Add security tutorials (batch 12)

Author: mwunderl

tuts/128-aws-waf-gs/aws-waf-gs.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d)
+exec > >(tee -a "$WORK_DIR/waf-$(date +%Y%m%d-%H%M%S).log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}
+[ -z "$REGION" ] && echo "ERROR: No region" && exit 1
+export AWS_DEFAULT_REGION="$REGION"
+echo "Region: $REGION"
+RANDOM_ID=$(openssl rand -hex 4)
+ACL_NAME="tut-acl-${RANDOM_ID}"
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }
+trap 'handle_error $LINENO' ERR
+cleanup() { echo ""; echo "Cleaning up..."; if [ -n "$ACL_ID" ]; then LOCK=$(aws wafv2 get-web-acl --name "$ACL_NAME" --scope REGIONAL --id "$ACL_ID" --query 'LockToken' --output text 2>/dev/null); aws wafv2 delete-web-acl --name "$ACL_NAME" --scope REGIONAL --id "$ACL_ID" --lock-token "$LOCK" 2>/dev/null && echo "  Deleted web ACL"; fi; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Creating web ACL: $ACL_NAME"
+ACL_ID=$(aws wafv2 create-web-acl --name "$ACL_NAME" --scope REGIONAL \
+    --default-action '{"Allow":{}}' \
+    --visibility-config '{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"tutorialACL"}' \
+    --rules '[{"Name":"RateLimit","Priority":1,"Statement":{"RateBasedStatement":{"Limit":1000,"AggregateKeyType":"IP"}},"Action":{"Block":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"RateLimit"}}]' \
+    --query 'Summary.Id' --output text)
+echo "  ACL ID: $ACL_ID"
+echo "Step 2: Describing web ACL"
+aws wafv2 get-web-acl --name "$ACL_NAME" --scope REGIONAL --id "$ACL_ID" --query 'WebACL.{Name:Name,Id:Id,Rules:Rules|length(@),DefaultAction:DefaultAction}' --output table
+echo "Step 3: Listing available managed rule groups"
+aws wafv2 list-available-managed-rule-groups --scope REGIONAL --query 'ManagedRuleGroups[:5].{Vendor:VendorName,Name:Name}' --output table
+echo "Step 4: Listing web ACLs"
+aws wafv2 list-web-acls --scope REGIONAL --query 'WebACLs[?starts_with(Name, `tut-`)].{Name:Name,Id:Id}' --output table
+echo ""
+echo "Tutorial complete."
+echo "Do you want to clean up? (y/n): "
+read -r CHOICE
+[[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup || echo "Manual: aws wafv2 delete-web-acl (requires lock-token)"

tuts/129-amazon-macie-gs/amazon-macie-gs.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d)
+exec > >(tee -a "$WORK_DIR/macie-$(date +%Y%m%d-%H%M%S).log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}
+[ -z "$REGION" ] && echo "ERROR: No region" && exit 1
+export AWS_DEFAULT_REGION="$REGION"
+echo "Region: $REGION"
+PREEXISTING=false
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }
+trap 'handle_error $LINENO' ERR
+cleanup() { echo ""; echo "Cleaning up..."; [ "$PREEXISTING" != true ] && aws macie2 disable-macie 2>/dev/null && echo "  Disabled Macie" || echo "  Macie was pre-existing — not disabling"; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Enabling Macie"
+STATUS=$(aws macie2 get-macie-session --query 'status' --output text 2>/dev/null || echo "DISABLED")
+if [ "$STATUS" = "ENABLED" ]; then echo "  Already enabled"; PREEXISTING=true; else aws macie2 enable-macie 2>/dev/null; echo "  Macie enabled"; fi
+echo "Step 2: Getting session details"
+aws macie2 get-macie-session --query '{Status:status,Created:createdAt,Updated:updatedAt}' --output table
+echo "Step 3: Listing S3 buckets"
+aws macie2 describe-buckets --query 'buckets[:5].{Name:bucketName,Encryption:serverSideEncryption.type,Public:publicAccess.effectivePermission}' --output table 2>/dev/null || echo "  Bucket inventory not ready yet"
+echo "Step 4: Getting usage statistics"
+aws macie2 get-usage-totals --query 'usageTotals[].{Type:type,Amount:estimatedCost}' --output table 2>/dev/null || echo "  No usage data yet"
+echo ""
+echo "Tutorial complete."
+[ "$PREEXISTING" = true ] && echo "Macie was already enabled — not disabling." || { echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup; }

tuts/130-amazon-detective-gs/amazon-detective-gs.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d)
+exec > >(tee -a "$WORK_DIR/detective-$(date +%Y%m%d-%H%M%S).log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+PREEXISTING=false
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }; trap 'handle_error $LINENO' ERR
+cleanup() { echo ""; echo "Cleaning up..."; [ "$PREEXISTING" != true ] && [ -n "$GRAPH_ARN" ] && aws detective delete-graph --graph-arn "$GRAPH_ARN" 2>/dev/null && echo "  Deleted graph" || echo "  Pre-existing — not deleting"; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Enabling Detective"
+GRAPHS=$(aws detective list-graphs --query 'GraphList[0].Arn' --output text 2>/dev/null)
+if [ -n "$GRAPHS" ] && [ "$GRAPHS" != "None" ]; then echo "  Already enabled"; GRAPH_ARN="$GRAPHS"; PREEXISTING=true; else GRAPH_ARN=$(aws detective create-graph --query 'GraphArn' --output text); echo "  Graph: $GRAPH_ARN"; fi
+echo "Step 2: Listing graphs"
+aws detective list-graphs --query 'GraphList[].{Arn:Arn,Created:CreatedTime}' --output table
+echo "Step 3: Listing members"
+aws detective list-members --graph-arn "$GRAPH_ARN" --query 'MemberDetails[:5].{Account:AccountId,Status:Status}' --output table 2>/dev/null || echo "  No members"
+echo ""; echo "Tutorial complete."
+[ "$PREEXISTING" = true ] && echo "Detective was already enabled." || { echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup; }

