Looking For A Challenge To Hone Your AWS Debugging Skills?

How do your AWS infrastructure debugging skills measure up?
Today I have a treat for you. This is the first cloudwargames.com asynchronous challenge.
If you just want my regular content, don’t worry. I will only do these occasionally on the main Schematical socials and mailing list and keep the challenges primarily to the Cloud War Games mailing lists.
Warning:
It is super, super basic. I figured I would start with something really beginner to give people an idea of what I am going for and then work my way up from there.
Without further ado, let's dive on in!
Brief:
Your boss ("Boss Person") wants access to an important file, "extremely_important_stuff.txt", stored in S3, whenever they want. They already have an AWS IAM user in your company's AWS account; they just need access.
Setup Instructions:
Run the following command, replacing {your-prefix} with a prefix of your own (no spaces or special characters):
terraform apply -var='bucket_prefix={your-prefix}'
Once that is complete, there should be a file called bossperson-login.txt that contains the login credentials for Boss Person.
Important NOTE:
In real life, you should NOT have access to any other person's login credentials. But because this is a learning exercise, you get to play both yourself and Boss Person.
Log in as Boss Person and head over to S3 buckets:
https://console.aws.amazon.com/s3/buckets
Success Criteria:
The Boss Person user, which does not have root access or any other elevated permissions, can access the files in the S3 bucket created when we spun up this infrastructure, but no additional buckets.
Terraform:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.85.0"
    }
    local = {
      source = "hashicorp/local"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# IAM user names to create; each one gets a console login and the policy below.
variable "users" {
  type    = list(string)
  default = ["bossperson"]
}

# Supplied with -var='bucket_prefix=...'. S3 bucket names allow only lowercase
# letters, digits, hyphens and dots, so the default must not contain underscores.
variable "bucket_prefix" {
  type    = string
  default = "my-bucket-prefix"
}

resource "aws_s3_bucket" "important_stuff_bucket" {
  bucket = "${var.bucket_prefix}-big-bucket"
}

resource "aws_s3_object" "important_stuff_s3_object" {
  bucket  = aws_s3_bucket.important_stuff_bucket.bucket
  key     = "extremely_important_stuff.txt"
  content = "This is really important stuff"
}

resource "aws_iam_user" "iam_user" {
  for_each = toset(var.users)
  name     = each.value
}

resource "aws_iam_user_policy_attachment" "test-attach" {
  for_each   = aws_iam_user.iam_user
  user       = each.value.name
  policy_arn = aws_iam_policy.user_iam_policy.arn
}

# The S3 permissions granted to every user in var.users.
resource "aws_iam_policy" "user_iam_policy" {
  name = "explodeme-com-v1-s3-access"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid"    : "S3ListBucket",
        "Effect" : "Allow",
        "Action" : [
          "s3:GetBucketLocation",
          "s3:ListAllMyBuckets"
        ],
        "Resource" : "*"
      },
      {
        "Sid"    : "S3GetObject",
        "Effect" : "Allow",
        "Action" : [
          "s3:ListBucket",
          "s3:GetObject"
        ],
        "Resource" : [
          "arn:aws:s3:::some-other-bucket/*"
        ]
      }
    ]
  })
}

# Console password for each user. With no pgp_key set, the provider returns the
# password in plain text so it can be written to the login file below.
resource "aws_iam_user_login_profile" "iam_user_login_profile" {
  for_each = aws_iam_user.iam_user
  user     = each.value.name
}

# Writes <user>-login.txt next to the Terraform files (learning exercise only).
resource "local_file" "login" {
  for_each        = aws_iam_user_login_profile.iam_user_login_profile
  content         = "${each.value.user}\n${each.value.password}"
  filename        = "${each.value.user}-login.txt"
  file_permission = "0600"
}
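As an added example (not part of the original challenge or its Terraform), here is a small offline check of the Success Criteria: a simplified IAM evaluator that takes a copy of the policy JSON from the Terraform above and asks whether Boss Person could list and read the challenge bucket, and whether they could read some other bucket. It assumes a bucket prefix of "demo" and only handles wildcards and Allow/Deny with no conditions; the authoritative check against the deployed user is iam:SimulatePrincipalPolicy, so run this before and after your fix as a quick sanity test, not as proof.

```python
import fnmatch

# Copy of the IAM policy from the Terraform above (constructed here for an offline check).
CHALLENGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3ListBucket", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Sid": "S3GetObject", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::some-other-bucket/*"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise implicit deny. Conditions, NotAction/NotResource and
    principals are ignored. Action names are case-insensitive; ARNs are not.
    fnmatch's '*' and '?' behave like IAM's (no brackets appear in these values)."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def check_success_criteria(policy, bucket_prefix):
    """Mirror the Success Criteria: list and read our bucket, and nothing else."""
    bucket_arn = f"arn:aws:s3:::{bucket_prefix}-big-bucket"
    obj_arn = f"{bucket_arn}/extremely_important_stuff.txt"
    other_obj = "arn:aws:s3:::some-other-bucket/anything.txt"  # constructed sample
    return {
        "can_list_our_bucket": is_allowed(policy, "s3:ListBucket", bucket_arn),
        "can_get_our_object": is_allowed(policy, "s3:GetObject", obj_arn),
        "can_get_other_bucket": is_allowed(policy, "s3:GetObject", other_obj),
    }

if __name__ == "__main__":
    for name, ok in check_success_criteria(CHALLENGE_POLICY, "demo").items():
        print(f"{name}: {ok}")
```

The two "our bucket" checks should both come back True and the other-bucket check False once the policy is correct.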
What is your solution?
Once you have a solution DM or message it to me. I want to see what you come up with.
Want more challenges like this?
Like I said, the Schematical posts are going to be similar to what I have been doing. If you want more challenges, then sign up at cloudwargames.com.
The more the merrier, so invite your friends and co-workers to live events, climb the leaderboards (once I get those built out) and a lot more.