cloud security
38 Topics

Systems Manager: Automation
Hello,

On exercise 4 (Create playbook) I'm getting an error if I configure Step One according to the instructions, and I can't proceed with the playbook creation.

"AccessDeniedException: User: {{user}} is not authorized to perform: ssm:CreateDocument on resource: {{resource}}/NewRunbook because no permissions boundary allows the ssm:CreateDocument action"

This is how I structured the code:

schemaVersion: '0.3'
assumeRole: {{according the instructions}}
description: EC2-Stop-Prod-EU-WEST-1
mainSteps:
  - name: Pause
    action: aws:pause
    nextStep: Approve
    isEnd: false
    inputs: {}
  - name: Approve
    action: aws:approve
    nextStep: get_instance_ids
    isEnd: false
    inputs:
      Approvers:
        - {{according the instructions}}
  - name: get_instance_ids
    action: aws:executeAwsApi
    nextStep: turn_off_prod_instances
    isEnd: false
    inputs:
      Api: DescribeInstances
      Service: ec2
      Filters:
        - Name: tag-key
          Values:
            - prod
        - Name: instance-state-name
          Values:
            - running
    outputs:
      - Name: InstanceIds
        Selector: $.Reservations..Instances..InstanceId
        Type: StringList
  - name: turn_off_prod_instances
    action: aws:executeScript
    isEnd: true
    inputs:
      Runtime: python3.8
      Handler: script_handler
      Script: |-
        def script_handler(events, context):
          import boto3
          # Initialize client
          ec2 = boto3.client('ec2')
          instanceList = events['InstanceIds']
          for instance in instanceList:
            ec2.stop_instances(InstanceIds=[instance])
      InputPayload:
        InstanceIds: '{{get_instance_ids.InstanceIds}}'

Did anyone have the same error while doing this lab?

Regards,

Systems Manager: Run Command (AWS)
Hi,

I am attempting to complete the Systems Manager: Run Command lab and successfully run the commands (both turn green). It mentions there should be a token output from the second command, but the commands fail each time. Anywhere else I should be looking to get the token and/or successfully run the command?

Configuring Secure Web Hosting with AWS CloudFront
Hello,

Q4 on this lab (Browse to the CloudFront console and click on Create a CloudFront distribution) doesn't complete even when following all the instructions. When the deploy completes, the standard logging appears off:

When I click on edit, it shows an IAM error:

Anything that I can do from here to complete this task?

Regards,

Microsoft Defender for Cloud: Setup, CSPM, and Compliance
In the above lab, the last question (11) asks for the MITRE technique associated with the previous assessment. The noted MITRE exploit (both name and category number) associated with the answer is not accepted. Anyone else had the same issue?

[AWS] IAM: Tagging
Hello everyone. I'm stuck on Q3 of this lab. I'm leaving the ec2-custom-read policy as:

{
  "Statement": [
    {
      "Action": [
        "ec2:GetTransitGateway*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "automation"
          ]
        }
      },
      "Sid": "ReadEC2TransitGateways"
    }
  ],
  "Version": "2012-10-17"
}

But if I try to save the policy, it gives me an error:

Access denied to iam:CreatePolicyVersion
You don't have permission to iam:CreatePolicyVersion

Any hints on what I'm missing here? I think I didn't understand what exactly the exercise is asking for here.

Regards,

IAM: Demonstrate Your Skills - Developer access (2/3)
Developer access (2/3)

I have completed the developer access question 1 with the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::147026630027:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "lambda.amazonaws.com"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Deny",
      "Action": "lambda:*",
      "Resource": "arn:aws:lambda:us-east-1:147026630027:function:virus-scanner"
    }
  ]
}

Currently stuck on the Developer access 2 question:

Update the developers-lambda policy, with the following additional permissions:

Ensure the policy allows CreatePolicy, CreateRole, GetRole, GetPolicy, GetPolicyVersion, ListRoles, ListPolicies, ListRolePolicies, and ListAttachedRolePolicies actions for all resources.

Ensure the policy allows role policy attachment to all resources, but only when the developers-s3 arn:aws:iam::147026630027:policy/developers-s3 policy is present as a permissions boundary. This essentially restricts the maximum permissions of any developer-created role. Leave any condition qualifiers as default and ArnEquals as the condition.

I have this code but it is not working:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::147026630027:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "lambda.amazonaws.com"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "lambda:*",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListRoles",
        "iam:ListPolicies",
        "iam:ListRolePolicies"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::147026630027:policy/developers-s3"
        }
      }
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Deny",
      "Action": "lambda:*",
      "Resource": "arn:aws:lambda:us-east-1:147026630027:function:virus-scanner"
    }
  ]
}

Any help would be greatly appreciated. Thanks
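A small checker for the requirements quoted in the post above, added here as an example (it is not code from the lab or from the poster): it reads an IAM policy document and reports which of the nine listed actions are not allowed unconditionally on all resources, and whether iam:AttachRolePolicy is granted only under an ArnEquals condition on iam:PermissionsBoundary naming developers-s3. The action name iam:AttachRolePolicy and the iam:PermissionsBoundary condition key are AWS's own; the COMPLIANT document at the end is a constructed illustration of the stated requirements, not the lab's answer key.

```python
from fnmatch import fnmatchcase

BOUNDARY_ARN = "arn:aws:iam::147026630027:policy/developers-s3"  # ARN quoted in the post
REQUIRED_UNCONDITIONAL = {
    "iam:CreatePolicy", "iam:CreateRole", "iam:GetRole", "iam:GetPolicy",
    "iam:GetPolicyVersion", "iam:ListRoles", "iam:ListPolicies",
    "iam:ListRolePolicies", "iam:ListAttachedRolePolicies"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(action, patterns):
    # IAM action names are matched case-insensitively and may use * and ? wildcards
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def unconditional_allows(policy):
    """Required actions granted by an Allow on Resource "*" that has no Condition."""
    found = set()
    for st in policy["Statement"]:
        if (st.get("Effect") != "Allow" or "Condition" in st
                or "*" not in _as_list(st.get("Resource", []))):
            continue
        actions = _as_list(st.get("Action", []))
        found.update(a for a in REQUIRED_UNCONDITIONAL if _matches(a, actions))
    return found

def attach_is_boundary_gated(policy):
    """True only if every Allow of iam:AttachRolePolicy requires the developers-s3 boundary."""
    gated = False
    for st in policy["Statement"]:
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not _matches("iam:AttachRolePolicy", actions):
            continue
        cond = st.get("Condition", {}).get("ArnEquals", {})
        if cond.get("iam:PermissionsBoundary") != BOUNDARY_ARN:
            return False  # an ungated grant lets a developer attach policies to any role
        gated = True
    return gated

def check_policy(policy):
    missing = sorted(REQUIRED_UNCONDITIONAL - unconditional_allows(policy))
    return {"missing_unconditional": missing, "attach_gated": attach_is_boundary_gated(policy)}

# Constructed policy (not the poster's) that satisfies the task as stated above
COMPLIANT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED_UNCONDITIONAL), "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:AttachRolePolicy", "Resource": "*",
     "Condition": {"ArnEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}}]}
```

Run check_policy on the posted document and it reports all nine actions as missing, because they sit in a statement that carries a Condition, and attach_gated as False, because no statement grants iam:AttachRolePolicy at all.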
Hi all,

I am stuck on Question 6 as part of the KQL Parsing Complex Data Types. I have been doing adaptations of the following query, only to get a blank AvgTime table each time.

Event_CL
| where EventData contains "KB2267602"
| extend ParsedData = parse_json(EventData)
| summarize AvgTime = avg(todatetime(ParsedData["@time"]))

I may be missing something obvious or not, but any help would be appreciated.