CCP Hands-on Labs

Introduction to AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) is a service that allows AWS customers to manage users' access and permissions to the AWS accounts and available APIs/Services within AWS. IAM can manage users, security credentials (such as API access keys), and allow users to access AWS resources. In this lab:

    • We will be walking through the foundations of IAM.
    • We'll focus on user and group management,
    • How to assign access to specific resources using IAM managed policies
    • We'll learn how to find the login URL where AWS users can log in to account,
    • Explore this from a real-world use case perspective.
  1. Add the following users to their proper groups:
    • user-1 should be in the S3-Support group
    • user-2 should be in the EC2-Support group
    • user-3 should be in the EC2-Admin group
  2. Copy the IAM users sign-in link in the AWS console, open an incognito window, and sign in as either user-1, user-2, or user-3 with the password set during user creation.

Creating a Basic VPC and Associated Components

Create a VPC

  1. Create a VPC from scratch (without using the VPC Wizard).
  2. Set the VPC CIDR to

Create a Public and Private Subnet in Different Availability Zones using the following IP CIDR addresses:

      • Public1 subnet in us-east-1a:
      • Private1 subnet in us-east-1b:

Create Two Network Access Control Lists (NACLs), and Associate Each with the Proper Subnet

    1. Create a public NACL with inbound rules allowing HTTP and SSH traffic, as well as an outbound rule allowing traffic on port range 1024-65535.
    2. Associate the public NACL with the public subnet.
    3. Create a private NACL with an inbound rule allowing SSH traffic with a source of, as well as an outbound rule allowing traffic on port range 1024-65535.
    4. Associate the private NACL with the private subnet.

Create an Internet Gateway, and Connect It to the VPC

Create Two Route Tables, and Associate Them with the Correct Subnet

    1. Create two route tables:
      • One for the public subnet with an internet gateway route
      • One for the private subnet without an internet gateway route
    2. For the public route table, create a default route to the internet using the CIDR notation.

Creating and Validating Connectivity for Amazon EC2 Instances in a Public and Private Subnet

Create an Amazon EC2 Instance in the Public Subnet, and Verify Connectivity Using SSH

    1. Verify the VPC configuration.
    2. Create an Amazon EC2 instance in the public subnet, and verify connectivity using SSH.

Create an Amazon EC2 Instance in the Private Subnet

  1. Create an Amazon EC2 instance in the private subnet.
  2. Identify what configuration for the instance and the VPC make the instance private.

Creating a Basic Amazon S3 Lifecycle Policy

Create an S3 Bucket and Upload an Object

Create a Lifecycle Policy

Create a lifecycle policy that moves objects to Glacier if they haven't been accessed in the last 30 days.

Creating Amazon S3 Buckets, Managing Objects, and Enabling Versioning

Create a Public and Private Amazon S3 Bucket

    1. Create a public Amazon S3 bucket.
    2. Enable public access, and then upload an object.
    3. Verify public access to the object.
    4. Create a private Amazon S3 bucket, but do not enable public access.
    5. Verify what happens when the object accessed does not have public permissions.

Enable Versioning on the Public Bucket and Validate Access to Different Versions of Files with the Same Name

    1. Enable versioning on the public bucket.
    2. Upload a file to the bucket.
    3. Upload a second file to the bucket with the same name.
      • Verify that both versions of the file are accessible.

Assigning a FQDN (Fully Qualified Domain Name) to an EC2 Instance Using Route 53

Create an EC2 Instance

  1. Create an EC2 instance, select the T2 micro free tier eligible instance type.
  2. Make sure to enable Auto-assign Public IP.
  3. Once the EC2 instance is up and running, copy the public IP address to use later.
  4. Connect to the EC2 instance using SSH, and run the following commands:
    1. sudo yum update - y
    2. sudo yum install -y httpd
    3. sudo service httpd start
    4. sudo chkconfig http on
  5. Open a new browser tab, and paste in the copied public IP address to verify our web server is up and running.

Create Record Sets

    1. In Route 53, choose the provided hosted zones.
    2. Choose Create Record Set.
    3. Choose a name.
    4. Set the Type to A - IPv4 address.
    5. For Alias, accept the default of no.
    6. TTL can be 300 seconds.
    7. For Value, enter the public IP address we copied earlier from our EC2 instance.
    8. Choose Simple routing policy.
    9. Click Create.
    10. It will take a few minutes for this to populate to the DNS servers, but after a few minutes, open a new window and type in the domain names for both record sets we created to verify that we assigned a FQDN to our EC2 instance.

Monitoring and Notifications with CloudWatch Events and SNS

Create an SNS Topic and Subscribe an Email Address

    1. Create an SNS topic.
    2. Subscribe an email address.
    3. Confirm your subscription to the newly created SNS topic.

Create a CloudWatch Events Rule to Trigger the SNS Topic When There is a State Change to an EC2 Instance

Change the State of the EC2 Instance, and Verify the Receipt of the SNS Notification

  1. In the EC2 console, change the state of the EC2 instance to stop.
  2. Next, check your email to verify that you received the SNS notification that a state change has occurred to an EC2 instance.

Creating an Amazon Aurora RDS Database (MySQL Compatible)

Configure the Security Groups, Route Tables, and NACL

    1. Verify the NACL permits port 22 for SSH and port 3306 for MySQL/Aurora.
    2. Verify two route tables exist: one utilizing an internet gateway and another with no IGW/NAT routes.
    3. Verify the private subnet is associated with the route table that does not contain an internet gateway.
    4. Verify the public subnet is associated with the route table that does contain an internet gateway.
    5. Create a new security group containing rules to permit port 22 and 3306 from, and assign this security group to the EC2 bastion.

Set Up an EC2 Instance for SSH Tunneling

    1. Create an EC2 instance, ensuring you select the previously created security group with rules for ports 22 and 3306.
    2. During the instance creation process, download the .pem key file, as this will be used to establish a connection to the EC2 instance.
    3. Using your downloaded key, log in to your EC2 instance via SSH to verify connectivity.

Create an RDS Aurora Database

    1. Create a T2.small RDS Aurora database, ensuring the database is launched in a private subnet.
    2. Ensure the security group associated with the RDS Aurora database permits traffic on TCP 3306.
    3. Use MySQL Workbench to verify connectivity, ensuring the Connection Method is set to Standard TCP/IP over SSH, and SSH Key File is set to your previously downloaded .pem key.