AWS

content/AWS/AWS Organizations.md

@@ -0,0 +1,66 @@
+---
+title: AWS Organizations
+draft: false
+tags:
+  - aws
+---
+
+Create or invite other AWS accounts into the organization structure.
+
+### Invite Account
+To invite an existing account to the org, you need the target account ID or email address to create and invite.
+#### Send Invite
+In the AWS Organizations portal:
+Select 'Add and AWS Account':
+![[Pasted image 20240701100211.png]]
+Select 'Send Invitation':
+![[Pasted image 20240701102639.png]]
+In the target account, remember to accept the invitation inside the AWS Organizations portal and you are now connected to the organization. To enable role switching, follow below to enable IAM access to the account.
+#### Adding IAM role to target account
+Now that we have sent an invitation, we need to add the proper IAM roles in order to allow access from the management account:
+
+![[Pasted image 20240702080800.png]]
+
+Select 'Create Role':
+![[Pasted image 20240702080843.png]]
+Select:
+AWS Account>Another AWS Account and enter the management account ID:
+![[Pasted image 20240702080933.png]]
+To add permissions, search 'administratoraccess':
+![[Pasted image 20240702081017.png]] 
+You can give it any role name but 'OrganizationAccountAccessRole'  is the standard role name that AWS has when allowing organization access: ![[Pasted image 20240702081048.png]]
+ Click on 'Create role' when you have finished. You can now go to the Role Switching section below.
+### Create New Account
+In the AWS portal, navigate to AWS Organizations and select the 'Add an AWS Account':
+![[Pasted image 20240701100211.png]]
+Enter a unique username and email address:
+![[2024-07-01 09_51_41-Add an AWS account _ AWS Organizations _ Global — Mozilla Firefox.png]]
+Once the account has been created, copy the ID (Green Box) and move to the role switching section below:
+![[Pasted image 20240701100310.png]]
+Note: You can only access this type of account through role switching.
+### Role Switching
+For invited accounts: In order to implement this, in the destination account, add an IAM role to allow administrator access for another AWS account.
+
+On the top right side, select the 'Switch Role' button:
+
+![[Pasted image 20240701102311.png]]
+
+Enter the:
+- Account ID (Copied earlier in the 'Create Account' section above
+- IAM role name you used when creating the account (Default should be 'OrganizationAccountAccessRole')
+- Display name - identifier for the account
+- Display Color - for easier identification
+Select switch role when done:
+
+![[Pasted image 20240701100506.png]]
+
+The console will direct you to the new account which can be identified by the top right corner:
+![[Pasted image 20240701102343.png]]
+
+You once you switch the role, you will now see that you are in the target account on the top right corner of the console. To go back select the 'switch back' button:
+
+![[Pasted image 20240702082152.png]]
+
+You can now invite, create, and switch AWS accounts. 
+
+

content/AWS/Amazon Web Services (AWS).md

@@ -0,0 +1,6 @@
+This is Amazon Web Services which has many cloud services such as [[SAAS]], [[PAAS]], and [[IAAS]]. 
+### Storage
+[[S3]]
+Elastic Block Store (EBS)
+## Compute
+[[EC2]] 

