Tutorials: security-batch-12 (5 tutorials)

tuts/128-aws-waf-gs/README.md

@@ -0,0 +1,37 @@
+# Aws Waf Gs
+
+An AWS CLI tutorial that demonstrates Wafv2 operations.
+
+## Running
+
+```bash
+bash aws-waf-gs.sh
+```
+
+To auto-run with cleanup:
+
+```bash
+echo 'y' | bash aws-waf-gs.sh
+```
+
+## What it does
+
+1. Creating web ACL: $ACL_NAME
+2. Describing web ACL
+3. Listing available managed rule groups
+4. Listing web ACLs
+
+## Resources created
+
+- Web Acl
+
+The script prompts you to clean up resources when it finishes.
+
+## Cost
+
+Free tier eligible for most operations. Clean up resources after use to avoid charges.
+
+## Related docs
+
+- [AWS CLI wafv2 reference](https://docs.aws.amazon.com/cli/latest/reference/wafv2/index.html)
+

tuts/128-aws-waf-gs/REVISION-HISTORY.md

@@ -0,0 +1,8 @@
+# Revision History: 128-aws-waf-gs
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+

tuts/128-aws-waf-gs/aws-waf-gs.md

@@ -0,0 +1,27 @@
+# Aws Waf Gs
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Creating web ACL: $ACL_NAME
+
+The script handles this step automatically. See `aws-waf-gs.sh` for the exact CLI commands.
+
+## Step 2: Describing web ACL
+
+The script handles this step automatically. See `aws-waf-gs.sh` for the exact CLI commands.
+
+## Step 3: Listing available managed rule groups
+
+The script handles this step automatically. See `aws-waf-gs.sh` for the exact CLI commands.
+
+## Step 4: Listing web ACLs
+
+The script handles this step automatically. See `aws-waf-gs.sh` for the exact CLI commands.
+
+## Cleanup
+
+The script prompts you to clean up all created resources. If you need to clean up manually, check the script log for the resource names that were created.
+

tuts/128-aws-waf-gs/aws-waf-gs.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d)
+exec > >(tee -a "$WORK_DIR/waf-$(date +%Y%m%d-%H%M%S).log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}
+[ -z "$REGION" ] && echo "ERROR: No region" && exit 1
+export AWS_DEFAULT_REGION="$REGION"
+echo "Region: $REGION"
+RANDOM_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
+ACL_NAME="tut-acl-${RANDOM_ID}"
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }
+trap 'handle_error $LINENO' ERR
+cleanup() { echo ""; echo "Cleaning up..."; if [ -n "$ACL_ID" ]; then LOCK=$(aws wafv2 get-web-acl --name "$ACL_NAME" --scope REGIONAL --id "$ACL_ID" --query 'LockToken' --output text 2>/dev/null); aws wafv2 delete-web-acl --name "$ACL_NAME" --scope REGIONAL --id "$ACL_ID" --lock-token "$LOCK" 2>/dev/null && echo "  Deleted web ACL"; fi; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Creating web ACL: $ACL_NAME"
+ACL_ID=$(aws wafv2 create-web-acl --name "$ACL_NAME" --scope REGIONAL \
+    --default-action '{"Allow":{}}' \
+    --visibility-config '{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"tutorialACL"}' \
+    --rules '[{"Name":"RateLimit","Priority":1,"Statement":{"RateBasedStatement":{"Limit":1000,"AggregateKeyType":"IP"}},"Action":{"Block":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"RateLimit"}}]' \
+    --query 'Summary.Id' --output text)
+echo "  ACL ID: $ACL_ID"
+echo "Step 2: Describing web ACL"
+aws wafv2 get-web-acl --name "$ACL_NAME" --scope REGIONAL --id "$ACL_ID" --query 'WebACL.{Name:Name,Id:Id,Rules:Rules|length(@),DefaultAction:DefaultAction}' --output table
+echo "Step 3: Listing available managed rule groups"
+aws wafv2 list-available-managed-rule-groups --scope REGIONAL --query 'ManagedRuleGroups[:5].{Vendor:VendorName,Name:Name}' --output table
+echo "Step 4: Listing web ACLs"
+aws wafv2 list-web-acls --scope REGIONAL --query 'WebACLs[?starts_with(Name, `tut-`)].{Name:Name,Id:Id}' --output table
+echo ""
+echo "Tutorial complete."
+echo "Do you want to clean up? (y/n): "
+read -r CHOICE
+[[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup || echo "Manual: aws wafv2 delete-web-acl (requires lock-token)"

