├── .gitignore ├── Day 3- Restricting users to disable CloudTrail or Creating IAM Users └── main.tf ├── Day1-AWS-IAM ├── Create_IAM_user.sh ├── create_iam_user.py └── terraform │ ├── iam │ ├── main.tf │ └── variables.tf │ └── main.tf ├── Day1-CloudWatch-Events ├── .gitignore ├── env_setup.sh ├── main.tf └── variables.tf ├── Day2-Allow-Access-to-Specific-Region └── main.tf ├── image-rekognition └── suspect-detect.py ├── installing_terraform.sh └── python_lambda_runtime_packages.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform/* 3 | 4 | # .tfstate files 5 | *.tfstate 6 | *.tfstate.* 7 | 8 | # Crash log files 9 | crash.log 10 | crash.*.log 11 | 12 | # Exclude all .tfvars files, which are likely to contain sensitive data, such as 13 | # password, private keys, and other secrets. These should not be part of version 14 | # control as they are data points which are potentially sensitive and subject 15 | # to change depending on the environment. 16 | *.tfvars 17 | *.tfvars.json 18 | 19 | # Ignore override files as they are usually used to override resources locally and so 20 | # are not checked in 21 | override.tf 22 | override.tf.json 23 | *_override.tf 24 | *_override.tf.json 25 | 26 | # Include override files you do wish to add to version control using negated pattern 27 | # !example_override.tf 28 | 29 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan 30 | # example: *tfplan* 31 | 32 | # Ignore CLI configuration files 33 | .terraformrc 34 | terraform.rc 35 | .terraform.lock.hcl 36 | .idea 37 | -------------------------------------------------------------------------------- /Day 3- Restricting users to disable CloudTrail or Creating IAM Users/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-west-2" 3 | } 4 | 5 | resource "aws_organizations_policy" "logging" { 6 | name = "scp_cloudtrail_iam" 7 | description = "This SCP policy will prevents users to disable CloudTrail logging, Deleting CloudTrail and creating IAM users" 8 | content = < /dev/null 8 | 9 | # Creating Access Key and Secret Access key 10 | 11 | aws_credentials=$(aws iam create-access-key --user-name "${username}" --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text) 12 | 13 | # Getting the access_key and secret_key 14 | access_key=$(echo ${aws_credentials} |awk '{print $1}') 15 | secret_access_key=$(echo ${aws_credentials} |awk '{print $2}') 16 | 17 | # Display the username, access_key and secret_access_key 18 | echo "The IAM user "${username}" has been created" 19 | echo "The access key id of ${username} is $access_key" 20 | echo "The secret access key id of ${username} is $secret_access_key" 21 | 22 | #Generating Random Password for the user 23 | gen_random_pass() { 24 | head -c 9 /dev/urandom | uuencode -m - | head -2 | tail -1 | tr '1IlO0' '$/%&#' 25 | } 26 | 27 | #Attaching an IAM Policy to the user 28 | aws iam attach-user-policy --user-name="$username" --policy-arn=arn:aws:iam::aws:policy/AdministratorAccess 29 | 30 | #To create a user and assign random password to it 31 | user_password=$(gen_random_pass) 32 | aws iam create-login-profile --user-name="$username" --password="$user_password" --password-reset-required > /dev/null 33 | 34 | # Displaying the user password 35 | echo "The IAM user "${username}" has been created with passowrd $user_password" -------------------------------------------------------------------------------- /Day1-AWS-IAM/create_iam_user.py: -------------------------------------------------------------------------------- 1 | import boto3 2 | import logging 3 | from botocore.exceptions import ClientError 4 | 5 | logger = logging.getLogger(__name__) 6 | iam = boto3.resource('iam') 7 | 8 | def create_iam_user(user_name): 9 | """ 10 | The newly created IAM user doesn't have any policy