9957 CC Exp7

This document outlines the study and implementation of AWS Identity and Access Management (IAM) and Access Control Lists (ACL). It details the features, infrastructure elements, user types, policies, and security measures associated with IAM, as well as the steps to create IAM users in the AWS console. The document serves as a comprehensive guide for understanding and managing access to AWS resources effectively.

Uploaded by kundanrele


Experiment 7
Title: Study and Implementation of AWS IAM and NACL LO4

Objectives:

Lab Objectives: Study and implement.

• AWS Identity and Access Management (IAM).

• AWS Access Control List (ACL).


1. AWS Identity and Access Management (IAM)
AWS IAM (Identity and Access Management) is a web service that allows you to manage access to
AWS resources. It is a powerful tool that enables you to create and manage users, groups, and roles
that can access your AWS resources. With IAM, you can control who has access to your resources and
what they can do with those resources.
Features of AWS IAM
• You can grant other people permission to administer and use resources in your AWS account
without having to share your password or access key.
• You can grant different permissions to different people for different resources.
• You can use IAM features to securely provide credentials for applications that run on EC2 instances,
which give your applications permission to access other AWS resources.
• You can add two-factor authentication to your account and to individual users for extra security.
• You can allow users to use identity federation to get temporary access to your AWS account.
• You receive AWS CloudTrail log records that include information about IAM identities who
made requests for resources in your account.
• You use an access key (an access key ID and secret access key) to make programmatic
requests to AWS. An access key ID and secret access key can only be uniquely generated
once and must be regenerated if lost.
• IAM has been validated as being compliant with the Payment Card Industry (PCI) Data Security
Standard (DSS).
• IAM is eventually consistent. IAM achieves high availability by replicating data across
multiple servers within Amazon’s data centers around the world.
• IAM and AWS Security Token Service (STS) are offered at no additional charge.
• You can use IAM tags to add custom attributes to an IAM user or role using a tag key–value pair.
• You can generate and download a credential report that lists all users on your AWS account.
The report also shows the status of passwords, access keys, and MFA devices.
Infrastructure Elements
Principal
• An entity that can make a request for an action or operation on an AWS resource. Users,
roles, federated users, and applications are all AWS principals.
TE VI Computer Engg. Cloud Computing Lab
Fr. Conceicao Rodrigues college of
Engineering Department of Computer
Engineering
• Your AWS account root user is your first principal.

Request
• When a principal tries to use the AWS Management Console, the AWS API, or the AWS
CLI, that principal sends a request to AWS.
• A request includes the following information:
o Actions or operations – the actions or operations that the principal wants to perform.
o Resources – the AWS resource object upon which the actions or operations are performed.
o Principal – the user, role, federated user, or application that sent the request.
Information about the principal includes the policies that are associated with that principal.
o Environment data – information about the IP address, user agent, SSL enabled status, or the
time of day.
o Resource data – data related to the resource that is being requested.
Authentication
• To authenticate from the console as a user, you must sign in with your user name and
password.
• To authenticate from the API or AWS CLI, you must provide your access key and secret key.

Authorization
• AWS uses values from the request context to check for policies that apply to the request. It
then uses the policies to determine whether to allow or deny the request.
• Policy types can be categorized as permissions policies or permissions boundaries.
o Permissions policies define the permissions for the object to which they’re attached. These
include identity-based policies, resource-based policies, and ACLs.
o A permissions boundary is an advanced feature that allows you to use policies to limit
the maximum permissions that a principal can have.
• To provide your users with permissions to access the AWS resources in their own account,
you need identity-based policies.
• Resource-based policies are for granting cross-account access.

• Evaluation logic rules for policies:
o By default, all requests are denied.
o An explicit allow in a permissions policy overrides this default.
o A permissions boundary overrides the allow. If there is a permissions boundary that
applies, that boundary must allow the request. Otherwise, it is implicitly denied.
o An explicit deny in any policy overrides any allows.
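To make the four evaluation rules concrete, here is an added Python example (not part of the lab manual) that simulates them over constructed sample policies written in the IAM JSON document shape. The two policy documents, the `evaluate` function and its reason strings are assumptions of the example; it covers only what the text describes (Action/Resource wildcards, an explicit deny, a permissions boundary) and ignores conditions, NotAction and the separate rules for resource-based policies.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (assumptions for this example, not from the lab manual).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        # Explicit deny: wins over the ec2:* allow above and over any boundary.
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

# A permissions boundary never grants anything by itself; it caps what the
# identity policy can grant, so it must *also* allow the action.
PERMISSIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "ec2:StartInstances"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    """A statement applies when an Action pattern and a Resource pattern both match
    (IAM's * and ? wildcards map onto fnmatch)."""
    action_hit = any(fnmatchcase(action, p) for p in _as_list(statement["Action"]))
    resource_hit = any(fnmatchcase(resource, p) for p in _as_list(statement["Resource"]))
    return action_hit and resource_hit


def _effects(policy, action, resource):
    """Set of effects ('Allow' / 'Deny') from the statements of one policy that match."""
    return {s["Effect"] for s in policy["Statement"]
            if _statement_matches(s, action, resource)}


def evaluate(action, resource, permissions_policies, boundary=None):
    """Apply the four evaluation rules and return (decision, reason).

    permissions_policies: identity-based policies attached to the principal.
    boundary: an optional permissions boundary policy.
    """
    effects = set()
    for policy in permissions_policies:
        effects |= _effects(policy, action, resource)
    boundary_effects = _effects(boundary, action, resource) if boundary else set()

    # Rule 4: an explicit deny in any policy overrides every allow.
    if "Deny" in effects or "Deny" in boundary_effects:
        return "Deny", "explicit deny"
    # Rules 1 and 2: default deny unless a permissions policy explicitly allows.
    if "Allow" not in effects:
        return "Deny", "implicit deny: no permissions policy allows this action"
    # Rule 3: when a boundary applies it must also allow, otherwise implicit deny.
    if boundary is not None and "Allow" not in boundary_effects:
        return "Deny", "implicit deny: permissions boundary does not allow this action"
    return "Allow", "explicit allow within the permissions boundary"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed resource ARN
    for act, res in [("s3:GetObject", obj), ("s3:PutObject", obj),
                     ("ec2:StopInstances", "*"), ("ec2:StartInstances", "*"),
                     ("ec2:TerminateInstances", "*")]:
        print(f"{act:24} -> {evaluate(act, res, [IDENTITY_POLICY], PERMISSIONS_BOUNDARY)}")
```

Running the block shows the ordering of the rules: `ec2:StopInstances` is allowed by the identity policy alone but denied once the boundary is applied, while `ec2:TerminateInstances` is denied with or without the boundary because the explicit deny is checked first.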
Actions or Operations
• Operations are defined by a service, and include things that you can do to a resource, such as
viewing, creating, editing, and deleting that resource.
Resource
• An object that exists within a service. The service defines a set of actions that can be
performed on each resource.

Users
IAM Users
• Instead of sharing your root user credentials with others, you can create individual IAM
users within your account that correspond to users in your organization. IAM users are not
separate accounts; they are users within your account.
• Each user can have its own password for access to the AWS Management Console. You can
also create an individual access key for each user so that the user can make programmatic
requests to work with resources in your account.
• By default, a brand new IAM user has NO permissions to do anything.

• Users are global entities.

Federated Users
o If the users in your organization already have a way to be authenticated, you can
federate those user identities into AWS.

IAM Groups
o An IAM group is a collection of IAM users.
o You can organize IAM users into IAM groups and attach access control policies to a
group.
o A user can belong to multiple groups.
o Groups cannot belong to other groups.
o Groups do not have security credentials, and cannot access web services directly.
IAM Role
• A role does not have any credentials associated with it.

• An IAM user can assume a role to temporarily take on different permissions for a specific
task. A role can be assigned to a federated user who signs in by using an external identity
provider instead of IAM.
• AWS service role is a role that a service assumes to perform actions in your account on your
behalf. This service role must include all the permissions required for the service to access
the AWS resources that it needs.
o AWS service role for an EC2 instance is a special type of service role that a service
assumes to launch an EC2 instance that runs your application. This role is assigned to
the EC2 instance when it is launched.
o AWS service-linked role is a unique type of service role that is linked directly to an
AWS service. Service-linked roles are predefined by the service and include all the
permissions that the service requires to call other AWS services on your behalf.
• An instance profile is a container for an IAM role that you can use to pass role information to
an EC2 instance when the instance starts.
• Users or groups can have multiple policies attached to them that grant different permissions.

When to Create an IAM User
• You created an AWS account and you’re the only person who works in your account.
• Other people in your group need to work in your AWS account, and your group is using
no other identity mechanism.
• You want to use the command-line interface to work with AWS.

When to Create an IAM Role
• You’re creating an application that runs on an Amazon EC2 instance and that application
makes requests to AWS.
• You’re creating an app that runs on a mobile phone and that makes requests to AWS.
• Users in your company are authenticated in your corporate network and want to be able
to use AWS without having to sign in again (federate into AWS).

Policies
• Most permission policies are JSON policy documents.
• The IAM console includes policy summary tables that describe the access level, resources,
and conditions that are allowed or denied for each service in a policy.
• The policy summary table includes a list of services. Choose a service there to see the service
summary.
• This summary table includes a list of the actions and associated permissions for the chosen
service. You can choose an action from that table to view the action summary.
• To assign permissions to federated users, you can create an entity referred to as a role and define
permissions for the role.
• Identity-Based Policies
o Permissions policies that you attach to a principal or identity.
o Managed policies are standalone policies that you can attach to multiple users,
groups, and roles in your AWS account.
o Inline policies are policies that you create and manage and that are embedded directly
into a single user, group, or role.
• Resource-based Policies
o Permissions policies that you attach to a resource such as an Amazon S3 bucket.
o Resource-based policies are only inline policies.
o Trust policies – resource-based policies that are attached to a role and define which
principals can assume the role.
AWS Security Token Service (STS)
• Create and provide trusted users with temporary security credentials that can control access to
your AWS resources.
• Temporary security credentials are short-term and are not stored with the user but are
generated dynamically and provided to the user when requested.

• By default, AWS STS is a global service with a single endpoint at
https://sts.amazonaws.com.
Assume Role Options
• AssumeRole – Returns a set of temporary security credentials that you can use to access
AWS resources that you might not normally have access to. These temporary credentials
consist of an access key ID, a secret access key, and a security token. Typically, you use
AssumeRole within your account or for cross-account access.
o You can include multi-factor authentication (MFA) information when you call
AssumeRole. This is useful for cross-account scenarios to ensure that the user that
assumes the role has been authenticated with an AWS MFA device.
• AssumeRoleWithSAML – Returns a set of temporary security credentials for users who have
been authenticated via a SAML authentication response. This allows you to link your
enterprise identity store or directory to role-based AWS access without user-specific
credentials or configuration.
• AssumeRoleWithWebIdentity – Returns a set of temporary security credentials for users who
have been authenticated in a mobile or web application with a web identity provider.
Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any
OpenID Connect-compatible identity provider.
STS Get Tokens
• GetFederationToken – Returns a set of temporary security credentials (consisting of an access
key ID, a secret access key, and a security token) for a federated user. You must call the
GetFederationToken operation using the long-term security credentials of an IAM user. A
typical use is in a proxy application that gets temporary security credentials on behalf of
distributed applications inside a corporate network.
• GetSessionToken – Returns a set of temporary credentials for an AWS account or IAM user.
The credentials consist of an access key ID, a secret access key, and a security token. You
must call the GetSessionToken operation using the long-term security credentials of an IAM
user. Typically, you use GetSessionToken if you want to use MFA to protect programmatic
calls to specific AWS API operations.
IAM Access Analyzer
• Provides policy checks that help you proactively validate policies when creating them. These
checks analyze your policy and report errors, warnings, and suggestions with actionable
recommendations that help you set secure and functional permissions.
• IAM Access Analyzer continuously monitors for new or updated resource policies and
permissions granted for S3 buckets, KMS keys, SQS queues, IAM roles, Lambda functions,
and Secrets Manager secrets.
IAM Identity Center
• Manage your workforce’s sign-in security by creating or connecting your users and groups to
AWS in one place.
• Workforce identities
o The members of your organization are also known as workforce users.
o You can only have 1 identity source per AWS organization:
▪ IAM Identity Center identity store
▪ Active Directory
▪ External identity provider
• Multi-account permissions
o Enables you to assign workforce identities access to AWS accounts.
o By enabling delegated administration, you can get the following benefits:
▪ Reduces the number of people who need access to the management account, which
helps to alleviate security concerns.
▪ Allows select administrators to assign users and groups to applications as well
as member accounts in your organization.
o You can manage access to AWS resources across multiple AWS accounts using
attribute-based access control (ABAC).
▪ Requires fewer permission sets.
▪ Permissions for new resources are automatically granted.
▪ You can use employee attributes from the corporate directory.
▪ Keep track of who is accessing your resources.
• Application assignments
o Assign users access to SaaS applications.
o Supports the following types of applications:
▪ Identity Center enabled applications
▪ Cloud applications
▪ Custom SAML 2.0 applications
• You can also integrate AWS CLI version 2 with IAM Identity Center.

Lab Activity
Steps To create IAM users
1. In the AWS console, type IAM in the search box, then click on the IAM service that pops up, as
shown below. Your browser will redirect to the IAM dashboard.


Searching for IAM service

IAM is a global service: users and their permissions apply to your entire AWS account, in every
region. If multiple people share one AWS account (which is very common, for example in the case
of a company-wide dev team), you will need to ensure that IAM users and their credentials are
managed and rotated properly.
For example, you may create an EC2 instance inside the us-east region. Instances are regional.
However, the AWS Identity and Access Management controls are not regional: the permissions
assigned to a user apply regardless of the region of the EC2 instance the user connects to.

Previewing the global option

2. On the IAM dashboard, click on Users on the left pane, then click on Add users at the top-right
of the page to initialize adding users.


Adding a new user

Now configure the user details with the following:

• Provide a username in the User name field shown below. For this example, the username is
set to user-1.
• Enable the Password – AWS Management Console access option to allow users to sign in
to the AWS Management Console.
• Select the Custom password option for the Console password, and provide a secure
password in the text field.
• Uncheck the Require password reset option so the user won’t be prompted to create a new
password at the next sign-in, then click on Next: Permission.

Setting the username and password

3. Skip setting permission and click on Next: Tags since you’re creating a user that doesn’t have
permissions.

Skipping setting permissions

4. Skip adding tags too and click Next: Review.

Skipping settings tags

5. Review the user details and click on Create user to finalize creating the user.

Creating a new user

After creating the user, you’ll get a Success screen like the one below.

Previewing the Success screen

6. Now return to the Users page in your IAM dashboard, and click on the newly created user
(user-1) to view the user’s information.

Opening your user-1


Below, under the Permissions and Groups tab, you can see that user-1 doesn’t have any
permissions associated with it, and is not a member of any groups.

Previewing the new user’s (user-1) permissions

Previewing the new user’s (user-1) group

In the Security credentials tab, you’ll see different access keys that user-1 might have. You can
upload an SSH public key on this tab, which is great for your AWS EC2 instances.


Previewing the user-1 security credentials

The Access Advisor tab shows you the services that user-1 has accessed, either directly or via other
services, along with when user-1 last accessed that service.

Previewing the user-1 Access Advisor

7. Finally, repeat the process (steps three to seven) to create two more users (user-2 and user-3).
Return to your IAM dashboard’s Users page and you’ll see a list similar to the one below.

Previewing lists of users (user-1, user-2, and user-3)

Steps for Creating the User Groups


Now that you’ve created the users, it’s time to create groups. You’ll create groups using the AWS
managed policy and a JSON file.
For this tutorial, you’ll create three groups:

• EC2-Admin: Provides permissions to view, start, and stop EC2 instances

• EC2-Support: Provides read-only access to EC2

• S3-Support: Provides read-only access to S3

To start creating user groups:


1. In your IAM dashboard, click on the User groups on the left pane, then click on Create group.
2. Provide a User group name (EC2-Admin) on the Create user group page, as shown below.

Provide a User group name (EC2-Admin)

Keep the default permissions and click Create group to finalize creating the EC2-Admin group.

Creating a new group


Once you’ve created the new group, you’ll get the EC2-Admin user group created message at the
top of the page, as shown below. Your browser then redirects to the User groups page automatically
(step three).
Showing successful group creation notification

3. Click on the EC2-Admin group under the Group name column to view the group’s summary
info where you can add inline policies (step four).
Previewing the EC2-Admin group

4. Now click on the Permissions tab —> Add Permissions —> Create inline policy to create an
inline policy. Inline policies are usually associated with users directly and are typically used to
grant permissions in one-off situations.
For example, your team is migrating an old EC2 environment to a new one. You want to ensure that
the admin of the old EC2 instance has access to start/stop and copy the security group settings to the
new EC2 instance.

5. On the Create policy page, click the JSON tab shown below to open a JSON editor where you’ll
create a policy.

6. Paste the policy below into the editor field and click Review policy to create an inline policy.
A policy like this may be prebuilt either by AWS or by an administrator inside your AWS account,
and you can use, customize, or edit it to fit your exact needs.

With this policy, members of the EC2-Admin group are allowed to start ("ec2:StartInstances"), stop
("ec2:StopInstances"), and view ("ec2:Describe*") EC2 instances. They are permitted ("Effect":
"Allow") to perform these actions on all resources ("Resource": "*"). These actions correspond
directly to AWS’s programmatic (API) calls.
EC2-Admin group members also have permission to view all elastic load balancers
("elasticloadbalancing:Describe"), list metrics ("cloudwatch:ListMetrics"), get metric statistics
("cloudwatch:GetMetricStatistics"), and describe metrics ("cloudwatch:Describe").
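The policy JSON itself appears in the manual only as a screenshot. As an added example (not the manual's own file), the block below reconstructs the EC2-Admin inline policy from the description above, assumed to be in the standard 2012-10-17 policy format with the Describe actions written as `Describe*` wildcards, and produces a per-service breakdown like the console's policy summary table described in the Policies section, plus a simple "write actions on all resources" finding in the spirit of the IAM Access Analyzer policy checks. The `validate`, `summarize` and `warnings` functions and the Read/Write classification by verb prefix are the example's own approximations of what the console does.

```python
import json
from collections import defaultdict

# Reconstruction of the EC2-Admin inline policy from the manual's description; the
# manual's own JSON is only shown in a screenshot, so the exact document is an assumption.
EC2_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2AdminGroup",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "elasticloadbalancing:Describe*",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*",
            ],
            "Resource": "*",
        }
    ],
}

# Approximation of the console's access levels: actions whose name starts with one of
# these verbs only read state; every other action is treated as Write.
READ_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def access_level(action):
    """'ec2:StartInstances' -> 'Write', 'ec2:Describe*' -> 'Read'."""
    _, _, name = action.partition(":")
    return "Read" if name.startswith(READ_VERBS) else "Write"


def validate(policy):
    """Structural checks a policy editor would report as errors before saving."""
    errors = []
    if policy.get("Version") != "2012-10-17":
        errors.append("Version should be 2012-10-17")
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") not in ("Allow", "Deny"):
            errors.append(f"statement {i}: Effect must be Allow or Deny")
        if not st.get("Action"):
            errors.append(f"statement {i}: Action is required")
        if not st.get("Resource"):
            errors.append(f"statement {i}: Resource is required")
        for action in _as_list(st.get("Action", [])):
            if ":" not in action:
                errors.append(f"statement {i}: action {action!r} must be service:Name")
    return errors


def summarize(policy):
    """Per-service view like the console's policy summary table:
    {service: {"Read": [...], "Write": [...], "AllResources": bool}}."""
    summary = defaultdict(lambda: {"Read": [], "Write": [], "AllResources": False})
    for st in _as_list(policy["Statement"]):
        if st["Effect"] != "Allow":
            continue  # only granted permissions are summarised here
        all_resources = "*" in _as_list(st["Resource"])
        for action in _as_list(st["Action"]):
            entry = summary[action.partition(":")[0]]
            entry[access_level(action)].append(action)
            entry["AllResources"] = entry["AllResources"] or all_resources
    return dict(summary)


def warnings(policy):
    """Findings in the spirit of Access Analyzer policy checks: write actions on every resource."""
    return [f"{svc}: write actions {entry['Write']} are allowed on all resources"
            for svc, entry in summarize(policy).items()
            if entry["Write"] and entry["AllResources"]]


if __name__ == "__main__":
    print("errors:", validate(EC2_ADMIN_POLICY))
    print(json.dumps(summarize(EC2_ADMIN_POLICY), indent=2))
    print("warnings:", warnings(EC2_ADMIN_POLICY))
```

For the reconstructed policy the summary lists ec2 with one Read pattern and two Write actions, and elasticloadbalancing and cloudwatch as read-only; the single warning is that the two EC2 write actions are not scoped to particular instances, which is the kind of finding you would weigh before attaching the policy to a group.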

7. Review the policy summary and click on Save changes to save the policy.


Saving your policy

8. Now, navigate to your IAM dashboard again and initialize creating a group as you did in step
two. But this time, name the User group name as EC2-Support.
Scroll down, search for AmazonEC2ReadOnlyAccess in the Attach permissions policies search
box to attach that policy to the group (EC2-Support):
AmazonEC2ReadOnlyAccess is an AWS managed policy. Like an inline policy, it grants a set of
permissions, but unlike an inline policy it is a standalone, reusable policy that can be attached to
multiple users, groups, and roles in your account.
9. Check the AmazonEC2ReadOnlyAccess option and click Create group to finalize creating the
group.

Setting up the AmazonEC2ReadOnlyAccess policy

10. Now, repeat steps eight to nine to create the S3-Support group with an
AmazonS3ReadOnlyAccess managed policy. Once you’ve created the S3-Support group, you’ll
have a list of groups similar to the one below that shows each group has permissions defined.


Previewing the groups

Steps for Adding Users to their Proper Groups


You’ve created the users and groups with defined permissions. Now, it’s time to add the users to
their proper groups. You’ll open each group’s summary page and manually add a user to that
group.
The table below shows the proper groups where you’ll add each user:
USER      IN GROUP       PERMISSIONS
user-1    S3-Support     Read-only access to S3 buckets
user-2    EC2-Support    Read-only access to EC2 instances
user-3    EC2-Admin      Full EC2 access (View/Start/Stop)

1. In your IAM dashboard, navigate to the User groups page, and click on the S3-Support group
shown below to access the group’s summary page.

Accessing the S3-Support group.

2. Next, click on the Users tab —> Add users to initialize adding users to the group. Your browser
redirects to a page where you’ll see a list of users that don’t belong to any group yet (step three).


Accessing the list of users to add to the S3-Support group.


3. Check the box in front of user-1, then click on Add users to add the user to the S3-Support group.
Your browser then automatically redirects to the S3-Support group’s summary page.

Adding a user (user-1) to the S3-Support group

Below, you can see that user-1 is now a part of the S3-Support group.

user-1 is now a part of the S3-Support group

4. Repeat steps one to three to add user-2 and user-3 to their proper groups.
5. Finally, navigate to the User groups page and you’ll see the groups now have one user each, like
in the screenshot below.


Verifying the groups now have one user each

Steps to test if User Permissions are Working Properly


You’ve completely created users in their own groups with defined permissions. But how do you
know if they work? It’s time to verify that the permissions are working as intended, and there are
various ways to do so. One of the most common ways is using the web-based AWS Management
Console.
1. Navigate to your IAM dashboard and copy the IAM user sign-in URL at the right panel, as
shown below.

Noting the IAM user sign-in URL

2. On your web browser, navigate to the sign-in URL you previously noted (step one), and log in
with user-1’s credentials. Google Chrome and Firefox are the most recommended browsers for this
task.

Signing in as user-1

3. Type S3 in the search box, and click on the S3 link shown below to access Amazon S3
Buckets page.

Accessing the S3 bucket

4. Now, click on Create bucket to initialize creating an S3 bucket.

Creating an S3 bucket

5. Enter a bucket name under the General configuration section, then click on Create bucket to
attempt creating an S3 bucket.

Adding an S3 Bucket Name

Attempting to create an S3 Bucket

If you recall, you attached the AmazonS3ReadOnlyAccess policy to user-1 (through the S3-Support
group), which only gives user-1 read-only permission to view S3 buckets. As a result, if user-1
attempts to create, delete, or update an S3 bucket, the error message shown below will pop up.
The error message below indicates that the permission you set for user-1 works properly.

Testing if user-1 permission is working

Note that user-1 also does not have any EC2 permissions. So for double-checking, navigate to your
EC2 dashboard, and you will get many API errors that pop up like in the screenshot below.
You get these errors because of the principle of least privilege (PoLP). PoLP is the concept that any
given user account or process should have the absolute minimum privileges necessary to
complete a job.

Viewing the EC2 dashboard

6. Now, log out from user-1 and log in as user-2, and navigate to your EC2 dashboard.

Previewing the EC2 dashboard


7. Click on any running EC2 instances to view the user-2 permissions. As shown below, you will get
information about the instance like Instance ID, Public IPv4 address, and so on.

Previewing running EC2 instance

8. Click on the Instance state at the right most part of the page, and choose either Stop instance,
Reboot instance, or Terminate instance option to test if user-2’s permission works.

Stopping/starting/ terminating an EC2 instance

Remember that user-2 only has read-only access to EC2 instances (AmazonEC2ReadOnlyAccess).
So if user-2 tries to manipulate an EC2 instance, the error message below pops up.
Getting the error below indicates that user-2’s permission works correctly.

Previewing the error message.

9. Finally, log out from user-2, then log in as user-3 and try to manipulate any EC2 instances that are
running in your account. Since user-3 has full EC2 permission, you can start, stop or terminate an
instance without getting an error message.

AWS Network Access Control List (NACL)

AWS NACL (Network Access Control List) is a service provided by Amazon Web Services (AWS)
that acts as a firewall for controlling traffic in and out of AWS resources. NACLs are stateless and can
be associated with subnets, allowing you to control traffic at the subnet level. It is a security layer for
your VPC that controls the traffic in and out of one or more subnets.

Features and capabilities of AWS NACL:

• Rules: NACLs are made up of rules that define what traffic is allowed or denied. Each rule
consists of a set of criteria, such as source and destination IP addresses, port numbers, and
protocols. Rules are evaluated in order, and the first rule that matches a particular traffic flow
is applied.
• Statelessness: Unlike security groups, NACLs are stateless. This means that if you allow traffic
in one direction, you must also explicitly allow traffic in the opposite direction. For example,
if you allow inbound traffic on port 80 (HTTP), you must also allow outbound traffic on port
80.
• Priority: Each rule in an NACL has a priority number that determines its order in the evaluation
process. Rules with lower numbers are evaluated first, so you can use priority to control the
order in which rules are applied.
• Subnet association: NACLs are associated with subnets, allowing you to control traffic at the
subnet level. Each subnet can be associated with only one NACL at a time.
• Logging: NACLs can be configured to log all traffic that matches a particular rule. This can be
useful for troubleshooting and auditing purposes.
• Default rules: Each NACL has a set of default rules that are applied to all traffic that doesn't
match any of the explicitly defined rules. By default, all inbound and outbound traffic is denied,
so you must explicitly allow the traffic you want to allow.
• A Network ACL contains numbered lists of rules that are evaluated in order, starting from the
lowest numbered rule, to determine whether the traffic goes in or out of the subnet associated
with the Network ACL. The highest numbered rule can be 32766. It is recommended to create
new rules in increments (for example, increments of 10 or 100) so that you can easily add
new rules where you need them later on.

Network ACL Components


The following are the components of a Network ACL:

• Rule number: A number associated with every rule. Rules are evaluated starting with the
lowest-numbered rule. As soon as a rule matches traffic, the rule is applied regardless of whether
a higher-numbered rule contradicts it.

• Protocol: You can specify any protocol that has a standard protocol number. For example,
HTTP, HTTPS, ICMP, SSH, etc.

• Inbound rules: Specify the source of the traffic and the destination port.

• Outbound rules: Specify the destination of the traffic and the destination port.

Types of Network ACL


There are two types of Network ACL:

• Custom Network ACL

• Default Network ACL

TE VI Computer Engg. Cloud Computing Lab


Fr. Conceicao Rodrigues college of Engineering
Department of Computer Engineering
Default Network ACL
The default Network ACL allows all traffic to flow in or out of the subnet associated with it.
Every Network ACL also includes a rule whose rule number is an asterisk (*): if traffic does not
match any of the numbered rules, this rule denies it. It cannot be modified or removed.

Rule #   Type         Protocol   Port range   Source      Allow/Deny
100      All Traffic  ALL        ALL          0.0.0.0/0   Allow
101      All Traffic  ALL        ALL          ::/0        Allow
*        All Traffic  ALL        ALL          0.0.0.0/0   Deny
*        All Traffic  ALL        ALL          ::/0        Deny

The table above is the default Network ACL associated with a subnet. Rule number 100 allows all
IPv4 traffic and rule number 101 allows all IPv6 traffic. The rule numbered '*' denies all
remaining traffic.
Custom Network ACL
A custom Network ACL is a user-defined Network ACL. By default it denies all inbound and
outbound traffic until you add rules.

Rule #   Type         Protocol   Port range   Source      Allow/Deny
*        All Traffic  ALL        ALL          0.0.0.0/0   Deny
*        All Traffic  ALL        ALL          ::/0        Deny

The table above is the initial rule table of a custom Network ACL, which denies all traffic. You
need to add rules yourself to allow or deny traffic.

Steps to create a new Network ACL

1. Create a new Network ACL: go to the VPC console and select Network ACLs.
2. Click Create Network ACL.
Note: By default, all inbound and outbound rules deny for a newly created Network ACL.
3. Associate Subnet to Network ACL.
Note: You can associate a network ACL with multiple subnets, but a subnet can be associated
with only one network ACL at a time.
4. Configure Inbound and Outbound rules: first, try to access your public/application server. It
should not be accessible, because no inbound or outbound rules are configured yet. Now edit the
Network ACL and add a new inbound and outbound rule.
Note: Rules are evaluated starting with the lowest-numbered rule. As soon as a rule matches the
traffic, it is applied regardless of any higher-numbered rule that might contradict it. For
example, if rule 100 allows port 80 and rule 99 denies port 80, port 80 is denied, because rule
99 is evaluated before rule 100.
5. Block IP address: edit the inbound rules and block your own IP address. After that you should
no longer be able to access your public/application server.

AWS Virtual Private Cloud(VPC)


Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud
where you can launch AWS resources in a virtual network that you define. You have complete control
over your virtual networking environment, including a selection of your own IP address ranges,
creation of subnets, and configuration of route tables and network gateways. You can also create a
hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC
and leverage the AWS cloud as an extension of your corporate datacenter.
Components of Amazon VPC
Amazon VPC comprises a variety of objects that will be familiar to customers with existing
networks:

• A Virtual Private Cloud: A logically isolated virtual network in the AWS cloud. You define a
VPC’s IP address space from the ranges you select.

• Subnet: A segment of a VPC’s IP address range where you can place groups of isolated
resources.
• Internet Gateway: The Amazon VPC side of a connection to the public Internet.
• NAT Gateway: A highly available, managed Network Address Translation (NAT) service that lets
resources in a private subnet access the Internet.
• Route Table: A route table contains a set of rules, called routes, that are used to determine where
network traffic from your subnet or gateway is directed.
• DNS Hostname: The Amazon DNS server resolves a public DNS hostname to the public IPv4
address of the instance outside the network of the instance.
• CIDR: Classless Inter-Domain Routing

Architecture / Block Diagram

10 steps to Create and Verify your VPC

Step 01. Create a VPC
Step 02. Create 2 Public Subnet & Create 2 Private Subnet
Step 03. Create IGW (Internet Gateway) & Attach to the VPC
Step 04. Create Public and Private Route Table
Step 05. Add IGW in Public Route table (0.0.0.0/0)
Step 06. Add Public Subnet (1a & 1b) in Route table
Step 07. Create a NAT Gateway in Public Subnet
Step 08. Add NAT GW into the Private Route Table
Step 09. Add Private Subnet in Private Route Table
Step 10. Launch EC2 in this VPC & Validate your Connection
Optional Steps:
Step 11. Edit DNS Resolution and Hostname
Step 12. Cleanup the VPC Resources

Step 01. Create a VPC


1. Login to your AWS Console.
2. Create your VPC with Valid CIDR and name.

Step 02. Create 2 Public Subnet & Create 2 Private Subnet


1. Click Subnets and create your subnets with:
2. Public Subnet 1 and Public Subnet 2: a valid name and the VPC.
3. A valid subnet range, which is a valid IPv4 CIDR block.
4. Repeat steps 2 & 3 for the Private Subnets too.

Step 03. Create IGW (Internet Gateway) & Attach to the VPC

• Once the IGW is created, attach it to the VPC.

Step 04. Create Public and Private Route Table


Route table concepts
The following are the key concepts for route tables.

• Main route table — The route table that automatically comes with your VPC. It controls the
routing for all subnets that are not explicitly associated with any other route table.
• Custom route table — A route table that you create for your VPC.
• Edge association — A route table that you use to route inbound VPC traffic to an appliance.
You associate a route table with the internet gateway or virtual private gateway, and specify
the network interface of your appliance as the target for VPC traffic.
• Route table association — The association between a route table and a subnet, internet
gateway, or virtual private gateway.
• Subnet route table — A route table that’s associated with a subnet.
• Gateway route table — A route table that’s associated with an internet gateway or virtual
private gateway.
• Local gateway route table — A route table that’s associated with an Outposts local
gateway. For information about local gateways, see Local Gateways in the AWS Outposts
User Guide.
• Destination — The range of IP addresses where you want traffic to go (destination CIDR).
For example, an external corporate network with a 172.16.0.0/12 CIDR.
• Target — The gateway, network interface, or connection through which to send the
destination traffic; for example, an internet gateway.
• Local route — A default route for communication within the VPC.

1. Create a Route table in the same VPC.
2. Make sure you selected the right VPC and give it a proper tag.

Step 05. Add IGW in Public Route table (0.0.0.0/0)

• Click on the Public route table and click the Edit routes button.
• Click Add route and enter 0.0.0.0/0 as the destination.
• Select Internet Gateway from the Target drop-down menu.
• Click Save routes.

Step 06. Add Public Subnet (1a & 1b) in Route table

• Edit the Subnet Association.

• Select the Public Subnet checkbox.

• Click on the Save button.

Step 07. Create a NAT Gateway in Public Subnet

• Select a Public Subnet.
• Allocate a new Elastic IP and associate it.
• Click Create NAT Gateway.


Step 08. Add NAT GW into the Private Route Table

• Click on the Private route table and click the Edit routes button.
• Click Add route and enter 0.0.0.0/0 as the destination.
• Select NAT Gateway from the Target drop-down menu.
• Click Save routes.


Step 09. Add Private Subnet in Private Route Table

• Edit the Subnet Association.

• Select the Private Subnet checkbox.

• Click on the Save button.


Step 10. Launch EC2 in this VPC & Validate your Connection

• Download the PuTTY & PuTTYgen software to your Windows server.
• Convert your .pem key file to .ppk format with PuTTYgen.
• Connect from PuTTY.

OR

• Connect from your Mac or Linux machine with the commands below.

chmod 400 file_name.pem
ssh -i file_name.pem ec2-user@your_public_vm_ip

Once connected to your public instance, copy your .pem file to it and run the following commands
to connect to your private instance.

chmod 400 file_name.pem
ssh -i file_name.pem ec2-user@your_private_vm_ip

Then test internet access from the private instance:

sudo yum update -y

If you can connect to the private instance and update it, you have successfully created your VPC
and public & private subnets, with the IGW/NAT Gateway and route tables connected properly.

In case of any error, add the VPC CIDR range to your Security Group. You need to open port 22 from
your home IP address & the VPC CIDR range to access the public instance.
Access your private instance from your public instances.

Optional Steps:
Step 11. Edit DNS Resolution and Hostname
When you launch an instance into a default VPC, AWS provides the instance with public and private
DNS hostnames that correspond to its public IPv4 and private IPv4 addresses. When you launch an
instance into a nondefault VPC, AWS provides the instance with a private DNS hostname and might
provide a public DNS hostname.

A public (external) DNS hostname takes the form ec2-public-ipv4-address.compute-1.amazonaws.com
for the us-east-1 Region, and ec2-public-ipv4-address.region.compute.amazonaws.com for other
Regions. The Amazon DNS server resolves a public DNS hostname to the public IPv4 address of the
instance outside the network of the instance, and to the private IPv4 address of the instance from
within the network of the instance.

1. Click Actions and then Edit DNS hostnames.
2. Tick the DNS hostnames checkbox and click Save.

Before enabling DNS hostnames: there is no Public DNS (highlighted in yellow in the screenshot).

After enabling DNS hostnames: you can see the change (in blue), with a Public DNS (IPv4) entry.

Step 12. Cleanup the VPC Resources


If you click Delete on a VPC that still has dependent resources, you will get the errors shown
below. The resources must be deleted in the following order before the VPC itself can be deleted:

1. Terminate the EC2 instances, which removes the network interfaces attached with private or
public IPs
2. Release the Elastic IPs
3. Delete the NAT Gateway
4. Detach the Internet Gateway (IGW)
5. Delete the IGW

At last, you can Delete your VPC, and this step will delete all the related VPC resources.

Implementation:
Post Lab:
Activity 1:
1. Launch the AWS Management Console and go to the VPC dashboard.
2. Click on "Create VPC" and specify the following settings:
a. VPC name: MyVPC
b. IPv4 CIDR block: 10.0.0.0/16
3. Click on "Create Subnet" and create two subnets with the following settings:
a. Name: Subnet1
b. Availability Zone: Select an availability zone
c. IPv4 CIDR block: 10.0.1.0/24
d. Name: Subnet2
e. Availability Zone: Select a different availability zone
f. IPv4 CIDR block: 10.0.2.0/24
4. Click on "Create NACL" and create two NACLs with the following settings:
a. Name: NACL1
b. VPC: MyVPC
c. Inbound rules:
i. Rule 1: Allow all traffic from 10.0.1.0/24
ii. Rule 2: Deny all traffic from 10.0.2.0/24
d. Outbound rules:
i. Rule 1: Allow all traffic to 10.0.1.0/24
ii. Rule 2: Deny all traffic to 10.0.2.0/24
e. Name: NACL2
f. VPC: MyVPC
g. Inbound rules:
i. Rule 1: Allow all traffic from 10.0.2.0/24
ii. Rule 2: Deny all traffic from 10.0.1.0/24
h. Outbound rules:
i. Rule 1: Allow all traffic to 10.0.2.0/24
ii. Rule 2: Deny all traffic to 10.0.1.0/24
5. Associate the subnets with the appropriate NACLs:
a. Associate Subnet1 with NACL1
b. Associate Subnet2 with NACL2
6. Launch two EC2 instances in the subnets:
a. Launch an EC2 instance in Subnet1
b. Launch another EC2 instance in Subnet2
7. Test the connectivity between the subnets:
a. SSH into the EC2 instance in Subnet1 from your local machine or another EC2
instance in Subnet1.
b. Ping the EC2 instance in Subnet2.
c. Repeat the above step from the EC2 instance in Subnet2 to the EC2 instance in
Subnet1.
Expected Results of post lab activity 1:

• The ping from the EC2 instance in Subnet1 to the EC2 instance in Subnet2 should fail due to
the NACL rules.
• The ping from the EC2 instance in Subnet2 to the EC2 instance in Subnet1 should fail due to
the NACL rules.
• The SSH connection to the EC2 instances should work as expected, as the NACL rules only
affect the traffic flow between subnets.
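The rule-ordering note under "Configure Inbound and Outbound rules", the statelessness feature listed at the top of the NACL section, and Activity 1 above all rest on the same evaluation procedure: lowest rule number first, first match wins, implicit '*' deny. The following is an added Python example written for this page (not code from the lab manual or from AWS); the client addresses, the 100/200 rule numbers used for Activity 1 and the 1024-65535 ephemeral range for return traffic are assumptions of the example.

```python
"""NACL rule evaluation simulator: added example, not code from the lab manual or from AWS."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated lowest number first; '*' is modelled as the fallback
    protocol: str    # 'tcp', 'udp', 'icmp' or 'all'
    ports: tuple     # (low, high) destination port range; ignored for 'icmp' and 'all'
    cidr: str        # source CIDR for an inbound rule, destination CIDR for an outbound rule
    action: str      # 'allow' or 'deny'


def evaluate(rules, protocol, port, address):
    """Return 'allow' or 'deny' for one packet against one direction's rule list.
    First match in ascending rule-number order wins; the unmodifiable '*' rule denies the rest."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ('all', protocol):
            continue
        if rule.protocol in ('tcp', 'udp') and not rule.ports[0] <= port <= rule.ports[1]:
            continue
        if ip in ipaddress.ip_network(rule.cidr):
            return rule.action
    return 'deny'


# Ordering (the manual's note): rule 99 denies port 80, rule 100 allows it -> 99 wins.
ORDERING = [Rule(100, 'tcp', (80, 80), '0.0.0.0/0', 'allow'),
            Rule(99, 'tcp', (80, 80), '0.0.0.0/0', 'deny')]

# Statelessness: an inbound allow on 80 is not enough; the reply leaves on the client's
# ephemeral port (assumed 1024-65535) and needs its own outbound allow.
WEB_INBOUND = [Rule(100, 'tcp', (80, 80), '0.0.0.0/0', 'allow')]
WEB_OUTBOUND_BROKEN = [Rule(100, 'tcp', (80, 80), '0.0.0.0/0', 'allow')]
WEB_OUTBOUND_FIXED = [Rule(100, 'tcp', (1024, 65535), '0.0.0.0/0', 'allow')]


def http_session_works(inbound, outbound, client_ip='203.0.113.7', client_port=51234):
    """Request arrives on port 80; the response must also pass the outbound list (constructed client)."""
    return (evaluate(inbound, 'tcp', 80, client_ip) == 'allow'
            and evaluate(outbound, 'tcp', client_port, client_ip) == 'allow')


# Post-lab Activity 1: NACL1 on Subnet1 (10.0.1.0/24), NACL2 on Subnet2 (10.0.2.0/24).
ANY = (0, 65535)
NACL1_OUTBOUND = [Rule(100, 'all', ANY, '10.0.1.0/24', 'allow'),
                  Rule(200, 'all', ANY, '10.0.2.0/24', 'deny')]
NACL2_INBOUND = [Rule(100, 'all', ANY, '10.0.2.0/24', 'allow'),
                 Rule(200, 'all', ANY, '10.0.1.0/24', 'deny')]


def ping_subnet1_to_subnet2(src='10.0.1.10', dst='10.0.2.10'):
    """ICMP echo must leave through NACL1 (destination checked) and enter through NACL2 (source checked)."""
    return (evaluate(NACL1_OUTBOUND, 'icmp', 0, dst) == 'allow'
            and evaluate(NACL2_INBOUND, 'icmp', 0, src) == 'allow')
```

The ping in Activity 1 is already dropped by NACL1's outbound rule 200 before it reaches Subnet2, which is why the expected result is a failed ping in both directions.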
Activity 2:
1. Launch the AWS Management Console and go to the IAM dashboard.
2. Click on "Users" and then "Add User".
3. Specify the following settings for the first IAM user:
a. User name: User1
b. Access type: Programmatic access
c. Permissions: Attach existing policies directly
d. Policies: AmazonS3FullAccess
4. Repeat step 3 to create the second and third IAM users with the following settings:
a. User name: User2, Permissions: AmazonEC2FullAccess
b. User name: User3, Permissions: AmazonRDSFullAccess
5. Test the permissions of the IAM users:
a. Log out of the AWS Management Console
b. Log back in using the User1 credentials
c. Go to the S3 dashboard and try to access the S3 bucket
d. Attempt to upload a file to the S3 bucket
e. Repeat the same steps for User2 and User3 using their respective credentials and the EC2
and RDS services.
Expected Results of post lab activity 2:

• User1 should be able to access the S3 bucket and upload a file because they have been granted
AmazonS3FullAccess.
• User2 should be able to access the EC2 service and perform actions because they have been
granted AmazonEC2FullAccess.

• User3 should be able to access the RDS service and perform actions because they have been
granted AmazonRDSFullAccess.