Section 12: AWS CLI, SDK, IAM Roles & Policies Flashcards

1
Q
  • AWS EC2 Instance Metadata (IMDS) allows EC2 instances to “learn about themselves” without using an IAM Role for that purpose.
  • URL is http://169.254.169.254/latest/meta-data (I suppose you reach this from an ec2 instance aws console?)
  • you can retrieve a lot of things from the metadata, IAM Role name included, but you cannot retrieve the IAM policy
  • This url allows us to access both the metadata and the userdata (ec2 instance launch script)
A

Subsection: AWS EC2 Instance Metadata

2
Q

IMDSv1 accesses http://169.254.169.254/latest/meta-data directly, but is less secure.

IMDSv2 is more secure and uses two steps:
* 1) get a session token using a PUT request with a TTL header: $ TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
* 2) use the session token in the IMDSv2 call via the token header: $ curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"

A
3
Q

not useful for exam -_-

Add another aws account to your local aws cli. Here’s a hint.

~/.aws $ cat credentials
[default]
aws_access_key_id = asdf
aws_secret_access_key = zxcv

A

~/.aws $ aws configure --profile my-other-aws-account
AWS Access Key ID [None]: qwer
AWS Secret Access Key [None]: poiu
Default region name [None]: us-west-2
Default output format [None]:

now if you

~/.aws $ cat credentials

you see

[default]
aws_access_key_id = asdf
aws_secret_access_key = zxcv
[my-other-aws-account]
aws_access_key_id = qwer
aws_secret_access_key = poiu

and if you

~/.aws $ cat config
[default]
region = eu-west-3 (or whatever it is)
[profile my-other-aws-account]
region = us-west-2

4
Q

not useful for exam -_-

Using the AWS cli, how do you execute the following line using an already locally configured non-default profile named “my-other-aws-account”?

~/.aws $ aws s3 ls --profile my-other-aws-account

A
5
Q

can come up on exam

MFA WITH CLI
1. What’s the api you have to call if you want to run MFA with the CLI?
2. What’s the command line command for it?

A
  1. STS GetSessionToken
  2. $ aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token --duration-seconds 3600

Subsection: AWS CLI with MFA

6
Q

Say you run this on a locally configured aws cli (possibly also using aws cli). Assume you already have the arn-of-the-mfa-device and code-from-token-no-dash-separating-token-halves values.
1. Give an example of the kind of response you are expecting.
2. Give an example of how to use that response to run something like “$ aws s3 ls --profile mfa”. Just make up the values, but try to get the cli commands and keys correct.

$ aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token-no-dash-separating-token-halves --duration-seconds 3600

A
  1. {"Credentials": {
    "SecretAccessKey": "secret-access-key",
    "SessionToken": "temporary-session-token",
    "Expiration": "expiration-date-time",
    "AccessKeyId": "access-key-id"
    }}
  2. $ aws configure --profile mfa
    AWS Access Key ID [None]: access-key-id
    AWS Secret Access Key [None]: secret-access-key
    Default region name [None]:
    Default output format [None]:
    ~ $ open ~/.aws/credentials -a TextEdit

[default]
whatever my default values are
[mfa]
aws_access_key_id = access-key-id
aws_secret_access_key = secret-access-key
aws_session_token = temporary-session-token

(the values above are made-up placeholders; aws configure does not write aws_session_token, so you add that line to the [mfa] profile by hand)

now after you save that you should be able to run “$ aws s3 ls --profile mfa” in your local aws cli and get results.

Subsection: AWS CLI with MFA

7
Q
  1. How do you get the arn you need to use mfa with the cli?
  2. Give an example of the arn, making up the numbers, assuming the User you’re doing this for is ‘Anna’
A
  1. AWS -> IAM -> Users -> Anna -> Security credentials -> Assign MFA device -> virtual MFA device -> scan QR code (google authenticator picked it up for me) -> enter MFA codes -> Assign MFA -> Now back in Security credentials there’s an arn for Assigned MFA device.
  2. arn:aws:iam::12341234:mfa/anna

Subsection: AWS CLI with MFA

8
Q

What do you use if you want to perform actions on AWS directly from your application’s code?
* A) Keep dreaming
* B) Use AWS SDK

A

B) Use AWS SDK

Subsection: AWS SDK Overview

9
Q

Which of the following are official SDKs?
Java, .NET, Node.js, PHP, Python, Go, Ruby, C++

A

All

Subsection: AWS SDK Overview

10
Q

can be tested on this!

What is the default region chosen for AWS SDK?

A

us-east-1

Subsection: AWS SDK Overview

11
Q

How many times can you call an AWS API in a row? Ex:

API Rate Limits
* DescribeInstances: API for EC2 with a limit of 100 calls per second
* GetObject: on S3 has a limit of 5500 GET per second per prefix
* for intermittent errors: implement an Exponential Backoff
* for consistent errors: request an API throttling limit increase
Service Quotas (Service Limits)
* Running on-demand standard instances: 1152 vCPU
* you can request a service limit increase by opening a ticket
* you can request a service quota increase by using the Service Quotas API

A
12
Q

exam question

If you get a ThrottlingException intermittently (because you’re doing too many API calls) use exponential backoff.
This retry mechanism is already included in the AWS SDK API calls.

You must implement it yourself if using the AWS API as-is or in specific cases.

