -109,23 +109,56 @@ aws s3 ls s3://witch-lab-3
======= =======
* Cloudflare Edge Certificate -> Cloudfront -> S3 Bucket * Cloudflare Edge Certificate -> Cloudfront -> S3 Bucket
* In this step, I disabled "static website hosting" on the s3 bucket * In this step, I disabled "static website hosting" on the s3 bucket
* This was actually maddening to set up. For reasons I can't understand even
after Google Searching and ChatGPTing, my s3 bucket is under us-east-2
and Cloudfront kept redirecting me to the us-east-1 for some reason. I don't like
switching up regions under AWS because this way it's easy to forget what region
you created a specific service in because they're hidden depending on what
region is active at the moment.
**Private "Invite-Only" Resume Hosting** **Private "Invite-Only" Resume Hosting**
1. [x] **Pre-signed URLs**
`aws s3 presign s3://<YOUR_BUCKET_NAME>/resume.pdf --expires-in 3600` - [x] **Pre-signed URLs**
`aws s3 presign s3://<YOUR_BUCKET_NAME>/resume.pdf --expires-in 3600`
(see: presigned url screenshot)
![presigned url](./assets/create-presigned-url.jpg) ![presigned url](./assets/create-presigned-url.jpg)
>>>>>>> 1437cee (Add resume pdf & html) >>>>>>> 1437cee (Add resume pdf & html)
### Further Exploration ### Further Exploration
1. [ ] Snapshots & AMIs - [ ] Snapshots & AMIs
- [ ] Create an EBS snapshot of `/dev/xvda` - [ ] Create an EBS snapshot of `/dev/xvda`
- [ ] Register/create an AMI from that snapshot - [ ] Register/create an AMI from that snapshot
- [ ] How do you "version" a server with snapshots? Why is this useful? - [x] How do you "version" a server with snapshots? Why is this useful?
**Cattle, not pets**
This is useful for following the concept for treating your servers as
"cattle, not pets". Being able to keep versioned snapshots of your machines
means there's nothing special about your currently running server.
If it goes down (or you need to shoot it down), you can restore it on
another machine from an older snapshot.
Or if you needed to suddenly scale your operation from 1 machine to many,
where each machine needed the exact same configuration set as the other
(all need fail2ban installed, etc. etc,) -- you can do that with
an AMI image.
- [ ] Launch a new instance from your AMI - [ ] Launch a new instance from your AMI
2. [ ] Linux & Security Tooling - [ ] Linux & Security Tooling
3. [ ] Scripting & Automation - [ ] `ss -tulpn`, `lsof`, `auditctl` to inspect services and audit
- [ ] Install & run:
- [ ] nmap localhost
- [ ] tcpdump - c 20 -ni eth0
- [ ] lynis audit system
- [ ] fail2ban-client status
- [ ] OSSEC/Wazuh or ClamAV
- [ ] Scripting & Automation
- [ ] Bash: report world-writable files - [ ] Bash: report world-writable files
- [ ] Python with boto3: list snapshots, start/stop instances - [ ] Python with boto3: list snapshots, start/stop instances
- [ ] Convert to terraform
- [ ] IAM Role
- [ ] IAM Policy
- [ ] IAM Group
- [ ] EC2 Instance
- [ ] S3 Bucket
## Further Reading ## Further Reading
- [ ] - [ ]
@ -134,14 +167,21 @@ aws s3 ls s3://witch-lab-3
## Reflection ## Reflection
* What I built * What I built
* A secured s3 bucket for secure content that can only be accessed via multi-factor authentication
Good for storing particularly sensitive information.
* A minimal HTML website served from an S3 bucket
* Challenges * Challenges
* Groups cannot be used as the principal in a trust relationship
* The stretch goal for setting up s3 + mfa was a bit of a pain: * The stretch goal for setting up s3 + mfa was a bit of a pain:
* The earlier lab had me set up a trust relationship on the role to allow EC2 as a principal * Groups cannot be used as the principal in a trust relationship, breaking my mental model
on the role of the ideal way to onboard/offboard engineers by simply removing them from groups
When I later updated IAM permissions to include MFA, I promptly forgot about this detail (although I may have set up the IAM permissions in an inefficient way. I ended up having to
and had chatgpt help me with troubleshooting. It was pretty good at helping me figure out assign a user as the principal of the trust relationship for my s3 role.)
the issue * Issues between setting up Cloudflare -> CloudFront -> s3 bucket
* I think adding an extra service (Cloudflare, where I host my domain) added a little bit of complexity, though
my main issue was figuring out how to set up the ACM cert -> CloudFront distribution -> S3.
Most of the instructions I was able to parse through with ChatGPT -- I have to say I had a much
better reading through those instructions than with the official AWS docs, which led me through
nested links (understandably, because there seem to be multiple ways of doing everything).
* Security concerns * Security concerns
On scale and security at scale On scale and security at scale
@ -156,9 +196,4 @@ graph LR
classDef aside stroke-dasharray: 5 5, stroke-width:2px; classDef aside stroke-dasharray: 5 5, stroke-width:2px;
``` ```
## End lab ![Identity Access Management](./assets/mermaid.jpg)
- [ ] On June 20, 2025, do the following:
- [ ] Clean up
- [ ] Custom roles
- [ ] Custom policies
- [ ] Shut down ec2 Instance

BIN
lab-3/assets/mermaid.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

2
resources/RESOURCES.md
View File

@ -5,3 +5,5 @@
## Read ## Read
- [ ] [Debugging Zine](https://jvns.ca/debugging-zine.pdf) - [ ] [Debugging Zine](https://jvns.ca/debugging-zine.pdf)
- [ ] [The 5 Cybersecurity roles that will disappear first](./assets/The%205%20Cybersecurity%20Roles%20That%20Will%20Disappear%20First%20_%20by%20Taimur%20Ijlal%20_%20Jun,%202025%20_%20Medium-1.pdf) - [ ] [The 5 Cybersecurity roles that will disappear first](./assets/The%205%20Cybersecurity%20Roles%20That%20Will%20Disappear%20First%20_%20by%20Taimur%20Ijlal%20_%20Jun,%202025%20_%20Medium-1.pdf)
- [ ] Cloud Security For Beginners
- [ ] Sandworm

4
utilities/pdf_make/Dockerfile
View File

@ -1,5 +1,5 @@
# pdf_make/Dockerfile # Use the official Pandoc image as base
FROM pandoc/latex:2.19 FROM pandoc/latex:latest
WORKDIR /app WORKDIR /app

2
utilities/pdf_make/generate_reports.sh
View File

@ -21,7 +21,7 @@ find . -maxdepth 1 -type d -name "lab-*" | while read lab_dir; do
# Generate PDF using pandoc # Generate PDF using pandoc
# Make sure 'pandoc' command is available in the image, which it is for pandoc/latex # Make sure 'pandoc' command is available in the image, which it is for pandoc/latex
image_dir="$lab_dir" image_dir="$lab_dir"
pandoc "$markdown_file" -s -o "$pdf_file" --pdf-engine=pdflatex --resource-path "$image_dir" -V geometry:margin=0.5in pandoc "$markdown_file" -s -o "$pdf_file" --pdf-engine=xelatex --resource-path "$image_dir" -V geometry:margin=0.5in
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "Successfully generated $pdf_file" echo "Successfully generated $pdf_file"