attached to it 11 | """ 12 | try: 13 | user = iam.create_user(UserName=user_name) 14 | logger.info("Create IAM user %s", user_name) 15 | except: 16 | logger.exception("Couldn't create an IAM user %s", user_name) 17 | raise 18 | else: 19 | return user 20 | 21 | 22 | def attach_policy(user_name, policy_arn): 23 | """ 24 | Attaches an IAM policy to a user. 25 | """ 26 | try: 27 | iam.User(user_name).attach_policy(PolicyArn=policy_arn) 28 | logger.info("Attached IAM policy %s to user %s.", policy_arn, user_name) 29 | except ClientError: 30 | logger.exception("Couldn't attach IAM policy %s to user %s.", policy_arn, user_name) 31 | raise 32 | 33 | def main(): 34 | create_iam_user(user_name="plakheraiamnew") 35 | attach_policy(user_name="plakheraiamnew", policy_arn="arn:aws:iam::aws:policy/AdministratorAccess") 36 | 37 | 38 | if __name__ == '__main__': 39 | main() 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /Day1-AWS-IAM/terraform/iam/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_iam_user" "newuser" { 2 | name = var.iam_user 3 | } 4 | 5 | resource "aws_iam_access_key" "accesskey" { 6 | user = aws_iam_user.newuser.name 7 | } 8 | 9 | resource "aws_iam_user_policy" "userpolicy" { 10 | name = "s3fullaccess" 11 | user = aws_iam_user.newuser.name 12 | 13 | policy = <', 17 | 'Name': suspect + '.jpg' 18 | } 19 | }, 20 | TargetImage={ 21 | 'S3Object': { 22 | 'Bucket': '', 23 | 'Name': 'detected-security-camera-image.jpg' 24 | } 25 | } 26 | ) 27 | 28 | 29 | if len(response['FaceMatches']) > 0: 30 | final_results.append({'suspect' : suspect, 'ismatch' : 'yes', 'Similarity' : response['FaceMatches'][0]['Similarity']}) 31 | elif len(response['UnmatchedFaces']) > 0: 32 | final_results.append({'suspect' : suspect, 'ismatch' : 'no'}) 33 | 34 | 35 | 36 | return { 37 | 'body': final_results 38 | } 39 | -------------------------------------------------------------------------------- /installing_terraform.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Script to install terraform 4 | # Script must need to run as root user 5 | if [[ $EUID -ne 0 ]] 6 | then 7 | echo "You must be root user in order to execute this script" 8 | exit 1 9 | fi 10 | # Script is tested only with 11 | if cat /etc/*release | grep ^NAME | grep Ubuntu 12 | then 13 | echo "Ubuntu operating system" 14 | else 15 | echo "This script is only tested in Ubuntu operating, exiting..." 16 | exit 1 17 | fi 18 | 19 | # Updating all the system packages 20 | apt-get update 21 | 22 | # Checking if curl and jq installed on the system 23 | which curl 2>/dev/null || { apt-get install -y curl; } 24 | which jq 2>/dev/null || { apt-get install -y jq; } 25 | 26 | # Terraform Installation of version 1.1.7 27 | 28 | function terraform_installation(){ 29 | 30 | if which terraform 2>/dev/null 31 | then 32 | echo "Terraform is already installed in this system" 33 | else 34 | Terraform_1_1_7_Ver="$(curl -sL https://releases.hashicorp.com/terraform/index.json | jq -r '.versions[].builds[].url' | sort -t. -k 1,1n -k 2,2n -k 3,3n -k 4,4n -k 5,5n | egrep '1.1.7' |egrep -v 'rc|beta' | egrep 'linux.*amd64'|head -1)" 35 | curl -sL ${Terraform_1_1_7_Ver} > /tmp/terraform.zip 36 | unzip /tmp/terraform.zip 37 | cp terraform /usr/local/bin 38 | echo "Verifying the terraform version" 39 | terraform version 40 | fi 41 | } 42 | -------------------------------------------------------------------------------- /python_lambda_runtime_packages.py: -------------------------------------------------------------------------------- 1 | from pkg_resources import working_set 2 | 3 | def lambda_handler(event, context): 4 | for package in list(working_set): 5 | print(package.project_name, package.version) 6 | --------------------------------------------------------------------------------