Introduction to AWS Security
-
Introduction
About the course and authors -
AWS cloud architecture
-
Security concerns with our architecture
-
Regions and Availability Zones (AZs)
-
Shared responsibility in the cloud
-
[Cheat Sheet] AWS Security Services
-
Create a billing alert to avoid surprise bills
-
Infrastructure SecurityVPC networks
-
Default VPCs
-
[DEMO] Creating VPCs and Subnets
-
How many VPCs should you use?
-
[DEMO] Subnet, Route Table, and Gateway Configurations
-
[LAB] [Challenge] Create a VPC with public and private subnets
-
[LAB] Launching an EC2 instance
-
[DEMO] Security Groups (SGs)
-
Security Groups Best Practices
-
[DEMO] Network Access Control Lists (NACLs)
-
[Cheat Sheet] SGs vs. NACLs
-
[LAB] [Challenge] Configure security groups and NACLs to specific requirements
-
Elastic Load Balancers
-
[DEMO] AWS WAF
-
[LAB] [Challenge] Deploy AWS WAF ACL for Application Load Balancer
-
[DEMO] AWS Network Firewall - Part 1
-
[DEMO] AWS Network Firewall - Part 2
-
AWS Shield for DDoS Protection
-
[LAB] Reduce AWS attack surface with port scanning and Security Groups
-
AWS Firewall Manager
-
Identity and Access Management (IAM)Key Concepts of IAM in AWS
-
[DEMO] Getting started with IAM in AWS
-
[DEMO] Creating our first admin user
-
Assigning permissions with policies
-
[Cheat Sheet] Anatomy of an AWS IAM Policy
-
[DEMO] Using Identity Center AWS SSO
-
IAM Roles
-
[DEMO] Creating a role for EC2 instances to access S3 buckets
-
End-User Management with Amazon Cognito
-
IAM Access Analyzer
-
[DEMO] IAM Access Analyzer Unused Access
-
[LAB] Check policies for new access before deployment with IAM Access Analyzer
-
[LAB] Check IAM policies against a deny list with IAM Access Analyzer
-
[LAB] IAM Credentials Report
-
Data ProtectionData protection in the cloud
-
EBS Data Protection and Encryption
-
[LAB] Encrypt Existing Unencrypted EBS Volumes and Snapshots
-
Amazon RDS Data Protection and Encryption
-
Key Management with AWS KMS
-
[Cheat Sheet] Getting Started with AWS KMS
-
[DEMO] Creating a Symmetric Encryption KMS Key
-
[Cheat Sheet] Encrypt and Decrypt Data with KMS and Data Keys
-
[LAB] Encrypt and Decrypt Data with KMS and Data Keys
-
Amazon S3 Bucket ProtectionUnderstanding Bucket Ownership
-
[LAB] Creating Buckets and Uploading Objects in S3
-
Managing Access to Buckets
-
[Cheat Sheet] S3 Bucket Policies vs. ACLs vs. IAM Policies
-
[LAB] [Challenge] Create an IAM role for secure access to S3 based on a scenario
-
Using Signed URLs
-
[LAB] S3 Presigned URLs
-
Encrypting S3 Data
-
[DEMO] Enable S3 Object Versioning
-
[Cheat Sheet] Amazon S3 Protection Summary
-
[Cheat Sheet] Create a least privilege S3 bucket policy
-
AWS Log Types and Auditing Options
-
Logging, Monitoring, and Incident Response[DEMO] Enable S3 Server Access Logs
-
AWS CloudTrail
-
Amazon CloudWatch
-
[DEMO] CloudTrail Security Automation with CloudWatch Logs and SNS
-
[LAB] Amazon VPC Flow Logs
-
Proper Logging and Monitoring
-
Amazon GuardDuty
-
[LAB] [DEMO] Enable Threat Detection with GuardDuty
-
[DEMO] Amazon EventBridge
-
AWS Config
-
AWS Systems Manager
-
[LAB] Secure EC2 Access with SSM Session Manager and KMS
-
[DEMO] AWS Config Automated Remediation with SSM
-
[LAB] Automated S3 Remediation to Enforce Block Public Access
-
[LAB] Remediate Open SSH Security Groups with AWS Config and SSM
-
Amazon Detective
-
[DEMO] Amazon Inspector
-
[LAB] Find vulnerable Lambda Functions with Amazon Inspector
-
About Amazon Macie
-
[DEMO] Deploying Amazon Macie
-
[DEMO] AWS Security Hub CSPM
-
[DEMO] Must-have AWS monitoring and alerting with SSK
-
[DEMO] AWS Organizations
-
Multi-Account Security[DEMO] Centrally managing root access
-
[DEMO] AWS SCPs and Management Policies
-
[DEMO] Resource Control Policies (RCPs)
-
AWS Control Tower
-
[DEMO] Using RAM to share resources across accounts
-
About IaC
-
Infrastructure as Code (IaC)[DEMO] Deploying resources with CloudFormation
-
[DEMO] Deploying a Lambda function with CloudFormation
-
[DEMO] Multi-account and multi-region deployments
-
[DEMO] Detecting drift
-
[LAB] CloudFormation Guard
-
[DEMO] Using AWS Service Catalog - Part 1
-
[DEMO] Using AWS Service Catalog - Part 2
-
[DEMO] Getting started with the Cloud Development Kit (CDK)
-
[DEMO] Deploying a project with the CDK
-
Wrap-up and Key TakeawaysWhat next?
