diff --git a/03-iam/exec.sh b/03-iam/exec.sh
new file mode 100755
index 00000000..937f214a
--- /dev/null
+++ b/03-iam/exec.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+PROFILE="labmfa"
+STACK_NAME="fidelisiam"
+TEMPLATE="iam-3-3-1.yaml"
+REGION="us-east-1"
+POLICY_NAME="fidelisUsersts"
+POLICY_DOC="file://user-policy.json"
+POLICY_ARN="arn:aws:iam::324320755747:policy/fidelisUsersts"
+USERNAME="fidelis.ogunsanmi.labs"
+ROLE_ARN="arn:aws:iam::324320755747:role/fidelisRole"
+
+
+# Lab 3.1.1: IAM Role
+# aws cloudformation deploy --template-file $TEMPLATE \
+# --stack-name $STACK_NAME --profile $PROFILE \
+# --capabilities CAPABILITY_NAMED_IAM \
+# --region $REGION
+
+# aws iam list-roles \
+# --profile $PROFILE
+
+# aws iam list-roles --profile $PROFILE \
+# | jq -r '.Roles[] | select(.RoleName|match("fidelisRole")) | .Arn'
+
+# Lab 3.1.6: Clean Up
+
+# aws cloudformation delete-stack --stack-name $STACK_NAME \
+# --profile $PROFILE \
+
+# Create the iam policy that gives access to assume role
+# aws iam create-policy --policy-name $POLICY_NAME \
+# --policy-document $POLICY_DOC \
+# --profile $PROFILE
+
+# attach the policy to the fidelis.ogunsanmi.labs user
+# aws iam attach-user-policy --user-name $USERNAME \
+# --policy-arn $POLICY_ARN \
+# --profile $PROFILE
+
+# assume the Role
+# aws sts assume-role --role-arn $ROLE_ARN \
+# --role-session-name AWSCLI \
+
+
+
+
\ No newline at end of file
diff --git a/03-iam/iam-3-1-4.yaml b/03-iam/iam-3-1-4.yaml
new file mode 100644
index 00000000..4961604b
--- /dev/null
+++ b/03-iam/iam-3-1-4.yaml
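Review bot: `ROLE_ARN` points at `role/fidelisRole` (the role that `TEMPLATE="iam-3-3-1.yaml"` creates), but the policy document behind `POLICY_DOC`, user-policy.json in this same commit, only allows `sts:AssumeRole` on `role/fidelisRole2`, so the final `aws sts assume-role` step would be denied by the very policy the script attaches unless the user holds another grant. One of the two needs to change; since the template creates `fidelisRole`, the policy `Resource` looks like the stale one: `"Resource": "arn:aws:iam::324320755747:role/fidelisRole"`. When these commands are uncommented, quote the expansions (`--template-file "$TEMPLATE"`, `--stack-name "$STACK_NAME"`, `--profile "$PROFILE"`) and add `set -euo pipefail` under the shebang so a failed deploy does not fall through to the attach and assume steps. The `assume-role` call prints temporary credentials to the terminal; a named profile with `role_arn`, `source_profile` and `mfa_serial` in the AWS CLI config lets the CLI assume the role and cache the credentials instead of having them copied by hand into shell history.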
@@ -0,0 +1,55 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Cloudformation template to create IAM Role with inline policy
+
+Resources:
+
+ myPolicy:
+ Type: 'AWS::IAM::ManagedPolicy'
+ Properties:
+ ManagedPolicyName: fidelisManagedPolicy
+ Description: Reusing same policy as attachment to Role2
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - 'iam:Get*'
+ - 'iam:List*'
+ Resource: '*'
+
+ myRole1:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: fidelisRole1
+ AssumeRolePolicyDocument: # (required) only one trust policy with a role
+ Version: '2012-10-17'
+ Statement:
+ -
+ Effect: Allow
+ Principal:
+ Service:
+ - 'ec2.amazonaws.com'
+ Action:
+ - 'sts:AssumeRole'
+ ManagedPolicyArns:
+ - arn:aws:iam::aws:policy/IAMReadOnlyAccess
+
+ myRole2:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: fidelisRole2
+ AssumeRolePolicyDocument: # (required) only one trust policy with a role
+ Version: '2012-10-17'
+ Statement:
+ -
+ Effect: Allow
+ Principal:
+ Service:
+ - 'ec2.amazonaws.com'
+ Action:
+ - 'sts:AssumeRole'
+ ManagedPolicyArns:
+ - arn:aws:iam::aws:policy/IAMReadOnlyAccess
+ - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
+
+
diff --git a/03-iam/iam-3-2-1.yaml b/03-iam/iam-3-2-1.yaml
new file mode 100644
index 00000000..e89aebb9
--- /dev/null
+++ b/03-iam/iam-3-2-1.yaml
@@ -0,0 +1,22 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Cloudformation template to create IAM Role with inline policy
+
+Resources:
+
+ myRole321:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: fidelisRole2
+ AssumeRolePolicyDocument: # (required) only one trust policy with a role
+ Version: '2012-10-17'
+ Statement:
+ -
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::324320755747:user/fidelis.ogunsanmi.labs
+ Action:
+ - 'sts:AssumeRole'
+ ManagedPolicyArns:
+ - arn:aws:iam::aws:policy/IAMReadOnlyAccess
+ - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
+
\ No newline at end of file
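Review bot: `myPolicy` is declared in iam-3-1-4.yaml but nothing references it — its own Description says "Reusing same policy as attachment to Role2", yet `myRole2.ManagedPolicyArns` lists only the two AWS-managed ARNs, so the customer-managed policy is created and left unattached. Either add `- !Ref myPolicy` under `myRole2`'s `ManagedPolicyArns` (iam.yaml in this commit does exactly that) or drop the resource, so the template does not leave dead configuration in the account. The template `Description` also says "inline policy" while every policy here is a managed one; `Description: IAM roles for EC2 with managed policies (lab 3.1.4)` would describe what the file actually deploys.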
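Review bot: `RoleName: fidelisRole2` in iam-3-2-1.yaml is the same physical name used by `myRole2` in iam-3-1-4.yaml and `myRole321` in iam-3-2-3.yaml; IAM role names are unique per account, so deploying this stack while either of those is still up fails at create time, and the "Clean Up" ordering in exec.sh becomes load-bearing. Dropping `RoleName` lets CloudFormation generate a unique name, or scope it to the stack with `RoleName: !Sub '${AWS::StackName}-role'`. The trust principal hard-codes the account id; `AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:user/fidelis.ogunsanmi.labs'` keeps the template deployable in another account without edits (the same applies to iam-3-2-3.yaml and iam-3-3-1.yaml).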
diff --git a/03-iam/iam-3-2-3.yaml b/03-iam/iam-3-2-3.yaml
new file mode 100644
index 00000000..c031bc09
--- /dev/null
+++ b/03-iam/iam-3-2-3.yaml
@@ -0,0 +1,32 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Cloudformation template to create IAM Role with inline policy
+
+Parameters:
+ BucketName:
+ Type: String
+ Description: The name of the S3 Bucket to create
+ Default: stelligent-u-fidelisogunsanmi
+
+Resources:
+
+ myRole321:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: fidelisRole2
+ AssumeRolePolicyDocument: # (required) only one trust policy with a role
+ Version: '2012-10-17'
+ Statement:
+ -
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::324320755747:user/fidelis.ogunsanmi.labs
+ Action:
+ - 'sts:AssumeRole'
+ ManagedPolicyArns:
+ - arn:aws:iam::aws:policy/AmazonS3FullAccess
+
+ myS3Bucket:
+ Type: 'AWS::S3::Bucket'
+ Properties:
+ BucketName: !Join [ '-', [ !Ref AWS::StackName, !Ref BucketName ] ]
+
\ No newline at end of file
diff --git a/03-iam/iam-3-3-1.yaml b/03-iam/iam-3-3-1.yaml
new file mode 100644
index 00000000..b3d4bfe2
--- /dev/null
+++ b/03-iam/iam-3-3-1.yaml
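Review bot: `arn:aws:iam::aws:policy/AmazonS3FullAccess` on `myRole321` grants every S3 action on every bucket in the account, while the template only creates `myS3Bucket`; anyone able to assume the role (here the `fidelis.ogunsanmi.labs` user) gets far more than the lab bucket. Replacing the managed ARN with an inline `Policies` entry scoped to the bucket ARN and its objects keeps the role to least privilege; the action list below is a starting point and should be trimmed to whatever the lab actually exercises. iam-3-3-1.yaml attaches the same managed policy to its role and should get the same treatment with both of its buckets listed.
```yaml
  myRole321:
    Type: 'AWS::IAM::Role'
    Properties:
      # … unchanged: RoleName, AssumeRolePolicyDocument …
      Policies:
        - PolicyName: LabBucketAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 's3:ListBucket'
                Resource: !GetAtt myS3Bucket.Arn
              - Effect: Allow
                Action:
                  - 's3:GetObject'
                  - 's3:PutObject'
                  - 's3:DeleteObject'
                Resource: !Sub '${myS3Bucket.Arn}/*'
```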
@@ -0,0 +1,42 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Cloudformation template to create IAM Role with inline policy
+
+Parameters:
+ BucketName1:
+ Type: String
+ Description: The name of the S3 Bucket to create
+ Default: stelligent-u-fidelisogunsanmi-1
+
+ BucketName2:
+ Type: String
+ Description: The name of the S3 Bucket to create
+ Default: stelligent-u-fidelisogunsanmi-2
+
+
+Resources:
+
+ myRole321:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: fidelisRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ -
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::324320755747:user/fidelis.ogunsanmi.labs
+ Action:
+ - 'sts:AssumeRole'
+ ManagedPolicyArns:
+ - arn:aws:iam::aws:policy/AmazonS3FullAccess
+
+ myS3Bucket1:
+ Type: 'AWS::S3::Bucket'
+ Properties:
+ BucketName: !Join [ '-', [ !Ref AWS::StackName, !Ref BucketName1 ] ]
+
+ myS3Bucket2:
+ Type: 'AWS::S3::Bucket'
+ Properties:
+ BucketName: !Join [ '-', [ !Ref AWS::StackName, !Ref BucketName2 ] ]
\ No newline at end of file
diff --git a/03-iam/iam.yaml b/03-iam/iam.yaml
new file mode 100644
index 00000000..6708f4cb
--- /dev/null
+++ b/03-iam/iam.yaml
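Review bot: `BucketName1` and `BucketName2` carry the identical `Description: The name of the S3 Bucket to create`, which is the text an operator sees in the console and in `describe-stacks` when deciding what to pass; say what each one is, e.g. `Description: Suffix for the first lab bucket (prefixed with the stack name)` and the same with "second" for `BucketName2`. The descriptions are also slightly wrong for both files, since the resulting bucket name is `StackName-<value>`, not the value itself. The logical ID `myRole321` is carried over from the 3-2-1 template although this file is lab 3.3.1 and the role is now `fidelisRole`; a name such as `labRole` or `myRole331` avoids the misleading cross-reference.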
@@ -0,0 +1,62 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Cloudformation template to create IAM Role with inline policy
+
+Resources:
+
+ myPolicy:
+ Type: 'AWS::IAM::ManagedPolicy'
+ Properties:
+ ManagedPolicyName: fidelisManagedPolicy
+ Description: Reusing same policy as attachment to Role2
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - 'iam:Get*'
+ - 'iam:List*'
+ Resource: '*'
+
+ myRole1:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: fidelisRole1
+ AssumeRolePolicyDocument: # (required) only one trust policy with a role
+ Version: '2012-10-17'
+ Statement:
+ -
+ Effect: Allow
+ Principal:
+ Service:
+ - 'ec2.amazonaws.com'
+ Action:
+ - 'sts:AssumeRole'
+ Policies:
+ - PolicyName: FidelisIAMRO
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - 'iam:Get*'
+ - 'iam:List*'
+ Resource: '*'
+
+ myRole2:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: fidelisRole2
+ AssumeRolePolicyDocument: # (required) only one trust policy with a role
+ Version: '2012-10-17'
+ Statement:
+ -
+ Effect: Allow
+ Principal:
+ Service:
+ - 'ec2.amazonaws.com'
+ Action:
+ - 'sts:AssumeRole'
+ ManagedPolicyArns:
+ - !Ref myPolicy
+
+
diff --git a/03-iam/myREADMe.md b/03-iam/myREADMe.md
new file mode 100644
index 00000000..877a5fba
--- /dev/null
+++ b/03-iam/myREADMe.md
@@ -0,0 +1,3 @@
+# IAM MODULE
+
+## Practice 3.1
diff --git a/03-iam/user-policy.json b/03-iam/user-policy.json
new file mode 100644
index 00000000..10257074
--- /dev/null
+++ b/03-iam/user-policy.json
@@ -0,0 +1,8 @@
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::324320755747:role/fidelisRole2"
+ }
+}
\ No newline at end of file
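Review bot: In iam.yaml the inline policy `FidelisIAMRO` on `myRole1` repeats `myPolicy`'s document word for word (`iam:Get*`/`iam:List*` on `*`), so the same permission set now lives in two places that can drift apart. If the point of this template is to show an inline policy beside a managed one, a comment on the `Policies:` line saying so, e.g. `# inline copy of myPolicy, kept to contrast inline vs managed attachment`, stops the next reader from "fixing" it; otherwise attach `- !Ref myPolicy` under a `ManagedPolicyArns` for `myRole1` as `myRole2` already does and drop the inline block. The `Resource: '*'` is acceptable for read-only `iam:Get*`/`iam:List*`, but a one-line comment stating that these are list/describe calls only would make the review intent explicit.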
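Review bot: The statement in user-policy.json grants `sts:AssumeRole` with no `Condition`, so the user can assume the role from any session; the profile in exec.sh is named `labmfa`, which suggests MFA is intended, and `"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}` on this statement makes the assume-role call require an MFA-authenticated caller (the role's trust policy in iam-3-2-1.yaml / iam-3-3-1.yaml can carry the same condition so the check holds on both sides). `"Statement"` as a single object is accepted by IAM, but the array form `"Statement": [ { … } ]` is the convention every CloudFormation template in this commit uses and is what most tooling expects.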