diff --git a/tuts/128-aws-waf-gs/README.md b/tuts/128-aws-waf-gs/README.md new file mode 100644 index 00000000..b71b6d25 --- /dev/null +++ b/tuts/128-aws-waf-gs/README.md @@ -0,0 +1,37 @@ +# Aws Waf Gs + +An AWS CLI tutorial that demonstrates Wafv2 operations. + +## Running + +```bash +bash aws-waf-gs.sh +``` + +To auto-run with cleanup: + +```bash +echo 'y' | bash aws-waf-gs.sh +``` + +## What it does + +1. Creating web ACL: $ACL_NAME +2. Describing web ACL +3. Listing available managed rule groups +4. Listing web ACLs + +## Resources created + +- Web Acl + +The script prompts you to clean up resources when it finishes. + +## Cost + +Free tier eligible for most operations. Clean up resources after use to avoid charges. + +## Related docs + +- [AWS CLI wafv2 reference](https://docs.aws.amazon.com/cli/latest/reference/wafv2/index.html) + diff --git a/tuts/128-aws-waf-gs/REVISION-HISTORY.md b/tuts/128-aws-waf-gs/REVISION-HISTORY.md new file mode 100644 index 00000000..817ab260 --- /dev/null +++ b/tuts/128-aws-waf-gs/REVISION-HISTORY.md @@ -0,0 +1,8 @@ +# Revision History: 128-aws-waf-gs + +## Shell (CLI script) + +### 2026-04-14 v1 published +- Type: functional +- Initial version + diff --git a/tuts/128-aws-waf-gs/aws-waf-gs.md b/tuts/128-aws-waf-gs/aws-waf-gs.md new file mode 100644 index 00000000..06f2ea86 --- /dev/null +++ b/tuts/128-aws-waf-gs/aws-waf-gs.md 
@@ -0,0 +1,27 @@ +# Aws Waf Gs + +## Prerequisites + +1. AWS CLI installed and configured (`aws configure`) +2. Appropriate IAM permissions for the AWS services used + +## Step 1: Creating web ACL: $ACL_NAME + +The script handles this step automatically. See `aws-waf-gs.sh` for the exact CLI commands. + +## Step 2: Describing web ACL + +The script handles this step automatically. See `aws-waf-gs.sh` for the exact CLI commands. + +## Step 3: Listing available managed rule groups + +The script handles this step automatically. See `aws-waf-gs.sh` for the exact CLI commands. + +## Step 4: Listing web ACLs + +The script handles this step automatically. See `aws-waf-gs.sh` for the exact CLI commands. + +## Cleanup + +The script prompts you to clean up all created resources. If you need to clean up manually, check the script log for the resource names that were created. + diff --git a/tuts/128-aws-waf-gs/aws-waf-gs.sh b/tuts/128-aws-waf-gs/aws-waf-gs.sh new file mode 100644 index 00000000..2e6186f3 --- /dev/null +++ b/tuts/128-aws-waf-gs/aws-waf-gs.sh 
@@ -0,0 +1,30 @@ +#!/bin/bash +WORK_DIR=$(mktemp -d) +exec > >(tee -a "$WORK_DIR/waf-$(date +%Y%m%d-%H%M%S).log") 2>&1 +REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))} +[ -z "$REGION" ] && echo "ERROR: No region" && exit 1 +export AWS_DEFAULT_REGION="$REGION" +echo "Region: $REGION" +RANDOM_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1) +ACL_NAME="tut-acl-${RANDOM_ID}" +handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; } +trap 'handle_error $LINENO' ERR +cleanup() { echo ""; echo "Cleaning up..."; if [ -n "$ACL_ID" ]; then LOCK=$(aws wafv2 get-web-acl --name "$ACL_NAME" --scope REGIONAL --id "$ACL_ID" --query 'LockToken' --output text 2>/dev/null); aws wafv2 delete-web-acl --name "$ACL_NAME" --scope REGIONAL --id "$ACL_ID" --lock-token "$LOCK" 2>/dev/null && echo " Deleted web ACL"; fi; rm -rf "$WORK_DIR"; echo "Done."; } +echo "Step 1: Creating web ACL: $ACL_NAME" +ACL_ID=$(aws wafv2 create-web-acl --name "$ACL_NAME" --scope REGIONAL \ + --default-action '{"Allow":{}}' \ + --visibility-config '{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"tutorialACL"}' \ + --rules '[{"Name":"RateLimit","Priority":1,"Statement":{"RateBasedStatement":{"Limit":1000,"AggregateKeyType":"IP"}},"Action":{"Block":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"RateLimit"}}]' \ + --query 'Summary.Id' --output text) +echo " ACL ID: $ACL_ID" +echo "Step 2: Describing web ACL" +aws wafv2 get-web-acl --name "$ACL_NAME" --scope REGIONAL --id "$ACL_ID" --query 'WebACL.{Name:Name,Id:Id,Rules:Rules|length(@),DefaultAction:DefaultAction}' --output table +echo "Step 3: Listing available managed rule groups" +aws wafv2 list-available-managed-rule-groups --scope REGIONAL --query 'ManagedRuleGroups[:5].{Vendor:VendorName,Name:Name}' --output table +echo "Step 4: Listing web ACLs" +aws wafv2 list-web-acls --scope REGIONAL --query 
'WebACLs[?starts_with(Name, `tut-`)].{Name:Name,Id:Id}' --output table +echo "" +echo "Tutorial complete." +echo "Do you want to clean up? (y/n): " +read -r CHOICE +[[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup || echo "Manual: aws wafv2 delete-web-acl (requires lock-token)" diff --git a/tuts/129-amazon-macie-gs/README.md b/tuts/129-amazon-macie-gs/README.md new file mode 100644 index 00000000..5cb18192 --- /dev/null +++ b/tuts/129-amazon-macie-gs/README.md @@ -0,0 +1,29 @@ +# Amazon Macie Gs + +A read-only script that queries Macie2 resources and displays information. + +## Running + +```bash +bash amazon-macie-gs.sh +``` + +## What it does + +1. Enabling Macie +2. Getting session details +3. Listing S3 buckets +4. Getting usage statistics + +## Resources created + +None — this script is read-only. + +## Cost + +No cost. This script only reads existing resources. + +## Related docs + +- [AWS CLI macie2 reference](https://docs.aws.amazon.com/cli/latest/reference/macie2/index.html) + diff --git a/tuts/129-amazon-macie-gs/REVISION-HISTORY.md b/tuts/129-amazon-macie-gs/REVISION-HISTORY.md new file mode 100644 index 00000000..616910e1 --- /dev/null +++ b/tuts/129-amazon-macie-gs/REVISION-HISTORY.md @@ -0,0 +1,8 @@ +# Revision History: 129-amazon-macie-gs + +## Shell (CLI script) + +### 2026-04-14 v1 published +- Type: functional +- Initial version + diff --git a/tuts/129-amazon-macie-gs/amazon-macie-gs.md b/tuts/129-amazon-macie-gs/amazon-macie-gs.md new file mode 100644 index 00000000..ab5443d9 --- /dev/null +++ b/tuts/129-amazon-macie-gs/amazon-macie-gs.md 
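Review bot: The region lookup on the second script line is unbalanced — `REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}` closes the inner expansion with `)` and never closes the outer `${`, so bash rejects the line or keeps scanning for a later `}`, unless a brace was lost when the diff was collapsed; it should read `REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}}`. The same expression appears in amazon-macie-gs.sh, amazon-detective-gs.sh, amazon-verifiedpermissions-gs.sh and iam-policies.sh. Separately, `cleanup` ends with `rm -rf "$WORK_DIR"`, which is the directory the `exec > >(tee -a "$WORK_DIR/waf-…log")` line writes the log into, and the .md files tell users to consult that log for resource names when cleaning up manually; on the `handle_error` path the names are lost exactly when they are needed. Either write the log outside `$WORK_DIR` or keep the `.log` and print its path before removing the rest; the same pattern is in the other four scripts.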
@@ -0,0 +1,23 @@ +# Amazon Macie Gs + +## Prerequisites + +1. AWS CLI installed and configured (`aws configure`) +2. Appropriate IAM permissions for the AWS services used + +## Step 1: Enabling Macie + +The script handles this step automatically. See `amazon-macie-gs.sh` for the exact CLI commands. + +## Step 2: Getting session details + +The script handles this step automatically. See `amazon-macie-gs.sh` for the exact CLI commands. + +## Step 3: Listing S3 buckets + +The script handles this step automatically. See `amazon-macie-gs.sh` for the exact CLI commands. + +## Step 4: Getting usage statistics + +The script handles this step automatically. See `amazon-macie-gs.sh` for the exact CLI commands. + diff --git a/tuts/129-amazon-macie-gs/amazon-macie-gs.sh b/tuts/129-amazon-macie-gs/amazon-macie-gs.sh new file mode 100644 index 00000000..7561293c --- /dev/null +++ b/tuts/129-amazon-macie-gs/amazon-macie-gs.sh 
@@ -0,0 +1,23 @@ +#!/bin/bash +WORK_DIR=$(mktemp -d) +exec > >(tee -a "$WORK_DIR/macie-$(date +%Y%m%d-%H%M%S).log") 2>&1 +REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))} +[ -z "$REGION" ] && echo "ERROR: No region" && exit 1 +export AWS_DEFAULT_REGION="$REGION" +echo "Region: $REGION" +PREEXISTING=false +handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; } +trap 'handle_error $LINENO' ERR +cleanup() { echo ""; echo "Cleaning up..."; [ "$PREEXISTING" != true ] && aws macie2 disable-macie 2>/dev/null && echo " Disabled Macie" || echo " Macie was pre-existing — not disabling"; rm -rf "$WORK_DIR"; echo "Done."; } +echo "Step 1: Enabling Macie" +STATUS=$(aws macie2 get-macie-session --query 'status' --output text 2>/dev/null || echo "DISABLED") +if [ "$STATUS" = "ENABLED" ]; then echo " Already enabled"; PREEXISTING=true; else aws macie2 enable-macie 2>/dev/null; echo " Macie enabled"; fi +echo "Step 2: Getting session details" +aws macie2 get-macie-session --query '{Status:status,Created:createdAt,Updated:updatedAt}' --output table +echo "Step 3: Listing S3 buckets" +aws macie2 describe-buckets --query 'buckets[:5].{Name:bucketName,Encryption:serverSideEncryption.type,Public:publicAccess.effectivePermission}' --output table 2>/dev/null || echo " Bucket inventory not ready yet" +echo "Step 4: Getting usage statistics" +aws macie2 get-usage-totals --query 'usageTotals[].{Type:type,Amount:estimatedCost}' --output table 2>/dev/null || echo " No usage data yet" +echo "" +echo "Tutorial complete." +[ "$PREEXISTING" = true ] && echo "Macie was already enabled — not disabling." || { echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup; } diff --git a/tuts/130-amazon-detective-gs/README.md b/tuts/130-amazon-detective-gs/README.md new file mode 100644 index 00000000..9f2b3c2c --- /dev/null +++ b/tuts/130-amazon-detective-gs/README.md 
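Review bot: Step 1 treats any status other than `ENABLED` — including a failed `get-macie-session`, which `|| echo "DISABLED"` turns into `DISABLED`, and the service's `PAUSED` state — as "Macie not in use", so `PREEXISTING` stays `false`; if `enable-macie` then fails on a paused or unreadable session, `handle_error` runs `cleanup`, which calls `disable-macie`, an operation the API documents as deleting the account's existing Macie settings and resources. Mark the session pre-existing whenever it reports one, e.g. `if [ "$STATUS" = "ENABLED" ] || [ "$STATUS" = "PAUSED" ]; then PREEXISTING=true; …`, and abort without running `cleanup` when the status query fails for a reason other than a missing session. The `cleanup` chain `[ "$PREEXISTING" != true ] && aws macie2 disable-macie … && echo " Disabled Macie" || echo " Macie was pre-existing — not disabling"` also prints the pre-existing message when `disable-macie` itself fails; an `if`/`else` keeps the two cases apart.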
@@ -0,0 +1,36 @@ +# Amazon Detective Gs + +An AWS CLI tutorial that demonstrates Detective operations. + +## Running + +```bash +bash amazon-detective-gs.sh +``` + +To auto-run with cleanup: + +```bash +echo 'y' | bash amazon-detective-gs.sh +``` + +## What it does + +1. Enabling Detective +2. Listing graphs +3. Listing members + +## Resources created + +- Graph + +The script prompts you to clean up resources when it finishes. + +## Cost + +Free tier eligible for most operations. Clean up resources after use to avoid charges. + +## Related docs + +- [AWS CLI detective reference](https://docs.aws.amazon.com/cli/latest/reference/detective/index.html) + diff --git a/tuts/130-amazon-detective-gs/REVISION-HISTORY.md b/tuts/130-amazon-detective-gs/REVISION-HISTORY.md new file mode 100644 index 00000000..13a29904 --- /dev/null +++ b/tuts/130-amazon-detective-gs/REVISION-HISTORY.md @@ -0,0 +1,8 @@ +# Revision History: 130-amazon-detective-gs + +## Shell (CLI script) + +### 2026-04-14 v1 published +- Type: functional +- Initial version + diff --git a/tuts/130-amazon-detective-gs/amazon-detective-gs.md b/tuts/130-amazon-detective-gs/amazon-detective-gs.md new file mode 100644 index 00000000..5e3fc7a5 --- /dev/null +++ b/tuts/130-amazon-detective-gs/amazon-detective-gs.md 
@@ -0,0 +1,23 @@ +# Amazon Detective Gs + +## Prerequisites + +1. AWS CLI installed and configured (`aws configure`) +2. Appropriate IAM permissions for the AWS services used + +## Step 1: Enabling Detective + +The script handles this step automatically. See `amazon-detective-gs.sh` for the exact CLI commands. + +## Step 2: Listing graphs + +The script handles this step automatically. See `amazon-detective-gs.sh` for the exact CLI commands. + +## Step 3: Listing members + +The script handles this step automatically. See `amazon-detective-gs.sh` for the exact CLI commands. + +## Cleanup + +The script prompts you to clean up all created resources. If you need to clean up manually, check the script log for the resource names that were created. + diff --git a/tuts/130-amazon-detective-gs/amazon-detective-gs.sh b/tuts/130-amazon-detective-gs/amazon-detective-gs.sh new file mode 100644 index 00000000..d3c64200 --- /dev/null +++ b/tuts/130-amazon-detective-gs/amazon-detective-gs.sh 
@@ -0,0 +1,16 @@ +#!/bin/bash +WORK_DIR=$(mktemp -d) +exec > >(tee -a "$WORK_DIR/detective-$(date +%Y%m%d-%H%M%S).log") 2>&1 +REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION" +PREEXISTING=false +handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }; trap 'handle_error $LINENO' ERR +cleanup() { echo ""; echo "Cleaning up..."; [ "$PREEXISTING" != true ] && [ -n "$GRAPH_ARN" ] && aws detective delete-graph --graph-arn "$GRAPH_ARN" 2>/dev/null && echo " Deleted graph" || echo " Pre-existing — not deleting"; rm -rf "$WORK_DIR"; echo "Done."; } +echo "Step 1: Enabling Detective" +GRAPHS=$(aws detective list-graphs --query 'GraphList[0].Arn' --output text 2>/dev/null) +if [ -n "$GRAPHS" ] && [ "$GRAPHS" != "None" ]; then echo " Already enabled"; GRAPH_ARN="$GRAPHS"; PREEXISTING=true; else GRAPH_ARN=$(aws detective create-graph --query 'GraphArn' --output text); echo " Graph: $GRAPH_ARN"; fi +echo "Step 2: Listing graphs" +aws detective list-graphs --query 'GraphList[].{Arn:Arn,Created:CreatedTime}' --output table +echo "Step 3: Listing members" +aws detective list-members --graph-arn "$GRAPH_ARN" --query 'MemberDetails[:5].{Account:AccountId,Status:Status}' --output table 2>/dev/null || echo " No members" +echo ""; echo "Tutorial complete." +[ "$PREEXISTING" = true ] && echo "Detective was already enabled." || { echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup; } diff --git a/tuts/131-amazon-verifiedpermissions-gs/README.md b/tuts/131-amazon-verifiedpermissions-gs/README.md new file mode 100644 index 00000000..bfb5fca5 --- /dev/null +++ b/tuts/131-amazon-verifiedpermissions-gs/README.md 
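Review bot: The `cleanup` chain `[ "$PREEXISTING" != true ] && [ -n "$GRAPH_ARN" ] && aws detective delete-graph … && echo " Deleted graph" || echo " Pre-existing — not deleting"` prints "Pre-existing" whenever any earlier link fails, including a failed `delete-graph` (its stderr is discarded) or an empty `GRAPH_ARN` after `create-graph` failed, so a behavior graph that still exists and keeps ingesting data is reported as intentionally kept. Split the cases: `if [ "$PREEXISTING" = true ]; then echo " Pre-existing — not deleting"; elif [ -n "$GRAPH_ARN" ]; then aws detective delete-graph --graph-arn "$GRAPH_ARN" && echo " Deleted graph" || echo " WARNING: delete-graph failed for $GRAPH_ARN"; fi`. A comment on Step 1 would also help: `list-graphs` presumably only returns graphs this account administers, so a member-only account takes the `create-graph` branch — confirm that is the intended behavior.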
@@ -0,0 +1,39 @@ +# Amazon Verifiedpermissions Gs + +An AWS CLI tutorial that demonstrates Verifiedpermissions operations. + +## Running + +```bash +bash amazon-verifiedpermissions-gs.sh +``` + +To auto-run with cleanup: + +```bash +echo 'y' | bash amazon-verifiedpermissions-gs.sh +``` + +## What it does + +1. Creating policy store +2. Creating a static policy +3. Testing authorization +4. Testing denied action +5. Listing policies + +## Resources created + +- Policy +- Policy Store + +The script prompts you to clean up resources when it finishes. + +## Cost + +Free tier eligible for most operations. Clean up resources after use to avoid charges. + +## Related docs + +- [AWS CLI verifiedpermissions reference](https://docs.aws.amazon.com/cli/latest/reference/verifiedpermissions/index.html) + diff --git a/tuts/131-amazon-verifiedpermissions-gs/REVISION-HISTORY.md b/tuts/131-amazon-verifiedpermissions-gs/REVISION-HISTORY.md new file mode 100644 index 00000000..8ea6aee5 --- /dev/null +++ b/tuts/131-amazon-verifiedpermissions-gs/REVISION-HISTORY.md @@ -0,0 +1,8 @@ +# Revision History: 131-amazon-verifiedpermissions-gs + +## Shell (CLI script) + +### 2026-04-14 v1 published +- Type: functional +- Initial version + diff --git a/tuts/131-amazon-verifiedpermissions-gs/amazon-verifiedpermissions-gs.md b/tuts/131-amazon-verifiedpermissions-gs/amazon-verifiedpermissions-gs.md new file mode 100644 index 00000000..878f6913 --- /dev/null +++ b/tuts/131-amazon-verifiedpermissions-gs/amazon-verifiedpermissions-gs.md 
@@ -0,0 +1,31 @@ +# Amazon Verifiedpermissions Gs + +## Prerequisites + +1. AWS CLI installed and configured (`aws configure`) +2. Appropriate IAM permissions for the AWS services used + +## Step 1: Creating policy store + +The script handles this step automatically. See `amazon-verifiedpermissions-gs.sh` for the exact CLI commands. + +## Step 2: Creating a static policy + +The script handles this step automatically. See `amazon-verifiedpermissions-gs.sh` for the exact CLI commands. + +## Step 3: Testing authorization + +The script handles this step automatically. See `amazon-verifiedpermissions-gs.sh` for the exact CLI commands. + +## Step 4: Testing denied action + +The script handles this step automatically. See `amazon-verifiedpermissions-gs.sh` for the exact CLI commands. + +## Step 5: Listing policies + +The script handles this step automatically. See `amazon-verifiedpermissions-gs.sh` for the exact CLI commands. + +## Cleanup + +The script prompts you to clean up all created resources. If you need to clean up manually, check the script log for the resource names that were created. + diff --git a/tuts/131-amazon-verifiedpermissions-gs/amazon-verifiedpermissions-gs.sh b/tuts/131-amazon-verifiedpermissions-gs/amazon-verifiedpermissions-gs.sh new file mode 100644 index 00000000..ff80db5e --- /dev/null +++ b/tuts/131-amazon-verifiedpermissions-gs/amazon-verifiedpermissions-gs.sh 
@@ -0,0 +1,21 @@ +#!/bin/bash +WORK_DIR=$(mktemp -d) +exec > >(tee -a "$WORK_DIR/avp-$(date +%Y%m%d-%H%M%S).log") 2>&1 +REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION" +RANDOM_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1) +handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }; trap 'handle_error $LINENO' ERR +cleanup() { echo ""; echo "Cleaning up..."; [ -n "$STORE_ID" ] && aws verifiedpermissions delete-policy-store --policy-store-id "$STORE_ID" 2>/dev/null && echo " Deleted policy store"; rm -rf "$WORK_DIR"; echo "Done."; } +echo "Step 1: Creating policy store" +STORE_ID=$(aws verifiedpermissions create-policy-store --validation-settings '{"mode":"OFF"}' --query 'policyStoreId' --output text) +echo " Store ID: $STORE_ID" +echo "Step 2: Creating a static policy" +POLICY_ID=$(aws verifiedpermissions create-policy --policy-store-id "$STORE_ID" --definition '{"static":{"statement":"permit(principal, action == Action::\"view\", resource);"}}' --query 'policyId' --output text) +echo " Policy ID: $POLICY_ID" +echo "Step 3: Testing authorization" +aws verifiedpermissions is-authorized --policy-store-id "$STORE_ID" --principal '{"entityType":"User","entityId":"alice"}' --action '{"actionType":"Action","actionId":"view"}' --resource '{"entityType":"Document","entityId":"doc-1"}' --query '{Decision:decision}' --output table +echo "Step 4: Testing denied action" +aws verifiedpermissions is-authorized --policy-store-id "$STORE_ID" --principal '{"entityType":"User","entityId":"alice"}' --action '{"actionType":"Action","actionId":"delete"}' --resource '{"entityType":"Document","entityId":"doc-1"}' --query '{Decision:decision}' --output table +echo "Step 5: Listing policies" +aws verifiedpermissions list-policies --policy-store-id "$STORE_ID" --query 
'policies[].{Id:policyId,Type:policyType}' --output table +echo ""; echo "Tutorial complete." +echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup diff --git a/tuts/154-iam-policies/README.md b/tuts/154-iam-policies/README.md new file mode 100644 index 00000000..cb0d482f --- /dev/null +++ b/tuts/154-iam-policies/README.md @@ -0,0 +1,40 @@ +# Iam Policies + +An AWS CLI tutorial that demonstrates Iam operations. + +## Running + +```bash +bash iam-policies.sh +``` + +To auto-run with cleanup: + +```bash +echo 'y' | bash iam-policies.sh +``` + +## What it does + +1. Creating a custom policy +2. Getting policy details +3. Getting policy version (the actual document) +4. Creating a role and attaching the policy +5. Listing attached policies +6. Simulating policy + +## Resources created + +- Policy +- Role + +The script prompts you to clean up resources when it finishes. + +## Cost + +Free tier eligible for most operations. Clean up resources after use to avoid charges. + +## Related docs + +- [AWS CLI iam reference](https://docs.aws.amazon.com/cli/latest/reference/iam/index.html) + diff --git a/tuts/154-iam-policies/REVISION-HISTORY.md b/tuts/154-iam-policies/REVISION-HISTORY.md new file mode 100644 index 00000000..dbff22af --- /dev/null +++ b/tuts/154-iam-policies/REVISION-HISTORY.md @@ -0,0 +1,8 @@ +# Revision History: 154-iam-policies + +## Shell (CLI script) + +### 2026-04-14 v1 published +- Type: functional +- Initial version + diff --git a/tuts/154-iam-policies/iam-policies.md b/tuts/154-iam-policies/iam-policies.md new file mode 100644 index 00000000..da08a03f --- /dev/null +++ b/tuts/154-iam-policies/iam-policies.md 
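Review bot: When the user answers anything but y, the last line `[[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup` leaves the policy store in place, prints nothing about how to remove it, and exits with status 1 because the failed `[[` is the final command, whereas aws-waf-gs.sh prints a manual-cleanup hint; `if [[ "$CHOICE" =~ ^[Yy]$ ]]; then cleanup; else echo "Manual: aws verifiedpermissions delete-policy-store --policy-store-id $STORE_ID"; fi` fixes both. The same exit-status quirk is in the cleanup prompts of amazon-macie-gs.sh and amazon-detective-gs.sh. Step 1 also deserves a comment: `--validation-settings '{"mode":"OFF"}'` disables schema validation, so the store accepts policies that reference undefined entity types — fine for a demo, but a production store should use `STRICT` with a schema.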
@@ -0,0 +1,35 @@ +# Iam Policies + +## Prerequisites + +1. AWS CLI installed and configured (`aws configure`) +2. Appropriate IAM permissions for the AWS services used + +## Step 1: Creating a custom policy + +The script handles this step automatically. See `iam-policies.sh` for the exact CLI commands. + +## Step 2: Getting policy details + +The script handles this step automatically. See `iam-policies.sh` for the exact CLI commands. + +## Step 3: Getting policy version (the actual document) + +The script handles this step automatically. See `iam-policies.sh` for the exact CLI commands. + +## Step 4: Creating a role and attaching the policy + +The script handles this step automatically. See `iam-policies.sh` for the exact CLI commands. + +## Step 5: Listing attached policies + +The script handles this step automatically. See `iam-policies.sh` for the exact CLI commands. + +## Step 6: Simulating policy + +The script handles this step automatically. See `iam-policies.sh` for the exact CLI commands. + +## Cleanup + +The script prompts you to clean up all created resources. If you need to clean up manually, check the script log for the resource names that were created. + diff --git a/tuts/154-iam-policies/iam-policies.sh b/tuts/154-iam-policies/iam-policies.sh new file mode 100644 index 00000000..a30d84a6 --- /dev/null +++ b/tuts/154-iam-policies/iam-policies.sh 
@@ -0,0 +1,24 @@ +#!/bin/bash +WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/iam-policies.log") 2>&1 +REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION" +RANDOM_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1); POLICY_NAME="tut-policy-${RANDOM_ID}"; ROLE_NAME="tut-iam-role-${RANDOM_ID}" +ACCOUNT=$(aws sts get-caller-identity --query 'Account' --output text) +handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }; trap 'handle_error $LINENO' ERR +cleanup() { echo ""; echo "Cleaning up..."; aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "arn:aws:iam::${ACCOUNT}:policy/$POLICY_NAME" 2>/dev/null; aws iam delete-role --role-name "$ROLE_NAME" 2>/dev/null && echo " Deleted role"; aws iam delete-policy --policy-arn "arn:aws:iam::${ACCOUNT}:policy/$POLICY_NAME" 2>/dev/null && echo " Deleted policy"; rm -rf "$WORK_DIR"; echo "Done."; } +echo "Step 1: Creating a custom policy" +POLICY_ARN=$(aws iam create-policy --policy-name "$POLICY_NAME" --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::example-bucket","arn:aws:s3:::example-bucket/*"]},{"Effect":"Deny","Action":"s3:DeleteObject","Resource":"*"}]}' --query 'Policy.Arn' --output text) +echo " Policy ARN: $POLICY_ARN" +echo "Step 2: Getting policy details" +aws iam get-policy --policy-arn "$POLICY_ARN" --query 'Policy.{Name:PolicyName,Arn:Arn,Versions:AttachmentCount}' --output table +echo "Step 3: Getting policy version (the actual document)" +aws iam get-policy-version --policy-arn "$POLICY_ARN" --version-id v1 --query 'PolicyVersion.Document' --output json | python3 -m json.tool +echo "Step 4: Creating a role and attaching the policy" +aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document 
'{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}' > /dev/null +aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN" +echo " Attached $POLICY_NAME to $ROLE_NAME" +echo "Step 5: Listing attached policies" +aws iam list-attached-role-policies --role-name "$ROLE_NAME" --query 'AttachedPolicies[].{Name:PolicyName,Arn:PolicyArn}' --output table +echo "Step 6: Simulating policy" +aws iam simulate-principal-policy --policy-source-arn "arn:aws:iam::${ACCOUNT}:role/$ROLE_NAME" --action-names s3:GetObject s3:DeleteObject --resource-arns "arn:aws:s3:::example-bucket/file.txt" --query 'EvaluationResults[].{Action:EvalActionName,Decision:EvalDecision}' --output table +echo ""; echo "Tutorial complete." +echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup
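Review bot: `cleanup` and Step 6 rebuild ARNs by hand with the `aws` partition (`arn:aws:iam::${ACCOUNT}:policy/$POLICY_NAME`, `arn:aws:iam::${ACCOUNT}:role/$ROLE_NAME`), so in the `aws-us-gov` or `aws-cn` partitions the detach and delete calls fail silently behind `2>/dev/null` and the policy and role are left behind while the script prints "Done.". The script already holds `POLICY_ARN` from `create-policy`; use it in `cleanup`, and capture the role ARN instead of discarding it with `> /dev/null`: `ROLE_ARN=$(aws iam create-role … --query 'Role.Arn' --output text)`, then `--policy-source-arn "$ROLE_ARN"` in Step 6. Minor: the Step 2 table labels `AttachmentCount` as `Versions`; `Attachments:AttachmentCount` would describe what is shown.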