  • True/False: You must only implement the retries on 5xx server errors and throttling
  • True/False: Do not implement on the 4xx client errors
  • True/False: Exponential Backoff works by increasing the amount of wait between request retries. For example, if the first AWS API request fails, there’s a 1 second wait before the second attempt. If that one fails, there’s a 2 second wait before the 3rd attempt. If that one fails, it’s a 3 second wait etc.
A

True and True and True

Exponential Backoff & Service Limit

13
Q

Can come up in one exam question

CLI will look for credentials in this order:
1. Command line options: --region, --output, --profile
2. Environment vars: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN
3. CLI credentials file: $ aws configure
(possibly at ~/.aws/credentials on Linux and Mac and C:\Users\USERNAME\.aws\credentials on Windows)
4. CLI configuration file: $ aws configure
(possibly at ~/.aws/config on Linux and Mac and C:\Users\USERNAME\.aws\config on Windows)
5. Container credentials: for ECS tasks
6. Instance profile credentials: for ec2 instance profiles

A

AWS Credentials Provider & Chain

14
Q

Can come up in one exam question

The Java SDK will look for creds in this order:
1. Java sys props: aws.accessKeyId and aws.secretKey
2. env vars: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
3. the default creds profiles file: ex at ~/.aws/credentials
4. Amazon ECS container creds: for ecs containers
5. instance profile credentials: used on ec2 instances
6.

A
15
Q

Can come up in one exam question

  1. Say you deploy an app on an ec2 instance and you’re using env vars from an iam user to call the amazon s3 api (bad practice but we’re doing it anyway).
  2. The IAM user has S3FullAccess permissions (can do whatever they want on any S3 bucket).
  3. The app only uses one S3 bucket, so according to best practices an IAM Role and EC2 Instance Profile was created for the EC2 Instance. The Role was assigned the minimum permissions to access that one S3 bucket.

The IAM Instance Profile was assigned to the EC2 Instance, but it still had access to all the S3 buckets. Why?

A

In the credentials chain (the order in which the CLI/SDK decides which creds get applied), the environment variables of the IAM user on the EC2 instance are ranked higher (and so take effect) than the IAM Role and EC2 Instance Profile permissions.

16
Q

Best practice is for creds to be inherited from the creds chain.

If using AWS, use IAM Roles:
* EC2 INSTANCE roles for EC2 instances
* ecs roles for ecs tasks
* lambda roles for lambda functions

A
17
Q

Signing AWS API requests. Which of the following is false?
* when you call the AWS HTTP API, you sign the request so that AWS can identify you, using your aws creds
* some requests to S3 don’t need to be signed
* if you use the SDK or CLI, the HTTP requests are signed for you
* You should sign an AWS HTTP request using Signature v5 (SigV5)

A

The last one. It’s supposed to be * You should sign an AWS HTTP request using Signature v4 (SigV4)

Subsection: AWS Signature v4 Signing (SigV4)

18
Q

What you need to know

There are two ways to pass your signature to AWS.

  1. HTTP header option (signature in the “Authorization” header). I think the AWS CLI does this automatically for you. (like the regular request header “Authorization”)
  2. Query string option (like the “&whatever” in “https://awssomething&whatever”). The query string parameter used for this one is X-Amz-Signature
A

Subsection: AWS Signature v4 Signing (SigV4)

19
Q
A

Correct answer: B. Ask an admin to attach an IAM policy to the IAM role on your EC2 instance that authorizes it to do the required API call.
Notes are: IAM Roles are the right way to provide credentials and permissions to an EC2 instance.

Incorrect answers and Notes:

A. The one about running aws configure and using your personal IAM creds from inside the EC2 instance is incorrect.
Notes are: Never insert your IAM credentials in an EC2 instance.

C: the one about using your own credentials, is wrong.
Notes are: Never insert your IAM credentials in an EC2 instance.

D: Use the EC2 Metadata API call.
Notes are: This will not help with IAM credentials. The EC2 Metadata API call allows the EC2 instance to learn more about itself (e.g., AWS Region, AZ, public IPv4, …)

20
Q
A

Correct answer: C. Compare IAM Policies in AWS policy simulator

Incorrect answers:

A, B and D are incorrect. Never send your IAM credentials to your colleagues, or receive their credentials from them, and never insert anyone’s personal credentials into an EC2 instance.

21
Q
A

Correct answer:
* D) Query the user data at http://169.254.169.254/latest/meta-data
No notes.

Incorrect answers:
* A) Create an IAM Role and attach it to your EC2 Instance so you can perform a describe-instances API call
Notes: This would work but it would imply that each EC2 instance should have an IAM Role attached to it allowing it to perform describe-instances API calls.

  • B) Query the user data at http://169.254.169.254/latest/user-data
    Notes: EC2 User Data represents the bootstrap script that will be executed when the EC2 instance starts.
  • C) is wrong. The numbers in the url are incorrect.
22
Q
A

C) Python

23
Q
A

Correct:

A) Create an IAM user to be used by the application, then generate IAM creds and put the creds into env vars.

Notes: Here, it’s about creating a dedicated IAM user for the application, as using your own personal IAM credentials would blur the lines between actual users and applications. Or, you can run aws configure on the on-premises server.

Incorrect:
* B) Incorrect Notes: Never insert your IAM credentials in an on-premises server. Use only in your personal machines.
* C) Incorrect notes: Never put IAM credentials in your code.
* D) Incorrect Notes: IAM Roles can not be attached to on-premises servers.

24
Q
A

Correct: B) Instance meta data temporary

No notes on correct or incorrect.

25
Q
A

Correct:
* A) False. Notes: You can retrieve the IAM role name attached to your EC2 instance using the Instance Metadata service, but you can not retrieve the IAM policies themselves.

Go back and choose B to see if there are notes.

26
Q
A

B) Use Exponential Backoff Strategy

27
Q
A

A) STS GetSessionToken

No notes on correct or incorrect answers.

28
Q
A

B) CLI options, env vars, ec2 instance profile.

Notes:
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#config-settings-and-precedence

No notes for incorrect answers.

29
Q
A

D) Signature Version 4 (SigV4)

no notes on correct or incorrect answers.