---
tags: comp4635(2025)
---
# COMP 4635 - W2 Lab 1: Exploring AWS Identity and Access Management (IAM)
## Code of Ethics
:::danger
* The lab exercises for the course should be attempted ONLY INSIDE THE SECLUDED LAB ENVIRONMENT documented or provided. Please note that most of the attacks described in the lab sheet would be ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. The university, course lecturer, lab instructors and teaching assistants assume no responsibility for any actions performed outside the secluded lab.
* The lab network should be regarded as a hostile environment. Do not store on your virtual machine any sensitive information that someone else could gain access to.
* Do not intentionally disrupt other students who are working in the labs, and do not hack into other students' physical or virtual machines.
:::
## Method of Submission
In the following lab, each checkpoint will require you to submit some files **with designated names**. Put all files into a folder and compress them into a ZIP archive named `w2lab1-<your-id>.zip`, where `<your-id>` should be replaced with your student ID. Submit the ZIP archive [on Canvas](https://canvas.ust.hk/courses/63913/assignments/385049).
There are in total **5** checkpoints. The base mark is **10** points.
## Accessing the AWS Management Console
1. At the top of [the lab's Canvas page](https://awsacademy.instructure.com/courses/124954/assignments/1420727) (login if necessary), choose ▶ **Start Lab**.
- The lab session starts.
- A timer displays at the top of the page and shows the time remaining in the session.
💡**Tip:** To refresh the session length at any time, choose ▶ **Start Lab** again before the timer reaches 0:00.
- Before you continue, wait until the circle icon to the right of the <span class="underline">AWS<span style="color:chartreuse">●</span></span> link in the upper-left corner turns green. When the lab environment is ready, the AWS Details panel will also display.
2. To connect to the AWS Management Console, choose the **AWS** link in the upper-left corner, above the terminal window.
- A new browser tab opens and connects you to the console.
💡**Tip:** If a new browser tab does not open, a banner or icon is usually at the top of your browser with the message that your browser is preventing the site from opening pop-up windows. Choose the banner or icon, and then choose **Allow pop-ups**.
3. Arrange the AWS Management Console tab so that it displays alongside these instructions. Ideally, you will be able to see both browser tabs at the same time, to make it easier to follow the lab steps.
⚠ **Do not change the Region unless instructed to do so**.
4. The instructions on the lab's Canvas page may look similar, but the submission details exist only in this lab sheet, and there may be differences that affect your grading. Therefore, follow this lab sheet.
5. In this lab environment, access to AWS services and service actions might be restricted to the ones that are needed to complete the lab instructions. You might encounter errors if you attempt to access other services or perform actions beyond the ones that are described in this lab.
## Objectives
In this lab, you explore users and groups and inspect the associated policies in the AWS Identity and Access Management (IAM) service. You also add users to the groups and verify the permissions that are inherited by them.
After completing this lab, you should be able to do the following:
* Explore pre-created IAM users and groups.
* Inspect IAM policies as they were applied to the pre-created groups.
* Follow a real-world scenario, while adding users to groups with specific capabilities enabled.
* Locate and use the IAM sign-in URL.
* Test the effects of policies on service access.
## Task 1: Explore the users and groups, and inspect policies
In this task, you explore the users and groups that were created for you in IAM.
1. First, note the Region that you are in; for example, **N. Virginia**. The Region is displayed in the upper-right corner of the console page.
You might need this information later in the lab.
2. Choose the ᎒᎒᎒ **Services** menu, locate the **Security, Identity, & Compliance** services, and choose **IAM**.
3. In the navigation pane on the left, choose **Users**.
The following IAM users were created for you:
* `user-1`
* `user-2`
* `user-3`
4. Choose the name of **`user-1`**.
* This brings you to a summary page for `user-1`. The **Permissions** tab is displayed.
* Notice that `user-1` does not have any permissions.
5. Choose the **Groups** tab.
Notice that `user-1` also is not a member of any groups.
6. Choose the **Security credentials** tab.
Notice that `user-1` is assigned a **Console password**. This allows the user to access the AWS Management Console.
7. In the navigation pane on the left, choose **User groups**.
The following groups were created for you:
* `EC2-Admin`
* `EC2-Support`
* `S3-Support`
8. Choose the name of the **`EC2-Support`** group.
This brings you to the summary page for the **`EC2-Support`** group.
9. Choose the **Permissions** tab.
This group has the managed policy **`AmazonEC2ReadOnlyAccess`** attached. Managed policies are standalone, reusable policies (either AWS managed, maintained by AWS, or customer managed, created by your administrators) that can be attached to many IAM users, groups, and roles at once. When a managed policy is updated, the change takes effect immediately for every identity it is attached to.
10. Below **Policy Name**, choose the link for the **`AmazonEC2ReadOnlyAccess`** policy.
11. Choose the **JSON** tab.
* A policy defines which actions are allowed or denied for specific AWS resources. This policy is granting permission to _List_ and _Describe_ (view) information about Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, Amazon CloudWatch, and Amazon EC2 Auto Scaling. This ability to view resources, but not modify them, is ideal for assigning to a support role.
* Statements in an IAM policy have the following basic structure:
    * **Effect** says whether the statement _`Allow`_s or _`Deny`_s the permissions. Requests are denied by default; an _`Allow`_ in any applicable statement grants access, and an explicit _`Deny`_ in any applicable statement overrides every _`Allow`_.
    * **Action** specifies the API calls that can be made against an AWS service (for example, _`cloudwatch:ListMetrics`_). A trailing wildcard such as _`ec2:Describe*`_ matches every action with that prefix.
    * **Resource** defines the scope of entities covered by the statement (for example, a specific Amazon Simple Storage Service \[Amazon S3\] bucket or Amazon EC2 instance, identified by its ARN; an asterisk \[`*`\] means *any resource*).
    * A statement may also carry an optional **Condition** block that restricts when it applies; none of the policies in this lab use one.
12. In the navigation pane on the left, choose **User groups**.
13. Choose the name of the **`S3-Support`** group.
14. Choose the **Permissions** tab.
The S3-Support group has the **`AmazonS3ReadOnlyAccess`** policy attached.
15. Below **Policy Name**, choose the link for the **`AmazonS3ReadOnlyAccess`** policy.
16. Choose the **JSON** tab.
This policy grants _Get_ and _List_ permissions on _all_ Amazon S3 resources (`"Resource": "*"`).
17. In the navigation pane on the left, choose **User groups**.
18. Choose the name of the **`EC2-Admin`** group.
19. Choose the **Permissions** tab.
This group is different from the other two. Instead of a managed policy, the group has an _inline policy_: a policy embedded directly in a single user, group, or role, which exists only as part of that identity and is deleted with it. Inline policies are typically used for permissions that apply to one identity only.
20. Below **Policy Name**, choose the name of the **`EC2-Admin-Policy`** policy.
21. Choose the **JSON** tab.
This policy grants permission to _Describe_ information about Amazon EC2 instances and the ability to _Start_ and _Stop_ instances.
22. At the bottom of the screen, choose **Cancel** to close the policy, and then choose **Continue**.
## Business scenario
For the remainder of this lab, you work with these users and groups to enable permissions that support the following business scenario.
Your company is growing its use of AWS services and is using many Amazon EC2 instances and Amazon S3 buckets. You want to give access to new staff based on their job function, as indicated in the following table:
| User | In Group | Permissions |
| --- | --- | --- |
|`user-1`|`S3-Support`|Read-only access to Amazon S3|
|`user-2`|`EC2-Support`|Read-only access to Amazon EC2|
|`user-3`|`EC2-Admin`|View, Start, and Stop Amazon EC2 instances|
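As an added example (not part of the original lab sheet, and not AWS's own tooling), the following Python script models the evaluation logic behind what you will observe in Task 3. It hard-codes abridged versions of the three policies inspected in Task 1 and the group memberships from the table above, then answers "may this user call this action on this resource?" the way IAM does: requests are denied by default, an applicable `Allow` grants access, and an explicit `Deny` overrides any `Allow`. The policy contents are shortened to the actions this lab exercises, and conditions, resource-based policies, permissions boundaries and service control policies are deliberately omitted.

```python
"""Minimal model of how IAM evaluates the policies used in this lab.

Constructed example: the groups, their (abridged) policies and the
business-scenario memberships are hard-coded so the script runs offline.
Real IAM evaluation also considers Condition blocks, resource-based
policies, permissions boundaries and SCPs, which this model omits.
"""
from fnmatch import fnmatchcase

# Policy documents, shortened to the actions this lab exercises.  The action
# patterns mirror the JSON shown in the console for the two AWS managed
# policies and the inline EC2-Admin-Policy.
POLICIES = {
    "AmazonEC2ReadOnlyAccess": {"Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
                    "cloudwatch:ListMetrics", "autoscaling:Describe*"],
         "Resource": "*"},
    ]},
    "AmazonS3ReadOnlyAccess": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    ]},
    "EC2-Admin-Policy": {"Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*"},
    ]},
}

# Which policies are attached to which group (Task 1).
GROUP_POLICIES = {
    "EC2-Admin": ["EC2-Admin-Policy"],
    "EC2-Support": ["AmazonEC2ReadOnlyAccess"],
    "S3-Support": ["AmazonS3ReadOnlyAccess"],
}

# Group memberships from the business-scenario table (the result of Task 2).
MEMBERSHIP = {
    "user-1": ["S3-Support"],
    "user-2": ["EC2-Support"],
    "user-3": ["EC2-Admin"],
}


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    """Wildcard match; IAM action names are case-insensitive, ARNs are not."""
    if case_insensitive:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(statements, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    Order of statements does not matter: a matching Deny always wins, a
    matching Allow wins over the default, and no match means implicit deny.
    """
    decision = "ImplicitDeny"
    for st in statements:
        if not _matches(st["Action"], action, case_insensitive=True):
            continue
        if not _matches(st["Resource"], resource, case_insensitive=False):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def effective_statements(user):
    """A user inherits every statement of every policy attached to its groups."""
    statements = []
    for group in MEMBERSHIP.get(user, []):
        for policy_name in GROUP_POLICIES[group]:
            statements.extend(POLICIES[policy_name]["Statement"])
    return statements


def is_allowed(user, action, resource="*"):
    return evaluate(effective_statements(user), action, resource) == "Allow"


def group_member_counts():
    """The number shown in the Users column of the User groups page (Checkpoint 1)."""
    counts = {group: 0 for group in GROUP_POLICIES}
    for groups in MEMBERSHIP.values():
        for group in groups:
            counts[group] += 1
    return counts


if __name__ == "__main__":
    # The user/action pairs that Task 3 exercises in the console.
    checks = [("user-1", "s3:ListAllMyBuckets"), ("user-1", "ec2:DescribeInstances"),
              ("user-2", "ec2:DescribeInstances"), ("user-2", "ec2:StopInstances"),
              ("user-2", "s3:ListAllMyBuckets"), ("user-3", "ec2:StopInstances")]
    for user, action in checks:
        print(f"{user:7} {action:24} {'ALLOW' if is_allowed(user, action) else 'DENY'}")
    print(group_member_counts())
```

Running the script prints ALLOW or DENY for each user/action pair that Task 3 tests; compare its output with what you see in the console. Passing `evaluate` a constructed `Deny` statement alongside a user's inherited statements is the quickest way to see that a single `Deny` beats any number of `Allow`s, which is why an explicit `Deny` is the usual tool for carving exceptions out of a broad managed policy.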
## Task 2: Add users to groups
You recently hired _`user-1`_ into a role where they will provide support for Amazon S3. In this task, you add them to the _`S3-Support`_ group so that they inherit the necessary permissions through the attached _`AmazonS3ReadOnlyAccess`_ policy.
Note: Ignore any "not authorized" errors that appear during this task. They are caused by your lab account having limited permissions and don't impact your ability to complete the lab.
### Task 2.1: Add `user-1` to the `S3-Support` group
23. In the left navigation pane, choose **User groups**.
24. Choose the name of the **`S3-Support`** group.
25. On the **Users** tab, choose **Add users**.
26. Select **`user-1`**, and choose **Add users**.
On the **Users** tab, notice that _`user-1`_ was added to the group.
### Task 2.2: Add `user-2` to the `EC2-Support` group
You hired _`user-2`_ into a role where they will provide support for Amazon EC2. You will add them to the _`EC2-Support`_ group so that they inherit the necessary permissions through the attached _`AmazonEC2ReadOnlyAccess`_ policy.
27. Use what you learned from the previous steps to add _`user-2`_ to the _`EC2-Support`_ group.
Verify that _`user-2`_ is now part of the _`EC2-Support`_ group.
### Task 2.3: Add `user-3` to the `EC2-Admin` group
You hired _`user-3`_ as your Amazon EC2 administrator to manage your EC2 instances. You will add them to the _`EC2-Admin`_ group so that they inherit the necessary permissions through the attached _`EC2-Admin-Policy`_.
28. Use what you learned from the previous steps to add _`user-3`_ to the _`EC2-Admin`_ group.
Verify that _`user-3`_ is now part of the _`EC2-Admin`_ group.
29. In the navigation pane on the left, choose **User groups**.
Each group should have a **1** in the **Users** column. This indicates the number of users in each group.
If you do not have a **1** for the **Users** column for a group, revisit the previous steps to ensure that each user is assigned to a group, as shown in the table in the **Business scenario** section.
:::success
### Checkpoint 1 (2 marks)
Submit a screenshot, named **`cp1.{png/jpg/jpeg}`**, showing that each IAM user group has exactly 1 user. You can obtain such a screenshot on the **User groups** page.
Make sure the screenshot shows the following:
- The 3 IAM user groups and their names (these are IAM user groups, not EC2 security groups)
- The number of users in each group
:::
## Task 3: Sign in and test user permissions
In this task, you test the permissions inherited by IAM users in the console.
### Task 3.1: Get the console sign-in URL
30. In the navigation pane on the left, choose **Dashboard**.
Notice the **Sign-in URL for IAM users in this account** section at the top of the page. The sign-in URL looks similar to the following: **https://123456789012.signin.aws.amazon.com/console**
This link can be used to sign in to the AWS account that you are currently using.
31. Copy the sign-in link to a text editor.
### Task 3.2: Test `user-1` permissions
32. Open a **private** or **incognito** window in your browser.
33. Paste the sign-in link into the private browser, and press ENTER.
You will now sign in as _`user-1`_, who was hired as your Amazon S3 storage support staff.
34. Sign in with the following credentials:
* **IAM user name:** `user-1`
* **Password:** `Lab-Password1`
35. Choose the ᎒᎒᎒ **Services** menu, and choose **S3**. You can also use the search bar to find and choose **S3**.
36. Choose the name of one of your buckets, and browse the contents.
Because this user is part of the _`S3-Support`_ group in IAM, they have permissions to view a list of Amazon S3 buckets and their contents.
Now, test whether the user has access to Amazon EC2.
37. Choose the ᎒᎒᎒ **Services** menu, and choose **EC2**. You can also use the search bar to find and choose **EC2**.
38. In the left navigation pane, choose **Instances**.
You cannot see any instances. Instead, an error message says _you are not authorized to perform this operation_. This user has not been granted any Amazon EC2 permissions, so the request falls through to IAM's implicit deny.
:::success
### Checkpoint 2 (2 marks)
Submit a screenshot, named **`cp2.{png/jpg/jpeg}`**, showing that _`user-1`_ cannot access EC2 instances.
Make sure the screenshot shows the following:
- The Instances page
- The error message
:::
You will now sign in as _`user-2`_, who was hired as your Amazon EC2 support person.
39. First, sign out _`user-1`_ from the console:
* In the upper-right corner of the page, choose **`user-1`**.
* Choose **Sign Out**.
### Task 3.3: Test `user-2` permissions
40. Paste the sign-in link into the private browser again, and press ENTER.
41. Sign in with the following credentials:
* **IAM user name:** `user-2`
* **Password:** `Lab-Password2`
42. Choose the ᎒᎒᎒ **Services** menu, and choose **EC2**. You can also use the search bar to find and choose **EC2**.
43. In the navigation pane on the left, choose **Instances**.
* You are now able to see an EC2 instance. However, you cannot make any changes to Amazon EC2 resources because you have read-only permissions.
* If you cannot see an EC2 instance, then your Region might be incorrect. In the upper-right corner of the page, choose the Region name, and then choose the Region that you were in at the beginning of the lab (for example, **N. Virginia**).
44. Select the EC2 instance.
45. Choose the **Instance state** menu, and then choose **Stop instance**.
46. To confirm that you want to stop the instance, choose **Stop**.
An error message appears that says _`You are not authorized to perform this operation`_. This demonstrates that the policy only allows you to view information, not change it: _`ec2:StopInstances`_ is not covered by the _`ec2:Describe*`_ pattern in _`AmazonEC2ReadOnlyAccess`_.
Next, check whether _`user-2`_ can access Amazon S3.
:::success
### Checkpoint 3 (2 marks)
Submit a screenshot, named **`cp3.{png/jpg/jpeg}`**, showing that _`user-2`_ cannot stop EC2 instances.
Make sure the screenshot shows the following:
- The Instance state page
- The error message
:::
47. Choose the ᎒᎒᎒ **Services** menu, and choose **S3**. You can also use the search bar to find and choose **S3**.
You are redirected to the S3 home page because this user has no Amazon S3 permissions. Open the **menu** on the left and choose **General purpose buckets**. An access denied error appears, because listing buckets requires _`s3:ListAllMyBuckets`_, which no policy attached to _`EC2-Support`_ grants.
:::success
### Checkpoint 4 (2 marks)
Submit a screenshot, named **`cp4.{png/jpg/jpeg}`**, showing that _`user-2`_ cannot list S3 buckets.
Make sure the screenshot shows the following:
- The general purpose bucket page under Amazon S3
- The error message
:::
You will now sign in as _`user-3`_, who was hired as your Amazon EC2 administrator.
48. First, sign out _`user-2`_ from the console:
* In the upper-right corner of the page, choose **`user-2`**.
* Choose **Sign Out**.
### Task 3.4: Test `user-3` permissions
49. Paste the sign-in link into the private browser again, and press ENTER.
50. Sign in with the following credentials:
* **IAM user name:** `user-3`
* **Password:** `Lab-Password3`
51. Choose the ᎒᎒᎒ **Services** menu, and choose **EC2**.
52. In the navigation pane on the left, choose **Instances**.
* An EC2 instance is listed. As an Amazon EC2 Administrator, this user should have permissions to _Stop_ the EC2 instance.
* If you cannot see an EC2 instance, then your Region might be incorrect. In the upper-right corner of the page, choose the Region name, and then choose the Region that you were in at the beginning of the lab (for example, **N. Virginia**).
53. ☑ Select the EC2 instance.
54. Choose the **Instance state** menu, and then choose **Stop instance**.
55. To confirm that you want to stop the instance, choose **Stop**.
This time, the action is successful because _`user-3`_ inherits _`ec2:StopInstances`_ from the _`EC2-Admin-Policy`_ attached to the _`EC2-Admin`_ group. The **Instance state** changes to _`Stopping`_ and the instance starts to shut down.
:::success
### Checkpoint 5 (2 marks)
Submit a screenshot, named **`cp5.{png/jpg/jpeg}`**, showing that _`user-3`_ can stop EC2 instances.
Make sure the screenshot shows the following:
- The Instances page
- The new state of the instance (`Stopping`/`Stopped`)
:::
56. Close your private browser window.
## Conclusion
Congratulations! You now have successfully done the following:
* Explored pre-created IAM users and groups
* Inspected IAM policies as applied to the pre-created groups
* Followed a real-world scenario, while adding users to groups with specific capabilities enabled
* Located and used the IAM sign-in URL
* Tested the effects of policies on service access
## Lab complete
Congratulations! You have completed the lab. Remember to submit the necessary files [on Canvas](https://canvas.ust.hk/courses/63913/assignments/385049).
57. To end the lab, at the top of the lab's Canvas page, choose **End Lab**, and then choose **Yes** to confirm.
A message appears: _Ended AWS Lab Successfully_