Lab Setup
AWS CLI
- We will be creating 3 groups:
  - Admin: permission for everything
  - tester: permission for reading specific services
  - dev: permission for read and create, but not delete, on specific services
- Admin:
  - We will configure admin as the default profile in the AWS CLI
  - We will create two more profiles, test and dev
- Let's use the Paris region.
- Anything to copy and paste throughout this class: Refer Here
- Configure the AWS CLI
- Way to check if it is working
Activity: Figure out the zones and local zones in the Paris region
- AWS CLI:
  aws ec2 describe-availability-zones
- Output options (Refer Here):
  - json
  - table
  - text
  - yaml
- Redirect the output of the availability zones to some json file
- Upload this file to Refer Here
- Pick a single value with a JMESPath query:
  aws ec2 describe-availability-zones --query "AvailabilityZones[0].ZoneId"
- Get multiple values
Scenario-1
- Your organization is running a database in a different account, in the zone with id euw3-az1. You are also asked to create an ec2 instance in the same AZ. Zone ids are stable across accounts but zone names are not, so we need to figure out the matching zone name.
  - Input => zone id
  - Output => zone name
- JMESPath expression (filter on ZoneId, project ZoneName, take the first match):
  AvailabilityZones[?ZoneId=='euw3-az1'].ZoneName | [0]
  aws ec2 describe-availability-zones --query "AvailabilityZones[?ZoneId=='euw3-az1'].ZoneName | [0]"
- Try to find the zone id for the zone name eu-west-3b
Activity 2: Find all the IAM policies not created by Amazon
- First let's figure out a way to pull all the customer managed policies
- To filter output, try the following approaches in order:
  - see if any argument of the command supports your filter
  - see if there is a generic filter argument which can help
  - use a JMESPath --query to filter on the output
- In this case the command has a --scope argument (Refer Here):
  aws iam list-policies --scope Local
- Now we are asked to delete all the policies which are customer managed (Refer Here)
- We need the policy ARNs
- Consider the following script
#!/bin/bash
# Fetch the first customer-managed policy ARN (text output, so the value is a bare string)
policy_arn=$(aws iam list-policies --scope Local --query 'Policies[].Arn|[0]' --output text)
echo "found ${policy_arn}"
# Keep going while the variable is non-empty.
# Note: when no policy is left the query yields null, which --output text prints as "None",
# so this condition stays true; a policy that is still attached also fails to delete and is
# returned again on the next iteration. Both cases make the loop run forever.
while [[ -n "$policy_arn" ]]
do
  # delete the first ARN we found
  echo "The policy arn to be deleted is ${policy_arn}"
  aws iam delete-policy --policy-arn "${policy_arn}" --output text
  echo "The policy arn is successfully deleted"
  # fetch the next first ARN
  policy_arn=$(aws iam list-policies --scope Local --query 'Policies[].Arn|[0]' --output text)
done
- The problem with the above approach is that it might never end.
- Other approach: get all the policy ARNs into an array and write a while or for loop over the array. Since the array is a fixed snapshot, this can never be an infinite loop.
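The array-based approach described above, as an added example (not a script from the course material). It assumes an AWS CLI profile that is allowed to delete policies; AWS_CMD is a hypothetical override hook so the loop logic can be exercised without the real CLI.

```shell
#!/bin/bash
# Added example: delete customer-managed IAM policies by taking a snapshot
# of all ARNs first, then iterating over that fixed array exactly once.
# AWS_CMD is an assumed override hook (defaults to the real aws CLI).
AWS_CMD="${AWS_CMD:-aws}"

# Collect every customer-managed (scope Local) policy ARN, whitespace separated.
list_customer_policy_arns() {
  "$AWS_CMD" iam list-policies --scope Local --query 'Policies[].Arn' --output text
}

# Delete one policy. A policy still attached to a user/group/role, or one that
# still has non-default versions, cannot be deleted: report it and move on
# instead of retrying forever.
delete_policy() {
  local arn="$1"
  if "$AWS_CMD" iam delete-policy --policy-arn "$arn" >/dev/null 2>&1; then
    echo "deleted ${arn}"
    return 0
  fi
  echo "skipped ${arn} (still attached or has extra versions)" >&2
  return 1
}

# Loop over the snapshot; the last line printed is a summary and the return
# code is the number of policies that could not be deleted (0 = all done).
delete_customer_policies() {
  local arns deleted=0 failed=0 arn
  arns=($(list_customer_policy_arns))
  for arn in "${arns[@]}"; do
    if delete_policy "$arn"; then deleted=$((deleted + 1)); else failed=$((failed + 1)); fi
  done
  echo "deleted=${deleted} failed=${failed}"
  return "$failed"
}

# Run only when explicitly asked, so the file can also be sourced as a library.
if [ "${1:-}" = "--run" ]; then
  delete_customer_policies
fi
```

Run it as `bash delete-policies.sh --run`; policies that are still attached are listed on stderr so you can detach them first.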
Activity 3: Tagging and filtering the resources based on tags
- Resource tags:
  - help in filtering the resources
  - help in filtering the bills based on tags
- Let's create an ec2 instance and then add the following tags:
  - Project = qtworkshop
  - Env = test
  - team = qtaws
  - release = v1.0
- From the CLI, now try using
  aws ec2 create-tags
  for tagging your ec2 instance with the above tags.
- Refer Here for the script to tag ec2 resources.
Activity 4: Manage the lifecycle of ec2 instances based on a tag
- Try to stop all the ec2 instances where there is a tag called Env with the value test
- Refer Here
Activity 5: Try stopping all the ec2 instances with some tag in all regions
- Refer Here for the script to stop all ec2 instances with a tag in all regions
Activity 6: Delete all RDS instances which are in the stopped state
- Refer Here for the script
Activity 7: Delete all the security groups in all regions
- Delete all the security groups in all regions in all VPCs, except the default ones:
  * Get the VPC ids of the current region
  * For each VPC id, get all security group ids
  * Delete each security group unless its name is default (the default security group of a VPC cannot be deleted)
  * Then repeat this for all the active regions in your account
- Refer Here for the script created
Activity 8: Create a security group which opens all traffic
- Try to find a CLI command to do this
- Then we will figure out how to parametrize this
- Refer Here for the security group rule