module 3 changes

03-iam/exec.sh

@@ -0,0 +1,47 @@
+#!/bin/bash 
+
+PROFILE="labmfa"
+STACK_NAME="fidelisiam"
+TEMPLATE="iam-3-3-1.yaml"
+REGION="us-east-1"
+POLICY_NAME="fidelisUsersts"
+POLICY_DOC="file://user-policy.json"
+POLICY_ARN="arn:aws:iam::324320755747:policy/fidelisUsersts"
+USERNAME="fidelis.ogunsanmi.labs"
+ROLE_ARN="arn:aws:iam::324320755747:role/fidelisRole"
+
+
+# Lab 3.1.1: IAM Role
+# aws cloudformation deploy --template-file $TEMPLATE \
+#      --stack-name $STACK_NAME --profile $PROFILE \
+#        --capabilities CAPABILITY_NAMED_IAM \
+#          --region $REGION
+
+# aws iam list-roles \
+#   --profile $PROFILE 
+
+# aws iam list-roles --profile $PROFILE  \
+#      | jq -r '.Roles[] | select(.RoleName|match("fidelisRole")) | .Arn' 
+
+# Lab 3.1.6: Clean Up
+
+# aws cloudformation delete-stack --stack-name $STACK_NAME \
+#      --profile $PROFILE \
+
+# Create the iam policy that gives access to assume role 
+# aws iam create-policy --policy-name $POLICY_NAME \
+#     --policy-document $POLICY_DOC \
+#        --profile $PROFILE 
+
+# attach the policy to the fidelis.ogunsanmi.labs user 
+# aws iam attach-user-policy --user-name $USERNAME \
+#   --policy-arn $POLICY_ARN \
+#     --profile $PROFILE 
+
+# assume the Role 
+# aws sts assume-role --role-arn $ROLE_ARN \
+#    --role-session-name AWSCLI \
+
+
+
+

03-iam/iam-3-1-4.yaml

@@ -0,0 +1,55 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Cloudformation template to create IAM Role with inline policy 
+
+Resources:
+
+  myPolicy:
+      Type: 'AWS::IAM::ManagedPolicy'
+      Properties:
+        ManagedPolicyName: fidelisManagedPolicy
+        Description: Reusing same policy as attachment to Role2 
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+              - Effect: Allow
+                Action:
+                 - 'iam:Get*'
+                 - 'iam:List*'
+                Resource: '*'
+
+  myRole1:
+    Type: 'AWS::IAM::Role'
+    Properties: 
+      RoleName: fidelisRole1
+      AssumeRolePolicyDocument: # (required) only one trust policy with a role
+        Version: '2012-10-17'
+        Statement: 
+          - 
+            Effect: Allow
+            Principal: 
+              Service: 
+                - 'ec2.amazonaws.com'
+            Action: 
+              - 'sts:AssumeRole'
+      ManagedPolicyArns:
+             - arn:aws:iam::aws:policy/IAMReadOnlyAccess
+
+  myRole2:
+    Type: 'AWS::IAM::Role'
+    Properties: 
+      RoleName: fidelisRole2
+      AssumeRolePolicyDocument: # (required) only one trust policy with a role
+        Version: '2012-10-17'
+        Statement: 
+          - 
+            Effect: Allow
+            Principal: 
+              Service: 
+                - 'ec2.amazonaws.com'
+            Action: 
+              - 'sts:AssumeRole'
+      ManagedPolicyArns:
+             - arn:aws:iam::aws:policy/IAMReadOnlyAccess
+             - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
+
+

03-iam/iam-3-2-1.yaml

@@ -0,0 +1,22 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Cloudformation template to create IAM Role with inline policy 
+
+Resources:
+
+  myRole321:
+    Type: 'AWS::IAM::Role'
+    Properties: 
+      RoleName: fidelisRole2
+      AssumeRolePolicyDocument: # (required) only one trust policy with a role
+        Version: '2012-10-17'
+        Statement: 
+          - 
+            Effect: Allow
+            Principal: 
+              AWS: arn:aws:iam::324320755747:user/fidelis.ogunsanmi.labs
+            Action: 
+              - 'sts:AssumeRole'
+      ManagedPolicyArns:
+              - arn:aws:iam::aws:policy/IAMReadOnlyAccess
+              - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
+

