Tutorials: security-batch-13 (5 tutorials)

tuts/174-iam-access-analyzer/README.md

@@ -0,0 +1,37 @@
+# Iam Access Analyzer
+
+An AWS CLI tutorial that demonstrates Accessanalyzer operations.
+
+## Running
+
+```bash
+bash iam-access-analyzer.sh
+```
+
+To auto-run with cleanup:
+
+```bash
+echo 'y' | bash iam-access-analyzer.sh
+```
+
+## What it does
+
+1. Creating analyzer: $ANALYZER
+2. Listing findings
+3. Getting analyzer details
+4. Listing analyzers
+
+## Resources created
+
+- Analyzer
+
+The script prompts you to clean up resources when it finishes.
+
+## Cost
+
+Free tier eligible for most operations. Clean up resources after use to avoid charges.
+
+## Related docs
+
+- [AWS CLI accessanalyzer reference](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/index.html)
+

tuts/174-iam-access-analyzer/REVISION-HISTORY.md

@@ -0,0 +1,8 @@
+# Revision History: 174-iam-access-analyzer
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+

tuts/174-iam-access-analyzer/iam-access-analyzer.md

@@ -0,0 +1,27 @@
+# Iam Access Analyzer
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Creating analyzer: $ANALYZER
+
+The script handles this step automatically. See `iam-access-analyzer.sh` for the exact CLI commands.
+
+## Step 2: Listing findings
+
+The script handles this step automatically. See `iam-access-analyzer.sh` for the exact CLI commands.
+
+## Step 3: Getting analyzer details
+
+The script handles this step automatically. See `iam-access-analyzer.sh` for the exact CLI commands.
+
+## Step 4: Listing analyzers
+
+The script handles this step automatically. See `iam-access-analyzer.sh` for the exact CLI commands.
+
+## Cleanup
+
+The script prompts you to clean up all created resources. If you need to clean up manually, check the script log for the resource names that were created.
+

tuts/174-iam-access-analyzer/iam-access-analyzer.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/aa.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+RANDOM_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1); ANALYZER="tut-analyzer-${RANDOM_ID}"
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }; trap 'handle_error $LINENO' ERR
+cleanup() { echo ""; echo "Cleaning up..."; [ -n "$ANALYZER_ARN" ] && aws accessanalyzer delete-analyzer --analyzer-name "$ANALYZER" 2>/dev/null && echo "  Deleted analyzer"; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Creating analyzer: $ANALYZER"
+ANALYZER_ARN=$(aws accessanalyzer create-analyzer --analyzer-name "$ANALYZER" --type ACCOUNT --query 'arn' --output text)
+echo "  ARN: $ANALYZER_ARN"
+echo "Step 2: Listing findings"
+aws accessanalyzer list-findings --analyzer-arn "$ANALYZER_ARN" --query 'findings[:5].{Resource:resource,Type:resourceType,Status:status}' --output table 2>/dev/null || echo "  No findings yet (analysis takes a few minutes)"
+echo "Step 3: Getting analyzer details"
+aws accessanalyzer get-analyzer --analyzer-name "$ANALYZER" --query 'analyzer.{Name:name,Type:type,Status:status}' --output table
+echo "Step 4: Listing analyzers"
+aws accessanalyzer list-analyzers --query 'analyzers[?starts_with(name, `tut-`)].{Name:name,Status:status}' --output table
+echo ""; echo "Tutorial complete."
+echo "Do you want to clean up? (y/n): "; read -r CHOICE; [[ "$CHOICE" =~ ^[Yy]$ ]] && cleanup

tuts/188-iam-mfa-devices/README.md

@@ -0,0 +1,29 @@
+# Iam Mfa
+
+A read-only script that queries Iam resources and displays information.
+
+## Running
+
+```bash
+bash iam-mfa.sh
+```
+
+## What it does
+
+1. Listing MFA devices
+2. Listing virtual MFA devices
+3. Getting account summary (MFA status)
+4. Getting credential report
+
+## Resources created
+
+None — this script is read-only.
+
+## Cost
+
+No cost. This script only reads existing resources.
+
+## Related docs
+
+- [AWS CLI iam reference](https://docs.aws.amazon.com/cli/latest/reference/iam/index.html)
+

tuts/188-iam-mfa-devices/REVISION-HISTORY.md

@@ -0,0 +1,8 @@
+# Revision History: 188-iam-mfa-devices
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+

