Code Red: Repair an AWS Environment with a Linux Bastion Host

Lab Steps


Here you can find the instructions for this specific Lab Step.

If you are ready for a real environment experience please start the Lab. Keep in mind that you'll need to start from the first step.

Your Mission

A security report discovered that administrative access was unintentionally granted to an account in your production AWS environment. The unintended permissions have now been revoked. However, your operations team has informed you that they can no longer connect to the backend instances over SSH via the bastion host. You also have the following environment diagram to remind yourself of the basic architecture:

[Environment diagram: Bastion host in a public subnet, Backend instances in a private subnet]

You must repair the environment (your lab environment) and make all the checks pass before time runs out in order to improve your skill profile in the assessed areas. Follow the instructions below to get started.


Instructions

1. To start the Lab experience, open the AWS Management Console by clicking this button: 


2. Enter the following credentials created just for your Lab session, and click Sign In:

  • Account ID or alias: Keep the pre-populated value
  • IAM user name
  • Password


3. Navigate to the Lab's AWS CloudFormation stacks and wait until the cloudacademylabs stack has a Status of CREATE_COMPLETE:

[Screenshot: the cloudacademylabs stack showing CREATE_COMPLETE status]

It takes around fifteen minutes for all the stacks to create. If the deployment percentage on the Cloud Academy lab page stays stuck at 66% while the CloudFormation stacks are already in the CREATE_COMPLETE status, you can proceed.

Tip: The cloudacademylabs stack creates three nested stacks. To make the most of the available time, it is recommended that you begin inspecting the stacks and the environment as the nested stacks are created.


4. Click Go to Validation Steps below to complete the tasks and pass the challenge.

Hints:

  • 3 of the 4 checks already pass when the Lab's CloudFormation stack is completely created. Ensure the change you make does not cause passing checks to fail. You can run the checks as often as you like to know when you completed the mission. However, the more times you run the checks, the lower the impact will be on your Skill Profile. 
  • You do not need to connect to any EC2 instance to repair connectivity.
Validation checks
4 checks
Check for best practice 1 (You must make this check pass without causing others to fail)

Repair SSH connectivity to the backend EC2 Instances (named Backend) via the bastion host EC2 instance (named Bastion). Ensure you follow security best practices in implementing the solution and avoid allowing more network access than is necessary.
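The check above asks for bastion-only SSH, and the hint says no instance needs to be touched, so the repair is a network-layer one. Working from the console or CLI, a practitioner would first read the backend group's inbound rules and confirm whether a TCP/22 rule exists whose source is the bastion's security group (a group reference rather than a CIDR, so the rule keeps following the bastion if its address changes). The following is an added example, not part of the lab or its CloudFormation templates; the security-group IDs and rule contents are constructed to resemble `aws ec2 describe-security-groups` output, and it assumes the fault is a missing ingress rule on the backend group, which the lab does not state. It flags the tempting wrong repair (SSH from `0.0.0.0/0`), computes the minimal rule, and prints the `authorize-security-group-ingress` call that applies it.

```python
"""Offline audit of a backend security group for least-privilege SSH from a bastion.

Added example, not part of the lab. Group IDs and rule contents are constructed
to look like `aws ec2 describe-security-groups` output; the hypothetical fault
is a missing TCP/22 ingress rule on the backend group.
"""
import json
from ipaddress import ip_network

SSH_PORT = 22

BASTION_SG_ID = "sg-0a1b2c3d4e5f60001"  # hypothetical ID
BACKEND_SG_ID = "sg-0a1b2c3d4e5f60002"  # hypothetical ID

# Constructed: the backend group after the unintended permissions were revoked.
# Only an HTTP rule from the bastion group remains; nothing permits TCP/22.
BACKEND_SG = {
    "GroupId": BACKEND_SG_ID,
    "GroupName": "Backend",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG_ID}]},
    ],
}

# Constructed: the tempting but wrong repair, SSH open to the whole Internet.
WORLD_OPEN_SG = {
    "GroupId": BACKEND_SG_ID,
    "GroupName": "Backend",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}


def covers_ssh(perm):
    """True if an IpPermissions entry includes TCP/22 (or all traffic, "-1")."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def allows_ssh_from_group(sg, source_sg_id):
    """True if sg has an inbound SSH rule whose source is the given group ID."""
    return any(
        pair.get("GroupId") == source_sg_id
        for perm in sg.get("IpPermissions", [])
        if covers_ssh(perm)
        for pair in perm.get("UserIdGroupPairs", [])
    )


def ssh_cidr_sources(sg):
    """CIDR (not group-referenced) sources on SSH rules. Any of these grants
    more than bastion-only access; a /0 prefix is open to the world."""
    cidrs = []
    for perm in sg.get("IpPermissions", []):
        if not covers_ssh(perm):
            continue
        cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return cidrs


def world_open_ssh(sg):
    """True if any SSH rule accepts traffic from a /0 (all-addresses) range."""
    return any(ip_network(c).prefixlen == 0 for c in ssh_cidr_sources(sg))


def ssh_ingress_from_group(source_sg_id):
    """The minimal rule: TCP/22 only, source = the bastion group, no CIDRs."""
    return {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
            "UserIdGroupPairs": [{"GroupId": source_sg_id}]}


def authorize_cli(group_id, perm):
    """AWS CLI call that applies the rule without logging in to any instance."""
    return (f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{json.dumps([perm])}'")


def audit(sg, bastion_sg_id):
    """Findings for one backend group; 'fix' is None when nothing is missing."""
    ok = allows_ssh_from_group(sg, bastion_sg_id)
    return {
        "ssh_from_bastion": ok,
        "world_open_ssh": world_open_ssh(sg),
        "ssh_cidr_sources": ssh_cidr_sources(sg),
        "fix": None if ok else ssh_ingress_from_group(bastion_sg_id),
    }


def apply_fix(sg, perm):
    """Return a copy of sg with perm added, mirroring what authorize would do."""
    fixed = json.loads(json.dumps(sg))
    fixed["IpPermissions"].append(perm)
    return fixed


if __name__ == "__main__":
    before = audit(BACKEND_SG, BASTION_SG_ID)
    print("before:   ", before)
    print("after:    ", audit(apply_fix(BACKEND_SG, before["fix"]), BASTION_SG_ID))
    print("wrong fix:", audit(WORLD_OPEN_SG, BASTION_SG_ID))
    print(authorize_cli(BACKEND_SG_ID, before["fix"]))
```

To run this against the real lab, replace the constructed dictionaries with the output of `aws ec2 describe-security-groups --filters Name=group-name,Values=Backend` (and the bastion's group ID from the instance named Bastion), then apply the printed `authorize-security-group-ingress` command. If the backend group already references the bastion group on port 22, the security group is not the break: check the subnet's network ACL (`aws ec2 describe-network-acls`) for a deny on port 22 or on the ephemeral return ports, and the private subnet's route table. Whatever the cause, resist a `0.0.0.0/0` rule: it makes the connectivity check pass while granting far more access than the mission allows and risks failing one of the best-practice checks below.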

Check for best practice 2 (Implemented when Lab finishes provisioning - ensure it remains intact)

This test will pass by default, and must pass after you repair connectivity, meaning you adhered to best practices while repairing the environment.

Check for best practice 3 (Implemented when Lab finishes provisioning - ensure it remains intact)

This test will pass by default, and must pass after you repair connectivity, meaning you adhered to best practices while repairing the environment.

Check for best practice 4 (Implemented when Lab finishes provisioning - ensure it remains intact)

This test will pass by default, and must pass after you repair connectivity, meaning you adhered to best practices while repairing the environment.