tuts/129-amazon-macie-gs/README.md

@@ -0,0 +1,29 @@
+# Amazon Macie Gs
+
+A read-only script that queries Macie2 resources and displays information.
+
+## Running
+
+```bash
+bash amazon-macie-gs.sh
+```
+
+## What it does
+
+1. Enabling Macie
+2. Getting session details
+3. Listing S3 buckets
+4. Getting usage statistics
+
+## Resources created
+
+None — this script is read-only.
+
+## Cost
+
+No cost. This script only reads existing resources.
+
+## Related docs
+
+- [AWS CLI macie2 reference](https://docs.aws.amazon.com/cli/latest/reference/macie2/index.html)
+

tuts/129-amazon-macie-gs/REVISION-HISTORY.md

@@ -0,0 +1,8 @@
+# Revision History: 129-amazon-macie-gs
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+

tuts/129-amazon-macie-gs/amazon-macie-gs.md

@@ -0,0 +1,23 @@
+# Amazon Macie Gs
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Enabling Macie
+
+The script handles this step automatically. See `amazon-macie-gs.sh` for the exact CLI commands.
+
+## Step 2: Getting session details
+
+The script handles this step automatically. See `amazon-macie-gs.sh` for the exact CLI commands.
+
+## Step 3: Listing S3 buckets
+
+The script handles this step automatically. See `amazon-macie-gs.sh` for the exact CLI commands.
+
+## Step 4: Getting usage statistics
+
+The script handles this step automatically. See `amazon-macie-gs.sh` for the exact CLI commands.
+

tuts/129-amazon-macie-gs/amazon-macie-gs.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d)
+exec > >(tee -a "$WORK_DIR/macie-$(date +%Y%m%d-%H%M%S).log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}
+[ -z "$REGION" ] && echo "ERROR: No region" && exit 1
+export AWS_DEFAULT_REGION="$REGION"
+echo "Region: $REGION"
+PREEXISTING=false
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }
+trap 'handle_error $LINENO' ERR
+cleanup() { echo ""; echo "Cleaning up..."; [ "$PREEXISTING" != true ] && aws macie2 disable-macie 2>/dev/null && echo "  Disabled Macie" || echo "  Macie was pre-existing — not disabling"; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Enabling Macie"
+STATUS=$(aws macie2 get-macie-session --query 'status' --output text 2>/dev/null || echo "DISABLED")
+if [ "$STATUS" = "ENABLED" ]; then echo "  Already enabled"; PREEXISTING=true; else aws macie2 enable-macie 2>/dev/null; echo "  Macie enabled"; fi
+echo "Step 2: Getting session details"
+aws macie2 get-macie-session --query '{Status:status,Created:createdAt,Updated:updatedAt}' --output table
+echo "Step 3: Listing S3 buckets"
+aws macie2 describe-buckets --query 'buckets[:5].{Name:bucketName,Encryption:serverSideEncryption.type,Public:publicAccess.effectivePermission}' --output table 2>/dev/null || echo "  Bucket inventory not ready yet"
+echo "Step 4: Getting usage statistics"
+aws macie2 get-usage-totals --query 'usageTotals[].{Type:type,Amount:estimatedCost}' --output table 2>/dev/null || echo "  No usage data yet"
+echo ""
+echo "Tutorial complete."
+[ "$PREEXISTING" = true ] && echo "Macie was already enabled — not disabling." || { echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup; }

