update notes

2025-06-13 21:24:32 -07:00
parent 44fa26ba30
commit 134b13f5cc
5 changed files with 74 additions and 37 deletions
--- a/lab-3/LAB-REPORT.md
+++ b/lab-3/LAB-REPORT.md
@ -41,7 +41,7 @@

 ### Stretch
 - [x] Create a bucket policy that blocks all public access but allows your IAM role
-  - [ ] Implmented: [guide](https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/)
+  - [x] Implmented: [guide](https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/)

 <<<<<<< HEAD
 ![restrict to role](./assets/restrict-to-role.jpg)
@ -56,10 +56,10 @@
  * [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli)
  * [official guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html)
  * [x] via cli roles - I set up a new set of role-trust relationships.
-      Update s3 Role: 
-        Update action: sts:assumerole 
-        Update principle (for user -- could not target group)
-        Add condition (MFA bool must be true)
+    * Update s3 Role: 
+      * Update action: sts:assumerole 
+      * Update principle (for user -- could not target group)
+      * Add condition (MFA bool must be true)
  * Commands referenced: I set up a script that looks like this

 ```bash
@ -109,23 +109,56 @@ aws s3 ls s3://witch-lab-3
 =======
    * Cloudflare Edge Certificate -> Cloudfront -> S3 Bucket
    * In this step, I disabled "static website hosting" on the s3 bucket
+    * This was actually maddening to set up. For reasons I can't understand even
+      after Google Searching and ChatGPTing, my s3 bucket is under us-east-2
+      and Cloudfront kept redirecting me to the us-east-1 for some reason. I don't like
+      switching up regions under AWS because this way it's easy to forget what region 
+      you created a specific service in because they're hidden depending on what
+      region is active at the moment.
+
 **Private "Invite-Only" Resume Hosting**
-1. [x] **Pre-signed URLs**
+
+- [x] **Pre-signed URLs**
 `aws s3 presign s3://<YOUR_BUCKET_NAME>/resume.pdf --expires-in 3600`
+(see: presigned url screenshot)

 ![presigned url](./assets/create-presigned-url.jpg)
 >>>>>>> 1437cee (Add resume pdf & html)

 ### Further Exploration
-1. [ ] Snapshots & AMIs
+- [ ] Snapshots & AMIs
  - [ ] Create an EBS snapshot of `/dev/xvda`
  - [ ] Register/create an AMI from that snapshot
-    - [ ] How do you "version" a server with snapshots? Why is this useful?
+    - [x] How do you "version" a server with snapshots? Why is this useful?
+      **Cattle, not pets**
+      This is useful for following the concept for treating your servers as 
+      "cattle, not pets". Being able to keep versioned snapshots of your machines
+      means there's nothing special about your currently running server.
+      If it goes down (or you need to shoot it down), you can restore it on 
+      another machine from an older snapshot.
+
+      Or if you needed to suddenly scale your operation from 1 machine to many,
+      where each machine needed the exact same configuration set as the other
+      (all need fail2ban installed, etc. etc,) -- you can do that with
+      an AMI image.
  - [ ] Launch a new instance from your AMI
-2. [ ] Linux & Security Tooling
-3. [ ] Scripting & Automation
+- [ ] Linux & Security Tooling
+  - [ ] `ss -tulpn`, `lsof`, `auditctl` to inspect services and audit
+  - [ ] Install & run:
+    - [ ] nmap localhost
+    - [ ] tcpdump - c 20 -ni eth0
+    - [ ] lynis audit system
+    - [ ] fail2ban-client status
+    - [ ] OSSEC/Wazuh or ClamAV
+- [ ] Scripting & Automation
  - [ ] Bash: report world-writable files
  - [ ] Python with boto3: list snapshots, start/stop instances
+- [ ] Convert to terraform
+  - [ ] IAM Role
+  - [ ] IAM Policy
+  - [ ] IAM Group
+  - [ ] EC2 Instance
+  - [ ] S3 Bucket

 ## Further Reading
 - [ ]
@ -134,14 +167,21 @@ aws s3 ls s3://witch-lab-3

 ## Reflection
 * What I built
+  * A secured s3 bucket for secure content that can only be accessed via multi-factor authentication
+    Good for storing particularly sensitive information.
+  * A minimal HTML website served from an S3 bucket 
 * Challenges
-  * Groups cannot be used as the principal in a trust relationship
  * The stretch goal for setting up s3 + mfa was a bit of a pain:
-    * The earlier lab had me set up a trust relationship on the role to allow EC2 as a principal
-      on the role
-      When I later updated IAM permissions to include MFA, I promptly forgot about this detail
-      and had chatgpt help me with troubleshooting. It was pretty good at helping me figure out
-      the issue
+    * Groups cannot be used as the principal in a trust relationship, breaking my mental model
+      of the ideal way to onboard/offboard engineers by simply removing them from groups
+      (although I may have set up the IAM permissions in an inefficient way. I ended up having to 
+      assign a user as the principal of the trust relationship for my s3 role.)
+  * Issues between setting up Cloudflare -> CloudFront -> s3 bucket
+    * I think adding an extra service (Cloudflare, where I host my domain) added a little bit of complexity, though
+      my main issue was figuring out how to set up the ACM cert -> CloudFront distribution -> S3.
+      Most of the instructions I was able to parse through with ChatGPT -- I have to say I had a much 
+      better reading through those instructions than with the official AWS docs, which led me through
+      nested links (understandably, because there seem to be multiple ways of doing everything).
    
 * Security concerns
  On scale and security at scale
@ -156,9 +196,4 @@ graph LR
 classDef aside stroke-dasharray: 5 5, stroke-width:2px;
 ```