tuts/188-iam-mfa-devices/iam-mfa.md

@@ -0,0 +1,23 @@
+# Iam Mfa
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Listing MFA devices
+
+The script handles this step automatically. See `iam-mfa.sh` for the exact CLI commands.
+
+## Step 2: Listing virtual MFA devices
+
+The script handles this step automatically. See `iam-mfa.sh` for the exact CLI commands.
+
+## Step 3: Getting account summary (MFA status)
+
+The script handles this step automatically. See `iam-mfa.sh` for the exact CLI commands.
+
+## Step 4: Getting credential report
+
+The script handles this step automatically. See `iam-mfa.sh` for the exact CLI commands.
+

tuts/188-iam-mfa-devices/iam-mfa.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+echo "Step 1: Listing MFA devices"
+aws iam list-mfa-devices --query 'MFADevices[].{User:UserName,Serial:SerialNumber,Enabled:EnableDate}' --output table 2>/dev/null || echo "  No MFA devices"
+echo "Step 2: Listing virtual MFA devices"
+aws iam list-virtual-mfa-devices --query 'VirtualMFADevices[:5].{Serial:SerialNumber,User:User.UserName}' --output table
+echo "Step 3: Getting account summary (MFA status)"
+aws iam get-account-summary --query 'SummaryMap.{Users:Users,MFADevices:MFADevices,AccountMFAEnabled:AccountMFAEnabled}' --output table
+echo "Step 4: Getting credential report"
+aws iam generate-credential-report > /dev/null 2>&1; sleep 3
+aws iam get-credential-report --query 'GeneratedTime' --output text 2>/dev/null || echo "  Report generating..."
+echo ""; echo "Tutorial complete. No resources created — read-only."
+rm -rf "$WORK_DIR"

tuts/194-iam-password-policy/README.md

@@ -0,0 +1,28 @@
+# Iam Password Policy
+
+A read-only script that queries Iam resources and displays information.
+
+## Running
+
+```bash
+bash iam-password-policy.sh
+```
+
+## What it does
+
+1. Getting current password policy
+2. Getting account authorization details summary
+3. Listing access keys
+
+## Resources created
+
+None — this script is read-only.
+
+## Cost
+
+No cost. This script only reads existing resources.
+
+## Related docs
+
+- [AWS CLI iam reference](https://docs.aws.amazon.com/cli/latest/reference/iam/index.html)
+

tuts/194-iam-password-policy/REVISION-HISTORY.md

@@ -0,0 +1,8 @@
+# Revision History: 194-iam-password-policy
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+

tuts/194-iam-password-policy/iam-password-policy.md

@@ -0,0 +1,19 @@
+# Iam Password Policy
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Getting current password policy
+
+The script handles this step automatically. See `iam-password-policy.sh` for the exact CLI commands.
+
+## Step 2: Getting account authorization details summary
+
+The script handles this step automatically. See `iam-password-policy.sh` for the exact CLI commands.
+
+## Step 3: Listing access keys
+
+The script handles this step automatically. See `iam-password-policy.sh` for the exact CLI commands.
+

tuts/194-iam-password-policy/iam-password-policy.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+echo "Step 1: Getting current password policy"
+aws iam get-account-password-policy --query 'PasswordPolicy.{MinLength:MinimumPasswordLength,RequireUpper:RequireUppercaseCharacters,RequireLower:RequireLowercaseCharacters,RequireNumbers:RequireNumbers,RequireSymbols:RequireSymbols,MaxAge:MaxPasswordAge,ExpirePasswords:ExpirePasswords}' --output table 2>/dev/null || echo "  No custom password policy set"
+echo "Step 2: Getting account authorization details summary"
+aws iam get-account-summary --query 'SummaryMap.{Users:Users,Groups:Groups,Roles:Roles,Policies:Policies,MFADevices:MFADevices}' --output table
+echo "Step 3: Listing access keys"
+aws iam list-access-keys --query 'AccessKeyMetadata[].{User:UserName,KeyId:AccessKeyId,Status:Status,Created:CreateDate}' --output table
+echo ""; echo "Tutorial complete. No resources created — read-only."
+rm -rf "$WORK_DIR"

tuts/199-iam-groups/README.md

@@ -0,0 +1,37 @@
+# Iam Groups
+
+An AWS CLI tutorial that demonstrates Iam operations.
+
+## Running
+
+```bash
+bash iam-groups.sh
+```
+
+To auto-run with cleanup:
+
+```bash
+echo 'y' | bash iam-groups.sh
+```
+
+## What it does
+
+1. Creating group: $G"; aws iam create-group --group-name "$G
+2. Attaching policy"; aws iam attach-group-policy --group-name "$G
+3. Describing group"; aws iam get-group --group-name "$G
+4. Listing attached policies"; aws iam list-attached-group-policies --group-name "$G
+
+## Resources created
+
+- Group
+
+The script prompts you to clean up resources when it finishes.
+
+## Cost
+
+Free tier eligible for most operations. Clean up resources after use to avoid charges.
+
+## Related docs
+
+- [AWS CLI iam reference](https://docs.aws.amazon.com/cli/latest/reference/iam/index.html)
+