tuts/130-amazon-detective-gs/README.md

@@ -0,0 +1,36 @@
+# Amazon Detective Gs
+
+An AWS CLI tutorial that demonstrates Detective operations.
+
+## Running
+
+```bash
+bash amazon-detective-gs.sh
+```
+
+To auto-run with cleanup:
+
+```bash
+echo 'y' | bash amazon-detective-gs.sh
+```
+
+## What it does
+
+1. Enabling Detective
+2. Listing graphs
+3. Listing members
+
+## Resources created
+
+- Graph
+
+The script prompts you to clean up resources when it finishes.
+
+## Cost
+
+Free tier eligible for most operations. Clean up resources after use to avoid charges.
+
+## Related docs
+
+- [AWS CLI detective reference](https://docs.aws.amazon.com/cli/latest/reference/detective/index.html)
+

tuts/130-amazon-detective-gs/REVISION-HISTORY.md

@@ -0,0 +1,8 @@
+# Revision History: 130-amazon-detective-gs
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+

tuts/130-amazon-detective-gs/amazon-detective-gs.md

@@ -0,0 +1,23 @@
+# Amazon Detective Gs
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Enabling Detective
+
+The script handles this step automatically. See `amazon-detective-gs.sh` for the exact CLI commands.
+
+## Step 2: Listing graphs
+
+The script handles this step automatically. See `amazon-detective-gs.sh` for the exact CLI commands.
+
+## Step 3: Listing members
+
+The script handles this step automatically. See `amazon-detective-gs.sh` for the exact CLI commands.
+
+## Cleanup
+
+The script prompts you to clean up all created resources. If you need to clean up manually, check the script log for the resource names that were created.
+

tuts/130-amazon-detective-gs/amazon-detective-gs.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d)
+exec > >(tee -a "$WORK_DIR/detective-$(date +%Y%m%d-%H%M%S).log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+PREEXISTING=false
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }; trap 'handle_error $LINENO' ERR
+cleanup() { echo ""; echo "Cleaning up..."; [ "$PREEXISTING" != true ] && [ -n "$GRAPH_ARN" ] && aws detective delete-graph --graph-arn "$GRAPH_ARN" 2>/dev/null && echo "  Deleted graph" || echo "  Pre-existing — not deleting"; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Enabling Detective"
+GRAPHS=$(aws detective list-graphs --query 'GraphList[0].Arn' --output text 2>/dev/null)
+if [ -n "$GRAPHS" ] && [ "$GRAPHS" != "None" ]; then echo "  Already enabled"; GRAPH_ARN="$GRAPHS"; PREEXISTING=true; else GRAPH_ARN=$(aws detective create-graph --query 'GraphArn' --output text); echo "  Graph: $GRAPH_ARN"; fi
+echo "Step 2: Listing graphs"
+aws detective list-graphs --query 'GraphList[].{Arn:Arn,Created:CreatedTime}' --output table
+echo "Step 3: Listing members"
+aws detective list-members --graph-arn "$GRAPH_ARN" --query 'MemberDetails[:5].{Account:AccountId,Status:Status}' --output table 2>/dev/null || echo "  No members"
+echo ""; echo "Tutorial complete."
+[ "$PREEXISTING" = true ] && echo "Detective was already enabled." || { echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup; }

