|
|
| (37 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| − | '''Bold text''''''EDX Course'''<br>
| + | '''EDX Course'''<br> |
| − | Week 2 - Exercise 4 <br>
| + | |
| − | <source lang="text">
| + | |
| − | Create an AWS IAM policy
| + | |
| − | In the AWS Management Console, click Services, then click IAM to open the IAM dashboard.
| + | |
| − | In the left navigation menu, click Policies.
| + | |
| − | Click Create policy.
| + | |
| − | Click the JSON tab.
| + | |
| − | In the editor textbox, completely replace the sample policy with the following.
| + | |
| − | </source>
| + | |
| − | <source lang="text">
| + | |
| − | {
| + | |
| − | "Version": "2012-10-17",
| + | |
| − | "Statement": [
| + | |
| − | {
| + | |
| − | "Sid": "Sid1",
| + | |
| − | "Effect": "Allow",
| + | |
| − | "Action": [
| + | |
| − | "iam:*",
| + | |
| − | "rds:*",
| + | |
| − | "sns:*",
| + | |
| − | "cloudformation:*",
| + | |
| − | "rekognition:*",
| + | |
| − | "ec2:*",
| + | |
| − | "cognito-idp:*",
| + | |
| − | "sqs:*",
| + | |
| − | "xray:*",
| + | |
| − | "s3:*",
| + | |
| − | "elasticloadbalancing:*",
| + | |
| − | "cloud9:*",
| + | |
| − | "lambda:*",
| + | |
| − | "tag:GetResources",
| + | |
| − | "logs:*",
| + | |
| − | "kms:ListKeyPolicies",
| + | |
| − | "kms:GenerateRandom",
| + | |
| − | "kms:ListRetirableGrants",
| + | |
| − | "kms:GetKeyPolicy",
| + | |
| − | "kms:ListResourceTags",
| + | |
| − | "kms:ReEncryptFrom",
| + | |
| − | "kms:ListGrants",
| + | |
| − | "kms:GetParametersForImport",
| + | |
| − | "kms:ListKeys",
| + | |
| − | "kms:GetKeyRotationStatus",
| + | |
| − | "kms:ListAliases",
| + | |
| − | "kms:ReEncryptTo",
| + | |
| − | "kms:DescribeKey"
| + | |
| − | ],
| + | |
| − | "Resource": "*"
| + | |
| − | }
| + | |
| − | ]
| + | |
| − | }
| + | |
| − | </source>
| + | |
| − | <source lang="text">
| + | |
| − | Click Review Policy.
| + | |
| − | For Name, type edXProjectPolicy
| + | |
| − | Click Create policy.
| + | |
| | | | |
| − | You have successfully created an AWS IAM policy with full access to AWS IAM, Amazon EC2, Amazon S3,
| + | Week 1 - Exercise 2 <br> |
| − | Amazon RDS, Amazon SNS, Amazon SQS, Amazon Rekognition, AWS Lambda, Amazon Cognito, AWS Cloud9,
| + | [[ Launch an Amazon EC2 instance with a user data script. ]]<br> |
| − | AWS X-Ray, and AWS CloudFormation. When you create IAM policies, follow the standard security
| + | |
| − | advice of granting least privilege - that is, granting only the permissions required to perform a task.
| + | |
| − | Determine what users need to do and then craft policies for them that let the users perform only those tasks.
| + | |
| − | </source> | + | |
| − | Create IAMS User
| + | |
| − | <source lang="text">
| + | |
| − | Create an AWS IAM user, attach a policy to the user, and generate access keys.
| + | |
| | | | |
| − | In this section, you will create an AWS IAM user and attach the policy you just created to the user.
| + | Week 1 - Exercise 3 <br> |
| − | You will then generate the access keys for the user. Those access keys will be used to make
| + | [[ Launch an AWS CloudFormation template to create VPC and subnets. ]]<br> |
| − | programmatic calls to AWS services via AWS CLI or APIs. If you are familiar with AWS IAM users,
| + | [[ Step by step instructions ot launch a CloudFormation template ]]<br> |
| − | you may want to attempt to complete this section before reading the step-by-step instructions.
