Part 2 – Using AWS Organizations and creating Lab Accounts

The first step is to create an AWS Organization, designate the Account you want to be your Lab Account, and have fun doing an AWS Nuke on those lab resources later!

Step 1. Create the Organization

Step 2. Click the Add Button

Step 3. Create the Account

Step 4. Create the Account Details

Presto! The Account has been created.

The very first reason to use AWS Organizations in your lab environment? Provide a consistent way to “nuke” or clean up your Lab/Dev Environment without affecting your main/Production account hosting your WordPress website, dear photos, and other stuff in which should not be affected by your Lab environment.

Part 1: Managing IAM Users and their groups; managing user deprovisioning

The journey to writing a user provisioning and deprovisioning process for AWS Labs…in Powershell

ActionPowershell Commands
Create UserNew-Iamuser -username $user
Create Console PasswordNew-IAMLoginProfile -username $user
Change Console PasswordUpdate-IAMLoginProfile -username $user
Add user to GroupAdd-IAMUserToGroup -username $user -groupname $group
Remove User from Group
Remove-IAMUserfromGroup -username $user -groupname $group
Remove the IAM UserRemove-IAMUser -username $user
Get the Account ID and use the following URL for login

Generic Steps

  1. Create the Console users and give the user the option for either users based on pattern or from a given .csv file.
  2. Create the Console user and create a password for that user.
  3. Add the User to a particular group which has the IAM Policies attached to that group.
  4. The script will then either wait a certain amount of time after the Users were created or the admin can manually run the user deletion script. The user will than be removed from the group ( thus removing access ) and the password will be changed. The easiest way to remove access is to delete the user.
  5. Later scripts will somehow delete the resources that were created at the end of the day.

The code thus far to Create the Lab User Account and delete the lab users accounts can be found here:

AWS OpenLabs V1

On my journey to becoming an AWS Certified Solutions Architect, i noticed there wasn’t really any open source ways to create Labs or Assessments using the AWS environment. Although it might not be coded the best, i intend to create a powershell based AWS Environment that allows for Labs and assessment using a combination of AWS Technologies.

I hope to improve the architecture of this as i go so that i may better understand how to architect usable solutions.

AWS OpenLabs V1. Rather than provide users the Cloudformation template to provision the environment, this simply gives a way to deploy IAM Users with Console Passwords for a certain period time with a particular set of IAM Roles and Policies for particular lab scenarios

Notes on this particular Architecture:

  1. The main part of this architecture is created IAM Users and creating a Console Password for them. After a setup amount of time, those accounts can than be deleted.
    1. Attach certain Roles / Policies to certain groups so that if a user is contained with a certain IAM group, they will only be provided the particular permissions of that group. The IAM Role will provide high level access in which all lab scenarios share. The IAM policy for the particular session will only be limited to the pertinent rights of that share.
    2. High Level permissions include:
      • Limit Provisioning to a certain region
      • DENY the IAM privilege
      • DENY modifying resource tags
    3. Low Level permissions include:
      • Access to particular AWS Services related to the particular scenario
  2. Functions to make all this work include:
    • Function which creates users and create a console password for those users
    • Function which moves users from one group to another
    • Function which removes users from groups, deletes their profile password, and deletes the users itself
    • Variable IAM Policy Generation
    • Tagging untagged Resources
    • A Cleanup modules that deletes particular resources by age / tag