-## End lab
- [ ] On June 20, 2025, do the following:
-  - [ ] Clean up
-    - [ ] Custom roles
-    - [ ] Custom policies
-  - [ ] Shut down ec2 Instance
+![Identity Access Management](./assets/mermaid.jpg)
--- a/lab-3/assets/mermaid.jpg
+++ b/lab-3/assets/mermaid.jpg
--- a/resources/RESOURCES.md
+++ b/resources/RESOURCES.md
@ -5,3 +5,5 @@
 ## Read
 - [ ] [Debugging Zine](https://jvns.ca/debugging-zine.pdf)
 - [ ] [The 5 Cybersecurity roles that will disappear first](./assets/The%205%20Cybersecurity%20Roles%20That%20Will%20Disappear%20First%20_%20by%20Taimur%20Ijlal%20_%20Jun,%202025%20_%20Medium-1.pdf)
+- [ ] Cloud Security For Beginners
+- [ ] Sandworm
--- a/utilities/pdf_make/Dockerfile
+++ b/utilities/pdf_make/Dockerfile
@ -1,5 +1,5 @@
-# pdf_make/Dockerfile
-FROM pandoc/latex:2.19
+# Use the official Pandoc image as base
+FROM pandoc/latex:latest

 WORKDIR /app

--- a/utilities/pdf_make/generate_reports.sh
+++ b/utilities/pdf_make/generate_reports.sh
@ -21,7 +21,7 @@ find . -maxdepth 1 -type d -name "lab-*" | while read lab_dir; do
            # Generate PDF using pandoc
            # Make sure 'pandoc' command is available in the image, which it is for pandoc/latex
            image_dir="$lab_dir"
-            pandoc "$markdown_file" -s -o "$pdf_file" --pdf-engine=pdflatex --resource-path "$image_dir" -V geometry:margin=0.5in
+            pandoc "$markdown_file" -s -o "$pdf_file" --pdf-engine=xelatex --resource-path "$image_dir" -V geometry:margin=0.5in

            if [ $? -eq 0 ]; then
                echo "Successfully generated $pdf_file"