content/AWS/Image transformation using S3 Events and Lambda.md

@@ -0,0 +1,83 @@
+This project will use S3 events that will trigger a lambda. Every time an image is uploaded, it will trigger the Lambda and pixelize the image. 
+
+This lab was taken from Adrian Cantrill's course: https://github.com/acantril/learn-cantrill-io-labs/tree/master/00-aws-simple-demos/aws-lambda-s3-events
+#### Create the S3 Buckets
+In the S3 portal, click on 'Create bucket' we will need to create 2 buckets:
+
+![[Pasted image 20240702113438.png]]
+
+Give it a unique name, I named one 'imagepixelationsource' and 'imagepixelationprocessed':
+![[Pasted image 20240702115102.png]]
+![[Pasted image 20240702115818.png]]
+
+##### Create the Lambda role
+
+Navigate to IAM and select 'Roles', click on 'Create role':
+
+![[Pasted image 20240702120014.png]]
+
+Select 'AWS service' and choose Lambda:
+
+![[Pasted image 20240702120116.png]]
+
+Give it a name and select 'Create role', we will not be adding any policies yet:
+
+![[Pasted image 20240702120226.png]]
+
+Select the role and select 'Add permissions' and 'Create inline policy':
+![[Pasted image 20240702120902.png]]
+
+Select JSON and paste the JSON copied from https://raw.githubusercontent.com/acantril/learn-cantrill-io-labs/master/00-aws-simple-demos/aws-lambda-s3-events/01_LABSETUP/policy/s3pixelator.json to here. Edit in the bucket names and account ID:
+
+![[Pasted image 20240702121437.png]]
+
+Give the policy a name and click 'Create policy':
+
+![[Pasted image 20240702121628.png]]
+
+#### Create the Lambda Function
+
+Navigate to the Lambda page and click on 'Create a function':
+
+![[Pasted image 20240702122338.png]]
+
+Author from scratch and fill out the required information:
+	Function name
+	Python 3.9
+	x86_64
+	Use an existing role (Select the role created in the step above)
+
+![[Pasted image 20240702122509.png]]
+
+Select the 'Upload from' and choose the .zip file. Upload the .zip file from https://github.com/acantril/learn-cantrill-io-labs/blob/master/00-aws-simple-demos/aws-lambda-s3-events/01_LABSETUP/my-deployment-package.zip :
+
+![[Pasted image 20240702122729.png]]
+
+Click on the 'Configuration' tab and under 'Environment Variables', select 'Edit':
+
+![[Pasted image 20240702122953.png]]
+
+Add the processed bucket key and value and hit 'Save':
+
+![[Pasted image 20240702123115.png]]
+
+Under 'General configuration', change the timeout to 1 minute:
+
+![[Pasted image 20240702123329.png]]
+
+Under the 'Triggers' section, add a trigger:
+
+![[Pasted image 20240702123416.png]]
+
+Make sure to select the source bucket or it may cause an exponential look and increase your costs!:
+
+![[Pasted image 20240702123606.png]]
+
+#### Assembling everything together
+
+Upload an image into the source bucket and see how the processed bucket will output 5 images with varying degrees of pixelation:
+![[Pasted image 20240702125012.png]]![[Pasted image 20240702125030.png]]
+
+![[Pasted image 20240702125139.png]]
+
+![[Pasted image 20240702125252.png]]

content/AWS/Revoking AWS Temporary Access Credentials.md

@@ -0,0 +1,29 @@
+---
+title: Revoking Temporaroy Access Credentials
+draft: false
+tags:
+  - aws
+---
+
+The rest of your content lives here. You can use **Markdown** here :)
+In order to revoke Temporary Access Credentials, we need to remove active sessions using the credentials. Running the revoke policy will
+Navigate to IAM and under Access Management, select Roles:
+
+![[Pasted image 20240702103852.png]]
+
+Select the role that was compromised and select 'Revoke sessions':
+![[Pasted image 20240702103958.png]]
+
+Click on 'Revoke active sessions':
+
+![[Pasted image 20240702103745.png]]
+
+A green banner will notify you that all active sessions have been revoked:
+
+![[Pasted image 20240702104131.png]]
+
+If you go back to the permissions tab, you will notice a new policy revoking older sessions:
+
+![[Pasted image 20240702105458.png]]
+
+Note: If EC2 instances are using the role, restart the instances and it will regenerate a new set of credentials for the service. 

content/AWS/Securing Access using Service Control Policies.md

@@ -0,0 +1,46 @@
+---
+title: Securing Access using service control policies
+draft: false
+tags:
+  - aws
+---
+
+The rest of your content lives here. You can use **Markdown** here :)We can prevent accounts from accessing services through the use of SCP. 
+
+If you apply a SCP to an Organizational Unit (OU), everything down the tree will be affected.
+
+Navigate to the 'Policies' section of AWS Organizations:
+
+![[Pasted image 20240702084215.png]]
+
+Select 'Create policy':
+![[Pasted image 20240702084321.png]]
+
+Give it a policy name and description of what it will do:
+
+![[Pasted image 20240702084757.png]]
+
+For this example I will be allowing all services while denying EC2 and Budgets:
+![[Pasted image 20240702084844.png]]
+
+Navigate back to the main page in AWS Organisations and select which Organizational Unit (OU) you want to apply the policy to. We will be using the PROD OU:
+
+![[Pasted image 20240702085029.png]]
+
+Select the polices tab and select 'Attach':
+
+![[Pasted image 20240702085209.png]]
+
+Select the SCP you created earlier and click on 'Attach policy':
+
+![[Pasted image 20240702085306.png]]
+
+Now that the SCP has been attached, you can navigate into the targeted account and notice that EC2 has been denied:
+
+![[Pasted image 20240702085705.png]]
+
+Going into Budgets also show that it has been denied:
+
+![[Pasted image 20240702085839.png]]
+
+You can now create and apply SCPs to OUs, effectively allowing or denying access on an organizational scale.