alexpulver

How to manage access to AWS?

• https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/basic-organization.html
• https://aws.amazon.com/controltower/
• https://aws.amazon.com/iam/identity-center/
• https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

How to develop for AWS?

• https://aws.amazon.com/cdk/
• https://docs.aws.amazon.com/cdk/v2/guide/core_concepts.html
• https://cdkworkshop.com/

alexpulver

Legend

> - stack name
>> - stack resource name

Story 1

Needed to build identity provider. Decided to use Cognito for all functionality. Created identity provider app with a single identity provider component.

alexpulver

Instructions

git clone https://github.com/alexpulver/aws-cdk-project-structure-python-basic.git
cd aws-cdk-project-structure-python-basic

# Deploy both stacks to default AWS account and Region
sed -i '' 's/"111111111111"/os.environ["CDK_DEFAULT_ACCOUNT"]/' app.py
sed -i '' 's/"eu-west-1"/os.environ["CDK_DEFAULT_REGION"]/' app.py

# Install project dependencies (including local installation of AWS CDK Toolkit)

alexpulver

Running the example

python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
cdk synth --app "python app.py"

alexpulver

pipeline = pipelines.CodePipeline(...)

kubectl = pipelines.ShellStep(
    "Kubectl",
    commands=["kubectl apply -f deployment.yml"],
)
pipeline.add_wave("Kubernetes", post=[kubectl])

alexpulver

synth_codebuild_step = pipelines.CodeBuildStep(...)
codepipeline = pipelines.CodePipeline(
    self,
    "CodePipeline",
    synth=synth_codebuild_step,
)
# That should be called at the end of the pipeline definition, because the pipeline can't be changed afterwards
codepipeline.build_pipeline()
synth_cfn_project: codebuild.CfnProject = codepipeline.synth_project.node.default_child
synth_cfn_project.cache = codebuild.CfnProject.ProjectCacheProperty(type="LOCAL", modes=["LOCAL_SOURCE_CACHE"])

alexpulver

aws ec2 create-fleet --cli-input-json file://config.json
aws ec2 describe-fleets
aws ec2 describe-fleet-instances --fleet-id fleet-3110fe2c-6589-4a42-8f75-12c1746e50a9
aws ec2 delete-fleets --fleet-ids fleet-3110fe2c-6589-4a42-8f75-12c1746e50a9 --terminate-instances

alexpulver

import boto3

client = boto3.client('s3')

response = client.select_object_content(
    Bucket='string',
    Key='string',
    SSECustomerAlgorithm='string',
    SSECustomerKey='string',
    Expression='string',

alexpulver

Deploying the demo

Global configuration

export AWS_PROFILE=NAME
export AWS_DEFAULT_REGION=REGION
git config --global credential.helper '!aws --profile '$AWS_PROFILE' codecommit credential-helper $@'
git config --global credential.UseHttpPath true

alexpulver

Use case

Below is an example for IAM policy and commands to allow IAM users (could be federated users as well) create EC2 instances in self-service manner, while enforcing the following:

• The IAM user must provide "owner" tag with their currently logged-in IAM username as value. Otherwise they won't be able to create the instance.
• Each IAM user can start, stop and terminate their own instances only. The enforcement is based on currently logged-in IAM username.
• The IAM user can only apply "owner" tag when creating the instance and cannot modify any tag later.

Documentation

Supported Resource-Level Permissions for Amazon EC2 API Actions