0.2 - PaulDuvall/aws-compliance-workshop GitHub Wiki

Setup Development Environment

To run all of the examples, you will need to work through the following steps:

Create or access an AWS Account and grant IAM privileges

  1. Go to the Amazon Web Services page.
  2. Select Create a Free Account.
  3. If you do not have an account with AWS, choose I'm a New User; otherwise, enter your existing credentials.
  4. Enter your login information, contact and billing information, and read and accept the AWS terms. During the account creation process you will need to enter a code sent to your phone for verification purposes.
  5. Once you have completed the registration process, you will be sent an email with further instructions. You can access the AWS Management Console at any time at https://console.aws.amazon.com/.
  6. Set up a new user and permissions using the IAM Console. For this course you will ideally have administrator access. See Creating Your First IAM Admin User and Group for more information. Do the exercises as that IAM user rather than as the account's root user, and enable MFA on both.

AWS Permissions

While you will ideally have administrator access to your AWS account, if you do not, you will need permissions for the following AWS services and actions, all of which are used by the setup steps or the cleanup commands on this page:

  • Amazon CloudWatch (including CloudWatch Events rules)
  • Amazon EC2 (Cloud9 launches an EC2 instance for the environment)
  • Amazon SNS
  • Amazon SQS
  • Amazon S3
  • AWS Cloud9
  • AWS CloudFormation
  • AWS CloudTrail
  • AWS CodeBuild
  • AWS CodeCommit
  • AWS CodePipeline
  • AWS Config
  • AWS IAM
  • AWS Lambda
  • AWS Secrets Manager

For more information on setting IAM permissions, see Actions, Resources, and Condition Keys for AWS Services.

Set up AWS Cloud9

  1. Go to the AWS Cloud9 console and select Create environment.
  2. Enter a Name and Description.
  3. Select Next step.
  4. Select Create a new instance for environment (EC2).
  5. Select t2.micro.
  6. Leave the Cost-saving setting at the After 30-minute (default).
  7. Select Next step.
  8. Review best practices and select Create environment.
  9. Once your Cloud9 environment has been launched, open a new terminal in Cloud9.

Create a working area in Cloud9

For the examples in this course, you'll create a working folder by typing these commands in Cloud9:

mkdir ~/environment/ccoa

All of the lessons assume that you've created this directory.

Install and Configure Python on Cloud9

cd ~/environment
sudo yum -y update
python3 --version                      # see whether Python 3 is already installed
sudo yum -y install python36           # Amazon Linux package for Python 3.6
python3 --version
curl -O https://bootstrap.pypa.io/get-pip.py
python3 get-pip.py --user              # installs pip under ~/.local without touching the system pip
python3 -m pip install --user --upgrade pip
echo 'export PATH=~/.local/bin:$PATH' >> ~/.bash_profile   # make ~/.local/bin available in new terminals
source ~/.bash_profile
pip --version

The PATH line goes into ~/.bash_profile in your home directory, which every new Cloud9 terminal reads; a .bash_profile inside ~/environment is not read automatically. If get-pip.py refuses to run on the installed interpreter (the unversioned script only supports currently maintained Python releases), use the version-specific script instead, for example https://bootstrap.pypa.io/pip/3.6/get-pip.py for Python 3.6. Installing with --user keeps pip out of the system Python that yum manages; running sudo pip install --upgrade pip there can break tools that depend on the packaged version.

For more information, see Install Python, pip on Cloud9 and the sample Python install.

Create AWS CodeCommit repository

  1. Create a new CodeCommit repository called ccoa-codecommit.
  2. Type the following from your AWS Cloud9 terminal (substituting your own name and email address for the placeholders):

git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
git config --global user.name "Your Name"
git config --global user.email "you@example.com"

The credential helper signs Git's HTTPS requests with whatever credentials the AWS CLI resolves. In a Cloud9 EC2 environment those are the AWS managed temporary credentials, so nothing long-lived is written to disk.

Generate HTTPS Git credentials for AWS CodeCommit

  1. Go to the IAM Console.
  2. Select the username for your IAM user.
  3. Click on the Security credentials tab and scroll down to HTTPS Git credentials for AWS CodeCommit and click the Generate button.
  4. Download the credentials and store them in a secure location (a password manager, not a file in the Cloud9 environment). These are static, long-lived credentials: you only need them if the credential helper configured above cannot sign requests for you, and you can deactivate or delete them from the same Security credentials tab when you are done.

Git clone test

cd ~/environment/ccoa/
git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/ccoa-codecommit

If you are prompted to enter your username and password, use the ones you downloaded when generating your HTTPS Git credentials.

Create an S3 Bucket

S3 bucket names are global, so create one whose name includes your AWS account ID; that keeps it unique without colliding with buckets in other accounts:

aws s3 mb s3://ccoa-$(aws sts get-caller-identity --output text --query 'Account') --region $(aws configure get region --output text)

Take note of this bucket name as you'll be using it throughout the course.
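As an added example, not part of the workshop's own instructions: a shell script that derives the workshop bucket name from the account ID, checks it against the S3 bucket naming rules, and creates the bucket with public access blocked, default encryption and versioning turned on, which is the baseline a compliance workshop would expect of its own artifact bucket. The function names and the --create switch are this example's assumptions; only create_ccoa_bucket calls the AWS CLI, the other two functions run offline.

```bash
#!/bin/sh
# Added example for the workshop setup (not the workshop's own code).
# Derives the bucket name ccoa-<account id>, validates it against S3 naming rules,
# and creates it with public access blocked, default encryption and versioning.
# Assumptions: the function names below and the --create switch are this example's.

# S3 bucket naming rules (the subset that matters here): 3-63 characters, only
# lowercase letters, digits, dots and hyphens, starting and ending with a letter or
# digit, no consecutive dots, and not formatted like an IPv4 address.
validate_bucket_name() {
  name="$1"
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 63 ] || return 1
  printf '%s' "$name" | grep -Eq '^[a-z0-9][a-z0-9.-]*[a-z0-9]$' || return 1
  printf '%s' "$name" | grep -q '\.\.' && return 1
  printf '%s' "$name" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' && return 1
  return 0
}

# The workshop's naming scheme: the ccoa- prefix plus the 12-digit account ID, which
# keeps the name unique across accounts without leaking anything beyond the account ID.
ccoa_bucket_name() {
  account="$1"
  printf '%s' "$account" | grep -Eq '^[0-9]{12}$' || {
    echo "not a 12-digit account id: $account" >&2
    return 1
  }
  printf 'ccoa-%s\n' "$account"
}

# Create the bucket and apply the baseline controls. Needs the AWS CLI and credentials.
create_ccoa_bucket() {
  account=$(aws sts get-caller-identity --output text --query 'Account') || return 1
  region=$(aws configure get region)
  bucket=$(ccoa_bucket_name "$account") || return 1
  validate_bucket_name "$bucket" || { echo "invalid bucket name: $bucket" >&2; return 1; }
  # us-east-1 rejects a LocationConstraint; every other region requires one.
  if [ "$region" = "us-east-1" ]; then
    aws s3api create-bucket --bucket "$bucket" --region "$region"
  else
    aws s3api create-bucket --bucket "$bucket" --region "$region" \
      --create-bucket-configuration LocationConstraint="$region"
  fi
  aws s3api put-public-access-block --bucket "$bucket" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  aws s3api put-bucket-encryption --bucket "$bucket" \
    --server-side-encryption-configuration \
    '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
  aws s3api put-bucket-versioning --bucket "$bucket" --versioning-configuration Status=Enabled
  echo "$bucket"
}

# Only create when invoked with --create; sourcing the file just defines the functions.
if [ "${1:-}" = "--create" ]; then
  create_ccoa_bucket
fi
```

Save it as, say, make-bucket.sh in ~/environment/ccoa and run sh make-bucket.sh --create from the Cloud9 terminal; it prints the bucket name on success. The name validation matters because aws s3 mb only reports a failure after the request, and a bucket that passes the public-access-block and encryption steps is the one the later Config rules in the workshop will mark as compliant.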

Fork the aws-compliance-workshop GitHub repository (OPTIONAL)

  1. If you don't have a GitHub account, create a free one by going to GitHub Signup. Make a note of the userid you created (will refer to as YOURGITHUBUSERID)
  2. Login to your GitHub account.
  3. Go to the aws-compliance-workshop GitHub repository.
  4. Click the Fork button. A message will display "Where do you want to fork this to?".
  5. Click on the button that displays Fork to YOURGITHUBUSERID.
  6. The command for cloning the aws-compliance-workshop GitHub repository will look something like this - git clone https://github.com/YOURGITHUBUSERID/aws-compliance-workshop.git
  7. After cloning the repo locally, you can change your directory: cd aws-compliance-workshop

Create an OAuth token in GitHub (OPTIONAL)

To integrate with GitHub, AWS CodePipeline uses OAuth tokens (a GitHub personal access token). Go to GitHub's Token Settings to generate your token and ensure you enable the following two scopes:

  • admin:repo_hook, which is used to detect when you have committed and pushed changes to the repository
  • repo, which is used to read and pull artifacts from public and private repositories into a pipeline

Treat the token like a password: the repo scope grants read and write access to every repository the token's owner can reach, not just the workshop fork. Keep it out of the repository and out of CloudFormation templates (AWS Secrets Manager, listed in the permissions above, is the usual place to hold it), and revoke it from the same settings page when you are done with the workshop.

Save username and password of git credentials locally (OPTIONAL)

To save your Git username and password (i.e. your token) in Cloud9, run the following commands:

git config credential.helper store
git push https://github.com/YOURGITHUBUSERID/aws-compliance-workshop.git
Username: <type your username>
Password: <type your token>

The store helper writes the token in plaintext to ~/.git-credentials on the Cloud9 instance, so anyone who can read that file (or snapshot the instance's volume) gets the token. For a session-only alternative use git config credential.helper 'cache --timeout=3600', which keeps the token in memory and forgets it after an hour.

Cleanup

Throughout the lessons, you may be instructed to or wish to terminate AWS resources that are no longer in use. This section provides examples of deleting, terminating, and cleaning up these resources.

You can delete the resources from the relevant consoles:

  • Remove S3 Buckets (S3 Console)
  • Delete SNS Topics (SNS Console)
  • Delete CloudFormation Stacks (CloudFormation Console)
  • Disable AWS Config (Config Console)
  • Delete CloudWatch Event Rules (CloudWatch Console)
  • Delete IAM Roles and Permissions (IAM Console)

Alternatively, to disable AWS Config from your AWS Cloud9 terminal, type the following (replacing ANYCONFIGBUCKETS, CONFIGRECORDERNAME and DELIVERYCHANNELNAME with the names returned by the ls and describe commands that precede them):

aws s3 ls
aws s3 rb s3://ANYCONFIGBUCKETS --force
aws configservice describe-configuration-recorders
aws configservice delete-configuration-recorder --configuration-recorder-name CONFIGRECORDERNAME
aws configservice describe-delivery-channels
aws configservice delete-delivery-channel --delivery-channel-name DELIVERYCHANNELNAME

Keep this order: AWS Config refuses to delete the last delivery channel while a configuration recorder is still running, so the recorder is deleted (or stopped) first. Note that --force empties the bucket before removing it, so check the aws s3 ls output carefully before pasting a bucket name into that command.

Example Commands

# List your buckets and confirm the region you are working in
aws s3 ls
aws configure get region
# Empty and remove the buckets created by the CloudTrail/Config lessons
aws s3 rb s3://ccoa-cloudtrail-$(aws sts get-caller-identity --output text --query 'Account') --force
aws s3 rb s3://ccoa-awsconfig-ccoa-config-cloudtrail-$(aws sts get-caller-identity --output text --query 'Account') --force
# Use the region in which you created the stack
aws cloudformation delete-stack --stack-name ccoa-config-cloudtrail --region us-east-2
# Without --force, rb only succeeds on an empty bucket
aws s3 rb s3://ccoa-6-s3-violation-$(aws sts get-caller-identity --output text --query 'Account')
# delete-policy fails while the policy is still attached to a role or user; detach it first
aws iam delete-policy --policy-arn arn:aws:iam::$(aws sts get-caller-identity --output text --query 'Account'):policy/ccoa-6-s3-policy
aws lambda delete-function --function-name "ccoa-6-lambda-s3"
aws configservice delete-config-rule --config-rule-name ccoa-s3-write-rule
# Targets must be removed before the rule itself can be deleted
aws events list-targets-by-rule --rule "ccoa-s3-write-cwe"
aws events remove-targets --rule "ccoa-s3-write-cwe" --ids "TARGETIDSFROMABOVE"
aws events delete-rule --name "ccoa-s3-write-cwe"
# Stacks that have been updated since creation show UPDATE_COMPLETE rather than CREATE_COMPLETE
aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE
aws cloudformation delete-stack --stack-name cfn-example
aws cloudformation delete-stack --stack-name config-recorder-stack
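The commands above are a checklist rather than a script, so here is an added example (not the workshop's own) that turns them into a dry-run-by-default cleanup: it picks out the buckets carrying the ccoa- prefix, stops and deletes the Config recorder and delivery channel in the order the service requires, removes event-rule targets before deleting the rule, and deletes the three stacks. CCOA_DRY_RUN, the helper names and the --run switch are this example's assumptions.

```bash
#!/bin/sh
# Added example (not the workshop's own script): tear down the workshop resources in
# dependency order. Dry run by default so the plan can be reviewed before anything is
# deleted. Assumptions: CCOA_DRY_RUN, the function names and the --run switch.

: "${CCOA_DRY_RUN:=1}"   # set CCOA_DRY_RUN=0 to really delete

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$CCOA_DRY_RUN" = "1" ]; then
    echo "DRY-RUN: $*"
  else
    "$@"
  fi
}

# Pick the bucket names out of `aws s3 ls` output that start with the given prefix.
# Input lines look like: 2019-01-01 12:00:00 ccoa-123456789012
ccoa_buckets_from_ls() {
  awk -v prefix="${1:-ccoa-}" 'index($3, prefix) == 1 { print $3 }'
}

# Empty and remove every bucket with the workshop prefix.
cleanup_buckets() {
  for b in $(aws s3 ls | ccoa_buckets_from_ls "ccoa-"); do
    run aws s3 rb "s3://$b" --force
  done
}

# AWS Config: a running recorder blocks deletion of the last delivery channel,
# so stop the recorder, delete the channel, then delete the recorder.
cleanup_config() {
  rec=$(aws configservice describe-configuration-recorders \
        --query 'ConfigurationRecorders[].name' --output text)
  chan=$(aws configservice describe-delivery-channels \
        --query 'DeliveryChannels[].name' --output text)
  for r in $rec; do run aws configservice stop-configuration-recorder --configuration-recorder-name "$r"; done
  for c in $chan; do run aws configservice delete-delivery-channel --delivery-channel-name "$c"; done
  for r in $rec; do run aws configservice delete-configuration-recorder --configuration-recorder-name "$r"; done
}

# CloudWatch Events: targets must be removed before the rule can be deleted.
cleanup_event_rule() {
  rule="$1"
  ids=$(aws events list-targets-by-rule --rule "$rule" --query 'Targets[].Id' --output text)
  [ -n "$ids" ] && run aws events remove-targets --rule "$rule" --ids $ids
  run aws events delete-rule --name "$rule"
}

# The whole plan; delete-stack uses the CLI's default region, pass --region for others.
ccoa_cleanup() {
  cleanup_buckets
  cleanup_config
  cleanup_event_rule "ccoa-s3-write-cwe"
  for stack in ccoa-config-cloudtrail cfn-example config-recorder-stack; do
    run aws cloudformation delete-stack --stack-name "$stack"
  done
}

# Only act when invoked with --run; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
  ccoa_cleanup
fi
```

Run sh cleanup.sh --run once with the default CCOA_DRY_RUN=1 and read the DRY-RUN lines; if every bucket, recorder, channel and stack listed is one you created for the workshop, run it again with CCOA_DRY_RUN=0. The prefix filter is what keeps the script from touching the Config delivery bucket of some other workload in the same account, so narrow it further if you share the account.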

NOTE

The examples assume you are using us-east-1 so that the links work as given. You can adapt the examples and the links, as they will work in most regions where these AWS services are available.