Hands-on lab session: AWS Cross-Account Resource Sharing and Continuous Monitoring Lab

Objective:
In this hands-on lab, you will learn how to securely share AWS resources across multiple AWS accounts using resource-based policies. You will also set up continuous auditing and monitoring of policy configurations using AWS Config rules.

Prerequisites:

  • Basic knowledge of AWS services (Amazon S3, AWS KMS, and Amazon ES).
  • Access to two AWS accounts for cross-account resource sharing.

Lab Duration:
2-3 hours

Lab Tasks:

Task 1: Configure Cross-Account Resource Sharing

  1. In the first AWS account, create an Amazon S3 bucket that you want to share with the second AWS account.
  2. Set up an AWS KMS key for encryption in the first account.
  3. Create an Amazon Elasticsearch Service (Amazon ES) domain in the first account.
  4. Create resource-based policies for each resource (S3 bucket, KMS key, and Amazon ES domain) in the first account. These policies should allow access from the second AWS account, specifying the AWS account ID numbers.

Task 2: Set Up Cross-Account Access User

  1. In the second AWS account, create an IAM user with the necessary permissions to access the shared resources in the first account. Attach policies to grant access to the S3 bucket, KMS key, and Amazon ES domain.

Task 3: Test Cross-Account Access

  1. Log in to the AWS Management Console using the IAM user’s credentials from the second account.
  2. Verify that you can access the shared resources in the first account while retaining user permissions from the second account.

Task 4: Implement Continuous Monitoring with AWS Config

  1. Set up AWS Config Rules in the first AWS account to continuously audit changes to IAM policies and monitor the compliance of the configuration of shared resources.
  2. Create custom AWS Config rules that check for the specific policy configurations related to the shared resources.

Task 5: Test Continuous Monitoring

  1. Introduce a change to one of the IAM policies in the first account, such as altering the access permissions to the shared resources.
  2. Observe how AWS Config Rules respond to the policy change and evaluate the compliance status.

Lab Evaluation:

  • Students will be evaluated based on their ability to successfully configure cross-account resource sharing and set up continuous monitoring and auditing of policy configurations using AWS Config Rules.
  • The response to the policy change in Task 5 and its impact on compliance status will also be assessed.

Additional Notes:

  • Encourage students to discuss their experiences, observations, and any issues faced during the hands-on lab.
  • Provide documentation with AWS CLI commands and explanations for each task.
  • Remind students to clean up resources and permissions after completing the lab to avoid unexpected AWS charges.

This lab will help students understand how to securely share AWS resources across multiple AWS accounts using resource-based policies and how to set up continuous auditing and monitoring of policy configurations with AWS Config Rules, ensuring that the shared resources remain secure and compliant with policies.

Below is an example of a JSON-based resource policy that grants cross-account access to an S3 bucket for a specific set of AWS account ID numbers.

In this example, we create a resource-based policy for an S3 bucket. We allow read and write access to the bucket for two AWS accounts (represented by their AWS account ID numbers).

{
  "Version": "2012-10-17",
  "Id": "ExamplePolicyId1",
  "Statement": [
    {
      "Sid": "ExampleStatementId1",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::your-s3-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "123456789012"
        }
      }
    },
    {
      "Sid": "ExampleStatementId2",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::your-s3-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "987654321098"
        }
      }
    }
  ]
}

Explanation of the JSON policy:

  • "Version": Specifies the policy language version.
  • "Id": An optional field for providing an identifier for the policy.
  • "Statement": An array containing one or more policy statements.
  • "Sid": An optional statement identifier.
  • "Effect": The effect of the statement, which can be “Allow” or “Deny.”
  • "Principal": In this case, we set it to “*”, which on its own matches any principal in any AWS account; it is the Condition below that narrows each statement to one named account, so never publish a "*" principal without such a condition.
  • "Action": Lists the AWS actions (permissions) allowed. In this example, we allow “s3:GetObject” and “s3:PutObject.”
  • "Resource": Specifies the resource to which the policy applies. It uses an S3 bucket ARN with a wildcard to allow access to objects in the bucket.
  • "Condition": A condition that must be met for the statement to apply. Here, we use "aws:PrincipalAccount", which carries the ID of the account the calling IAM principal belongs to, so each statement allows access only from one specific AWS account. (The similar-looking "aws:SourceAccount" key is only present when an AWS service calls on behalf of a resource, so it would not match a direct request from an IAM user in the second account.)

Remember to replace "123456789012" and "987654321098" with the actual AWS account IDs that you want to grant access to. Also, replace "your-s3-bucket-name" with the name of the S3 bucket you’re granting access to.
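As an added example (not part of the original lab material) of the custom AWS Config rule called for in Task 4, the Python below mirrors the check such a rule would run over a bucket policy shaped like the one above: every Allow statement must be limited, by its Principal or by an "aws:PrincipalAccount" condition, to an approved list of account IDs, which is exactly what the Task 5 policy change should trip. The Config event shape, the AllowedAccounts rule parameter and the sample policy are constructed assumptions, and the boto3 put_evaluations call a deployed rule would make is omitted so the code runs offline.

```python
import json

ACCOUNT_KEY = "aws:PrincipalAccount"  # condition key carrying the calling account ID

def _as_list(v): return v if isinstance(v, list) else [v]
def _account_of(p): return p.split(":")[4] if p.startswith("arn:") else p  # ARN or bare ID

def accounts_granted(stmt):
    """Account IDs an Allow statement grants to; "*" means any principal may match."""
    principal = stmt.get("Principal", {})
    granted = {"*"} if principal == "*" else {_account_of(p) for p in _as_list(principal.get("AWS", []))}
    if "*" in granted:  # open Principal: only a StringEquals on the account key narrows it
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get(ACCOUNT_KEY)
        granted = set(_as_list(cond)) if cond else {"*"}
    return granted

def evaluate_bucket_policy(policy, allowed_accounts):
    """The rule's check: every Allow statement must be limited to approved accounts."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        granted = accounts_granted(stmt)
        if "*" in granted:
            return "NON_COMPLIANT", f"{stmt.get('Sid')} allows any principal"
        unexpected = sorted(granted - set(allowed_accounts))
        if unexpected:
            return "NON_COMPLIANT", f"{stmt.get('Sid')} grants unapproved account(s) {unexpected}"
    return "COMPLIANT", "all Allow statements limited to approved accounts"

def lambda_handler(event, context):
    """Custom Config rule entry point (assumed event shape); put_evaluations() omitted to stay offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    allowed = [a.strip() for a in json.loads(event.get("ruleParameters", "{}")).get("AllowedAccounts", "").split(",")]
    policy_text = item.get("supplementaryConfiguration", {}).get("BucketPolicy", {}).get("policyText")
    if item["resourceType"] != "AWS::S3::Bucket" or not policy_text:
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "no bucket policy recorded"}
    compliance, note = evaluate_bucket_policy(json.loads(policy_text), allowed)
    return {"ComplianceResourceId": item["resourceId"], "ComplianceType": compliance, "Annotation": note}

# Constructed sample: the lab's bucket policy as Config would record it, plus the rule parameter
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "SharedWithSecondAccount", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::your-s3-bucket-name/*",
    "Condition": {"StringEquals": {ACCOUNT_KEY: "987654321098"}}}]}
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "your-s3-bucket-name",
        "supplementaryConfiguration": {"BucketPolicy": {"policyText": json.dumps(SAMPLE_POLICY)}}}}),
    "ruleParameters": json.dumps({"AllowedAccounts": "123456789012,987654321098"})}
```

Removing the Condition from SAMPLE_POLICY, or pointing it at an account that is not in AllowedAccounts, is the Task 5 change: the handler then returns NON_COMPLIANT with an annotation naming the offending statement.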
