├── 18_cost_optimization
│   └── guidance.txt
├── README.md
├── 08_image_builder
│   └── guidance.txt
├── 17_security_mitigation
│   └── guidance.txt
├── 12_deploying_rds
│   ├── guidance.txt
│   ├── deploy_aurora_parameters.json
│   └── deploy_aurora.yaml
├── 11_deploying_efs
│   ├── guidance.txt
│   └── efs_filesystem_creation.md
├── 05_CATs_and_budgets
│   ├── guidance.txt
│   └── deny_ec2_launch.json
├── 14_s3_website
│   └── guidance.txt
├── 10_s3_operations
│   ├── guidance.txt
│   └── create_s3_bucket.sh
├── 07_global_networks
│   └── guidance.txt
├── 03_aws_organizations
│   ├── guidance.txt
│   └── deny_ec2_terminate.json
├── 16_event_driven_monitoring
│   └── guidance.txt
├── 06_compliance_and_events
│   ├── guidance.txt
│   └── guardduty_severe_finding.json
├── 02_iam
│   └── guidance.txt
├── 04_security_compliance
│   └── guidance.txt
├── 13_deploy_3_tier_architecture
│   ├── add_listener_cert.json
│   ├── create_elbv2.json
│   ├── create_http_listener.json
│   ├── create_https_listener.json
│   └── guidance.txt
├── 15_aws_backup
│   └── guidance.txt
├── 01_account_creation_and_login
│   └── guidance.txt
└── 09_ssm_patch_manager
    └── guidance.txt

/18_cost_optimization/guidance.txt:
--------------------------------------------------------------------------------
Implement EC2 Optimizer
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# hands-on-with-aws
Hands-on with AWS in 3 weeks
--------------------------------------------------------------------------------
/08_image_builder/guidance.txt:
--------------------------------------------------------------------------------
Create Component(s)
Create recipe
Create pipeline
--------------------------------------------------------------------------------
/17_security_mitigation/guidance.txt:
--------------------------------------------------------------------------------
Install Inspector Agent on EC2
Implement Inspector Assessment Run
--------------------------------------------------------------------------------
/12_deploying_rds/guidance.txt:
--------------------------------------------------------------------------------
Deploy Aurora using CloudFormation
Enable Monitoring Options
Enable Custom Parameters
--------------------------------------------------------------------------------
/11_deploying_efs/guidance.txt:
--------------------------------------------------------------------------------
Create EFS file system
Create mount point in VPC
Mount file system on EC2 instance
--------------------------------------------------------------------------------
/05_CATs_and_budgets/guidance.txt:
--------------------------------------------------------------------------------
Explore Cost Allocation Tags
Create Cost Budget
Create budget action to deny EC2 launch via SCP
--------------------------------------------------------------------------------
/14_s3_website/guidance.txt:
--------------------------------------------------------------------------------
Create and configure S3 bucket
Deploy static page to S3
Create and configure CloudFront distribution
--------------------------------------------------------------------------------
/10_s3_operations/guidance.txt:
--------------------------------------------------------------------------------
Use CLI to create S3 bucket with full configuration
Explore monitoring options
Explore S3 Batch options
--------------------------------------------------------------------------------
/07_global_networks/guidance.txt:
--------------------------------------------------------------------------------
Deploy VPCs in different regions (Terraform)
Connect VPCs using peering connections
Connect VPCs using Transit GW
--------------------------------------------------------------------------------
/03_aws_organizations/guidance.txt:
--------------------------------------------------------------------------------
Explore the Organizations dashboard
Discuss Organizations policies
Create new SCP to deny EC2 termination
Validate the SCP
--------------------------------------------------------------------------------
/16_event_driven_monitoring/guidance.txt:
--------------------------------------------------------------------------------
Create monitoring workflow notifying via SNS for any termination of EC2 instances
Use EventBridge -> SNS with rules based on CloudTrail
--------------------------------------------------------------------------------
/06_compliance_and_events/guidance.txt:
--------------------------------------------------------------------------------
Create event-based Config rule
Create scheduled Config rule
Create Config rule with active remediation
Create EventBridge rule for GuardDuty
--------------------------------------------------------------------------------
/02_iam/guidance.txt:
--------------------------------------------------------------------------------
Create IAM role for power users
Create test users
Attach policy to users for password change
Attach policy to users for role assumption
Validate user credentials and role assumption
--------------------------------------------------------------------------------
/06_compliance_and_events/guardduty_severe_finding.json:
--------------------------------------------------------------------------------
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [7.0,7.1,7.2,7.3,7.4,7.5,7.6,7.7,7.8,7.9,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8,8.9,7,8]
  }
}
--------------------------------------------------------------------------------
/04_security_compliance/guidance.txt:
--------------------------------------------------------------------------------
Explore Security Hub dashboard
https://aws.amazon.com/blogs/security/automated-response-and-remediation-with-aws-security-hub/
Explore Audit Manager
Explore Config dashboard and compliance
Explore SSM Patch manager and compliance
--------------------------------------------------------------------------------
/13_deploy_3_tier_architecture/add_listener_cert.json:
--------------------------------------------------------------------------------
{
  "ListenerArn": "LISTENER_ARN",
  "Certificates": [
    {
      "CertificateArn": "arn:aws:acm:us-east-1:615458447572:certificate/939792cf-369e-4c0d-8b9c-be2f8b1d6de9"
    }
  ]
}
--------------------------------------------------------------------------------
/15_aws_backup/guidance.txt:
--------------------------------------------------------------------------------
# Navigate to the Backup console
# Create a Vault
# Create a Backup Plan
#   Backup in local region
#   Backup and copy to remote region
#   Two separate retention periods
# Add a resource assignment to the newly created plan
--------------------------------------------------------------------------------
/05_CATs_and_budgets/deny_ec2_launch.json:
--------------------------------------------------------------------------------
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
--------------------------------------------------------------------------------
/03_aws_organizations/deny_ec2_terminate.json:
--------------------------------------------------------------------------------
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
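The two deny SCPs above (deny_ec2_terminate.json and deny_ec2_launch.json) are short, but whether they take effect depends on Organizations evaluation rules that are easy to get wrong. The following is an added example written for this page, not code from the repository: it models those rules (explicit Deny wins, an action needs an Allow at every level from root to account, SCPs never grant anything by themselves) against constructed copies of the two policies and the default FullAWSAccess policy. The hierarchy, the NotAction/Condition omission and the account layout are assumptions.

```python
import fnmatch
import json
from typing import Dict, List

# Constructed copies of the two SCPs in this repo (03_aws_organizations/
# deny_ec2_terminate.json and 05_CATs_and_budgets/deny_ec2_launch.json) and of
# the FullAWSAccess policy AWS attaches to every root, OU and account by default.
# Only Effect/Action/Resource are modelled; NotAction and Condition are out of scope.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_EC2_TERMINATE = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "Statement1",
  "Effect": "Deny", "Action": ["ec2:TerminateInstances"], "Resource": ["*"]}]}""")
DENY_EC2_LAUNCH = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "Statement1",
  "Effect": "Deny", "Action": ["ec2:RunInstances"], "Resource": ["*"]}]}""")

def _matches(patterns, value: str) -> bool:
    # IAM matching is case-insensitive and supports the * and ? wildcards.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def level_allows(policies: List[Dict], action: str, resource: str = "*") -> bool:
    """Evaluate all SCPs attached at one level (root, an OU or the account) together.

    An explicit Deny in any matching statement wins; otherwise at least one Allow
    must match, because SCPs are an allow-list with no implicit allow.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def scp_permits(hierarchy: List[List[Dict]], action: str, resource: str = "*") -> bool:
    """True only if every level on the path root -> OU(s) -> account allows the action.

    SCPs are a guardrail, not a grant: even when this returns True the principal
    still needs an identity or resource policy that allows the call.
    """
    return all(level_allows(level, action, resource) for level in hierarchy)

# Constructed hierarchy: deny-terminate SCP on the root, the budget-action
# deny-launch SCP on the workload OU, FullAWSAccess still attached everywhere.
HIERARCHY = [
    [FULL_AWS_ACCESS, DENY_EC2_TERMINATE],  # root
    [FULL_AWS_ACCESS, DENY_EC2_LAUNCH],     # OU
    [FULL_AWS_ACCESS],                      # account
]
```

Removing FullAWSAccess from any level denies everything at that level, which is the usual cause of "the SCP blocked more than intended" tickets.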
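Both guardduty_severe_finding.json and the EventBridge -> SNS termination rule in 16_event_driven_monitoring depend on how EventBridge evaluates an event pattern. This added example (written for this page, not taken from the repository) implements the subset of those semantics the two rules need, namely AND across keys, OR within a leaf list and the numeric operator, and runs it over constructed GuardDuty and CloudTrail events. The numeric pattern and the CloudTrail termination pattern are assumed shapes; the enumerated pattern is a copy of the file above.

```python
import json
from typing import Any, Dict, List

# Constructed copy of 06_compliance_and_events/guardduty_severe_finding.json.
ENUMERATED_PATTERN = json.loads("""{"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
  "detail": {"severity": [7.0,7.1,7.2,7.3,7.4,7.5,7.6,7.7,7.8,7.9,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8,8.9,7,8]}}""")
# Same intent expressed with EventBridge's numeric matching operator.
NUMERIC_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
                   "detail": {"severity": [{"numeric": [">=", 7]}]}}
# Pattern for the 16_event_driven_monitoring rule: EC2 terminations recorded by CloudTrail.
TERMINATE_PATTERN = {"source": ["aws.ec2"], "detail-type": ["AWS API Call via CloudTrail"],
                     "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["TerminateInstances"]}}

_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}

def _leaf_matches(candidates: List[Any], value: Any) -> bool:
    """A leaf list is OR-ed: one equal literal or one satisfied numeric filter suffices."""
    for cand in candidates:
        if isinstance(cand, dict) and "numeric" in cand:
            spec = cand["numeric"]  # e.g. [">=", 7] or [">", 0, "<=", 5]
            if isinstance(value, (int, float)) and all(
                    _OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2)):
                return True
        elif not isinstance(cand, dict) and cand == value:
            return True
    return False

def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Subset of EventBridge pattern semantics: every pattern key must exist in the
    event (keys are AND-ed), nested objects recurse, leaf lists are OR-ed."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not _leaf_matches(expected, event[key]):
            return False
    return True

def guardduty_event(severity: float) -> Dict[str, Any]:
    """Constructed minimal GuardDuty finding event as EventBridge delivers it."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"severity": severity, "type": "Recon:EC2/PortProbeUnprotectedPort"}}

def cloudtrail_ec2_event(event_name: str) -> Dict[str, Any]:
    """Constructed minimal CloudTrail-sourced EC2 API event."""
    return {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "ec2.amazonaws.com", "eventName": event_name,
                       "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}}}
```

The enumerated list only matches the exact values written in it, so a severity outside 7.0 to 8.9 (for example 9.2) is silently not matched, whereas the numeric form covers everything at or above 7.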
--------------------------------------------------------------------------------
/01_account_creation_and_login/guidance.txt:
--------------------------------------------------------------------------------
https://phd.aws.amazon.com/phd/home#/dashboard/open-issues
https://console.aws.amazon.com/iam/home?region=us-east-1#/account_settings
https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#Settings:tab=zones
https://console.aws.amazon.com/billing/home?region=us-east-1#/preferences
--------------------------------------------------------------------------------
/10_s3_operations/create_s3_bucket.sh:
--------------------------------------------------------------------------------
#!/bin/bash
set -euo pipefail

# Set all the variables
if [ "$#" -ne 2 ]; then
  echo "usage: $0 BUCKET_NAME REGION" >&2
  exit 1
fi
BUCKET1=$1
REGION=$2

# Create the bucket. Every region except us-east-1 requires an explicit
# LocationConstraint, and us-east-1 rejects one.
if [ "$REGION" = "us-east-1" ]; then
  aws s3api create-bucket --bucket "$BUCKET1" --region "$REGION"
else
  aws s3api create-bucket --bucket "$BUCKET1" --region "$REGION" \
    --create-bucket-configuration LocationConstraint="$REGION"
fi

# Enable bucket versioning on the bucket
aws s3api put-bucket-versioning --bucket "$BUCKET1" --versioning-configuration Status=Enabled --region "$REGION"
--------------------------------------------------------------------------------
/13_deploy_3_tier_architecture/create_elbv2.json:
--------------------------------------------------------------------------------
{
  "Name": "demo-alb",
  "Subnets": [
    "subnet-7de82230",
    "subnet-0a3c3b56",
    "subnet-4c83b82b"
  ],
  "SecurityGroups": [
    "sg-07974c9f523609b68"
  ],
  "Scheme": "internet-facing",
  "Tags": [
    {
      "Key": "Name",
      "Value": "demo-alb"
    }
  ],
  "Type": "application",
  "IpAddressType": "ipv4"
}
--------------------------------------------------------------------------------
/13_deploy_3_tier_architecture/create_http_listener.json:
--------------------------------------------------------------------------------
{
  "LoadBalancerArn": "ALB_ARN",
  "Protocol": "HTTP",
  "Port": 80,
  "DefaultActions": [
    {
      "Type": "redirect",
      "RedirectConfig": {
        "Protocol": "HTTPS",
        "Port": "443",
        "Host": "#{host}",
        "Path": "/#{path}",
        "Query": "#{query}",
        "StatusCode": "HTTP_301"
      }
    }
  ]
}
--------------------------------------------------------------------------------
/12_deploying_rds/deploy_aurora_parameters.json:
--------------------------------------------------------------------------------
[
  {
    "ParameterKey": "DBUSER",
    "ParameterValue": "root"
  },
  {
    "ParameterKey": "DBPASS",
    "ParameterValue": "changeme"
  },
  {
    "ParameterKey": "INSTANCETYPE",
    "ParameterValue": "db.r5.large"
  },
  {
    "ParameterKey": "SGID",
    "ParameterValue": "sg-ddd4a599"
  },
  {
    "ParameterKey": "SUBNETLIST",
    "ParameterValue": "subnet-103b055a,subnet-c9305eae,subnet-4c760362"
  }
]
--------------------------------------------------------------------------------
/13_deploy_3_tier_architecture/create_https_listener.json:
--------------------------------------------------------------------------------
{
  "LoadBalancerArn": "ALB_ARN",
  "Protocol": "HTTPS",
  "Port": 443,
  "Certificates": [
    {
      "CertificateArn": "arn:aws:acm:us-east-1:615458447572:certificate/60a12b8f-1d51-4ff4-9278-5c50d8589e4e"
    }
  ],
  "DefaultActions": [
    {
      "Type": "fixed-response",
      "FixedResponseConfig": {
        "MessageBody": "SSL worked!",
        "StatusCode": "200",
        "ContentType": "text/plain"
      }
    }
  ]
}
--------------------------------------------------------------------------------
/09_ssm_patch_manager/guidance.txt:
--------------------------------------------------------------------------------
# This demo will create a patch group and a patch baseline that can be
# applied to Amazon Linux 2 instances as the default for the region

# Navigate to the SSM service dashboard and click on Patch Manager

# Click on View Predefined Patch Baselines
# Click on Create Patch Baseline
# Name: amazon-linux2-test-baseline
# OS: Amazon Linux 2
# Select product, classification and severity as required

# Click on Create Patch Baseline

# Click on the Patch baselines tab
# Search for test-baseline
# Click on the radio button next to the new baseline
# Click on Actions, then Modify Patch Groups
# Enter "testgroup" and click on Add
# Click Close
--------------------------------------------------------------------------------
/13_deploy_3_tier_architecture/guidance.txt:
--------------------------------------------------------------------------------
Deploy ALB

#To create the load balancer initially, use a command similar to the following:
#For all commands in this document, you'll need to edit the corresponding json to fit your specific environment.
aws elbv2 create-load-balancer --cli-input-json file://create_elbv2.json --region us-east-1
#To create the HTTPS listener, edit the json and execute the following:
aws elbv2 create-listener --cli-input-json file://create_https_listener.json --region us-east-1
#If you want to add more SSL certificates to the listener, use the following:
aws elbv2 add-listener-certificates --cli-input-json file://add_listener_cert.json --region us-east-1
#To create the HTTP listener and the redirect, execute the following:
aws elbv2 create-listener --cli-input-json file://create_http_listener.json --region us-east-1

Deploy Auto Scaling group (use Console)

Deploy Secret for EC2 to communicate with RDS
--------------------------------------------------------------------------------
/11_deploying_efs/efs_filesystem_creation.md:
--------------------------------------------------------------------------------
# Steps to Create an AWS EFS Filesystem

## Step 1: Open the Amazon EFS Console
- Navigate to the AWS Management Console.
- Go to Services and select **EFS** under Storage.

## Step 2: Start the File System Creation Process
- Click on **Create file system**.
- You will be directed to the configuration settings page.

## Step 3: Configure the File System
- **Name**: Give your file system a name for easy identification.
- **VPC**: Select the Virtual Private Cloud (VPC) that the file system will be accessible from. Ensure that this is the same VPC as your compute resources.

## Step 4: Configure Network Access
- Add the VPC and the availability zones. You need to specify the subnets and security groups. Security groups should allow inbound NFS traffic from your compute instances.

## Step 5: Configure Optional Settings
- **Performance Mode**: Choose between General Purpose (for latency-sensitive use cases) and Max I/O (for high levels of aggregate throughput and operations).
- **Throughput Mode**: Decide between Bursting Throughput and Provisioned Throughput, depending on your workload.
- **Encryption**: Enable encryption at rest if required, using AWS Key Management Service (KMS).

## Step 6: Review and Create
- Review all settings. Make sure everything is configured according to your needs.
- Click on **Create file system**.

## Step 7: Mount the File System
- After the file system is created, go to its dashboard.
- Click on **Attach**, which shows the instructions to mount the file system to your EC2 instances or on-premises servers.
- Follow the provided instructions to install the necessary NFS client and mount the file system.
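Returning to 13_deploy_3_tier_architecture/create_http_listener.json above: an ALB redirect action builds the Location header by substituting the request's components into the RedirectConfig fields, and the values chosen for Path and Query decide whether the original path and query string survive the HTTP-to-HTTPS hop. The following is an added example written for this page, not code from the repository or from AWS; it reproduces that substitution for a constructed RedirectConfig (the config, URL and helper names are assumptions) so the outcomes can be compared.

```python
from typing import Dict
from urllib.parse import urlsplit

# Constructed RedirectConfig in the shape used by
# 13_deploy_3_tier_architecture/create_http_listener.json. ALB substitutes the
# reserved tokens #{protocol}, #{host}, #{port}, #{path} and #{query} from the
# incoming request; per the ALB redirect documentation, #{path} is the request
# path with its leading "/" removed, which is why the template writes "/#{path}".
REDIRECT_CONFIG = {"Protocol": "HTTPS", "Port": "443", "Host": "#{host}",
                   "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301"}


def _substitute(template: str, parts: Dict[str, str]) -> str:
    for name, value in parts.items():
        template = template.replace("#{" + name + "}", value)
    return template


def redirect_location(config: Dict[str, str], request_url: str) -> str:
    """Build the Location header an ALB redirect action would emit for request_url."""
    u = urlsplit(request_url)
    parts = {"protocol": u.scheme.upper(), "host": u.hostname or "",
             "port": str(u.port or (443 if u.scheme == "https" else 80)),
             "path": u.path.lstrip("/"), "query": u.query}
    protocol = _substitute(config["Protocol"], parts).lower()
    host = _substitute(config["Host"], parts)
    port = _substitute(config["Port"], parts)
    path = _substitute(config["Path"], parts)
    query = _substitute(config["Query"], parts)
    # Omit the port when it is the default for the target scheme.
    netloc = host if port == ("443" if protocol == "https" else "80") else f"{host}:{port}"
    return f"{protocol}://{netloc}{path}" + (f"?{query}" if query else "")
```

With Query set to an empty string the redirect drops every query parameter, and writing Path as "#{path}" without the leading slash glues the path onto the host name.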
--------------------------------------------------------------------------------
/12_deploying_rds/deploy_aurora.yaml:
--------------------------------------------------------------------------------
---
AWSTemplateFormatVersion: 2010-09-09

Description: A simple deployment of Aurora MySQL

Parameters:
  DBUSER:
    AllowedPattern: "[a-zA-Z0-9]+"
    Description: The database admin account user name, between 1 to 16 alphanumeric characters.
    MaxLength: '16'
    MinLength: '1'
    Type: String
  DBPASS:
    AllowedPattern: "[a-zA-Z0-9]+"
    Description: The database admin account password, between 8 to 41 alphanumeric characters.
    MaxLength: '41'
    MinLength: '8'
    # NoEcho keeps the password out of DescribeStacks output and the console.
    NoEcho: true
    Type: String
  SUBNETLIST:
    # "List" alone is not a valid parameter type; the subnet-id list type also validates the values.
    Type: List<AWS::EC2::Subnet::Id>
    Description: a list of 3 subnets to be used to create a Database Subnet Group
  INSTANCETYPE:
    Type: String
    Description: the Aurora DB instance type
    Default: "db.t3.micro"
  SGID:
    Type: List<AWS::EC2::SecurityGroup::Id>

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Database Configuration
        Parameters:
          - DBUSER
          - DBPASS
    ParameterLabels:
      DBUSER:
        default: Database Username
      DBPASS:
        default: Database Password

Resources:
  DatabaseSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: CloudFormation managed DB subnet group.
      SubnetIds: !Ref "SUBNETLIST"

  DBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora
      MasterUsername: !Ref "DBUSER"
      MasterUserPassword: !Ref "DBPASS"
      BackupRetentionPeriod: 1
      DBSubnetGroupName: !Ref "DatabaseSubnetGroup"
      VpcSecurityGroupIds: !Ref "SGID"

  DatabasePrimaryInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: aurora
      DBClusterIdentifier: !Ref "DBCluster"
      DBInstanceClass: !Ref "INSTANCETYPE"
      DBSubnetGroupName: !Ref "DatabaseSubnetGroup"
--------------------------------------------------------------------------------