tuts/131-amazon-verifiedpermissions-gs/README.md

@@ -0,0 +1,39 @@
+# Amazon Verifiedpermissions Gs
+
+An AWS CLI tutorial that demonstrates Verifiedpermissions operations.
+
+## Running
+
+```bash
+bash amazon-verifiedpermissions-gs.sh
+```
+
+To auto-run with cleanup:
+
+```bash
+echo 'y' | bash amazon-verifiedpermissions-gs.sh
+```
+
+## What it does
+
+1. Creating policy store
+2. Creating a static policy
+3. Testing authorization
+4. Testing denied action
+5. Listing policies
+
+## Resources created
+
+- Policy
+- Policy Store
+
+The script prompts you to clean up resources when it finishes.
+
+## Cost
+
+Free tier eligible for most operations. Clean up resources after use to avoid charges.
+
+## Related docs
+
+- [AWS CLI verifiedpermissions reference](https://docs.aws.amazon.com/cli/latest/reference/verifiedpermissions/index.html)
+

tuts/131-amazon-verifiedpermissions-gs/REVISION-HISTORY.md

@@ -0,0 +1,8 @@
+# Revision History: 131-amazon-verifiedpermissions-gs
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+

tuts/131-amazon-verifiedpermissions-gs/amazon-verifiedpermissions-gs.md

@@ -0,0 +1,31 @@
+# Amazon Verifiedpermissions Gs
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Creating policy store
+
+The script handles this step automatically. See `amazon-verifiedpermissions-gs.sh` for the exact CLI commands.
+
+## Step 2: Creating a static policy
+
+The script handles this step automatically. See `amazon-verifiedpermissions-gs.sh` for the exact CLI commands.
+
+## Step 3: Testing authorization
+
+The script handles this step automatically. See `amazon-verifiedpermissions-gs.sh` for the exact CLI commands.
+
+## Step 4: Testing denied action
+
+The script handles this step automatically. See `amazon-verifiedpermissions-gs.sh` for the exact CLI commands.
+
+## Step 5: Listing policies
+
+The script handles this step automatically. See `amazon-verifiedpermissions-gs.sh` for the exact CLI commands.
+
+## Cleanup
+
+The script prompts you to clean up all created resources. If you need to clean up manually, check the script log for the resource names that were created.
+

tuts/131-amazon-verifiedpermissions-gs/amazon-verifiedpermissions-gs.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d)
+exec > >(tee -a "$WORK_DIR/avp-$(date +%Y%m%d-%H%M%S).log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+RANDOM_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }; trap 'handle_error $LINENO' ERR
+cleanup() { echo ""; echo "Cleaning up..."; [ -n "$STORE_ID" ] && aws verifiedpermissions delete-policy-store --policy-store-id "$STORE_ID" 2>/dev/null && echo "  Deleted policy store"; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Creating policy store"
+STORE_ID=$(aws verifiedpermissions create-policy-store --validation-settings '{"mode":"OFF"}' --query 'policyStoreId' --output text)
+echo "  Store ID: $STORE_ID"
+echo "Step 2: Creating a static policy"
+POLICY_ID=$(aws verifiedpermissions create-policy --policy-store-id "$STORE_ID" --definition '{"static":{"statement":"permit(principal, action == Action::\"view\", resource);"}}' --query 'policyId' --output text)
+echo "  Policy ID: $POLICY_ID"
+echo "Step 3: Testing authorization"
+aws verifiedpermissions is-authorized --policy-store-id "$STORE_ID" --principal '{"entityType":"User","entityId":"alice"}' --action '{"actionType":"Action","actionId":"view"}' --resource '{"entityType":"Document","entityId":"doc-1"}' --query '{Decision:decision}' --output table
+echo "Step 4: Testing denied action"
+aws verifiedpermissions is-authorized --policy-store-id "$STORE_ID" --principal '{"entityType":"User","entityId":"alice"}' --action '{"actionType":"Action","actionId":"delete"}' --resource '{"entityType":"Document","entityId":"doc-1"}' --query '{Decision:decision}' --output table
+echo "Step 5: Listing policies"
+aws verifiedpermissions list-policies --policy-store-id "$STORE_ID" --query 'policies[].{Id:policyId,Type:policyType}' --output table
+echo ""; echo "Tutorial complete."
+echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup