write down instructions

lab-3/LAB-REPORT.md

@@ -34,26 +34,29 @@
   ![screenshot of listing s3 contents](./assets/s3-access-screenshot.jpg)
 
 ### Stretch
-- [ ] Create a bucket policy that blocks all public access but allows your IAM role
+- [x] Create a bucket policy that blocks all public access but allows your IAM role
+  - [ ] Implmented: [guide](https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/)
+  ![restrict to role](./assets/restrict-to-role.jpg)
 - [ ] **Experiment** with requiring MFA or VPC conditions.
   - [ ] MFA conditions
     * MFA did not work out of the box after setting it in the s3 bucket policy. 
       The ways I found you can configure MFA:
       * [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli)
-        * via cli roles
-        * configuration via ~/.aws/credentials
-        * 1Password CLI with AWS Plugin
-          * I use bitwarden, which also has an AWS Plugin
-          * This is probably what I will gravitate towards for a more 
-            long-term setup, because having all of these credentials
-            floating around in various areas on my computer/virtualbox
-            envs gets confusing. Not a fan.
-          * I've seen a lot more recommendations (TBH it's more like 2 vs 0)
-            for 1password for password credential setup. Wonder why?
-        * other apps that handle this
-          * I did not look into this because I didn't want to install
-            yet another specialized CLI that I didn't understand
+      * via cli roles
+      * configuration via ~/.aws/credentials
+      * 1Password CLI with AWS Plugin
+        * I use bitwarden, which also has an AWS Plugin
+        * This is probably what I will gravitate towards for a more 
+          long-term setup, because having all of these credentials
+          floating around in various areas on my computer/virtualbox
+          envs gets confusing. Not a fan.
+        * I've seen a lot more recommendations (TBH it's more like 2 vs 0)
+          for 1password for password credential setup. Wonder why?
+      * other apps that handle this
+        * I did not look into this because I didn't want to install
+          yet another specialized CLI that I didn't understand
   - [ ] VPC
+
 - [ ] **Host a static site**
   - [ ] Enable a static website hosting (`index.html`)
   - [ ] Configure route 53 alias or CNAME for `resume.<yourdomain>` to the bucket endpoint.
@@ -67,6 +70,18 @@
   3. **Restrict to IP address**
     - [ ] copy pasta json into bucket policy
 
+### Further Exploration
+1. [ ] Snapshots & AMIs
+  - [ ] Create an EBS snapshot of `/dev/xvda`
+  - [ ] Register/create an AMI from that snapshot
+    - [ ] How do you "version" a server with snapshots? Why is this useful?
+  - [ ] Launch a new instance from your AMI
+2. [ ] Linux & Security Tooling
+3. [ ] Scripting & Automation
+  - [ ] Bash: report world-writable files
+  - [ ] Python with boto3: list snapshots, start/stop instances
+
+
 ## Further Reading
 - [ ]
 - [ ]