Introduction

This hands-on exercise shows how to find non-compliant resources in AWS Config and how to whitelist them for Config.

Part 1 – IAM Users

Goal

Although the use of IAM users in Cornell AWS accounts is discouraged in most situations, there are some valid use-cases where IAM users are necessary. The Cornell AWS Config rule 251-MED-no-iam-users-except-whitelist labels all IAM users as non-compliant unless they are specifically whitelisted. 

For this exercise, an IAM user was previously created in cu-training for each training participant. In this exercise, you will find "your" IAM user there and whitelist it for the 251-MED-no-iam-users-except-whitelist Config rule.

Part 1A - Login and get to Config

  1. Login to the cu-training AWS account using AWS SSO.
    1. Use this link to initiate login: https://cornell-sso.awsapps.com/start
    2. On the "Single Sign-on" page, click on "Search" and enter "training".
    3. Click on the "CU AWS Training" item and click "Management Console" in the row for the "sso-training" role.
  2. Once in the AWS Management Console, check which AWS region your console is pointed at. You want "N. Virginia". If your console is in any other region, change it to "US East (N. Virginia) us-east-1".
  3. In the AWS Management Console, type "config" in the search box and click on "Config" under "Services".
  4. In the Config Dashboard, take note of the high number of non-compliant resources (100+ resources).

Part 1B – Find "your" IAM user

  1. Click on "Resources" from the left-hand navigation panel in the Config console.
  2. Enter the "netid" form of your Cornell email address (e.g., netid@cornell.edu) in the "Resource identifier" search field and hit "enter" on your keyboard. This will start the search for "your" IAM user.
  3. Config should show one search result, listing an IAM user named like "netid@cornell.edu". That IAM User resource will be labelled as non-compliant.
  4. Click on the IAM user name (i.e., netid@cornell.edu) to drill into that resource.
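To make the rule's behaviour concrete, here is an added example (not Cornell's code and not the real implementation of 251-MED-no-iam-users-except-whitelist) of how a custom AWS Config rule Lambda evaluates one IAM user against a whitelist passed as a rule parameter; the event shape follows the standard custom-rule invocation, and the sample event, user name and whitelist values are constructed.

```python
import json

# Hypothetical evaluation logic for a Config rule that flags every IAM user as
# NON_COMPLIANT unless it appears on a whitelist rule parameter. This models the
# behaviour described above; it is not the actual Cornell rule.

def parse_whitelist(rule_parameters: str) -> set:
    """Rule parameters arrive as a JSON string; 'whitelist' is comma-separated."""
    params = json.loads(rule_parameters or "{}")
    return {u.strip() for u in params.get("whitelist", "").split(",") if u.strip()}

def evaluate_iam_user(config_item: dict, whitelist: set) -> str:
    """Return the Config compliance type for a single configuration item."""
    if config_item.get("resourceType") != "AWS::IAM::User":
        return "NOT_APPLICABLE"  # rule scope is IAM users only
    if config_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"  # a deleted user should not linger as a finding
    user_name = config_item.get("resourceName", "")
    return "COMPLIANT" if user_name in whitelist else "NON_COMPLIANT"

def lambda_handler(event: dict, context=None) -> list:
    """Custom-rule shape: invokingEvent and ruleParameters arrive as JSON strings."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    whitelist = parse_whitelist(event.get("ruleParameters", "{}"))
    evaluations = [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_iam_user(item, whitelist),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]
    # A deployed rule would report these with
    # boto3.client("config").put_evaluations(Evaluations=evaluations,
    #                                        ResultToken=event["resultToken"])
    return evaluations

# Constructed sample invocation (placeholder ids, not real account data)
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::IAM::User",
            "resourceId": "AIDAEXAMPLEPLACEHOLDER",
            "resourceName": "netid@cornell.edu",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        },
    }),
    "ruleParameters": json.dumps({"whitelist": "svc-backup, svc-ci"}),
    "resultToken": "constructed-token",
}
```

Running `lambda_handler(SAMPLE_EVENT)` yields NON_COMPLIANT for the sample user because it is not on the whitelist; adding "netid@cornell.edu" to the whitelist parameter flips it to COMPLIANT, which is the effect the exercise achieves through the console.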


Part 2 – S3 Buckets

