From 5ff32d75a767ad605b817798857ed06db81d1f16 Mon Sep 17 00:00:00 2001
From: Michael Wunderlich
Date: Tue, 14 Apr 2026 16:35:00 +0000
Subject: [PATCH 1/3] Add security tutorials (batch 13)
---
 .../iam-access-analyzer.sh | 17 +++++++++++++++++
 tuts/188-iam-mfa-devices/iam-mfa.sh | 14 ++++++++++++++
 .../iam-password-policy.sh | 11 +++++++++++
 tuts/199-iam-groups/iam-groups.sh | 10 ++++++++++
 .../iam-service-linked-roles.sh | 7 +++++++
 5 files changed, 59 insertions(+)
 create mode 100644 tuts/174-iam-access-analyzer/iam-access-analyzer.sh
 create mode 100644 tuts/188-iam-mfa-devices/iam-mfa.sh
 create mode 100644 tuts/194-iam-password-policy/iam-password-policy.sh
 create mode 100644 tuts/199-iam-groups/iam-groups.sh
 create mode 100644 tuts/205-iam-service-linked-roles/iam-service-linked-roles.sh
diff --git a/tuts/174-iam-access-analyzer/iam-access-analyzer.sh b/tuts/174-iam-access-analyzer/iam-access-analyzer.sh
new file mode 100644
index 00000000..b1aac03c
--- /dev/null
+++ b/tuts/174-iam-access-analyzer/iam-access-analyzer.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/aa.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+RANDOM_ID=$(openssl rand -hex 4); ANALYZER="tut-analyzer-${RANDOM_ID}"
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }; trap 'handle_error $LINENO' ERR
+cleanup() { echo ""; echo "Cleaning up..."; [ -n "$ANALYZER_ARN" ] && aws accessanalyzer delete-analyzer --analyzer-name "$ANALYZER" 2>/dev/null && echo " Deleted analyzer"; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Creating analyzer: $ANALYZER"
+ANALYZER_ARN=$(aws accessanalyzer create-analyzer --analyzer-name "$ANALYZER" --type ACCOUNT --query 'arn' --output text)
+echo " ARN: $ANALYZER_ARN"
+echo "Step 2: Listing findings"
+aws accessanalyzer list-findings --analyzer-arn "$ANALYZER_ARN" --query 'findings[:5].{Resource:resource,Type:resourceType,Status:status}' --output table 2>/dev/null || echo " No findings yet (analysis takes a few minutes)"
+echo "Step 3: Getting analyzer details"
+aws accessanalyzer get-analyzer --analyzer-name "$ANALYZER" --query 'analyzer.{Name:name,Type:type,Status:status}' --output table
+echo "Step 4: Listing analyzers"
+aws accessanalyzer list-analyzers --query 'analyzers[?starts_with(name, `tut-`)].{Name:name,Status:status}' --output table
+echo ""; echo "Tutorial complete."
+echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup
diff --git a/tuts/188-iam-mfa-devices/iam-mfa.sh b/tuts/188-iam-mfa-devices/iam-mfa.sh
new file mode 100644
index 00000000..c3a602f1
--- /dev/null
+++ b/tuts/188-iam-mfa-devices/iam-mfa.sh
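Review bot: The fallback on the Step 2 `list-findings` line prints "No findings yet" only when the call itself fails, because an analyzer with nothing to report returns an empty list with exit status 0 and the `|| echo` branch never runs; with stderr discarded, an AccessDenied or a malformed ARN is shown to the reader as "no findings", which is the wrong conclusion for a tool whose job is surfacing external access. Drop the `2>/dev/null ||` and branch on the count instead: `COUNT=$(aws accessanalyzer list-findings --analyzer-arn "$ANALYZER_ARN" --query 'length(findings)' --output text)`, then `if [ "$COUNT" = "0" ]; then echo " No findings yet (analysis takes a few minutes)"; else aws accessanalyzer list-findings --analyzer-arn "$ANALYZER_ARN" --query 'findings[:5].{Resource:resource,Type:resourceType,Status:status}' --output table; fi`. With the suppression gone the ERR trap set on the handle_error line also covers a failed listing. Answering n at the final prompt leaves the analyzer (and the log directory under /tmp) in place by design; a comment on that line saying so, with the `delete-analyzer --analyzer-name` command to run by hand, would help.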
@@ -0,0 +1,14 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+echo "Step 1: Listing MFA devices"
+aws iam list-mfa-devices --query 'MFADevices[].{User:UserName,Serial:SerialNumber,Enabled:EnableDate}' --output table 2>/dev/null || echo " No MFA devices"
+echo "Step 2: Listing virtual MFA devices"
+aws iam list-virtual-mfa-devices --query 'VirtualMFADevices[:5].{Serial:SerialNumber,User:User.UserName}' --output table
+echo "Step 3: Getting account summary (MFA status)"
+aws iam get-account-summary --query 'SummaryMap.{Users:Users,MFADevices:MFADevices,AccountMFAEnabled:AccountMFAEnabled}' --output table
+echo "Step 4: Getting credential report"
+aws iam generate-credential-report > /dev/null 2>&1; sleep 3
+aws iam get-credential-report --query 'GeneratedTime' --output text 2>/dev/null || echo " Report generating..."
+echo ""; echo "Tutorial complete. No resources created — read-only."
+rm -rf "$WORK_DIR"
diff --git a/tuts/194-iam-password-policy/iam-password-policy.sh b/tuts/194-iam-password-policy/iam-password-policy.sh
new file mode 100644
index 00000000..9beb4d8f
--- /dev/null
+++ b/tuts/194-iam-password-policy/iam-password-policy.sh
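Review bot: `list-mfa-devices` on the Step 1 line is called without `--user-name`, so IAM resolves it to the principal signing the request and the table covers one user, not the account; when the script runs under role credentials the call fails and the `2>/dev/null || echo " No MFA devices"` fallback presents that failure as an account with no MFA. For an account-wide answer the credential report the script already generates is the right source, since its `mfa_active` column (field 8) is filled in for every user: `aws iam get-credential-report --query Content --output text | base64 -d | awk -F, 'NR>1 && $8=="false" {print " no MFA: " $1}'`. The fixed `sleep 3` on the Step 4 line is a guess at report latency; polling `aws iam generate-credential-report --query State --output text` until it prints `COMPLETE` is deterministic. `iam:GenerateCredentialReport` is also a write action rather than a read, so the "read-only" claim on the closing line deserves a qualifying comment.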
@@ -0,0 +1,11 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+echo "Step 1: Getting current password policy"
+aws iam get-account-password-policy --query 'PasswordPolicy.{MinLength:MinimumPasswordLength,RequireUpper:RequireUppercaseCharacters,RequireLower:RequireLowercaseCharacters,RequireNumbers:RequireNumbers,RequireSymbols:RequireSymbols,MaxAge:MaxPasswordAge,ExpirePasswords:ExpirePasswords}' --output table 2>/dev/null || echo " No custom password policy set"
+echo "Step 2: Getting account authorization details summary"
+aws iam get-account-summary --query 'SummaryMap.{Users:Users,Groups:Groups,Roles:Roles,Policies:Policies,MFADevices:MFADevices}' --output table
+echo "Step 3: Listing access keys"
+aws iam list-access-keys --query 'AccessKeyMetadata[].{User:UserName,KeyId:AccessKeyId,Status:Status,Created:CreateDate}' --output table
+echo ""; echo "Tutorial complete. No resources created — read-only."
+rm -rf "$WORK_DIR"
diff --git a/tuts/199-iam-groups/iam-groups.sh b/tuts/199-iam-groups/iam-groups.sh
new file mode 100644
index 00000000..7b2a12e0
--- /dev/null
+++ b/tuts/199-iam-groups/iam-groups.sh
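Review bot: `list-access-keys` on the Step 3 line runs without `--user-name`, so it returns only the keys of the principal running the script (and fails outright under role credentials); a reader doing a key audit sees one user and concludes the account is clean. Iterate the users instead: `for u in $(aws iam list-users --query 'Users[].UserName' --output text); do aws iam list-access-keys --user-name "$u" --query 'AccessKeyMetadata[].{User:UserName,KeyId:AccessKeyId,Status:Status,Created:CreateDate}' --output table; done`. On the Step 1 line, `2>/dev/null || echo " No custom password policy set"` prints the same message for NoSuchEntity (genuinely no policy) and for AccessDenied, so a denied caller is told the account has no password policy; let stderr through, or capture it and only print the fallback when the error text contains `NoSuchEntity`.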
@@ -0,0 +1,10 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+RANDOM_ID=$(openssl rand -hex 4); G="tut-group-${RANDOM_ID}"
+cleanup() { aws iam detach-group-policy --group-name "$G" --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess 2>/dev/null; aws iam delete-group --group-name "$G" 2>/dev/null; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Creating group: $G"; aws iam create-group --group-name "$G" > /dev/null
+echo "Step 2: Attaching policy"; aws iam attach-group-policy --group-name "$G" --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
+echo "Step 3: Describing group"; aws iam get-group --group-name "$G" --query 'Group.{Name:GroupName,Created:CreateDate}' --output table
+echo "Step 4: Listing attached policies"; aws iam list-attached-group-policies --group-name "$G" --query 'AttachedPolicies[].{Name:PolicyName}' --output table
+echo "Do you want to clean up? (y/n): "; read -r C; [[ "$C" =~ ^[Yy]$ ]] && cleanup
diff --git a/tuts/205-iam-service-linked-roles/iam-service-linked-roles.sh b/tuts/205-iam-service-linked-roles/iam-service-linked-roles.sh
new file mode 100644
index 00000000..272d1de9
--- /dev/null
+++ b/tuts/205-iam-service-linked-roles/iam-service-linked-roles.sh
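Review bot: Nothing stops this script on failure — there is no `set -e` and, unlike iam-access-analyzer.sh in the same batch, no ERR trap — so when `create-group` on the Step 1 line is denied or the name collides, the attach, get and list steps still run against a group that does not exist, and when a later step fails after a successful create the group is left carrying the broad AWS-managed ReadOnlyAccess policy unless the user happens to answer y. Add `set -eo pipefail` after the shebang and, after the `cleanup` definition, `trap 'echo "ERROR on line $LINENO"; trap - ERR; cleanup; exit 1' ERR` so the failure path matches the analyzer script. Answering n at the final prompt also leaves the group behind by design; a comment on that line naming the `detach-group-policy` and `delete-group` commands to run by hand would help a reader cleaning up later.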
@@ -0,0 +1,7 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+echo "Step 1: Listing service-linked roles"; aws iam list-roles --query 'Roles[?starts_with(Path, `/aws-service-role/`)][:10].{Name:RoleName,Service:Path}' --output table
+echo "Step 2: Counting roles by type"; echo " Service-linked: $(aws iam list-roles --query 'Roles[?starts_with(Path, `/aws-service-role/`)] | length(@)' --output text)"
+echo " Custom: $(aws iam list-roles --query 'Roles[?Path==`/`] | length(@)' --output text)"
+echo ""; echo "Tutorial complete. Read-only."; rm -rf "$WORK_DIR"
From a5054063547172dca5182e7c2892a9b7cf9cebee Mon Sep 17 00:00:00 2001
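Review bot: The "Custom" count on the second-to-last script line only counts roles whose Path is exactly `/`; roles under any other customer path (the `/service-role/` path that console-created roles commonly use, for instance) land in neither bucket, so the two numbers do not partition the account's roles and will not add up to what the reader sees elsewhere. Counting the complement of the service-linked filter is exact and a one-token change: `Roles[?!starts_with(Path, `/aws-service-role/`)] | length(@)`. The `[:10]` slice on the Step 1 line also silently truncates the listing; a comment on that line saying only the first ten are shown would avoid the impression that an account has exactly ten service-linked roles.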
From: Michael Wunderlich
Date: Tue, 21 Apr 2026 05:17:17 +0000
Subject: [PATCH 2/3] Apply technical requirements (R1, R2, R9, R10, R13)
- R1: Add AWS_REGION to region fallback chain
- R2: Replace openssl rand with /dev/urandom
- R9: Remove Appendix/Generation details from READMEs
- R10: Remove internal references
- R13: Add REVISION-HISTORY.md
---
 tuts/174-iam-access-analyzer/REVISION-HISTORY.md | 8 ++++++++
 tuts/174-iam-access-analyzer/iam-access-analyzer.sh | 4 ++--
 tuts/188-iam-mfa-devices/REVISION-HISTORY.md | 8 ++++++++
 tuts/188-iam-mfa-devices/iam-mfa.sh | 2 +-
 tuts/194-iam-password-policy/REVISION-HISTORY.md | 8 ++++++++
 tuts/194-iam-password-policy/iam-password-policy.sh | 2 +-
 tuts/199-iam-groups/REVISION-HISTORY.md | 8 ++++++++
 tuts/199-iam-groups/iam-groups.sh | 4 ++--
 tuts/205-iam-service-linked-roles/REVISION-HISTORY.md | 8 ++++++++
 .../iam-service-linked-roles.sh | 2 +-
 10 files changed, 47 insertions(+), 7 deletions(-)
 create mode 100644 tuts/174-iam-access-analyzer/REVISION-HISTORY.md
 create mode 100644 tuts/188-iam-mfa-devices/REVISION-HISTORY.md
 create mode 100644 tuts/194-iam-password-policy/REVISION-HISTORY.md
 create mode 100644 tuts/199-iam-groups/REVISION-HISTORY.md
 create mode 100644 tuts/205-iam-service-linked-roles/REVISION-HISTORY.md
diff --git a/tuts/174-iam-access-analyzer/REVISION-HISTORY.md b/tuts/174-iam-access-analyzer/REVISION-HISTORY.md
new file mode 100644
index 00000000..d28febe2
--- /dev/null
+++ b/tuts/174-iam-access-analyzer/REVISION-HISTORY.md
@@ -0,0 +1,8 @@
+# Revision History: 174-iam-access-analyzer
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+
diff --git a/tuts/174-iam-access-analyzer/iam-access-analyzer.sh b/tuts/174-iam-access-analyzer/iam-access-analyzer.sh
index b1aac03c..2d78b450 100644
--- a/tuts/174-iam-access-analyzer/iam-access-analyzer.sh
+++ b/tuts/174-iam-access-analyzer/iam-access-analyzer.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/aa.log") 2>&1
-REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
-RANDOM_ID=$(openssl rand -hex 4); ANALYZER="tut-analyzer-${RANDOM_ID}"
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+RANDOM_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1); ANALYZER="tut-analyzer-${RANDOM_ID}"
 handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }; trap 'handle_error $LINENO' ERR
 cleanup() { echo ""; echo "Cleaning up..."; [ -n "$ANALYZER_ARN" ] && aws accessanalyzer delete-analyzer --analyzer-name "$ANALYZER" 2>/dev/null && echo " Deleted analyzer"; rm -rf "$WORK_DIR"; echo "Done."; }
 echo "Step 1: Creating analyzer: $ANALYZER"
diff --git a/tuts/188-iam-mfa-devices/REVISION-HISTORY.md b/tuts/188-iam-mfa-devices/REVISION-HISTORY.md
new file mode 100644
index 00000000..6eab7ef5
--- /dev/null
+++ b/tuts/188-iam-mfa-devices/REVISION-HISTORY.md
@@ -0,0 +1,8 @@
+# Revision History: 188-iam-mfa-devices
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+
diff --git a/tuts/188-iam-mfa-devices/iam-mfa.sh b/tuts/188-iam-mfa-devices/iam-mfa.sh
index c3a602f1..7a5744ef 100644
--- a/tuts/188-iam-mfa-devices/iam-mfa.sh
+++ b/tuts/188-iam-mfa-devices/iam-mfa.sh
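Review bot: The new REGION line closes its nested expansion with `))}`, but the substitution opened by `${AWS_DEFAULT_REGION:-${AWS_REGION:-$(` needs `)}}`: the first `)` ends the command substitution, the second is then a literal character inside the inner default, and the lone `}` closes only the inner `${AWS_REGION…}`, leaving the outer `${AWS_DEFAULT_REGION:-` open — as far as I can tell bash then either refuses to parse the script or swallows following text into the default value, so the R1 change as committed breaks every run. The line should read `REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}}`; a `bash -n` pass or one execution before publishing would have caught it. On the RANDOM_ID line, `cat /dev/urandom | tr …` can become `LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 8`, which drops the useless cat, pins `tr -dc` to byte semantics regardless of the caller's locale, and avoids the SIGPIPE failure status the pipeline would report if `pipefail` is ever enabled alongside the ERR trap on the next line.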
@@ -1,6 +1,6 @@
 #!/bin/bash
 WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
-REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
 echo "Step 1: Listing MFA devices"
 aws iam list-mfa-devices --query 'MFADevices[].{User:UserName,Serial:SerialNumber,Enabled:EnableDate}' --output table 2>/dev/null || echo " No MFA devices"
 echo "Step 2: Listing virtual MFA devices"
diff --git a/tuts/194-iam-password-policy/REVISION-HISTORY.md b/tuts/194-iam-password-policy/REVISION-HISTORY.md
new file mode 100644
index 00000000..c17f1845
--- /dev/null
+++ b/tuts/194-iam-password-policy/REVISION-HISTORY.md
@@ -0,0 +1,8 @@
+# Revision History: 194-iam-password-policy
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+
diff --git a/tuts/194-iam-password-policy/iam-password-policy.sh b/tuts/194-iam-password-policy/iam-password-policy.sh
index 9beb4d8f..4be58104 100644
--- a/tuts/194-iam-password-policy/iam-password-policy.sh
+++ b/tuts/194-iam-password-policy/iam-password-policy.sh
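Review bot: The replacement REGION line ends its nested default with `))}` where `)}}` is required: only one `}` is present for the two `${` openers, so the outer `${AWS_DEFAULT_REGION:-` is never closed on this line and, as far as I can tell, bash either reports an unmatched `}` or absorbs the rest of the script into the default value — the file no longer runs after this "requirements" change. Use `REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}}`. Since the same edit was applied mechanically across the batch, every script touched by this patch should be re-run (or at least checked with `bash -n`) before the REVISION-HISTORY entry calls it published.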
@@ -1,6 +1,6 @@
 #!/bin/bash
 WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
-REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
 echo "Step 1: Getting current password policy"
 aws iam get-account-password-policy --query 'PasswordPolicy.{MinLength:MinimumPasswordLength,RequireUpper:RequireUppercaseCharacters,RequireLower:RequireLowercaseCharacters,RequireNumbers:RequireNumbers,RequireSymbols:RequireSymbols,MaxAge:MaxPasswordAge,ExpirePasswords:ExpirePasswords}' --output table 2>/dev/null || echo " No custom password policy set"
 echo "Step 2: Getting account authorization details summary"
diff --git a/tuts/199-iam-groups/REVISION-HISTORY.md b/tuts/199-iam-groups/REVISION-HISTORY.md
new file mode 100644
index 00000000..7ce09d2d
--- /dev/null
+++ b/tuts/199-iam-groups/REVISION-HISTORY.md
@@ -0,0 +1,8 @@
+# Revision History: 199-iam-groups
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+
diff --git a/tuts/199-iam-groups/iam-groups.sh b/tuts/199-iam-groups/iam-groups.sh
index 7b2a12e0..b44c651a 100644
--- a/tuts/199-iam-groups/iam-groups.sh
+++ b/tuts/199-iam-groups/iam-groups.sh
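Review bot: The added REGION line is malformed: it opens two parameter expansions (`${AWS_DEFAULT_REGION:-${AWS_REGION:-…`) but closes with `))}`, i.e. an extra `)` and one `}` short, so the outer expansion stays open past the end of the line and the script no longer parses or runs as intended, as far as I can see. The fix is the closing sequence `)}}`: `REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}}`. Because this file is IAM-only, the region is irrelevant to every call it makes; a comment such as `# region is only needed for the CLI to resolve an endpoint; IAM is global` on that line would stop readers from treating the "ERROR: No region" exit as a security check.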
@@ -1,7 +1,7 @@
 #!/bin/bash
 WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
-REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
-RANDOM_ID=$(openssl rand -hex 4); G="tut-group-${RANDOM_ID}"
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+RANDOM_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1); G="tut-group-${RANDOM_ID}"
 cleanup() { aws iam detach-group-policy --group-name "$G" --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess 2>/dev/null; aws iam delete-group --group-name "$G" 2>/dev/null; rm -rf "$WORK_DIR"; echo "Done."; }
 echo "Step 1: Creating group: $G"; aws iam create-group --group-name "$G" > /dev/null
 echo "Step 2: Attaching policy"; aws iam attach-group-policy --group-name "$G" --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
diff --git a/tuts/205-iam-service-linked-roles/REVISION-HISTORY.md b/tuts/205-iam-service-linked-roles/REVISION-HISTORY.md
new file mode 100644
index 00000000..c31fa01d
--- /dev/null
+++ b/tuts/205-iam-service-linked-roles/REVISION-HISTORY.md
@@ -0,0 +1,8 @@
+# Revision History: 205-iam-service-linked-roles
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+
diff --git a/tuts/205-iam-service-linked-roles/iam-service-linked-roles.sh b/tuts/205-iam-service-linked-roles/iam-service-linked-roles.sh
index 272d1de9..317e4100 100644
--- a/tuts/205-iam-service-linked-roles/iam-service-linked-roles.sh
+++ b/tuts/205-iam-service-linked-roles/iam-service-linked-roles.sh
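Review bot: The new REGION line has mismatched delimiters — `))}` where the two nested `${…:-…}` expansions need `)}}` — so the outer `${AWS_DEFAULT_REGION:-` is left open and, as far as I can tell, the script fails to parse or runs with a garbage REGION value; this matters more here than in the read-only scripts because a partially parsed file can still reach the `create-group`/`attach-group-policy` lines. Correct line: `REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}}`. On the RANDOM_ID line, `LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 8` does the same job without the useless cat, without locale-dependent `tr` behaviour, and without the SIGPIPE exit status from `cat` that would surface as a failure if `set -o pipefail` is later added to this script; either form is fine as a non-secret suffix for the `tut-group-` name.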
@@ -1,6 +1,6 @@
 #!/bin/bash
 WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
-REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
 echo "Step 1: Listing service-linked roles"; aws iam list-roles --query 'Roles[?starts_with(Path, `/aws-service-role/`)][:10].{Name:RoleName,Service:Path}' --output table
 echo "Step 2: Counting roles by type"; echo " Service-linked: $(aws iam list-roles --query 'Roles[?starts_with(Path, `/aws-service-role/`)] | length(@)' --output text)"
 echo " Custom: $(aws iam list-roles --query 'Roles[?Path==`/`] | length(@)' --output text)"
From 7521d7af2b80084524c2669354d69ec37750cfeb Mon Sep 17 00:00:00 2001
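Review bot: The rewritten REGION line closes with `))}` but opens two `${` expansions, so one `}` is missing and a stray `)` is left inside the inner default; the outer `${AWS_DEFAULT_REGION:-` therefore never closes on this line and, as far as I can tell, bash rejects the file or builds REGION from whatever follows. It should be `REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}}`. A one-line `bash -n iam-service-linked-roles.sh` in whatever produced this batch would catch this class of mechanical edit before it ships.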
From: Michael Wunderlich
Date: Tue, 21 Apr 2026 05:38:01 +0000
Subject: [PATCH 3/3] Add README.md and tutorial walkthrough for script-only tutorials
---
 tuts/174-iam-access-analyzer/README.md | 37 +++++++++++++++++++
 .../iam-access-analyzer.md | 27 ++++++++++++++
 tuts/188-iam-mfa-devices/README.md | 29 +++++++++++++++
 tuts/188-iam-mfa-devices/iam-mfa.md | 23 ++++++++++++
 tuts/194-iam-password-policy/README.md | 28 ++++++++++++++
 .../iam-password-policy.md | 19 ++++++++++
 tuts/199-iam-groups/README.md | 37 +++++++++++++++++++
 tuts/199-iam-groups/iam-groups.md | 27 ++++++++++++++
 tuts/205-iam-service-linked-roles/README.md | 27 ++++++++++++++
 .../iam-service-linked-roles.md | 15 ++++++++
 10 files changed, 269 insertions(+)
 create mode 100644 tuts/174-iam-access-analyzer/README.md
 create mode 100644 tuts/174-iam-access-analyzer/iam-access-analyzer.md
 create mode 100644 tuts/188-iam-mfa-devices/README.md
 create mode 100644 tuts/188-iam-mfa-devices/iam-mfa.md
 create mode 100644 tuts/194-iam-password-policy/README.md
 create mode 100644 tuts/194-iam-password-policy/iam-password-policy.md
 create mode 100644 tuts/199-iam-groups/README.md
 create mode 100644 tuts/199-iam-groups/iam-groups.md
 create mode 100644 tuts/205-iam-service-linked-roles/README.md
 create mode 100644 tuts/205-iam-service-linked-roles/iam-service-linked-roles.md
diff --git a/tuts/174-iam-access-analyzer/README.md b/tuts/174-iam-access-analyzer/README.md
new file mode 100644
index 00000000..684ee92d
--- /dev/null
+++ b/tuts/174-iam-access-analyzer/README.md
@@ -0,0 +1,37 @@
+# Iam Access Analyzer
+
+An AWS CLI tutorial that demonstrates Accessanalyzer operations.
+
+## Running
+
+```bash
+bash iam-access-analyzer.sh
+```
+
+To auto-run with cleanup:
+
+```bash
+echo 'y' | bash iam-access-analyzer.sh
+```
+
+## What it does
+
+1. Creating analyzer: $ANALYZER
+2. Listing findings
+3. Getting analyzer details
+4. Listing analyzers
+
+## Resources created
+
+- Analyzer
+
+The script prompts you to clean up resources when it finishes.
+
+## Cost
+
+Free tier eligible for most operations. Clean up resources after use to avoid charges.
+
+## Related docs
+
+- [AWS CLI accessanalyzer reference](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/index.html)
+
diff --git a/tuts/174-iam-access-analyzer/iam-access-analyzer.md b/tuts/174-iam-access-analyzer/iam-access-analyzer.md
new file mode 100644
index 00000000..8b05bac5
--- /dev/null
+++ b/tuts/174-iam-access-analyzer/iam-access-analyzer.md
@@ -0,0 +1,27 @@
+# Iam Access Analyzer
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Creating analyzer: $ANALYZER
+
+The script handles this step automatically. See `iam-access-analyzer.sh` for the exact CLI commands.
+
+## Step 2: Listing findings
+
+The script handles this step automatically. See `iam-access-analyzer.sh` for the exact CLI commands.
+
+## Step 3: Getting analyzer details
+
+The script handles this step automatically. See `iam-access-analyzer.sh` for the exact CLI commands.
+
+## Step 4: Listing analyzers
+
+The script handles this step automatically. See `iam-access-analyzer.sh` for the exact CLI commands.
+
+## Cleanup
+
+The script prompts you to clean up all created resources. If you need to clean up manually, check the script log for the resource names that were created.
+
diff --git a/tuts/188-iam-mfa-devices/README.md b/tuts/188-iam-mfa-devices/README.md
new file mode 100644
index 00000000..21a4a7d7
--- /dev/null
+++ b/tuts/188-iam-mfa-devices/README.md
@@ -0,0 +1,29 @@
+# Iam Mfa
+
+A read-only script that queries Iam resources and displays information.
+
+## Running
+
+```bash
+bash iam-mfa.sh
+```
+
+## What it does
+
+1. Listing MFA devices
+2. Listing virtual MFA devices
+3. Getting account summary (MFA status)
+4. Getting credential report
+
+## Resources created
+
+None — this script is read-only.
+
+## Cost
+
+No cost. This script only reads existing resources.
+
+## Related docs
+
+- [AWS CLI iam reference](https://docs.aws.amazon.com/cli/latest/reference/iam/index.html)
+
diff --git a/tuts/188-iam-mfa-devices/iam-mfa.md b/tuts/188-iam-mfa-devices/iam-mfa.md
new file mode 100644
index 00000000..444832db
--- /dev/null
+++ b/tuts/188-iam-mfa-devices/iam-mfa.md
@@ -0,0 +1,23 @@
+# Iam Mfa
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Listing MFA devices
+
+The script handles this step automatically. See `iam-mfa.sh` for the exact CLI commands.
+
+## Step 2: Listing virtual MFA devices
+
+The script handles this step automatically. See `iam-mfa.sh` for the exact CLI commands.
+
+## Step 3: Getting account summary (MFA status)
+
+The script handles this step automatically. See `iam-mfa.sh` for the exact CLI commands.
+
+## Step 4: Getting credential report
+
+The script handles this step automatically. See `iam-mfa.sh` for the exact CLI commands.
+
diff --git a/tuts/194-iam-password-policy/README.md b/tuts/194-iam-password-policy/README.md
new file mode 100644
index 00000000..05a52675
--- /dev/null
+++ b/tuts/194-iam-password-policy/README.md
@@ -0,0 +1,28 @@
+# Iam Password Policy
+
+A read-only script that queries Iam resources and displays information.
+
+## Running
+
+```bash
+bash iam-password-policy.sh
+```
+
+## What it does
+
+1. Getting current password policy
+2. Getting account authorization details summary
+3. Listing access keys
+
+## Resources created
+
+None — this script is read-only.
+
+## Cost
+
+No cost. This script only reads existing resources.
+
+## Related docs
+
+- [AWS CLI iam reference](https://docs.aws.amazon.com/cli/latest/reference/iam/index.html)
+
diff --git a/tuts/194-iam-password-policy/iam-password-policy.md b/tuts/194-iam-password-policy/iam-password-policy.md
new file mode 100644
index 00000000..d234308e
--- /dev/null
+++ b/tuts/194-iam-password-policy/iam-password-policy.md
@@ -0,0 +1,19 @@
+# Iam Password Policy
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Getting current password policy
+
+The script handles this step automatically. See `iam-password-policy.sh` for the exact CLI commands.
+
+## Step 2: Getting account authorization details summary
+
+The script handles this step automatically. See `iam-password-policy.sh` for the exact CLI commands.
+
+## Step 3: Listing access keys
+
+The script handles this step automatically. See `iam-password-policy.sh` for the exact CLI commands.
+
diff --git a/tuts/199-iam-groups/README.md b/tuts/199-iam-groups/README.md
new file mode 100644
index 00000000..97b37ac6
--- /dev/null
+++ b/tuts/199-iam-groups/README.md
@@ -0,0 +1,37 @@
+# Iam Groups
+
+An AWS CLI tutorial that demonstrates Iam operations.
+
+## Running
+
+```bash
+bash iam-groups.sh
+```
+
+To auto-run with cleanup:
+
+```bash
+echo 'y' | bash iam-groups.sh
+```
+
+## What it does
+
+1. Creating group: $G"; aws iam create-group --group-name "$G
+2. Attaching policy"; aws iam attach-group-policy --group-name "$G
+3. Describing group"; aws iam get-group --group-name "$G
+4. Listing attached policies"; aws iam list-attached-group-policies --group-name "$G
+
+## Resources created
+
+- Group
+
+The script prompts you to clean up resources when it finishes.
+
+## Cost
+
+Free tier eligible for most operations. Clean up resources after use to avoid charges.
+
+## Related docs
+
+- [AWS CLI iam reference](https://docs.aws.amazon.com/cli/latest/reference/iam/index.html)
+
diff --git a/tuts/199-iam-groups/iam-groups.md b/tuts/199-iam-groups/iam-groups.md
new file mode 100644
index 00000000..4c84317a
--- /dev/null
+++ b/tuts/199-iam-groups/iam-groups.md
@@ -0,0 +1,27 @@
+# Iam Groups
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Creating group: $G"; aws iam create-group --group-name "$G
+
+The script handles this step automatically. See `iam-groups.sh` for the exact CLI commands.
+
+## Step 2: Attaching policy"; aws iam attach-group-policy --group-name "$G
+
+The script handles this step automatically. See `iam-groups.sh` for the exact CLI commands.
+
+## Step 3: Describing group"; aws iam get-group --group-name "$G
+
+The script handles this step automatically. See `iam-groups.sh` for the exact CLI commands.
+
+## Step 4: Listing attached policies"; aws iam list-attached-group-policies --group-name "$G
+
+The script handles this step automatically. See `iam-groups.sh` for the exact CLI commands.
+
+## Cleanup
+
+The script prompts you to clean up all created resources. If you need to clean up manually, check the script log for the resource names that were created.
+
diff --git a/tuts/205-iam-service-linked-roles/README.md b/tuts/205-iam-service-linked-roles/README.md
new file mode 100644
index 00000000..7c192b7e
--- /dev/null
+++ b/tuts/205-iam-service-linked-roles/README.md
@@ -0,0 +1,27 @@
+# Iam Service Linked Roles
+
+A read-only script that queries Iam resources and displays information.
+
+## Running
+
+```bash
+bash iam-service-linked-roles.sh
+```
+
+## What it does
+
+1. Listing service-linked roles
+2. Counting roles by type"; echo " Service-linked: $(aws iam list-roles --query 'Roles[?starts_with(Path, `/aws-service-role/`)] | length(@)' --output text)
+
+## Resources created
+
+None — this script is read-only.
+
+## Cost
+
+No cost. This script only reads existing resources.
+
+## Related docs
+
+- [AWS CLI iam reference](https://docs.aws.amazon.com/cli/latest/reference/iam/index.html)
+
diff --git a/tuts/205-iam-service-linked-roles/iam-service-linked-roles.md b/tuts/205-iam-service-linked-roles/iam-service-linked-roles.md
new file mode 100644
index 00000000..3491b33f
--- /dev/null
+++ b/tuts/205-iam-service-linked-roles/iam-service-linked-roles.md
@@ -0,0 +1,15 @@
+# Iam Service Linked Roles
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Listing service-linked roles
+
+The script handles this step automatically. See `iam-service-linked-roles.sh` for the exact CLI commands.
+
+## Step 2: Counting roles by type"; echo " Service-linked: $(aws iam list-roles --query 'Roles[?starts_with(Path, `/aws-service-role/`)] | length(@)' --output text)
+
+The script handles this step automatically. See `iam-service-linked-roles.sh` for the exact CLI commands.
+