AWS
To get up and running with AWS, you'll need to create an account, and understand a few things about permissions. Here are some instructions and notes on getting set up.
Exercise 1: User creation + access credentials
The following steps walk you through how to create an AWS user, get some access credentials, and associate those credentials with your AWS CLI, so you can make CLI calls based on that user.
- Create an AWS account + complete the setup
- Install the AWS CLI on your machine
- Create a user (call it any name)
- Create credentials for that user (access key + secret)
- Add those credentials to the CLI using
aws configure
- Input the access key + secret key.
- Set region to
us-east-1
- Why? You can override the region in the CLI with
--region="us-east-1"
, etc. But, it can get a bit annoying to keep typing, so a default region can be useful. Some regions don't have all the AWS services (you can look this up online). I chooseus-east-1
as some services ONLY work in that region also. However, you can choose any region you like.
Warning: You are not given AWS access credentials twice, so if you lose them, you'll need to re-create some more access credentials. Also, you should NEVER store your credentials in text files, or insecure locations. Also, you should NEVER commit your keys to GitHub or any source control. If you do, delete those access keys immediately (this process is called "key rotation") so they cannot be exploited.
Applying permissions in IAM
The user created before should have no permissions. The following is a short exercise to get start to understand how IAM works, and permissions are granted to certain entities. To understand IAM, you'll need to understand a few key terms:
Services
(e.g. This should be quite familiar, it's one of the AWS services, e.g. S3, RDS, EC2, etc)Actions
(e.g. A "thing" that you're trying to do, e.g. make an S3 bucket, delete an S3 bucket)Resources
(e.g. A resource in AWS, typically one that you created, or own)
When you run commands with the AWS CLI and you don't have permissions, the thrown error messages typically tell you the Resource + Actions that you need to configure. Here are two examples:
- Example (listing an S3 bucket) - Given the error:
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
,ListBuckets
is theAction
, the resouce is any/all. - Example (listing an S3 bucket) - Given the error:
make_bucket failed: s3://garcias-bucket-12-02-2023 An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied
theAction
isCreateBucket
, theResource
iss3://garcias-bucket-12-02-2023
.
Exercise 2: Exploring IAM permissions
In this exercise you're going to explore and understand policies, resources and actions, and how they affect the permissions you can access from a given entity. In this case, a user entity access AWS via the CLI.
- Call
aws s3 ls
without adding permissions for your user- ❌ Observe that the command returns permission denied, you don't have permissions to list S3 buckets.
- Add an inline policy to our user to grant
ListAllMyBuckets
- ✅ Observe success for
aws s3 ls
, you should see all S3 buckets. Let's try and create a bucket
- ✅ Observe success for
- Try to create a bucket with
aws s3 mb s3://sams-bucket
- ❌ Observe permission denied, you don't have permissions to create buckets, only list.
- Add an inline policy for
CreateBucket
for a specific bucket, e.g.s3://sams-bucket
- ✅ Observe success when creating a bucket named
aws s3 mb s3://sams-bucket
- ✅ Observe success when creating a bucket named
- Create another bucket called
aws s3 mb s3://garcias-bucket
- ❌ Observe permission denied, you only have permissions to act on the previously named resource, let's add it.
- Updated the inline policy with
s3://garcias-bucket
- ✅ Observe success creating bucket with
aws s3 mb s3://garcias-bucket
- ✅ Observe success creating bucket with
Bonus
- Update inline policy using the wildcard character
*
e.g.s3://finance-*
to allow the creation of buckets only the buckets prefixed withfinance-
- ✅ Observe success for
aws s3 mb s3://finance-october-2020
- ❌ Observe failure to create bucket for
aws s3 mb s3://accounting-october-2020
- ✅ Observe success for
FAQ
- Is this exercise covered in the AWS free tier? S3 currently charges for bucket content size + retrieval. As of the time of writing, 1 GB of data, with no traffic will cost $0.24 per year.