CCP Hands-on Labs
Introduction to AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) is a service that allows AWS customers to manage users' access and permissions to the AWS accounts and available APIs/Services within AWS. IAM can manage users, security credentials (such as API access keys), and allow users to access AWS resources. In this lab:
- Walk through the foundations of IAM.
- Focus on user and group management.
- Assign access to specific resources using IAM managed policies.
- Find the sign-in URL where IAM users log in to the account.
- Explore all of this from a real-world use case perspective.
- Add the following users to their proper groups:
  - user-1 should be in the S3-Support group
  - user-2 should be in the EC2-Support group
  - user-3 should be in the EC2-Admin group
- Copy the IAM users sign-in link from the AWS console, open an incognito window, and sign in as either user-1, user-2, or user-3 with the password set during user creation.
Creating a Basic VPC and Associated Components
Create a VPC
- Create a VPC from scratch (without using the VPC Wizard).
- Set the VPC CIDR to 172.16.0.0/16.
Create a Public and Private Subnet in Different Availability Zones using the following IP CIDR addresses:
- Public1 subnet in us-east-1a: 172.16.1.0/24
- Private1 subnet in us-east-1b: 172.16.2.0/24
Create Two Network Access Control Lists (NACLs), and Associate Each with the Proper Subnet
- Create a public NACL with inbound rules allowing HTTP and SSH traffic, as well as an outbound rule allowing traffic on port range 1024-65535.
- Associate the public NACL with the public subnet.
- Create a private NACL with an inbound rule allowing SSH traffic with a source of 172.16.1.0/24, as well as an outbound rule allowing traffic on port range 1024-65535.
- Associate the private NACL with the private subnet.
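The two NACLs above are stateless, which is why each one needs the outbound 1024-65535 rule: replies to an inbound SSH or HTTP request go back to the client's ephemeral port and are judged on their own. The following is an added example, not part of the lab, that models the lab's two NACLs plus a constructed misconfiguration with the return rule missing, and evaluates sample packets with the standard library only.

```python
import ipaddress

EPHEMERAL = (1024, 65535)   # outbound range the lab's NACLs open for return traffic

# Rule layout: (rule number, protocol, (port from, port to), CIDR, action)
PUBLIC_NACL = {
    "inbound": [
        (100, "tcp", (80, 80), "0.0.0.0/0", "allow"),       # HTTP from anywhere
        (110, "tcp", (22, 22), "0.0.0.0/0", "allow"),       # SSH from anywhere
    ],
    "outbound": [(100, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")],
}
PRIVATE_NACL = {
    "inbound": [(100, "tcp", (22, 22), "172.16.1.0/24", "allow")],  # SSH from Public1 only
    "outbound": [(100, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")],
}
# Constructed misconfiguration for comparison: the outbound ephemeral rule was forgotten.
NO_RETURN_NACL = {"inbound": PUBLIC_NACL["inbound"], "outbound": []}


def evaluate(nacl, direction, proto, port, peer_ip):
    """Decide one packet in one direction the way a NACL does: rules are
    tried in ascending rule-number order, the first match wins, and the
    implicit '*' rule denies anything left over."""
    peer = ipaddress.ip_address(peer_ip)
    for _num, rproto, (lo, hi), cidr, action in sorted(nacl[direction]):
        if rproto == proto and lo <= port <= hi and peer in ipaddress.ip_network(cidr):
            return action
    return "deny"


def session_allowed(nacl, client_ip, service_port, client_port):
    """A TCP session from client_ip to an instance behind this NACL only works
    if the request is allowed inbound AND the reply (sent back to the client's
    ephemeral port) is allowed outbound; the NACL keeps no connection state."""
    request = evaluate(nacl, "inbound", "tcp", service_port, client_ip)
    reply = evaluate(nacl, "outbound", "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"
```

Sample addresses such as 203.0.113.5 and 172.16.1.10 are constructed; the CIDRs and ports are the lab's own.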
Create an Internet Gateway, and Connect It to the VPC
Create Two Route Tables, and Associate Them with the Correct Subnet
- Create two route tables:
- One for the public subnet with an internet gateway route
- One for the private subnet without an internet gateway route
- For the public route table, create a default route to the internet using the 0.0.0.0/0 CIDR notation.
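Before clicking through the console, it helps to confirm that the subnet plan fits the VPC CIDR and to see why the private subnet has no path to the internet. This added example (not part of the lab) checks the lab's addressing offline and resolves destinations against the two route tables the way the VPC router does, most specific prefix first; the implicit "local" route that every VPC route table carries is spelled out here.

```python
import ipaddress

VPC_CIDR = "172.16.0.0/16"
SUBNETS = {
    "Public1": "172.16.1.0/24",    # us-east-1a
    "Private1": "172.16.2.0/24",   # us-east-1b
}

# Every VPC route table has the implicit "local" route for the VPC CIDR;
# only the public table adds the 0.0.0.0/0 default route to the internet gateway.
ROUTE_TABLES = {
    "public": {"172.16.0.0/16": "local", "0.0.0.0/0": "igw"},
    "private": {"172.16.0.0/16": "local"},
}


def validate_subnets(vpc_cidr=VPC_CIDR, subnets=SUBNETS):
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")
    return problems


def usable_hosts(cidr):
    """AWS reserves the first four and the last address of every subnet."""
    return ipaddress.ip_network(cidr).num_addresses - 5


def next_hop(table_name, destination):
    """Longest-prefix match over one route table; None means no route, so
    the VPC router drops the packet (the private subnet's fate for 0.0.0.0/0)."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, target in ROUTE_TABLES[table_name].items():
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None
```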
Creating and Validating Connectivity for Amazon EC2 Instances in a Public and Private Subnet
Create an Amazon EC2 Instance in the Public Subnet, and Verify Connectivity Using SSH
- Verify the VPC configuration.
- Create an Amazon EC2 instance in the public subnet, and verify connectivity using SSH.
Create an Amazon EC2 Instance in the Private Subnet
- Create an Amazon EC2 instance in the private subnet.
- Identify which configuration of the instance and the VPC makes the instance private.
Creating a Basic Amazon S3 Lifecycle Policy
Create an S3 Bucket and Upload an Object
Create a Lifecycle Policy
Create a lifecycle policy that moves objects to Glacier if they haven't been accessed in the last 30 days.
Creating Amazon S3 Buckets, Managing Objects, and Enabling Versioning
Create a Public and Private Amazon S3 Bucket
- Create a public Amazon S3 bucket.
- Enable public access, and then upload an object.
- Verify public access to the object.
- Create a private Amazon S3 bucket, but do not enable public access.
- Verify what happens when the object accessed does not have public permissions.
Enable Versioning on the Public Bucket and Validate Access to Different Versions of Files with the Same Name
- Enable versioning on the public bucket.
- Upload a file to the bucket.
- Upload a second file to the bucket with the same name.
- Verify that both versions of the file are accessible.
Assigning a FQDN (Fully Qualified Domain Name) to an EC2 Instance Using Route 53
Create an EC2 Instance
- Create an EC2 instance, selecting the t2.micro (free tier eligible) instance type.
- Make sure to enable Auto-assign Public IP.
- Once the EC2 instance is up and running, copy the public IP address to use later.
- Connect to the EC2 instance using SSH, and run the following commands:
- sudo yum update -y
- sudo yum install -y httpd
- sudo service httpd start
- sudo chkconfig httpd on
- Open a new browser tab, and paste in the copied public IP address to verify our web server is up and running.
Create Record Sets
- In Route 53, choose the provided hosted zones.
- Choose Create Record Set.
- Choose a name.
- Set the Type to A - IPv4 address.
- For Alias, accept the default of no.
- TTL can be 300 seconds.
- For Value, enter the public IP address we copied earlier from our EC2 instance.
- Choose Simple routing policy.
- Click Create.
- It will take a few minutes for the record to propagate to the DNS servers. After that, open a new window and type in the domain names for both record sets we created to verify that we assigned a FQDN to our EC2 instance.
Monitoring and Notifications with CloudWatch Events and SNS
Create an SNS Topic and Subscribe an Email Address
- Create an SNS topic.
- Subscribe an email address.
- Confirm your subscription to the newly created SNS topic.
Create a CloudWatch Events Rule to Trigger the SNS Topic When There is a State Change to an EC2 Instance
Change the State of the EC2 Instance, and Verify the Receipt of the SNS Notification
- In the EC2 console, change the state of the EC2 instance to stop.
- Next, check your email to verify that you received the SNS notification that a state change has occurred to an EC2 instance.
Creating an Amazon Aurora RDS Database (MySQL Compatible)
Configure the Security Groups, Route Tables, and NACL
- Verify the NACL permits port 22 for SSH and port 3306 for MySQL/Aurora.
- Verify two route tables exist: one utilizing an internet gateway and another with no IGW/NAT routes.
- Verify the private subnet is associated with the route table that does not contain an internet gateway.
- Verify the public subnet is associated with the route table that does contain an internet gateway.
- Create a new security group containing rules to permit port 22 and 3306 from 0.0.0.0/0, and assign this security group to the EC2 bastion.
Set Up an EC2 Instance for SSH Tunneling
- Create an EC2 instance, ensuring you select the previously created security group with rules for ports 22 and 3306.
- During the instance creation process, download the .pem key file, as this will be used to establish a connection to the EC2 instance.
- Using your downloaded key, log in to your EC2 instance via SSH to verify connectivity.
Create an RDS Aurora Database
- Create a T2.small RDS Aurora database, ensuring the database is launched in a private subnet.
- Ensure the security group associated with the RDS Aurora database permits traffic on TCP 3306.
- Use MySQL Workbench to verify connectivity, ensuring the Connection Method is set to Standard TCP/IP over SSH, and SSH Key File is set to your previously downloaded .pem key.