http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html https://www.youtube.com/watch?v=_wiGpBQGCjU
- Virtualbox
 - Ubuntu 14.04 LTS VM, 64-bit http://releases.ubuntu.com/14.04/ubuntu-14.04.4-desktop-amd64.iso
 - create new machine; settings: System / Processor: Enable PAE/NX; System / Acceleration: Paravirtualization Interface: Default, Enable VT-x/AMD-V, Enable Nested Paging; Display / Screen: Video Memory: 128MB, Acceleration: Enable 3D Acceleration
 - boot
 - install
 
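# First-boot setup inside the Ubuntu VM. This is an interactive session:
# `sudo su` opens a root shell and the commands after it were typed there.
echo "$USER"
# Appends a passwordless-sudo rule for the current user. Writing to
# /etc/sudoers directly bypasses the syntax check that visudo performs;
# `sudo visudo -c` validates the file afterwards (a bad line can lock sudo out).
echo "$USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers
sudo su
apt-get update
# Guest Additions (dkms) need the headers of the running kernel.
apt-get install -y build-essential dkms "linux-headers-$(uname -r)"
# Mount point of the Guest Additions ISO as seen in this VM; stop rather
# than run the installer from the wrong directory.
cd /media/aws-admin/ || exit 1
sh ./VBoxLinuxAdditions.run
shutdown now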
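# Install the AWS CLI with pip and configure credentials.
sudo apt-get install -y python-dev python-pip
# System-wide install (root-owned files in site-packages);
# `pip install --user awscli` keeps it under the user's home instead.
sudo pip install awscli
aws --version
# Prompts for access key ID, secret key, default region and output format.
aws configure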
cat             # output a file
tee             # split output into a file
cut -f 2        # print the 2nd column, per line
sed -n '5{p;q}' # print the 5th line in a file
sed 1d          # print all lines, except the first
tail -n +2      # print all lines, starting on the 2nd
head -n 5       # print the first 5 lines
tail -n 5       # print the last 5 lines
expand          # convert tabs to 4 spaces
unexpand -a     # convert 4 spaces to tabs
wc              # word count
tr ' ' '\t'     # translate / convert characters to other characters (the tab must be quoted)
sort            # sort data
uniq            # show only unique entries
paste           # combine rows of text, by line
join            # combine rows of text, by initial column value
http://docs.aws.amazon.com/cli/latest/reference/cloudtrail/
5 trails in total; CloudTrail supports resource-level permissions.
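# CloudTrail: create a trail with a new bucket, inspect it, tag it, tear it down.
aws cloudtrail describe-trails
aws s3 ls
# Creates the trail and the S3 bucket it delivers to (bucket names are global).
aws cloudtrail create-subscription \
  --name awslog \
  --s3-new-bucket awslog2016
# 8th tab-separated field of the text output; the column order depends on
# the CLI version, so check the unfiltered output first.
aws cloudtrail describe-trails --output text | cut -f 8
aws cloudtrail get-trail-status \
  --name awslog
aws cloudtrail delete-trail \
  --name awslog
# --force removes every log object still in the bucket before deleting it.
aws s3 rb s3://awslog2016 --force
aws cloudtrail add-tags \
  --resource-id awslog \
  --tags-list "Key=log-type,Value=all"
# list-tags needs at least one trail identifier; the original line left it empty.
aws cloudtrail list-tags \
  --resource-id-list "${trail_arn:?set trail_arn to the TrailARN shown by describe-trails}"
aws cloudtrail remove-tags \
  --resource-id awslog \
  --tags-list "Key=log-type,Value=all"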
http://docs.aws.amazon.com/cli/latest/reference/iam/index.html
https://blogs.aws.amazon.com/security/post/Tx15CIT22V4J8RP/How-to-rotate-access-keys-for-IAM-users
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
Limits = 5000 users, 100 groups, 250 roles, 2 access keys / user
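# IAM users: list, inspect, create one.
aws iam list-users
# 6th tab-separated field of the text output (column order is CLI-version
# dependent; check the unfiltered output first).
aws iam list-users --output text | cut -f 6
# Without --user-name this returns the IAM user behind the current credentials.
aws iam get-user
aws iam list-access-keys
aws iam create-user \
  --user-name aws-admin2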
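# Bulk-create the users named in user-names.txt (whitespace separated).
allUsers=$(<./user-names.txt)
# $allUsers is deliberately unquoted so it splits into one name per token.
for userName in $allUsers; do
  aws iam create-user \
    --user-name "$userName"
done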
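# --no-paginate returns a single page instead of following NextToken.
aws iam list-users --no-paginate
aws iam get-user \
  --user-name aws-admin2
# A user must have no keys, policies or group memberships left before deletion.
aws iam delete-user \
  --user-name aws-admin2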
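# Bulk-delete the users named in user-names.txt (whitespace separated).
allUsers=$(<./user-names.txt)
# $allUsers is deliberately unquoted so it splits into one name per token.
for userName in $allUsers; do
  aws iam delete-user \
    --user-name "$userName"
done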
http://docs.aws.amazon.com/cli/latest/reference/iam/delete-account-password-policy.html
# Removes the account-wide IAM password policy; a new one is set with
# update-account-password-policy (below).
aws iam delete-account-password-policy
http://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html
# Shows the account-wide IAM password policy currently in force.
aws iam get-account-password-policy
http://docs.aws.amazon.com/cli/latest/reference/iam/update-account-password-policy.html
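# Account password policy: at least 12 characters, all four character
# classes required, and users may change their own password.
aws iam update-account-password-policy \
  --minimum-password-length 12 \
  --require-symbols \
  --require-numbers \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --allow-users-to-change-password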
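# Access keys: list, create (saved to a file), audit last use, rotate out.
aws iam list-access-keys
aws iam list-access-keys \
  --user-name aws-admin2
# The secret access key is returned only in this response, so it is kept in
# aws-admin2.txt. umask 077 inside the subshell makes tee create that file
# readable by the owner only instead of world-readable.
(umask 077; aws iam create-access-key \
  --user-name aws-admin2 \
  --output text | tee aws-admin2.txt)
aws iam get-access-key-last-used \
  --access-key-id AKIAINA6AJZY4EXAMPLE
# Rotation: deactivate first so a key that is still in use can be re-enabled,
# then delete once nothing depends on it.
aws iam update-access-key \
  --access-key-id AKIAI44QH8DHBEXAMPLE \
  --status Inactive \
  --user-name aws-admin2
aws iam delete-access-key \
  --access-key-id AKIAI44QH8DHBEXAMPLE \
  --user-name aws-admin2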
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
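# IAM groups: create, attach a managed policy, add/remove a user, tear down.
aws iam list-groups
aws iam create-group --group-name FullAdmins
aws iam delete-group \
  --group-name FullAdmins
aws iam list-policies
# get-policy / list-entities-for-policy need a policy ARN; the original
# lines left the value empty.
aws iam get-policy \
  --policy-arn "${policy_arn:?set policy_arn to an Arn from list-policies}"
aws iam list-entities-for-policy \
  --policy-arn "${policy_arn:?set policy_arn to an Arn from list-policies}"
aws iam list-attached-group-policies \
  --group-name FullAdmins
# AdministratorAccess grants every action on every resource; membership of
# this group is effectively root on the account.
aws iam attach-group-policy \
  --group-name FullAdmins \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam add-user-to-group \
  --group-name FullAdmins \
  --user-name aws-admin2
aws iam get-group \
  --group-name FullAdmins
aws iam list-groups-for-user \
  --user-name aws-admin2
aws iam remove-user-from-group \
  --group-name FullAdmins \
  --user-name aws-admin2
# A group must have no members or attached policies before it can be deleted.
aws iam detach-group-policy \
  --group-name FullAdmins \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam delete-group \
  --group-name FullAdmins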
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
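# EC2 key pairs: let AWS generate one, or generate locally and import the public half.
aws ec2 describe-key-pairs
# The private key is returned only in this response; the original line left
# the key name empty.
aws ec2 create-key-pair \
  --key-name "${key_name:?set key_name}"
# Local generation: only the .pub file is uploaded, the private key never leaves the host.
ssh-keygen -t rsa -b 2048
aws ec2 import-key-pair \
  --key-name keyname_test \
  --public-key-material file:///home/apollo/id_rsa.pub
aws ec2 delete-key-pair \
  --key-name "${key_name:?set key_name}"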
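# Security groups: create one in the VPC and open port 80 to a CIDR range.
aws ec2 describe-security-groups
aws ec2 create-security-group \
  --vpc-id vpc-1a2b3c4d \
  --group-name web-access \
  --description "web access"
aws ec2 describe-security-groups \
  --group-id sg-0000000
# NB: 0.0.0.0/24 is the 256-address block 0.0.0.0-0.0.0.255, not "anywhere"
# (that would be 0.0.0.0/0). Keep ingress ranges as narrow as the use case allows.
aws ec2 authorize-security-group-ingress \
  --group-id sg-0000000 \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/24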
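# Look up this host's public address and allow only it on port 80.
my_ip=$(dig +short myip.opendns.com @resolver1.opendns.com)
# Without this check an empty lookup result would produce `--cidr /32`.
[[ -n "$my_ip" ]] || { printf 'could not determine public IP\n' >&2; exit 1; }
printf '%s\n' "$my_ip"
# /32 is exactly this address; the /24 used originally would also admit the
# 255 neighbouring addresses of the ISP block.
aws ec2 authorize-security-group-ingress \
  --group-id sg-0000000 \
  --protocol tcp \
  --port 80 \
  --cidr "$my_ip/32"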
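# Revoke the rule (must match the authorize call exactly) and delete the group.
aws ec2 revoke-security-group-ingress \
  --group-id sg-0000000 \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/24
# NB: this ID has eight zeros while the calls above use sg-0000000 (seven);
# use the GroupId printed by describe-security-groups.
aws ec2 delete-security-group \
  --group-id sg-00000000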
http://docs.aws.amazon.com/cli/latest/reference/ec2/index.html#cli-aws-ec2 http://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html
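# EC2 instances: launch (dry run), terminate, list.
aws ec2 describe-instances
# --dry-run checks parameters and permissions without launching; drop it to launch.
aws ec2 run-instances \
  --image-id ami-f0e7d19a \
  --instance-type t2.micro \
  --security-group-ids sg-00000000 \
  --dry-run
# The original `<instance_id>` placeholder is a shell redirection; use a variable.
aws ec2 terminate-instances \
  --instance-ids "${instance_id:?set instance_id to the InstanceId from describe-instances}"
aws ec2 describe-instances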
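# EC2 tags on an AMI. Tag keys are case-sensitive: the original created
# "name" but deleted "Name", so the two calls never referred to the same tag.
aws ec2 describe-tags
aws ec2 create-tags \
  --resources "ami-1a2b3c4d" \
  --tags Key=Name,Value=debian
# Removes the Name tag (see the delete-tags reference for how Value is matched).
aws ec2 delete-tags \
  --resources "ami-1a2b3c4d" \
  --tags Key=Name,Value=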
http://docs.aws.amazon.com/cli/latest/reference/cloudwatch/index.html
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatchLogs.html http://docs.aws.amazon.com/cli/latest/reference/logs/index.html#cli-aws-logs
http://docs.aws.amazon.com/cli/latest/reference/logs/create-log-group.html
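# CloudWatch Logs: create the group that the streams below live in.
aws logs create-log-group \
  --log-group-name "DefaultGroup"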
http://docs.aws.amazon.com/cli/latest/reference/logs/describe-log-groups.html
aws logs describe-log-groups
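# Only groups whose name starts with "Default".
aws logs describe-log-groups \
  --log-group-name-prefix "Default"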
http://docs.aws.amazon.com/cli/latest/reference/logs/delete-log-group.html
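# Deletes the group together with every stream and event it holds.
aws logs delete-log-group \
  --log-group-name "DefaultGroup"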
http://docs.aws.amazon.com/cli/latest/reference/logs/create-log-stream.html
Log group names can be between 1 and 512 characters long. Allowed characters include a-z, A-Z, 0-9, '_' (underscore), '-' (hyphen), '/' (forward slash), and '.' (period).
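# Create the "syslog" stream inside DefaultGroup.
aws logs create-log-stream \
  --log-group-name "DefaultGroup" \
  --log-stream-name "syslog"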
http://docs.aws.amazon.com/cli/latest/reference/logs/describe-log-streams.html
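# describe-log-streams requires --log-group-name. The stream created above is
# "syslog" inside "DefaultGroup", so the group to query is DefaultGroup (the
# original passed the stream name as the group and omitted the group entirely
# in the other calls).
aws logs describe-log-streams \
  --log-group-name "DefaultGroup"
aws logs describe-log-streams \
  --log-group-name "DefaultGroup" \
  --log-stream-name-prefix "syslog"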
http://docs.aws.amazon.com/cli/latest/reference/logs/delete-log-stream.html
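# The stream created above is "syslog"; "Default Stream" only exists if it was
# created elsewhere (e.g. in the console).
aws logs delete-log-stream \
  --log-group-name "DefaultGroup" \
  --log-stream-name "Default Stream"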