[LAB] [Challenge] Create a VPC with public and private subnets
Christophe October 18, 2022
Lab Details 👨🔬
- Length of time: < 20 minutes
- Cost:
- $0 when using Cybr’s Hands-On Labs
- $0 if you decide to use your own AWS account instead * Please note that we can’t guarantee this since a) AWS can change pricing unexpectedly and b) some resources will continue accruing charges if they’re left on, so if you forget to stop them or delete them, you may incur additional costs. We are not responsible for any unexpected costs. With that said, this lab does not require any resources that cost money to run so you should not have to pay anything at all
- Difficulty: Easy
We did something very similar in the demo lesson titled “Creating VPCs and Subnets” but I want you to try and complete this scenario as much as possible without looking back at that lesson. Of course, if you’re stuck and you can’t find answers by searching online, I do recommend using the course lesson material to break through. Pretend like you’ve been asked to do this on the job and troubleshoot to the best of your ability. That will help you build practical skills.
Scenario 🧪
Create a VPC named cybr-vpc-lab that contains 2 public subnets and 2 private subnets. Each of the public subnets should reside in different availability zones, with a private subnet in each of those zones as well.
Use a CIDR block of /16 for the VPC and CIDRs of /24 for the subnets.
Create an S3 Gateway VPC Endpoint that is connected to both of the private subnets.
While you can use the “VPC and more” option to automate a lot of this, I challenge you to manually create these resources instead to really apply what you’ve learned so far.
Tips:
- Remember what makes a public subnet versus a private one
- Before you launch a resource, it’s a great idea to verify its pricing first. For example, you should not be launching a NAT Gateway if you want to keep the cost at $0.00 since NAT Gateways cost money — all resources needed for this lab don’t cost anything so that’s a hint you don’t need a NAT Gateway
Conclusion
If you’d like us to verify your work after you’ve completed this lab, feel free to post in Discord here so as to avoid sharing any spoilers on this page.
Note: if you are running this scenario in your own AWS account and plan on experimenting with these resources further, feel free to keep them around. Otherwise, I’d recommend deleting them so that they don’t just sit around collecting dust for no reason. Otherwise, if you’re using Cybr’s lab environment, you don’t have to worry about deleting the resources, although though it is good practice, especially since deleting VPC resources can be a pain due to dependencies.
Solution
If you’re stuck or want to compare your work, here’s a fantastic write-up by Mariana from the community.
Want to achieve this using Infrastructure as Code with Terraform? Cybr member Kuljot Biring wrote up a guide!
Do I need to delete resource after lab challenge?
Hey, in this case it’s up to you! If you plan on using the VPC further, then you can keep the resources around since they won’t cost you. Otherwise I’d go ahead and delete them!
route 53 resolver says that it cannot load rule groups, because arn:aws:iam::546027517081:user/create-a-vpc-with-public-and-private-subnet-LabUser-m9CixWe1it8R is not authorized to perform: route53resolver:ListFirewallRuleGroupAssociations, is this something im doing incorrectly?
Hey, seeing errors like that in the console is perfectly normal and expected when you are working from an identity with least privilege, because the AWS console is displaying all sorts of information by default. Some of it you will have access to and some of it you won’t. As long as it didn’t prevent you from completing the lab scenario (it shouldn’t), it is not an issue :). If it did prevent you from completing the scenario, let me know at which step and we’ll take a look!
Hi team, while doing the lab, i got below error message:-
User: arn:aws:iam::872863893867:user/create-a-vpc-with-public-and-private-subnet-LabUser-ok3lusrBCFlG is not authorized to perform: route53resolver:ListFirewallRuleGroupAssociations on resource: arn:aws:route53resolver:us-east-1:872863893867:firewall-rule-group-association/ because no identity-based policy allows the route53resolver:ListFirewallRuleGroupAssociations action
Please check and do the needful.
Hi, there is a similar comment above. I’m not sure on which step/page you are seeing that error, but it won’t prevent you from completing the lab. Seeing some errors in our labs is perfectly normal, as they provide least privilege but the console oftentimes tries to load a bunch of stuff you may not have access to. If it’s preventing you from completing the steps in the lab’s scenario, please let me know at which step and I will provide hints. But the lab environment is correctly configured 🙂
Enjoyable.
where i should do CIDR /16 or CIDR /24
theres only one place to set it up that i can see and it’s where we did /24 in the last lesson.
is there another place where i should do /16?
The /16 replaces /24, so you would put that where you would have otherwise put /24
Got it.