2 Resources & Bastion Host Lab - deanbushmiller/aws-sec-e11 GitHub Wiki

Preparing for the future lab now

Some labs take a long time to initiate, and they cost money. If you jump to the Monitor lab, you will see these instructions again. If you are going to do the Security Hub lab, you need to enable a few things now. Search for and enable:

AWS Config | 1-click enable | Confirm

Enable resource recording in AWS Config: Dashboard view | Settings | confirm the recorder is on

AWS Security Hub | Go to Security Hub | Enable AWS Foundational Security Best Practices v1.0.0 | UNCHECK EVERYTHING ELSE | Enable Security Hub

  • After you enable Security Hub, it can take up to 2 hours to see the results from security checks for the newly enabled standards. Until then, the controls have a status of "No data".

Authentication

Prerequisite

  • Phone with authenticator app or password manager capable of TOTP

EC2

  • Create 3 SSH keys (you will copy the text of these keys to the interface)

Names: GuacUbn, WebLin, WebWin

Choose defaults: RSA / pem or putty

  • Create 1 security group, LABsg, with inbound ports 22, 80, 443 and 3389 open to 0.0.0.0/0
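The LABsg group above opens SSH and RDP to the whole internet, which is what the bastion host in this lab is meant to avoid. The added example below (not part of the wiki) emits CloudFormation resources for LABsg exactly as the lab defines it, next to a split where only Guacamole's HTTPS is public and the web hosts accept 22/3389 solely from the bastion's group; `VpcId` as a template parameter and the group names `GuacSG`/`WebSG` are assumptions.

```python
"""CloudFormation security groups for the lab: the wide-open LABsg versus a
bastion split. Added example, not the wiki's own code."""
import json

LAB_PORTS = (22, 80, 443, 3389)   # ports the lab opens on LABsg
ANY = "0.0.0.0/0"


def rule(port, cidr=None, source_sg=None):
    """One IpPermission entry: a CIDR source, or a referenced source group."""
    r = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if cidr:
        r["CidrIp"] = cidr
    else:
        r["SourceSecurityGroupId"] = {"Ref": source_sg}
    return r


def security_group(name, rules, vpc="VpcId"):
    # "VpcId" is an assumed template parameter naming the lab VPC
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupName": name, "GroupDescription": name,
                           "VpcId": {"Ref": vpc},
                           "SecurityGroupIngress": rules}}


def lab_template():
    """LABsg as the lab describes it: all four ports reachable from anywhere."""
    return {"LABsg": security_group("LABsg", [rule(p, ANY) for p in LAB_PORTS])}


def hardened_template():
    """Bastion pattern: only Guacamole's 443 is public; SSH/RDP arrive via it."""
    bastion = security_group("GuacSG", [rule(443, ANY)])
    web = security_group("WebSG", [rule(80, ANY), rule(443, ANY),
                                   rule(22, source_sg="GuacSG"),
                                   rule(3389, source_sg="GuacSG")])
    return {"GuacSG": bastion, "WebSG": web}


def public_ports(template, logical_id):
    """Ports in a group that any internet address may reach (the review check)."""
    ingress = template[logical_id]["Properties"]["SecurityGroupIngress"]
    return sorted(r["FromPort"] for r in ingress if r.get("CidrIp") == ANY)


if __name__ == "__main__":
    resources = {**lab_template(), **hardened_template()}
    print(json.dumps({"Resources": resources}, indent=2))
```

Running it prints a template fragment you can diff against what Former2 later exports from the account.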

EC2 host

  • Deploy server Guac-Ubn

Search

ubuntu 24.04 amd64 pro server (community AMI, Verified provider)

Instance type t2.small (you need 2 CPU / 2 GiB)

Choose the matching SSH key & security group LABsg

  • Deploy server WebLin

Search

WordPress Certified by Bitnami | Subscribe | Launch

Instance type t3a.small

Choose the matching SSH key & security group LABsg

  • Deploy server WebWin

Search

Top WordPress Tips On Windows Server 2012r2 | Subscribe | Launch

Instance type t3.small

  • Test DNS resolution for both WEB servers using the Public IPv4 DNS name from the EC2 dashboard; both should resolve and respond
  • You do not need to configure the web servers' front ends
  • Configure Guac-Ubn

You must copy the public FQDN host name from EC2. It looks like:

ec2-#-#-#-#.compute-1.amazonaws.com

Check the instance | click Connect | EC2 Instance Connect tab | click Connect. This gives you an SSH terminal.

Installation and configuration of the GUAC server

  • Use the name from above to configure the Linux host name (the part left of the first dot in the FQDN)

ec2-#-#-#-#

  • Use the name from above to configure the LOCAL DNS SUFFIX (everything after the first dot)

compute-1.amazonaws.com

MySQL setup options:

  • SQL: Install MySQL locally? (For a REMOTE MySQL server select 'n') [y/n] [default y]: y
  • SQL: Apply MySQL secure installation settings to LOCAL db? [y/n] [default y]: y
  • SQL: Enter localhost's MySQL ROOT password:
  • SQL: Enter localhost's MySQL guacamole_user password:
  • SQL: Enter email address for SQL backup messages [Enter to skip]:

Guacamole authentication extension options:

  • AUTH: Install TOTP? (choose 'n' if you want Duo) [y/n]? [default n]: y
  • AUTH: Install LDAP? [y/n] [default n]: n

Guacamole console optional extras:

  • EXTRAS: Install Quick Connect feature? [y/n] [default n]: n
  • EXTRAS: Install History Recorded Storage feature [y/n] [default n]: n

Reverse Proxy & front end options:

  • FRONT END: Protect Guacamole behind Nginx reverse proxy [y/n]? [default n]: y
  • FRONT END: Enter proxy LOCAL DNS name? [Enter to use default]:
  • FRONT END: Add self signed TLS support to Nginx? [y/n]? (choose 'n' for Let's Encrypt)[default n]: Y

Copy your configurations

  • Normally, you would have a true FQDN and not worry about self-signed certificates
  • You only need:
  • Self-signed certificate configured for Nginx
  • https://#######.compute-1.amazonaws.com - login user/pass: guacadmin/guacadmin

Graphical GUAC configuration

  • You will need:

  • The WebWin SSH key (to view the Windows password)
  • IP addresses of both WEB servers
  • User names: NIX = bitnami, WIN = Administrator
  • Password: the WIN password is revealed in EC2: check the instance, click Connect | RDP Client tab | Get password (requires uploading the web2 key file)

At this point you might start wrecking your setup

  • Former2 is a good tool to pull your infrastructure into a CloudFormation template