Add security tutorials (batch 13)

mwunderl · mwunderl · commit 5ff32d75a767 · 2026-04-14T16:35:00.000Z
diff --git a/tuts/174-iam-access-analyzer/iam-access-analyzer.sh b/tuts/174-iam-access-analyzer/iam-access-analyzer.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/aa.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+RANDOM_ID=$(openssl rand -hex 4); ANALYZER="tut-analyzer-${RANDOM_ID}"
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }; trap 'handle_error $LINENO' ERR
+cleanup() { echo ""; echo "Cleaning up..."; [ -n "$ANALYZER_ARN" ] && aws accessanalyzer delete-analyzer --analyzer-name "$ANALYZER" 2>/dev/null && echo "  Deleted analyzer"; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Creating analyzer: $ANALYZER"
+ANALYZER_ARN=$(aws accessanalyzer create-analyzer --analyzer-name "$ANALYZER" --type ACCOUNT --query 'arn' --output text)
+echo "  ARN: $ANALYZER_ARN"
+echo "Step 2: Listing findings"
+aws accessanalyzer list-findings --analyzer-arn "$ANALYZER_ARN" --query 'findings[:5].{Resource:resource,Type:resourceType,Status:status}' --output table 2>/dev/null || echo "  No findings yet (analysis takes a few minutes)"
+echo "Step 3: Getting analyzer details"
+aws accessanalyzer get-analyzer --analyzer-name "$ANALYZER" --query 'analyzer.{Name:name,Type:type,Status:status}' --output table
+echo "Step 4: Listing analyzers"
+aws accessanalyzer list-analyzers --query 'analyzers[?starts_with(name, `tut-`)].{Name:name,Status:status}' --output table
+echo ""; echo "Tutorial complete."
+echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup
diff --git a/tuts/188-iam-mfa-devices/iam-mfa.sh b/tuts/188-iam-mfa-devices/iam-mfa.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+echo "Step 1: Listing MFA devices"
+aws iam list-mfa-devices --query 'MFADevices[].{User:UserName,Serial:SerialNumber,Enabled:EnableDate}' --output table 2>/dev/null || echo "  No MFA devices"
+echo "Step 2: Listing virtual MFA devices"
+aws iam list-virtual-mfa-devices --query 'VirtualMFADevices[:5].{Serial:SerialNumber,User:User.UserName}' --output table
+echo "Step 3: Getting account summary (MFA status)"
+aws iam get-account-summary --query 'SummaryMap.{Users:Users,MFADevices:MFADevices,AccountMFAEnabled:AccountMFAEnabled}' --output table
+echo "Step 4: Getting credential report"
+aws iam generate-credential-report > /dev/null 2>&1; sleep 3
+aws iam get-credential-report --query 'GeneratedTime' --output text 2>/dev/null || echo "  Report generating..."
+echo ""; echo "Tutorial complete. No resources created — read-only."
+rm -rf "$WORK_DIR"
diff --git a/tuts/194-iam-password-policy/iam-password-policy.sh b/tuts/194-iam-password-policy/iam-password-policy.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+echo "Step 1: Getting current password policy"
+aws iam get-account-password-policy --query 'PasswordPolicy.{MinLength:MinimumPasswordLength,RequireUpper:RequireUppercaseCharacters,RequireLower:RequireLowercaseCharacters,RequireNumbers:RequireNumbers,RequireSymbols:RequireSymbols,MaxAge:MaxPasswordAge,ExpirePasswords:ExpirePasswords}' --output table 2>/dev/null || echo "  No custom password policy set"
+echo "Step 2: Getting account authorization details summary"
+aws iam get-account-summary --query 'SummaryMap.{Users:Users,Groups:Groups,Roles:Roles,Policies:Policies,MFADevices:MFADevices}' --output table
+echo "Step 3: Listing access keys"
+aws iam list-access-keys --query 'AccessKeyMetadata[].{User:UserName,KeyId:AccessKeyId,Status:Status,Created:CreateDate}' --output table
+echo ""; echo "Tutorial complete. No resources created — read-only."
+rm -rf "$WORK_DIR"
diff --git a/tuts/199-iam-groups/iam-groups.sh b/tuts/199-iam-groups/iam-groups.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+RANDOM_ID=$(openssl rand -hex 4); G="tut-group-${RANDOM_ID}"
+cleanup() { aws iam detach-group-policy --group-name "$G" --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess 2>/dev/null; aws iam delete-group --group-name "$G" 2>/dev/null; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Creating group: $G"; aws iam create-group --group-name "$G" > /dev/null
+echo "Step 2: Attaching policy"; aws iam attach-group-policy --group-name "$G" --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
+echo "Step 3: Describing group"; aws iam get-group --group-name "$G" --query 'Group.{Name:GroupName,Created:CreateDate}' --output table
+echo "Step 4: Listing attached policies"; aws iam list-attached-group-policies --group-name "$G" --query 'AttachedPolicies[].{Name:PolicyName}' --output table
+echo "Do you want to clean up? (y/n): "; read -r C; [[ "$C" =~ ^[Yy]$ ]] && cleanup
diff --git a/tuts/205-iam-service-linked-roles/iam-service-linked-roles.sh b/tuts/205-iam-service-linked-roles/iam-service-linked-roles.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+echo "Step 1: Listing service-linked roles"; aws iam list-roles --query 'Roles[?starts_with(Path, `/aws-service-role/`)][:10].{Name:RoleName,Service:Path}' --output table
+echo "Step 2: Counting roles by type"; echo "  Service-linked: $(aws iam list-roles --query 'Roles[?starts_with(Path, `/aws-service-role/`)] | length(@)' --output text)"
+echo "  Custom: $(aws iam list-roles --query 'Roles[?Path==`/`] | length(@)' --output text)"
+echo ""; echo "Tutorial complete. Read-only."; rm -rf "$WORK_DIR"
