In this lab scenario, you take on the role of a cloud security engineer, working for a business that has implemented a particular business process in AWS using AWS Lambda. Version one (MVP) of the implementation has proven very successful with customers (in this lab - you actually deploy and set up the Lambda function). Due to the immediate success and demand of the serverless workflow, the company has now decided to review the IAM security policies involved in its operation and uptime of it. It is expected that current IAM permissions may be too broad and too permissive.

As a cloud security engineer, it is your responsibility to perform the review and update existing IAM security permissions assigned to the Lambda function's execution role. Your task is to review the current IAM policies and refine them such that they adhere to the rule of least privilege. To understand exactly what the Lambda function does, and in particular, the specific set of AWS API operations it integrates with, you will set up CloudTrail together with Athena. Additionally, this new setup will support another business requirement - being able to audit all AWS API calls made by the Lambda function for auditing and compliance reasons.

Learning Objectives

Upon completion of this lab, you will be able to:

• Configure CloudTrail and Athena together to help you analyze AWS API operations being made within an AWS Account

Intended Audience

• Those interested in learning how to increase their IAM security posture by analyzing existing AWS API calls

Prerequisites

Familiarity with the following will be beneficial but is not required:

• Be comfortable with the AWS console
• Be comfortable with basic Linux command line administration

Lab Environment

This lab will start with the following AWS resources provisioned automatically for you:

• 1 x EC2 instance
  • ops.cloudacademy.platform.instance - used to provide access to a Linux terminal
• 2 x S3 buckets
  • Business Data S3 bucket - used to store business data files generated by the Lambda function
  • Athena Query Results S3 bucket - used to store the results of executing Athena queries

To achieve the lab end state, you will be walked through the process of:

• Setting up a new CloudTrail trail
• Configuring Athena with access to the CloudTrail trail log files stored in S3
• Deploying and configuring a new Python 3-based Lambda function that writes files out to the Business Data S3 bucket
• Use Athena to query the CloudTrail data
• Build a local file containing all current IAM Policy Actions
• Updating an IAM policy assigned to a Lambda function's execution role