tuts/131-amazon-verifiedpermissions-gs/amazon-verifiedpermissions-gs.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d)
+exec > >(tee -a "$WORK_DIR/avp-$(date +%Y%m%d-%H%M%S).log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+RANDOM_ID=$(openssl rand -hex 4)
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }; trap 'handle_error $LINENO' ERR
+cleanup() { echo ""; echo "Cleaning up..."; [ -n "$STORE_ID" ] && aws verifiedpermissions delete-policy-store --policy-store-id "$STORE_ID" 2>/dev/null && echo "  Deleted policy store"; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Creating policy store"
+STORE_ID=$(aws verifiedpermissions create-policy-store --validation-settings '{"mode":"OFF"}' --query 'policyStoreId' --output text)
+echo "  Store ID: $STORE_ID"
+echo "Step 2: Creating a static policy"
+POLICY_ID=$(aws verifiedpermissions create-policy --policy-store-id "$STORE_ID" --definition '{"static":{"statement":"permit(principal, action == Action::\"view\", resource);"}}' --query 'policyId' --output text)
+echo "  Policy ID: $POLICY_ID"
+echo "Step 3: Testing authorization"
+aws verifiedpermissions is-authorized --policy-store-id "$STORE_ID" --principal '{"entityType":"User","entityId":"alice"}' --action '{"actionType":"Action","actionId":"view"}' --resource '{"entityType":"Document","entityId":"doc-1"}' --query '{Decision:decision}' --output table
+echo "Step 4: Testing denied action"
+aws verifiedpermissions is-authorized --policy-store-id "$STORE_ID" --principal '{"entityType":"User","entityId":"alice"}' --action '{"actionType":"Action","actionId":"delete"}' --resource '{"entityType":"Document","entityId":"doc-1"}' --query '{Decision:decision}' --output table
+echo "Step 5: Listing policies"
+aws verifiedpermissions list-policies --policy-store-id "$STORE_ID" --query 'policies[].{Id:policyId,Type:policyType}' --output table
+echo ""; echo "Tutorial complete."
+echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup

tuts/154-iam-policies/iam-policies.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/iam-policies.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-$(aws configure get region 2>/dev/null)}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+RANDOM_ID=$(openssl rand -hex 4); POLICY_NAME="tut-policy-${RANDOM_ID}"; ROLE_NAME="tut-iam-role-${RANDOM_ID}"
+ACCOUNT=$(aws sts get-caller-identity --query 'Account' --output text)
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }; trap 'handle_error $LINENO' ERR
+cleanup() { echo ""; echo "Cleaning up..."; aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "arn:aws:iam::${ACCOUNT}:policy/$POLICY_NAME" 2>/dev/null; aws iam delete-role --role-name "$ROLE_NAME" 2>/dev/null && echo "  Deleted role"; aws iam delete-policy --policy-arn "arn:aws:iam::${ACCOUNT}:policy/$POLICY_NAME" 2>/dev/null && echo "  Deleted policy"; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Creating a custom policy"
+POLICY_ARN=$(aws iam create-policy --policy-name "$POLICY_NAME" --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::example-bucket","arn:aws:s3:::example-bucket/*"]},{"Effect":"Deny","Action":"s3:DeleteObject","Resource":"*"}]}' --query 'Policy.Arn' --output text)
+echo "  Policy ARN: $POLICY_ARN"
+echo "Step 2: Getting policy details"
+aws iam get-policy --policy-arn "$POLICY_ARN" --query 'Policy.{Name:PolicyName,Arn:Arn,Versions:AttachmentCount}' --output table
+echo "Step 3: Getting policy version (the actual document)"
+aws iam get-policy-version --policy-arn "$POLICY_ARN" --version-id v1 --query 'PolicyVersion.Document' --output json | python3 -m json.tool
+echo "Step 4: Creating a role and attaching the policy"
+aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}' > /dev/null
+aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
+echo "  Attached $POLICY_NAME to $ROLE_NAME"
+echo "Step 5: Listing attached policies"
+aws iam list-attached-role-policies --role-name "$ROLE_NAME" --query 'AttachedPolicies[].{Name:PolicyName,Arn:PolicyArn}' --output table
+echo "Step 6: Simulating policy"
+aws iam simulate-principal-policy --policy-source-arn "arn:aws:iam::${ACCOUNT}:role/$ROLE_NAME" --action-names s3:GetObject s3:DeleteObject --resource-arns "arn:aws:s3:::example-bucket/file.txt" --query 'EvaluationResults[].{Action:EvalActionName,Decision:EvalDecision}' --output table
+echo ""; echo "Tutorial complete."
+echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup