# jam
## easy
### Encrypt the data lake(done)
**task 1**

**solve 1&2&3**

---
## medium
### overly ambitious security controls(done)
**task 1**

**solve 1**

**solve 2**

**solve 3**

---
### Privilege Separation - Got Root?(done)
**task 1**

**solve 1**

**solve 2**

**solve 3**

---
### My Pipeline is stuck!
**task 1**


**solve 2**


```
import boto3

cp_client = boto3.client('codepipeline')

# Report the job outcome back to CodePipeline; without one of these two calls
# the Lambda action never finishes and the stage stays "In progress".
cp_client.put_job_success_result(jobId=event['CodePipeline.job']['id'])

# On error, report failure with the exception message instead.
cp_client.put_job_failure_result(
    jobId=event['CodePipeline.job']['id'],
    failureDetails={'message': str(e), 'type': 'JobFailed'})
```

**solve 3**

```
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "codepipeline:PutJobFailureResult",
            "codepipeline:PutJobSuccessResult"
        ],
        "Resource": "*"
    }]
}
```
---
```
import ssl
import os
import json
import boto3
from urllib.request import urlopen

cp_client = boto3.client('codepipeline')
# Disables TLS certificate verification for every HTTPS request in this process;
# the health check will then accept any certificate, so only use where that is intended.
ssl._create_default_https_context = ssl._create_unverified_context


def lambda_handler(event, context):
    url = os.getenv('API_URL')
    try:
        status_code = urlopen(url).getcode()
        print(status_code)
        # Report success so CodePipeline can move on to the next stage.
        cp_client.put_job_success_result(jobId=event['CodePipeline.job']['id'])
        return {
            'statusCode': status_code,
            'body': "Completed Lambda execution successfully"
        }
    except Exception as e:
        print(f'Error occurred - {str(e)}')
        # Report failure so the pipeline fails instead of waiting on this job.
        cp_client.put_job_failure_result(
            jobId=event['CodePipeline.job']['id'],
            failureDetails={'message': str(e), 'type': 'JobFailed'})
        return {
            'statusCode': 500,
            'body': "Lambda execution completed. Internal error occurred"
        }
```
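A hardened variant of the handler above, added here as an example and not part of the challenge or the notes. It keeps certificate verification on, puts a timeout on the probe so a hanging endpoint cannot stall the pipeline, reads `API_URL` inside the `try` so a missing variable is reported as a job failure, and separates the reporting logic so it can be exercised offline with a fake CodePipeline client. The `opener` parameter is a testing hook I introduced; `handle`, `probe` and `report` are my names, not CodePipeline or boto3 API.

```python
import os
from urllib.request import urlopen


def probe(url, timeout=5.0, opener=urlopen):
    """Return the HTTP status of GET url with normal certificate verification.
    'opener' is injectable so the flow can be tested without network access."""
    with opener(url, timeout=timeout) as resp:
        return resp.getcode()


def report(cp_client, job_id, status_code=None, error=None):
    """Always tell CodePipeline how the job ended. A handler that raises before
    doing so leaves the stage waiting until CodePipeline times the job out."""
    if error is None:
        cp_client.put_job_success_result(jobId=job_id)
        return {"statusCode": status_code,
                "body": "Completed Lambda execution successfully"}
    cp_client.put_job_failure_result(
        jobId=job_id,
        # FailureDetails.message is capped at 5000 characters by the API.
        failureDetails={"message": str(error)[:5000], "type": "JobFailed"})
    return {"statusCode": 500,
            "body": "Lambda execution completed. Internal error occurred"}


def handle(event, cp_client, opener=urlopen):
    """Core of the Lambda: probe the URL, then report exactly one result."""
    job_id = event["CodePipeline.job"]["id"]
    try:
        # A missing setting becomes a visible job failure rather than probing None.
        url = os.environ["API_URL"]
        return report(cp_client, job_id, status_code=probe(url, opener=opener))
    except Exception as e:  # URLError, timeout, KeyError: all end as a job failure
        return report(cp_client, job_id, error=e)


def lambda_handler(event, context):
    import boto3  # imported here so the pure logic above runs without boto3
    return handle(event, boto3.client("codepipeline"))
```

The IAM policy from solve 3 is still required: `handle` makes the same two `codepipeline:PutJob*Result` calls, and a Lambda role lacking them fails inside `report`, which is the one place this design cannot recover from.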
---
### 7 Gems for the price of 1
**task 1**

**solve 1**

**solve 2**

**solve 3**

---
### memory loss
MEMORY LOSS
Medium
Overview
An application team within your organization has just migrated their first application to AWS running on EC2. When the application team views their instance in the AWS console, they notice that there are no memory statistics displayed. They don’t have direct access to the EC2 instance and want to be able to see the memory statistics from the AWS console. They also want to be notified by email whenever the memory used by the EC2 instance is over 75%. Can you help them?
Task 1: Where's the memory?
Possible Points: 75 Clue Penalty: -16 Points Available: 59
Summary
No memory? No problem! Your task is to get the memory in use by the EC2 instance to display in the AWS console. You want to view, graph, and monitor the memory used by the EC2 instance moving forward.
Getting Started
Get started by taking a look at the EC2 instance provisioned for the development team in the EC2 console.
Inventory
You are provided a single t2.micro EC2 instance for this task.
Services You Should Use:
AWS Identity and Access Management (IAM)
Amazon Elastic Compute Cloud (EC2)
AWS Systems Manager
Amazon CloudWatch
Task Validation
The task will be complete once the memory used by the EC2 instance is available in the AWS console.
Clues
Penalty: 7 points
Clue 1: Meet me halfway...
The CloudWatch agent enables you to capture and ingest custom metrics from EC2 and on-premises instances.
Penalty: 9 points
Clue 2: Walkthrough
The CloudWatch agent must be installed and running in order to capture metrics such as memory and disk space used. You must also update the permissions for the EC2 instance profile that is attached to your EC2 instance to include permissions to send data to CloudWatch. Since there is no private key configured for the EC2 instance, you must install the CloudWatch agent without having to ssh into the instance.
Update permissions for the AWS EC2 Instance
Note: If you update the permissions after installing the CloudWatch agent, you will need to stop and restart the AWS CloudWatch agent so that it can retrieve the updated credentials.
Update the EC2 instance profile role with the additional AWS Systems Manager permissions required.
a. Open the EC2 service menu and list your EC2 instances. The details for the instance identify the IAM role in use by the instance.
b. Click on the instance profile name to open the MemoryLossJamChallenge role in the IAM service menu.
c. Attach the CloudWatchAgentServerPolicy AWS Managed Policy to the role.
The AWS Systems Manager agent is running on the instance so you can install the CloudWatch agent using AWS Systems Manager Distributor or using AWS Systems Manager Session Manager. Choose either flow below to complete the first step.
AWS Systems Manager Distributor Cloudwatch Agent Installation Flow
AWS Systems Manager Distributor includes an AWS managed package called AmazonCloudWatchAgent that enables you to install the latest version of the Amazon CloudWatch agent. AWS Systems Manager Distributor uses a run command with the AWS Systems Manager document, AWS-ConfigureAWSPackage, to install the CloudWatch agent.
a. Open the AWS Systems Manager service menu and select Distributor from the service menu.
b. Select the AmazonCloudWatchAgent package and choose Install one time.
c. For targets, select Choose instances manually and then select your EC2 instance. Uncheck Enable writing to an S3 bucket and choose Run.
After installation of the agent, you can then use the AWS Systems Manager Run Command option in the Instances & Nodes sub-menu to execute the AmazonCloudWatch-ManageAgent document to configure the agent with a default CloudWatch configuration that includes the mem_used_percent metric and also restarts the CloudWatch agent.
a. Open the AWS Systems Manager service menu and choose Documents from the menu.
b. In the search bar, choose Document name prefix : Equals : AmazonCloudWatch and then choose the AmazonCloudWatch-ManageAgent document.
c. Choose Run command with the following options:
* **Action**: configure
* **Mode**: ec2
* **Optional Configuration Source**: default
* **Optional Restart**: yes
d. Select Choose instances manually and select the instance for the challenge. Uncheck Enable writing to an S3 bucket and choose Run.
The CloudWatch agent will now start with the default configuration.
AWS Systems Manager Session Manager CloudWatch Agent Installation Flow
AWS Systems Manager Session Manager can be used to login to the instance and manually install and configure the CloudWatch agent.
a. Open the AWS Systems Manager service menu and choose Session Manager from the service menu.
b. Choose Start Session and then select the EC2 instance for the challenge and choose Start session.
c. Enter: sudo yum install amazon-cloudwatch-agent
d. Enter: cd /opt/aws/amazon-cloudwatch-agent/bin
e. Enter: sudo ./amazon-cloudwatch-agent-ctl -a start -m ec2 -c default -s
The CloudWatch agent will now start with the default configuration.
Confirm that the CloudWatch agent is capturing the mem_used_percent metric
Proceed to the CloudWatch service in the AWS console and choose the Metrics feature. Within 5 minutes, you should see the CWAgent custom namespace appear.
a. Click on the "CWAgent" namespace. Within this namespace you should see a dimension group called ImageId, InstanceId, InstanceType. Click on this dimension group to see the metrics within it.
b. Confirm that the mem_used_percent metric is available. Check the metric to see the latest observations in a graph.
Finished! Now the CloudWatch agent running on your EC2 instance is reporting the memory in use by your EC2 instance for your analysis and actions.
Task 2: Who Cares About Memory??...We Do!
Possible Points: 75 Clue Penalty: -16 Points Available: 59
Summary
Now that the memory is available in the AWS console, you need to know when memory runs low on the EC2 instance. In this task, you will need to automatically send an email notification to an email address of your choice when the memory used by the EC2 instance exceeds 75%.
Getting Started
Get started by taking a look at the mem_used_percent metric in the CloudWatch metrics console.
Inventory
You now have the mem_used_percent custom Amazon CloudWatch metric captured by the CloudWatch agent running on your EC2 instance.
Services You Should Use:
Amazon CloudWatch
Amazon SNS
Task Validation
This task will be complete once an email address you have chosen is configured to receive notifications whenever the memory exceeds 75%.
Clues
Penalty: 7 points
Clue 1: If a tree falls in a forest and no one is around to hear it, does it make a sound?
Amazon CloudWatch Alarms enable you to take actions when a threshold is reached for CloudWatch Metrics. When the threshold is breached, an action is taken that you define...
Penalty: 9 points
Clue 2: Walkthrough
In order to complete this task, you must create an alarm for the 'mem_used_percent' metric that you are capturing for your EC2 instance.
Open the CloudWatch service from the AWS Console and choose Metrics from the menu.
Click the CWAgent namespace under Custom Namespaces. This is the default namespace for CloudWatch metrics generated by the CloudWatch agent.
Click the ImageId, InstanceId, InstanceType dimension set. These are the dimensions applied to the mem_used_percent metric.
Select the metric from the metric list for the EC2 instance.
Click the Graphed Metrics tab and then select the bell icon in the Actions column for the metric.
Set the Conditions section to Static, Greater than ... and enter 75 for the threshold value and select Next.
For notification, select "In alarm" and select "Create new topic". This will create a new SNS topic that can be used for notifications by email, text message, or any SNS supported notification endpoint.
Enter a name for the notification topic, such as "Alarm-Memory-High".
Enter your email address or an email address that you have access to for the notification target in the "Email endpoints..." text box.
Click "Create Topic". When the topic is created, you should receive an email asking you to confirm subscription to the topic. Normally, you would confirm subscription so you could receive new notifications. However, you are not required to raise an alarm for this topic so you can ignore the request.
Finally, for Alarm Name, enter a descriptive name, such as "Alarm-Memory-High-Dev-Server". You can optionally enter a description.
Click Next and review all the options for this alarm. Click create to create this alarm.
Finished! Now, if the memory used were to exceed 75% on the EC2 instance, you would receive an email at the address you entered for the SNS topic.
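The same two tasks (agent install and configuration through Systems Manager, then the SNS topic and the mem_used_percent alarm) driven with boto3 instead of the console, as an added example that is not part of the challenge text or these notes. It assumes the role name MemoryLossJamChallenge and the CloudWatchAgentServerPolicy managed policy from the walkthrough, the SSM documents AWS-ConfigureAWSPackage and AmazonCloudWatch-ManageAgent with their documented parameter names, and the CWAgent namespace with the ImageId/InstanceId/InstanceType dimension set. The request builders are pure functions so they can be checked offline; only `setup_memory_monitoring` touches AWS, and the instance id, AMI id and e-mail address passed to it are constructed placeholders.

```python
CWAGENT_POLICY_ARN = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"


def install_agent_params(instance_id):
    """SSM SendCommand parameters that install the CloudWatch agent through
    Distributor: document AWS-ConfigureAWSPackage, package AmazonCloudWatchAgent."""
    return {
        "DocumentName": "AWS-ConfigureAWSPackage",
        "InstanceIds": [instance_id],
        "Parameters": {"action": ["Install"], "name": ["AmazonCloudWatchAgent"]},
    }


def configure_agent_params(instance_id):
    """SSM SendCommand parameters that apply the default agent configuration
    (which includes mem_used_percent) and restart the agent, as in the walkthrough."""
    return {
        "DocumentName": "AmazonCloudWatch-ManageAgent",
        "InstanceIds": [instance_id],
        "Parameters": {
            "action": ["configure"],
            "mode": ["ec2"],
            "optionalConfigurationSource": ["default"],
            "optionalRestart": ["yes"],
        },
    }


def memory_alarm_params(instance_id, image_id, instance_type, topic_arn, threshold=75.0):
    """CloudWatch PutMetricAlarm parameters: mem_used_percent > threshold on the
    CWAgent metric for this instance, notifying the SNS topic when in alarm."""
    return {
        "AlarmName": f"Alarm-Memory-High-{instance_id}",
        "AlarmDescription": f"Memory used on {instance_id} above {threshold:g}%",
        "Namespace": "CWAgent",
        "MetricName": "mem_used_percent",
        # The dimension set must match the one the agent publishes under, or the
        # alarm never sees data and sits in INSUFFICIENT_DATA.
        "Dimensions": [
            {"Name": "ImageId", "Value": image_id},
            {"Name": "InstanceId", "Value": instance_id},
            {"Name": "InstanceType", "Value": instance_type},
        ],
        "Statistic": "Average",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [topic_arn],
        "TreatMissingData": "missing",
    }


def setup_memory_monitoring(instance_id, image_id, instance_type, email,
                            role_name="MemoryLossJamChallenge"):
    """Run the whole procedure against a real account (needs boto3 and credentials).
    Kept separate from the builders above so those can be verified offline."""
    import boto3
    iam = boto3.client("iam")
    ssm = boto3.client("ssm")
    sns = boto3.client("sns")
    cw = boto3.client("cloudwatch")

    # Task 1: permissions first, so the agent starts with working credentials.
    iam.attach_role_policy(RoleName=role_name, PolicyArn=CWAGENT_POLICY_ARN)
    cmd = ssm.send_command(**install_agent_params(instance_id))["Command"]["CommandId"]
    ssm.get_waiter("command_executed").wait(CommandId=cmd, InstanceId=instance_id)
    ssm.send_command(**configure_agent_params(instance_id))

    # Task 2: topic with an e-mail subscription, then the alarm that targets it.
    topic_arn = sns.create_topic(Name="Alarm-Memory-High")["TopicArn"]
    # Mail is only delivered after the recipient confirms the subscription.
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    cw.put_metric_alarm(**memory_alarm_params(instance_id, image_id, instance_type, topic_arn))
    return topic_arn


if __name__ == "__main__":
    # Constructed placeholder values; replace with the challenge instance's details.
    print(setup_memory_monitoring("i-0123456789abcdef0", "ami-0123456789abcdef0",
                                  "t2.micro", "ops@example.com"))
```

Ordering matters in the same way the walkthrough's note describes: if the policy is attached after the agent is already running, the agent keeps its cached credentials and must be restarted, which is why the configure step runs with `optionalRestart` set to yes.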
## hard
### WHO HAS MY CREDS?
task 1

solve

2.
task 2

solve

3.
task 3

solve

4.
task 4

solve

---
### Tag You're It
task 1

solve 1

solve 2

solve 3

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "01AllowStopStartWithProjectTag",
            "Effect": "Allow",
            "Action": [
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
                }
            }
        },
        {
            "Sid": "AllowRunInstancesResourcesNoTags",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "02AllowRunInstancesWithProjectTag",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Project": "${aws:PrincipalTag/Project}"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "Project"
                    ]
                }
            }
        },
        {
            "Sid": "03AllowCreateTagsOnRunInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "RunInstances"
                    ]
                }
            }
        }
    ]
}
```
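To make the effect of each statement in the policy above visible, here is a toy evaluator, added as an example and not part of the notes or of IAM. It models only the pieces this policy uses: `StringEquals` with `${aws:PrincipalTag/...}` substitution, `ForAllValues:StringEquals` on the multi-valued `aws:TagKeys`, wildcard matching of resource ARNs, and the `ec2:CreateAction` key. The request context is a plain dict of condition keys I construct per test case; real IAM evaluation (explicit denies, SCPs, resource policies) is out of scope. It shows the three properties the policy is built for: start/stop only works on instances whose Project tag equals the caller's, a launch is only allowed when the request tags carry exactly the caller's Project and no other keys, and CreateTags is granted only as part of RunInstances.

```python
import fnmatch

# The policy from the notes as a Python list of statements (same content, compact layout).
POLICY = [
    {"Sid": "01AllowStopStartWithProjectTag", "Effect": "Allow",
     "Action": ["ec2:StopInstances", "ec2:StartInstances"],
     "Resource": ["arn:aws:ec2:*:*:instance/*"],
     "Condition": {"StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}}},
    {"Sid": "AllowRunInstancesResourcesNoTags", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*",
                  "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*",
                  "arn:aws:ec2:*:*:key-pair/*"]},
    {"Sid": "02AllowRunInstancesWithProjectTag", "Effect": "Allow", "Action": ["ec2:RunInstances"],
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
     "Condition": {"StringEquals": {"aws:RequestTag/Project": "${aws:PrincipalTag/Project}"},
                   "ForAllValues:StringEquals": {"aws:TagKeys": ["Project"]}}},
    {"Sid": "03AllowCreateTagsOnRunInstances", "Effect": "Allow", "Action": ["ec2:CreateTags"],
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
     "Condition": {"StringEquals": {"ec2:CreateAction": ["RunInstances"]}}},
]


def _listify(x):
    return x if isinstance(x, list) else [x]


def _resolve(value, ctx):
    """Substitute a ${key} policy variable from the request context (None if absent)."""
    if isinstance(value, str) and value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_holds(cond, ctx):
    """Every operator/key pair in the Condition block must hold (they are ANDed)."""
    for op, keys in cond.items():
        for key, expected in keys.items():
            allowed = [_resolve(v, ctx) for v in _listify(expected)]
            if op == "StringEquals":
                # A missing context key (e.g. an untagged instance) fails the match.
                if key not in ctx or ctx[key] not in allowed:
                    return False
            elif op == "ForAllValues:StringEquals":
                # Every value of the multi-valued key (given as a list) must be in the
                # allowed set; an absent key matches vacuously, as ForAllValues does.
                if not all(v in allowed for v in ctx.get(key, [])):
                    return False
            else:
                raise NotImplementedError(op)
    return True


def allowing_sid(action, resource_arn, ctx, policy=POLICY):
    """Return the Sid of the first statement that allows the request, or None.
    This policy has no explicit Deny statements, so none are modelled."""
    for st in policy:
        if action not in _listify(st["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, pat) for pat in _listify(st["Resource"])):
            continue
        if _condition_holds(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None
```

A launch touches several resources in one call, so a complete RunInstances needs an allow for each ARN type: the AMI, subnet, ENI, security group and key pair fall under the unconditional statement, while the instance and volume ARNs go through the tag-matching statement, and the tags themselves are written by CreateTags under the third. Dropping any one of those statements breaks the launch even though the caller's Project tag is correct.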

###### tags: `JAM`