The first step is to create an AWS Organization, designate the Account you want to be your Lab Account, and have fun doing an AWS Nuke on those lab resources later!
Step 1. Create the Organization
Step 2. Click the Add Button
Step 3. Create the Account
Step 4. Create the Account Details
Presto! The Account has been created.
The very first reason to use AWS Organizations in your lab environment? It provides a consistent way to “nuke” or clean up your Lab/Dev environment without affecting your main/Production account, which hosts your WordPress website, dear photos, and other things that should not be touched by your Lab environment.
Get the Account ID and use the following URL to sign in: https://My_AWS_Account_ID.signin.aws.amazon.com/console/
Create the Console users, giving the admin the option to generate user names from a pattern or to read them from a given .csv file.
Create the Console user and create a password for that user.
Add the User to a particular group which has the IAM Policies attached to that group.
The script will then either wait a certain amount of time after the Users were created, or the admin can manually run the user deletion script. The user will then be removed from the group (thus removing access) and the password will be changed. The easiest way to remove access is to delete the user.
Later scripts will delete, at the end of the day, the resources that were created; the exact mechanism is still to be worked out.
The code thus far to create the lab user accounts and delete the lab user accounts can be found here: https://github.com/itglueguy/AWS-OpenLabs
On my journey to becoming an AWS Certified Solutions Architect, I noticed there wasn’t really any open source way to create Labs or Assessments using the AWS environment. Although it might not be coded the best, I intend to create a PowerShell-based AWS environment that allows for labs and assessments using a combination of AWS technologies.
I hope to improve the architecture of this as I go, so that I may better understand how to architect usable solutions.
AWS OpenLabs V1. Rather than providing users the CloudFormation template to provision the environment, this simply gives a way to deploy IAM Users with Console Passwords for a certain period of time, with a particular set of IAM Roles and Policies for particular lab scenarios.
Notes on this particular Architecture:
The main part of this architecture is creating IAM Users and creating a Console Password for them. After a set amount of time, those accounts can then be deleted.
Attach certain Roles / Policies to certain groups so that if a user is a member of a particular IAM group, they are granted only the permissions of that group. The IAM Role provides the high-level access that all lab scenarios share. The IAM Policy for a particular session is limited to the rights pertinent to that scenario.
High Level permissions include:
Limit Provisioning to a certain region
DENY the IAM privilege
DENY modifying resource tags
Low Level permissions include:
Access to particular AWS Services related to the particular scenario
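As an added example (not code from the AWS-OpenLabs repository), here is one way to express the shared high-level permissions above as an inline IAM group policy using the AWS Tools for PowerShell; the group name LabUsers, the policy name LabGuardrails and the lab region us-east-1 are constructed values.

```powershell
# Added example, not part of AWS-OpenLabs. Assumes the AWS Tools for PowerShell
# module is installed and the caller holds IAM admin credentials.
function New-LabGuardrailPolicyDocument {
    param(
        [string]$LabRegion = 'us-east-1'   # constructed value: the only region labs may use
    )
    $policy = [ordered]@{
        Version   = '2012-10-17'
        Statement = @(
            [ordered]@{
                # Limit provisioning to a certain region: deny any call whose
                # target region is not the lab region. NotAction leaves the
                # listed global (region-less) services reachable.
                Sid       = 'LimitProvisioningToLabRegion'
                Effect    = 'Deny'
                NotAction = @('sts:*', 'support:*')
                Resource  = '*'
                Condition = @{ StringNotEquals = @{ 'aws:RequestedRegion' = $LabRegion } }
            },
            [ordered]@{
                # DENY the IAM privilege: lab users cannot create, modify or
                # escalate identities, including their own.
                Sid      = 'DenyIamPrivilege'
                Effect   = 'Deny'
                Action   = 'iam:*'
                Resource = '*'
            },
            [ordered]@{
                # DENY modifying resource tags so the admin's tagging and the
                # cleanup-by-tag module cannot be defeated from inside a lab.
                Sid      = 'DenyTagModification'
                Effect   = 'Deny'
                Action   = @('ec2:CreateTags', 'ec2:DeleteTags',
                             'tag:TagResources', 'tag:UntagResources')
                Resource = '*'
            }
        )
    }
    # -Depth is needed: the default depth of 2 would flatten the Condition block
    return ($policy | ConvertTo-Json -Depth 10)
}

# Attach the guardrails as an inline policy on the lab group. The scenario-specific
# "low level" policy is a separate document attached to the same group.
Write-IAMGroupPolicy -GroupName 'LabUsers' -PolicyName 'LabGuardrails' `
    -PolicyDocument (New-LabGuardrailPolicyDocument -LabRegion 'us-east-1')
```

Because iam:* is explicitly denied, a lab user cannot change their own password, so the console password the admin sets must be the one used for the whole session (do not require a reset on first login).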
Functions to make all this work include:
Function which creates users and creates a console password for those users
Function which moves users from one group to another
Function which removes users from groups, deletes their login profile password, and deletes the users themselves
Variable IAM Policy Generation
Tagging untagged Resources
A cleanup module that deletes particular resources by age / tag