tuts/199-iam-groups/REVISION-HISTORY.md

@@ -0,0 +1,8 @@
+# Revision History: 199-iam-groups
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+

tuts/199-iam-groups/iam-groups.md

@@ -0,0 +1,27 @@
+# Iam Groups
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Creating group: $G"; aws iam create-group --group-name "$G
+
+The script handles this step automatically. See `iam-groups.sh` for the exact CLI commands.
+
+## Step 2: Attaching policy"; aws iam attach-group-policy --group-name "$G
+
+The script handles this step automatically. See `iam-groups.sh` for the exact CLI commands.
+
+## Step 3: Describing group"; aws iam get-group --group-name "$G
+
+The script handles this step automatically. See `iam-groups.sh` for the exact CLI commands.
+
+## Step 4: Listing attached policies"; aws iam list-attached-group-policies --group-name "$G
+
+The script handles this step automatically. See `iam-groups.sh` for the exact CLI commands.
+
+## Cleanup
+
+The script prompts you to clean up all created resources. If you need to clean up manually, check the script log for the resource names that were created.
+

tuts/199-iam-groups/iam-groups.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+RANDOM_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1); G="tut-group-${RANDOM_ID}"
+cleanup() { aws iam detach-group-policy --group-name "$G" --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess 2>/dev/null; aws iam delete-group --group-name "$G" 2>/dev/null; rm -rf "$WORK_DIR"; echo "Done."; }
+echo "Step 1: Creating group: $G"; aws iam create-group --group-name "$G" > /dev/null
+echo "Step 2: Attaching policy"; aws iam attach-group-policy --group-name "$G" --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
+echo "Step 3: Describing group"; aws iam get-group --group-name "$G" --query 'Group.{Name:GroupName,Created:CreateDate}' --output table
+echo "Step 4: Listing attached policies"; aws iam list-attached-group-policies --group-name "$G" --query 'AttachedPolicies[].{Name:PolicyName}' --output table
+echo "Do you want to clean up? (y/n): "; read -r C; [[ "$C" =~ ^[Yy]$ ]] && cleanup

tuts/205-iam-service-linked-roles/README.md

@@ -0,0 +1,27 @@
+# Iam Service Linked Roles
+
+A read-only script that queries Iam resources and displays information.
+
+## Running
+
+```bash
+bash iam-service-linked-roles.sh
+```
+
+## What it does
+
+1. Listing service-linked roles
+2. Counting roles by type"; echo "  Service-linked: $(aws iam list-roles --query 'Roles[?starts_with(Path, `/aws-service-role/`)] | length(@)' --output text)
+
+## Resources created
+
+None — this script is read-only.
+
+## Cost
+
+No cost. This script only reads existing resources.
+
+## Related docs
+
+- [AWS CLI iam reference](https://docs.aws.amazon.com/cli/latest/reference/iam/index.html)
+

tuts/205-iam-service-linked-roles/REVISION-HISTORY.md

@@ -0,0 +1,8 @@
+# Revision History: 205-iam-service-linked-roles
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+

tuts/205-iam-service-linked-roles/iam-service-linked-roles.md

@@ -0,0 +1,15 @@
+# Iam Service Linked Roles
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Listing service-linked roles
+
+The script handles this step automatically. See `iam-service-linked-roles.sh` for the exact CLI commands.
+
+## Step 2: Counting roles by type"; echo "  Service-linked: $(aws iam list-roles --query 'Roles[?starts_with(Path, `/aws-service-role/`)] | length(@)' --output text)
+
+The script handles this step automatically. See `iam-service-linked-roles.sh` for the exact CLI commands.
+

tuts/205-iam-service-linked-roles/iam-service-linked-roles.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d); exec > >(tee -a "$WORK_DIR/tut.log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}; [ -z "$REGION" ] && echo "ERROR: No region" && exit 1; export AWS_DEFAULT_REGION="$REGION"; echo "Region: $REGION"
+echo "Step 1: Listing service-linked roles"; aws iam list-roles --query 'Roles[?starts_with(Path, `/aws-service-role/`)][:10].{Name:RoleName,Service:Path}' --output table
+echo "Step 2: Counting roles by type"; echo "  Service-linked: $(aws iam list-roles --query 'Roles[?starts_with(Path, `/aws-service-role/`)] | length(@)' --output text)"
+echo "  Custom: $(aws iam list-roles --query 'Roles[?Path==`/`] | length(@)' --output text)"
+echo ""; echo "Tutorial complete. Read-only."; rm -rf "$WORK_DIR"