# Lab 3

## Prep

- [x] Gitea set up
- [x] MFA set up
- [x] Add git ignore
- [x] Secrets/Token Management
  - [x] Consider secret-scanning
  - [x] Added git-leaks on pre-commit hook
- [x] Create & Connect to a Git*** repository
  - [x] https://git.dropbear-minnow.ts.net/
- [x] Modify and make a second commit

  ![image of terminal](./assets/prep-console.png)

- [x] Test to see if Gitea Actions works
- [x] Have an existing S3 bucket

## Resources

- [x] [Capital One Data Breach](./assets/Capital%20One%20Data%20Breach%20—%202019.%20Introduction%20_%20by%20Tanner%20Jones%20_%20Nerd%20For%20Tech%20_%20Medium.pdf)
- [x] [Grant IAM User Access to Only One S3 Bucket](./assets/Grant%20IAM%20User%20Access%20to%20Only%20One%20S3%20Bucket%20_%20Medium.pdf)
- [ ] [IAM Bucket Policies](./assets/From%20IAM%20to%20Bucket%20Policies_%20A%20Comprehensive%20Guide%20to%20S3%20Access%20Control%20with%20Console,%20CLI,%20and%20Terraform%20_%20by%20Mohasina%20Clt%20_%20Medium.pdf)
- [ ] [Dumping S3 Buckets!](https://www.youtube.com/watch?v=ITSZ8743MUk)

## Lab

- [x] Create a custom IAM policy
- [x] Create an IAM role for EC2

  ![trust relationships](./assets/trust-relationships.jpg)

  ![permissions](./assets/permissions.jpg)

- [x] Attach the role to your EC2 instance
- [x] Verify S3 access from the EC2 instance

  ![screenshot of listing s3 contents](./assets/s3-access-screenshot.jpg)

### Stretch

- [ ] Create a bucket policy that blocks all public access but allows your IAM role

## Terms

### Identity Access Management

```mermaid
graph LR
    IAMPolicy -- attaches to --> IAMIdentity
    ExplainIAMIdentity[users, groups of users, roles, AWS resources]:::aside
    ExplainIAMIdentity -.-> IAMIdentity
    classDef aside fill:#fffbe6,stroke:#bbb,stroke-dasharray: 5 5,stroke-width:2px;
```

## End lab

- [ ] Clean up
  - [ ] Custom roles
  - [ ] Custom policies
  - [ ] Stop EC2 instance
  - [ ] Remove S3 bucket
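The policy documents behind the Lab steps (a custom IAM policy scoped to one bucket) and the Stretch item (a bucket policy that denies every principal except the role), as an added Python example that is not part of this lab's own files. The account id, bucket name and role name are constructed placeholders, and `principal_is_denied` is a small helper written here, not an AWS API; the account root is kept on the allow-list so the explicit Deny cannot lock the account owner out.

```python
import json

# Placeholder values constructed for this example; substitute your own bucket, account and role.
ACCOUNT_ID = "123456789012"
BUCKET = "lab3-example-bucket"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/lab3-ec2-s3-role"


def single_bucket_iam_policy(bucket: str) -> dict:
    """Custom IAM policy for the EC2 role: list, read and write one bucket only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOneBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ObjectsInOneBucket", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def role_only_bucket_policy(bucket: str, role_arn: str, account_id: str) -> dict:
    """Stretch goal: allow the role, explicitly deny every other principal (root kept as a safety net)."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    trusted = [role_arn, f"arn:aws:iam::{account_id}:root"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowEc2Role", "Effect": "Allow", "Principal": {"AWS": role_arn},
             "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
             "Resource": resources},
            # aws:PrincipalArn resolves to the role ARN for role sessions, so the instance
            # passes; anonymous requests (key absent) and other identities are denied.
            {"Sid": "DenyAllOtherPrincipals", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": resources,
             "Condition": {"StringNotEquals": {"aws:PrincipalArn": trusted}}},
        ],
    }


def principal_is_denied(policy: dict, principal_arn: str) -> bool:
    """True if the Deny statement from role_only_bucket_policy applies to this principal."""
    deny = next(s for s in policy["Statement"] if s["Effect"] == "Deny")
    return principal_arn not in deny["Condition"]["StringNotEquals"]["aws:PrincipalArn"]


if __name__ == "__main__":
    print(json.dumps(role_only_bucket_policy(BUCKET, ROLE_ARN, ACCOUNT_ID), indent=2))
```

The bucket's own Block Public Access setting is separate from this policy and should stay enabled alongside it; the generated document can be applied with `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json` once the role exists.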