
Introduction

This hands-on exercise shows how to find non-compliant resources in AWS Config and how to whitelist them for Config.

Part 1 – Remove Outside Access to a Resource

Goal

In this exercise, you will use Access Analyzer to find an IAM role that allows access from an outside AWS account and remove that access.

We have prepared this AWS account with roles named example-role-NETID for each of the training participants.

Part 1A – Log in and get to Access Analyzer

  1. Log in to the cu-training AWS account using the traditional Shibboleth login.
    1. Use this link to initiate login: https://signin.aws.cucloud.net/
    2. If you are given the option of selecting a role, select shib-training under the "cu-training" AWS account, and click on Sign in.
  2. Once in the AWS Management Console, type "iam" in the search box and click on IAM under Services.
  3. Click on Access analyzer from the left navigation section.
  4. Check which AWS region your console is pointed at. You want "N. Virginia". If your console is in any other region, change it to "US East (N. Virginia) us-east-1".
    • Unlike other aspects of IAM, Access Analyzers are regional.

Part 1B – Find the Finding for "your" role

  1. Under Active findings, use the menu integrated into the filter for Resource: example-role-NETID
    1. Be sure to use the pull-down menu in the search field to select Resource
    2. Enter example-role-NETID, replacing NETID with your own Cornell NetID (e.g., example-role-pea1)
    3. Hit "enter" on your keyboard to trigger the actual search.
  2. Your search should find one Finding that matches. Click on the Finding ID for that record to drill into the finding.
  3. Note (error)

Part 2 – Archive a Finding

Goal

In this exercise, you will use Access Analyzer to archive a finding that reports public access to an S3 bucket. Archiving records a one-time review and approval of that access.
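Parts 1B and 2 both operate on Access Analyzer findings: first filtering the active findings down to one resource and reading who it grants access to, then archiving a reviewed finding. The script below is an added example for this training page, not part of the original exercise and not Cornell's or AWS's code. It works offline on a constructed sample of findings whose field names follow the IAM Access Analyzer ListFindings response (id, resource, resourceType, status, isPublic, principal, action); the finding IDs, ARNs and account numbers in it are made up. Against a real account the same logic would run on the output of `aws accessanalyzer list-findings`, and the archive step corresponds to `aws accessanalyzer update-findings --status ARCHIVED`.

```python
"""Filter and archive IAM Access Analyzer findings (offline worked example)."""
import json

# Constructed sample, not real analyzer output. Account IDs, ARNs and
# finding IDs are invented; field names mirror the ListFindings response.
SAMPLE_FINDINGS_JSON = """
[
  {"id": "11111111-aaaa-4bbb-8ccc-000000000001",
   "resource": "arn:aws:iam::111122223333:role/example-role-pea1",
   "resourceType": "AWS::IAM::Role", "status": "ACTIVE", "isPublic": false,
   "principal": {"AWS": "444455556666"}, "action": ["sts:AssumeRole"]},
  {"id": "11111111-aaaa-4bbb-8ccc-000000000002",
   "resource": "arn:aws:iam::111122223333:role/example-role-abc2",
   "resourceType": "AWS::IAM::Role", "status": "ACTIVE", "isPublic": false,
   "principal": {"AWS": "777788889999"}, "action": ["sts:AssumeRole"]},
  {"id": "11111111-aaaa-4bbb-8ccc-000000000003",
   "resource": "arn:aws:s3:::example-public-bucket",
   "resourceType": "AWS::S3::Bucket", "status": "ACTIVE", "isPublic": true,
   "principal": {"AWS": "*"}, "action": ["s3:GetObject"]},
  {"id": "11111111-aaaa-4bbb-8ccc-000000000004",
   "resource": "arn:aws:iam::111122223333:role/example-role-pea1",
   "resourceType": "AWS::IAM::Role", "status": "RESOLVED", "isPublic": false,
   "principal": {"AWS": "444455556666"}, "action": ["sts:AssumeRole"]}
]
"""

# Constructed: the account the analyzer belongs to ("zone of trust").
OUR_ACCOUNT = "111122223333"


def load_findings(text):
    """Parse the JSON list of findings."""
    return json.loads(text)


def resource_name(arn):
    """Return the trailing name of a resource ARN.

    'arn:aws:iam::111122223333:role/x' -> 'x'; 'arn:aws:s3:::bucket' -> 'bucket'.
    """
    return arn.rsplit("/", 1)[-1].rsplit(":", 1)[-1]


def active_findings_for(findings, name):
    """Part 1B: the Active findings whose Resource filter matches `name`."""
    return [f for f in findings
            if f["status"] == "ACTIVE" and resource_name(f["resource"]) == name]


def describe_access(finding):
    """Say who the finding grants access to: 'public' or 'account <id>'."""
    if finding.get("isPublic"):
        return "public"
    principal = finding.get("principal", {}).get("AWS", "")
    if principal and principal != OUR_ACCOUNT:
        return f"account {principal}"
    return "unknown principal"


def archive(findings, ids):
    """Part 2: mark the given finding IDs ARCHIVED (the console's Archive
    button; UpdateFindings in the API). Returns a new list, input untouched."""
    ids = set(ids)
    return [dict(f, status="ARCHIVED") if f["id"] in ids else dict(f)
            for f in findings]


def report(findings):
    """One line per finding, the way you would scan the Active findings table."""
    return [f"{f['id']}  {resource_name(f['resource'])}  {f['status']}  "
            f"-> {describe_access(f)}" for f in findings]


if __name__ == "__main__":
    findings = load_findings(SAMPLE_FINDINGS_JSON)
    mine = active_findings_for(findings, "example-role-pea1")
    print("Part 1B match:", [f["id"] for f in mine], describe_access(mine[0]))
    bucket = active_findings_for(findings, "example-public-bucket")[0]
    for line in report(archive(findings, [bucket["id"]])):
        print(line)
```

Note that the RESOLVED record for the same role is deliberately excluded by the status check: the console's "Active findings" view hides resolved and archived findings, so a resource with one active and one resolved finding shows exactly one match, as Part 1B expects.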

Part 2A
