diff --git a/lab-3/LAB-REPORT.md b/lab-3/LAB-REPORT.md index 517d97e..c0d835a 100644 --- a/lab-3/LAB-REPORT.md +++ b/lab-3/LAB-REPORT.md 
@@ -34,26 +34,29 @@ ![screenshot of listing s3 contents](./assets/s3-access-screenshot.jpg) ### Stretch -- [ ] Create a bucket policy that blocks all public access but allows your IAM role +- [x] Create a bucket policy that blocks all public access but allows your IAM role + - [ ] Implmented: [guide](https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/) + ![restrict to role](./assets/restrict-to-role.jpg) - [ ] **Experiment** with requiring MFA or VPC conditions. - [ ] MFA conditions * MFA did not work out of the box after setting it in the s3 bucket policy. The ways I found you can configure MFA: * [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli) - * via cli roles - * configuration via ~/.aws/credentials - * 1Password CLI with AWS Plugin - * I use bitwarden, which also has an AWS Plugin - * This is probably what I will gravitate towards for a more - long-term setup, because having all of these credentials - floating around in various areas on my computer/virtualbox - envs gets confusing. Not a fan. - * I've seen a lot more recommendations (TBH it's more like 2 vs 0) - for 1password for password credential setup. Wonder why? - * other apps that handle this - * I did not look into this because I didn't want to install - yet another specialized CLI that I didn't understand + * via cli roles + * configuration via ~/.aws/credentials + * 1Password CLI with AWS Plugin + * I use bitwarden, which also has an AWS Plugin + * This is probably what I will gravitate towards for a more + long-term setup, because having all of these credentials + floating around in various areas on my computer/virtualbox + envs gets confusing. Not a fan. + * I've seen a lot more recommendations (TBH it's more like 2 vs 0) + for 1password for password credential setup. Wonder why? 
+ * other apps that handle this + * I did not look into this because I didn't want to install + yet another specialized CLI that I didn't understand - [ ] VPC + - [ ] **Host a static site** - [ ] Enable a static website hosting (`index.html`) - [ ] Configure route 53 alias or CNAME for `resume.` to the bucket endpoint. @@ -67,6 +70,18 @@ 3. **Restrict to IP address** - [ ] copy pasta json into bucket policy +### Further Exploration +1. [ ] Snapshots & AMIs + - [ ] Create an EBS snapshot of `/dev/xvda` + - [ ] Register/create an AMI from that snapshot + - [ ] How do you "version" a server with snapshots? Why is this useful? + - [ ] Launch a new instance from your AMI +2. [ ] Linux & Security Tooling +3. [ ] Scripting & Automation + - [ ] Bash: report world-writable files + - [ ] Python with boto3: list snapshots, start/stop instances + + ## Further Reading - [ ] - [ ] diff --git a/lab-3/assets/restrict-to-role.jpg b/lab-3/assets/restrict-to-role.jpg new file mode 100644 index 0000000..010512c Binary files /dev/null and b/lab-3/assets/restrict-to-role.jpg differ
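Review bot: In the first hunk (`@@ -34,26 +34,29 @@`) the parent task "Create a bucket policy that blocks all public access but allows your IAM role" is ticked `[x]`, but its new child `- [ ] Implmented: [guide](...)` stays unticked and "Implmented" is misspelled; either tick the child or leave the parent open so the checklist state is consistent, and spell it `Implemented`. The same hunk records that "MFA did not work out of the box after setting it in the s3 bucket policy" without showing the condition block that was tried, so the failure cannot be reproduced or diagnosed from the report; paste the relevant `Condition` snippet from the policy (redacting account ids) next to that bullet. The remaining lines in the hunk only change indentation of the existing MFA notes, which is fine, but note that the indentation-only churn makes the real content change (the guide link and screenshot) harder to spot in review.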
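Review bot: In the second hunk (`@@ -67,6 +70,18 @@`) item `2. [ ] Linux & Security Tooling` has no sub-tasks while items 1 and 3 each list concrete steps, so it cannot be checked off against anything; add the specific tools or checks intended, or defer the item until they are defined. Also, the new "Snapshots & AMIs" sub-task `How do you "version" a server with snapshots? Why is this useful?` is a question rather than an action, unlike its siblings; consider rewording it as a deliverable (for example, a short written answer or a tagged snapshot) so it has a clear done state.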