| + | [[ Launch an Amazon EC2 instance with a user data script in a VPC ]]<br> |
| | + | [[ Step by step - Launch an Amazon EC2 instance with a user data script in a VPC ]]<br> |
| | | | |
| − | AWS IAM user name: edXProjectUser
| + | Week 2 - Exercise 4 <br> |
| − | Access type: Programmatic access and AWS Management Console access
| + | [[ Create an AWS IAM policy ]]<br> |
| − | Policy: edXProjectPolicy
| + | [[ Create and IAMS user ]]<br> |
| − | Important: Download the .csv file with the access keys after creating the user. Also, make sure to click
| + | [[ Create an IAMS user in step by step ]] |
| − | the Send email link to get the email instructions for signing in to the AWS Management Console as edXProjectUser.
| + | [[ Create an Amazon EC2 instance and configure AWS CLI with the access keys of the AWS IAM user ]]<br> |
| − | | + | [[ Create an Amazon EC2 instance and configure AWS CLI step by step ]]<br> |
| − | Reminder! Be sure to protect your AWS account access keys like you would your credit card numbers
| + | [[ Connect to the instance using SSH. ]] |
| − | or any other sensitive secret.
| + | |
| − | | + | |
| − | At the end of this exercise, you will not be using the access keys again. It is a security best practice
| + | |
| − | to remove IAM user credentials that are not needed. After this exercise, make sure to remove the access
| + | |
| − | keys only (not the AWS Console password) for the IAM user - edXProjectUser. See more IAM Best Practices.
| + | |
| − | </source> | + | |
| − | Create an IAMS user in detail | + | |
| − | <source lang="text"> | + | |
| − | | + | |
| − | In the AWS Console, click Services, then click IAM to go to the IAM dashboard.
| + | |
| − | In the left navigation menu, click Users.
| + | |
| − | Click Add user.
| + | |
| − | In the User name text box, type edXProjectUser
| + | |
| − | For Access type, select Programmatic access and AWS Management Console access.
| + | |
| − | For Console password, you may choose either Autogenerated password or Custom password. If you choose Autogenerated, you will be prompted to change your console password when you log in to the AWS Console as the edXProjectUser user. Make sure you take a note of the password created.
| + | |
| − | Click Next: Permissions.
| + | |
| − | Under Set permissions for edXProjectUser section, click Attach existing policies directly.
| + | |
| − | In the search text box for Filter, type edXProjectPolicy. Select edXProjectPolicy from the filtered list.
| + | |
| − | Click Next: Review.
| + | |
| − | Review the information and click Create user. You should see a success message.
| + | |
| − | Click Download .csv to download the access key ID and secret access key.
| + | |
| − | Note: This is your only chance to download these credentials.
| + | |
| − | In the Email login instructions column, click Send email. You can send an email to an email address of your choice. This email contains the instructions to sign in to your AWS account with the edXProjectUser AWS IAM user credentials.
| + | |
| − | Click Close to return to the console.
| + | |
| − | In the left navigation menu, click Dashboard.
| + | |
| − | Note the IAM users sign-in link. This is a special URL for IAM users, which includes your account ID. You will see the same URL in the email you just created.
| + | |
| − | Sign out of the console, and follow the instructions provided in the email you just received to sign in to the AWS Console as the edXProjectUser AWS IAM user.
| + | |
| − | | + | |
| − | | + | |
| − | </source>
| + | |
| − | Create an Amazon EC2 instance and configure AWS CLI with the access keys of the AWS IAM user edXProjectUser | + | |
| − | <source lang="text"> | + | |
| − | | + | |
| − | Sign-in to your AWS account as the edXProjectUser AWS IAM user.
| + | |
| − | Create an Amazon EC2 instance using the properties below. If you are familiar with Amazon EC2, you may
| + | |
| − | want to attempt to complete this portion before reading the step-by-step instructions.
