[AWS] IAM: Tagging
Hello everyone. I'm stuck on Q3 of this lab. I'm leaving the ec2-custom-read policy as:

    {
      "Statement": [
        {
          "Action": [
            "ec2:GetTransitGateway*"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "ForAllValues:StringEquals": {
              "aws:TagKeys": [
                "automation"
              ]
            }
          },
          "Sid": "ReadEC2TransitGateways"
        }
      ],
      "Version": "2012-10-17"
    }

But if I try to save the policy, it gives me an error:

    Access denied to iam:CreatePolicyVersion
    You don't have permission to iam:CreatePolicyVersion

Any hints on what I'm missing here? I think I didn't understand what exactly the exercise is asking for here.

Regards,

Systems Manager: Automation
Hello, on exercise 4 (Create playbook) I'm getting an error if I configure Step One according to the instructions, and I can't proceed with the playbook creation.

    AccessDeniedException: User: {{user}} is not authorized to perform: ssm:CreateDocument on resource: {{resource}}/NewRunbook because no permissions boundary allows the ssm:CreateDocument action

This is how I structured the code:

    schemaVersion: '0.3'
    assumeRole: {{according the instructions}}
    description: EC2-Stop-Prod-EU-WEST-1
    mainSteps:
      - name: Pause
        action: aws:pause
        nextStep: Approve
        isEnd: false
        inputs: {}
      - name: Approve
        action: aws:approve
        nextStep: get_instance_ids
        isEnd: false
        inputs:
          Approvers:
            - {{according the instructions}}
      - name: get_instance_ids
        action: aws:executeAwsApi
        nextStep: turn_off_prod_instances
        isEnd: false
        inputs:
          Api: DescribeInstances
          Service: ec2
          Filters:
            - Name: tag-key
              Values:
                - prod
            - Name: instance-state-name
              Values:
                - running
        outputs:
          - Name: InstanceIds
            Selector: $.Reservations..Instances..InstanceId
            Type: StringList
      - name: turn_off_prod_instances
        action: aws:executeScript
        isEnd: true
        inputs:
          Runtime: python3.8
          Handler: script_handler
          Script: |-
            def script_handler(events, context):
                import boto3
                # Initialize client
                ec2 = boto3.client('ec2')
                instanceList = events['InstanceIds']
                for instance in instanceList:
                    ec2.stop_instances(InstanceIds=[instance])
          InputPayload:
            InstanceIds: '{{get_instance_ids.InstanceIds}}'

Did anyone have the same error while doing this lab?

Regards,

EC2: Demonstrate Your Skills
Hello everyone, Q9 ("Once your load balancer is active, visit the website via its DNS name. What is the token from the webpage?") from EC2: Demonstrate Your Skills is giving an incorrect answer, though all previous questions are marked green and I'm filling in the exact output from the page (a six-digit number). Anyone with the same error?

Microsoft Sentinel SOAR: Demonstrate Your Skills
I am trying to complete the SOAR: Demonstrate your skills lab and I'm having an issue with one question. I believe I have done what it is asking, but the question won't show as completed, and I can't move on until this part is done. Is anyone able to point me in the right direction if I'm doing something wrong or am completely off target? Thanks

S3: Access Policies (Q5)
Hi, I don't get past this question when I put this for the access point. What am I missing here, please? I always get an error on AWS saying that the access point can't be implemented.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::407044316022:user/metrolio-accessor"
          },
          "Action": ["s3:ListBucket", "s3:GetObject"],
          "Resource": [
            "arn:aws:iam::407044316022:accesspoint/metrolio-access-point/object/data/*"
          ]
        }
      ]
    }

Kubernetes: Native Logging
In the lab "Kubernetes: Native Logging" I really cannot understand the question in step 9: "What is the token for creating the correct audit rule as specified in the Tasks?" I configured auditing correctly and went through all steps (except 9), and also found the answer for the last (11th) step, but I really cannot understand the question in step 9. I found one token in the audit log, decoded from base64, but that's not the correct answer. Can anybody help?

Peter

IAM: Demonstrate Your Skills - Developer access (2/3)
Developer access (2/3)

I have completed the developer access question 1 with the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::147026630027:role/*",
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": "lambda.amazonaws.com"
            }
          }
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": "lambda:*",
          "Resource": "*"
        },
        {
          "Sid": "VisualEditor2",
          "Effect": "Deny",
          "Action": "lambda:*",
          "Resource": "arn:aws:lambda:us-east-1:147026630027:function:virus-scanner"
        }
      ]
    }

Currently stuck on the Developer access 2 question:

    Update the developers-lambda policy, with the following additional permissions:
    Ensure the policy allows CreatePolicy, CreateRole, GetRole, GetPolicy, GetPolicyVersion, ListRoles, ListPolicies, ListRolePolicies, and ListAttachedRolePolicies actions for all resources.
    Ensure the policy allows role policy attachment to all resources, but only when the developers-s3 arn:aws:iam::147026630027:policy/developers-s3 policy is present as a permissions boundary. This essentially restricts the maximum permissions of any developer-created role.
    Leave any condition qualifiers as default and ArnEquals as the condition.

I have this code but it is not working:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::147026630027:role/*",
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": "lambda.amazonaws.com"
            }
          }
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "lambda:*",
            "iam:CreatePolicy",
            "iam:CreateRole",
            "iam:GetRole",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:ListRoles",
            "iam:ListPolicies",
            "iam:ListRolePolicies"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "iam:PermissionsBoundary": "arn:aws:iam::147026630027:policy/developers-s3"
            }
          }
        },
        {
          "Sid": "VisualEditor3",
          "Effect": "Deny",
          "Action": "lambda:*",
          "Resource": "arn:aws:lambda:us-east-1:147026630027:function:virus-scanner"
        }
      ]
    }

Any help would be greatly appreciated. Thanks

Snort Rules: Ep.5 – Fake Tech Support Popup
I have been stuck on Question 5 for a while now: "Create a Snort rule to detect connections to this IP address from 10.1.9.101 on port 49349, then submit the token." Does this IP refer to the IP in the previous question? If so, I have tried so many different rules but none worked.