Versions Compared

...

  1. Login to the cu-training AWS account using AWS SSO (the other compared revision reads: "traditional Shibboleth login").
    1. Use this link to initiate login: https://cornell-sso.awsapps.com/start
    2. On the "Single Sign-on" page, click on "Search" and enter "training".
    3. (Other compared revision) Sign in at signin.aws.cucloud.net/
    4. If you are given the option of selecting a role, select "shib-training" under the "cu-training" AWS account, and click on "Sign in". (Other compared revision: Click on the "CU AWS Training" item and click on "Management Console" in the role for "sso-training".)
  2. Once in the AWS Management Console, check which AWS region your console is pointed at. You want "N. Virginia". If your console is in any other region, change it to "US East (N. Virginia) us-east-1".
  3. In the AWS Management Console, type "config" in the search box and click on "Config" under "Services".
  4. In the Config Dashboard, take note of the high number of non-compliant resources (100+).

...

  1. Click on "Resources" from the left-hand navigation panel in the Config console.
  2. Enter the "netid" form of your Cornell email address (e.g., netid@cornell.edu) in the "Resource identifier" search field and press "Enter" on your keyboard. This starts the search for "your" IAM user.
  3. Config should show one search result, listing an IAM user named like "netid@cornell.edu". That IAM User resource will be labelled as non-compliant.
  4. Click on the IAM user name (i.e., netid@cornell.edu) to drill into that resource.
  5. Review the "Rules" at the bottom to confirm that "your" IAM user is indeed non-compliant with respect to the 251-MED-no-iam-users-except-whitelist rule.
  6. In the top right of that page, click on "Manage Resource".

Part 1C – Whitelist "your" IAM user

  1. You should now be viewing "your" IAM user in the IAM console.
  2. Click on the "Tags" tab.
  3. Click on "Add tags".
  4. Add a tag with the following settings:
    1. Key: cit:config:251-MED-no-iam-users-except-whitelist
    2. Value: exception
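To make the whitelist mechanism concrete, here is an added example (not the page's or Cornell's own rule code) of how a custom AWS Config rule could evaluate an IAM user against the tag above. It assumes the standard custom-rule Lambda event shape (configuration item JSON-encoded in `invokingEvent`) and that the rule treats any IAM user without the `exception` tag as NON_COMPLIANT; the sample configuration items are constructed.

```python
import json

# Tag key/value that, per the steps above, whitelists an IAM user for this rule.
RULE_NAME = "251-MED-no-iam-users-except-whitelist"
EXCEPTION_TAG_KEY = f"cit:config:{RULE_NAME}"
EXCEPTION_TAG_VALUE = "exception"


def evaluate_iam_user(configuration_item: dict) -> dict:
    """Evaluate one AWS Config configuration item for this rule.

    Assumed semantics: every IAM user is NON_COMPLIANT unless it carries
    the exception tag with exactly the value "exception".
    """
    if configuration_item.get("resourceType") != "AWS::IAM::User":
        return {"complianceType": "NOT_APPLICABLE", "annotation": "Not an IAM user"}
    tags = configuration_item.get("tags") or {}  # Config exposes tags as a key->value map
    if tags.get(EXCEPTION_TAG_KEY) == EXCEPTION_TAG_VALUE:
        return {"complianceType": "COMPLIANT",
                "annotation": f"Whitelisted via tag {EXCEPTION_TAG_KEY}"}
    return {"complianceType": "NON_COMPLIANT",
            "annotation": f"IAM user lacks tag {EXCEPTION_TAG_KEY}={EXCEPTION_TAG_VALUE}"}


def lambda_handler(event, context=None):
    """Entry point in the shape AWS Config uses for custom Lambda rules.
    A deployed rule would pass the returned evaluation to
    config.put_evaluations(ResultToken=event["resultToken"]); omitted here."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    result = evaluate_iam_user(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": result["complianceType"],
        "Annotation": result["annotation"],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


# Constructed sample configuration items (placeholder ids, not real account data).
SAMPLE_UNTAGGED_USER = {"resourceType": "AWS::IAM::User", "resourceId": "AIDAEXAMPLE1",
                        "resourceName": "netid@cornell.edu", "tags": {},
                        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z"}
SAMPLE_WHITELISTED_USER = dict(SAMPLE_UNTAGGED_USER, resourceId="AIDAEXAMPLE2",
                               tags={EXCEPTION_TAG_KEY: EXCEPTION_TAG_VALUE})
SAMPLE_WRONG_VALUE_USER = dict(SAMPLE_UNTAGGED_USER, resourceId="AIDAEXAMPLE3",
                               tags={EXCEPTION_TAG_KEY: "Exception"})  # case matters
```

Note that the tag value is compared exactly, so `Exception` or trailing whitespace would leave the user non-compliant, which is what the training walkthrough is checking for.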


Part 2 – S3 Buckets