| + | |
| − | | + | |
| − | Region: Oregon (us-west-2)
| + | |
| − | Amazon Machine Image (AMI): Amazon Linux AMI (Do not use the Amazon Linux 2 AMI)
| + | |
| − | Instance Type: t2.micro
| + | |
| − | Network VPC: edx-build-aws-vpc
| + | |
| − | Subnet: edx-subnet-public-a
| + | |
| − | Tag: Ex4WebServer
| + | |
| − | Security group name: Use the security group created in the third exercise, exercise3-sg.
| + | |
| − | Key Pair: Use the key pair created in the third exercise.
| + | |
| − | | + | |
| − | </source>
| + | |
| − | | + | |
| − | '''Step by step instructions'''
| + | |
| − | <source lang="tezt">
| + | |
| − | | + | |
| − | In the AWS Console, click Services, then click EC2 to go to the EC2 dashboard.
| + | |
| − | Make sure you are in the Oregon region.
| + | |
| − | From the EC2 dashboard, click Launch Instance.
| + | |
| − | On the Choose an Amazon Machine Image (AMI) page, select the Amazon Linux AMI. This AMI is free-tier eligible.
| + | |
| − | Note: Do not select the Amazon Linux 2 AMI option.
| + | |
| − | On the Choose an Instance Type page, select t2.micro.
| + | |
| − | Click Next: Configure Instance Details.
| + | |
| − | For Network, select edx-build-aws-vpc.
| + | |
| − | For Subnet, select edx-subnet-public-a in the us-west-2a availability zone.
| + | |
| − | Click Next: Add Storage. Skip through this page and click Next: Add Tags.
| + | |
| − | Click Add Tag.
| + | |
| − | In the Key textbox, type Name.
| + | |
| − | In the Value textbox, type Ex4WebServer.
| + | |
| − | Click Next: Configure Security Group. Select the Select an existing security group option.
| + | |
| − | From the list of security groups, select exercise3-sg.
| + | |
| − | Click Review and Launch.
| + | |
| − | On the Review Instance Launch page, review the details and click Launch.
| + | |
| − | When prompted for a key pair, select Choose an existing key pair, and then choose the key pair you created in the third exercise.
| + | |
| − | Select the acknowledgement check box, and then click Launch Instances.
| + | |
| − | Click View Instances to return to the instances page.
| + | |
| − | On the Instances page, you can view the status of the launch. It can take a few minutes for the instance to be ready so that you can connect to it. Check that your instance has passed its status checks. You can view this information in the Status Checks column.
| + | |
| − | Once the instance is ready, select the instance and note down the IPv4 Public IP found in the Descriptions tab at the bottom.
| + | |
| − | | + | |
| − | | + | |
| − | </source>
| + | |
| − | | + | |
| − | | + | |
| − | <source lang="text">
| + | |
| − | | + | |
| − | Connect to the instance using SSH. You may refer to the instructions in the third exercise for connecting
| + | |
| − | to the instance.
| + | |
| − | Open the credentials.csv file that you downloaded earlier. Find the entry for edXProjectUser, and note
| + | |
| − | the values for Access Key Id and Secret Access Key.
| + | |
| − | On the instance terminal, type the below command.
| + | |
| − | | + | |
| − | aws configure
| + | |
| − | | + | |
| − | Follow the prompts on the screen and paste in the values for Access Key Id and Secret Access Key.
| + | |
| − | For Region, type us-west-2.
| + | |
| − | For Default output format, press ENTER.
| + | |
| − | You have now configured the AWS CLI so that any CLI calls will operate with the credentials of the AWS IAM user edXProjectUser.
| + | |
| − | Now query the information about the Amazon EC2 instances in your account. Type the command below.
| + | |
| − | | + | |
| − | aws ec2 describe-instances
| + | |
| − | | + | |
| − | You should see a JSON output with all the information of the Amazon EC2 instances in your account.
| + | |
| − | This means that you were able to successfully execute the AWS CLI command with the permissions attached
| + | |
| − | to the edXProjectUser.
| + | |
| − | | + | |
| − | </source>
| + | |