03-iam/iam-3-2-3.yaml

@@ -0,0 +1,32 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Cloudformation template to create IAM Role with inline policy 
+
+Parameters:
+  BucketName:
+    Type: String
+    Description: The name of the S3 Bucket to create
+    Default: stelligent-u-fidelisogunsanmi
+
+Resources:
+
+  myRole321:
+    Type: 'AWS::IAM::Role'
+    Properties: 
+      RoleName: fidelisRole2
+      AssumeRolePolicyDocument: # (required) only one trust policy with a role
+        Version: '2012-10-17'
+        Statement: 
+          - 
+            Effect: Allow
+            Principal: 
+              AWS: arn:aws:iam::324320755747:user/fidelis.ogunsanmi.labs
+            Action: 
+              - 'sts:AssumeRole'
+      ManagedPolicyArns:
+              - arn:aws:iam::aws:policy/AmazonS3FullAccess
+
+  myS3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: !Join [ '-', [ !Ref AWS::StackName, !Ref BucketName ] ]
+

03-iam/iam-3-3-1.yaml

@@ -0,0 +1,42 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Cloudformation template to create IAM Role with inline policy 
+
+Parameters:
+  BucketName1:
+    Type: String
+    Description: The name of the S3 Bucket to create
+    Default: stelligent-u-fidelisogunsanmi-1
+
+  BucketName2:
+    Type: String
+    Description: The name of the S3 Bucket to create
+    Default: stelligent-u-fidelisogunsanmi-2
+
+
+Resources:
+
+  myRole321:
+    Type: 'AWS::IAM::Role'
+    Properties: 
+      RoleName: fidelisRole
+      AssumeRolePolicyDocument: 
+        Version: '2012-10-17'
+        Statement: 
+          - 
+            Effect: Allow
+            Principal: 
+              AWS: arn:aws:iam::324320755747:user/fidelis.ogunsanmi.labs
+            Action: 
+              - 'sts:AssumeRole'
+      ManagedPolicyArns:
+              - arn:aws:iam::aws:policy/AmazonS3FullAccess
+
+  myS3Bucket1:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: !Join [ '-', [ !Ref AWS::StackName, !Ref BucketName1 ] ]
+
+  myS3Bucket2:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: !Join [ '-', [ !Ref AWS::StackName, !Ref BucketName2 ] ]

03-iam/iam.yaml

@@ -0,0 +1,62 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Cloudformation template to create IAM Role with inline policy 
+
+Resources:
+
+  myPolicy:
+      Type: 'AWS::IAM::ManagedPolicy'
+      Properties:
+        ManagedPolicyName: fidelisManagedPolicy
+        Description: Reusing same policy as attachment to Role2 
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+              - Effect: Allow
+                Action:
+                 - 'iam:Get*'
+                 - 'iam:List*'
+                Resource: '*'
+
+  myRole1:
+    Type: 'AWS::IAM::Role'
+    Properties: 
+      RoleName: fidelisRole1
+      AssumeRolePolicyDocument: # (required) only one trust policy with a role
+        Version: '2012-10-17'
+        Statement: 
+          - 
+            Effect: Allow
+            Principal: 
+              Service: 
+                - 'ec2.amazonaws.com'
+            Action: 
+              - 'sts:AssumeRole'
+      Policies:
+         - PolicyName: FidelisIAMRO
+           PolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                 - Effect: Allow
+                   Action:
+                     - 'iam:Get*'
+                     - 'iam:List*'
+                   Resource: '*'
+
+  myRole2:
+    Type: 'AWS::IAM::Role'
+    Properties: 
+      RoleName: fidelisRole2
+      AssumeRolePolicyDocument: # (required) only one trust policy with a role
+        Version: '2012-10-17'
+        Statement: 
+          - 
+            Effect: Allow
+            Principal: 
+              Service: 
+                - 'ec2.amazonaws.com'
+            Action: 
+              - 'sts:AssumeRole'
+      ManagedPolicyArns:
+        - !Ref myPolicy
+
+

03-iam/myREADMe.md

@@ -0,0 +1,3 @@
+# IAM MODULE
+
+## Practice 3.1

03-iam/user-policy.json

@@ -0,0 +1,8 @@
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Action": "sts:AssumeRole",
+        "Resource": "arn:aws:iam::324320755747:role/fidelisRole2"
+    }
+}