AWS Assignment – 4

VPC, IAM & Secrets for Linux Learners

Basic Questions

  1. Create a new VPC with CIDR block 10.0.0.0/16.
  2. Create two subnets (one public, one private) inside the VPC.
  3. Attach an Internet Gateway (IGW) to the VPC.
  4. Create a route table and associate it with the public subnet.
  5. Verify that an EC2 instance in the public subnet can access the internet.
  6. Launch an EC2 instance in the private subnet and check internet access (should fail).
  7. Create a NAT Gateway in the public subnet.
  8. Update the private subnet route table to use the NAT Gateway for internet access.
  9. Verify that the private instance now has internet access through NAT.
  10. List all VPCs in your account using the AWS CLI.
  11. Create a new IAM user with programmatic access (access key + secret key).
  12. Configure AWS CLI on Linux with the IAM user’s credentials.
  13. Create an IAM group named LinuxAdmins.
  14. Attach the AmazonEC2FullAccess policy to the group.
  15. Add the new IAM user to the LinuxAdmins group.
  16. Use the AWS CLI to check the IAM user's permissions (for example, list the user's groups and the policies attached to them).
  17. Create an IAM role for EC2 with S3 read-only access.
  18. Attach the role to an EC2 instance and list S3 buckets from it.
  19. Create a parameter in SSM Parameter Store with type String.
  20. Retrieve the parameter value from Linux EC2 using AWS CLI.
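The networking steps in Basic questions 1 to 10, as one runnable AWS CLI script. This is an added example, not part of the assignment sheet. The script name build_vpc.sh, the subnet CIDRs 10.0.1.0/24 and 10.0.2.0/24 and the availability zone us-east-1a are assumptions; it expects a configured AWS CLI (aws configure) with EC2 permissions, and creates nothing unless invoked with apply.

```shell
#!/bin/sh
# build_vpc.sh (assumed name): Basic questions 1-10 as AWS CLI calls.
# Usage:  sh build_vpc.sh apply     (nothing is created without "apply";
#         the NAT gateway and its Elastic IP are billed hourly, delete them when done)
set -eu

VPC_CIDR=10.0.0.0/16            # question 1
PUBLIC_CIDR=10.0.1.0/24         # assumed subnet CIDRs inside the /16
PRIVATE_CIDR=10.0.2.0/24
AZ=${AWS_AZ:-us-east-1a}        # assumed availability zone; override with AWS_AZ

# Every helper prints the id of what it created so the caller can capture it with $(...).
# Calls whose JSON we do not need go to /dev/null so they cannot pollute that id.

create_vpc() {   # $1 = CIDR
  vpc_id=$(aws ec2 create-vpc --cidr-block "$1" --query 'Vpc.VpcId' --output text)
  # Without DNS hostnames, public instances get no resolvable public DNS name.
  aws ec2 modify-vpc-attribute --vpc-id "$vpc_id" --enable-dns-hostnames '{"Value":true}' >/dev/null
  echo "$vpc_id"
}

create_subnet() {   # $1 = vpc id, $2 = CIDR, $3 = public|private  (question 2)
  subnet_id=$(aws ec2 create-subnet --vpc-id "$1" --cidr-block "$2" --availability-zone "$AZ" \
      --query 'Subnet.SubnetId' --output text)
  if [ "$3" = public ]; then
    # Instances launched here get a public IPv4 address, which question 5 relies on.
    aws ec2 modify-subnet-attribute --subnet-id "$subnet_id" --map-public-ip-on-launch >/dev/null
  fi
  echo "$subnet_id"
}

create_igw() {   # $1 = vpc id  (question 3)
  igw_id=$(aws ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId' --output text)
  aws ec2 attach-internet-gateway --internet-gateway-id "$igw_id" --vpc-id "$1" >/dev/null
  echo "$igw_id"
}

# Route table with a default route to $4 (reached via $3, i.e. --gateway-id or
# --nat-gateway-id), associated with subnet $2.  (questions 4 and 8)
create_route_table() {   # $1 = vpc id, $2 = subnet id, $3 = target flag, $4 = target id
  rtb_id=$(aws ec2 create-route-table --vpc-id "$1" --query 'RouteTable.RouteTableId' --output text)
  aws ec2 create-route --route-table-id "$rtb_id" --destination-cidr-block 0.0.0.0/0 "$3" "$4" >/dev/null
  aws ec2 associate-route-table --route-table-id "$rtb_id" --subnet-id "$2" >/dev/null
  echo "$rtb_id"
}

create_nat() {   # $1 = PUBLIC subnet id  (question 7: the NAT gateway itself reaches out via the IGW)
  alloc_id=$(aws ec2 allocate-address --domain vpc --query 'AllocationId' --output text)
  nat_id=$(aws ec2 create-nat-gateway --subnet-id "$1" --allocation-id "$alloc_id" \
      --query 'NatGateway.NatGatewayId' --output text)
  # Takes a minute or two; the route can be added earlier, but traffic only flows once available.
  aws ec2 wait nat-gateway-available --nat-gateway-ids "$nat_id"
  echo "$nat_id"
}

build_vpc() {
  VPC_ID=$(create_vpc "$VPC_CIDR")
  PUBLIC_SUBNET=$(create_subnet "$VPC_ID" "$PUBLIC_CIDR" public)
  PRIVATE_SUBNET=$(create_subnet "$VPC_ID" "$PRIVATE_CIDR" private)
  IGW_ID=$(create_igw "$VPC_ID")
  PUBLIC_RTB=$(create_route_table "$VPC_ID" "$PUBLIC_SUBNET" --gateway-id "$IGW_ID")
  # Until the next two lines run, the private subnet uses the VPC's main route table,
  # which only has the local 10.0.0.0/16 route: that is the failure question 6 expects.
  NAT_ID=$(create_nat "$PUBLIC_SUBNET")
  PRIVATE_RTB=$(create_route_table "$VPC_ID" "$PRIVATE_SUBNET" --nat-gateway-id "$NAT_ID")
  echo "vpc=$VPC_ID public=$PUBLIC_SUBNET private=$PRIVATE_SUBNET igw=$IGW_ID nat=$NAT_ID rtb=$PUBLIC_RTB,$PRIVATE_RTB"
}

list_vpcs() {   # question 10; IsDefault marks the default VPC AWS created for you
  aws ec2 describe-vpcs --query 'Vpcs[].[VpcId,CidrBlock,IsDefault]' --output table
}

if [ "${1:-}" = apply ]; then
  build_vpc
  list_vpcs
fi
```

For questions 5, 6 and 9, launch an instance in each subnet with a security group that allows outbound traffic and run `curl -I https://aws.amazon.com` from it: the public instance succeeds immediately, the private one fails until the NAT route exists. The public instance needs a public IP (the map-public-ip-on-launch attribute above) or an Elastic IP; an IGW alone is not enough.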

Intermediate Questions

  1. Create a custom security group in your VPC that allows only SSH (22) and HTTP (80) inbound; restrict the SSH rule's source to your own IP rather than 0.0.0.0/0.
  2. Launch an EC2 instance in the VPC using this security group.
  3. Create a second VPC and configure a VPC peering connection with the first.
  4. Update route tables to allow communication between the two VPCs.
  5. Test connectivity between EC2 instances in the peered VPCs (ping test; the security groups must allow inbound ICMP from the peer VPC's CIDR, or the ping fails even though routing is correct).
  6. Create an IAM policy that allows only read access to S3.
  7. Attach the policy to a new IAM user and verify limited permissions.
  8. Rotate access keys for an IAM user and test both old and new keys.
  9. Create an IAM role with EC2 + CloudWatch permissions.
  10. Launch an EC2 instance with this IAM role and push custom logs to CloudWatch.
  11. Create a SecureString parameter in SSM Parameter Store with KMS encryption.
  12. Retrieve the SecureString parameter value from EC2 using AWS CLI.
  13. Store a database password in Secrets Manager.
  14. Retrieve the secret value using AWS CLI with proper IAM permissions.
  15. Test what happens when an IAM user without Secrets Manager permissions tries to read the secret (expect an AccessDeniedException).
  16. Enable MFA (Multi-Factor Authentication) for an IAM user.
  17. Document the steps for connecting to AWS CLI with MFA.
  18. Create a parameter hierarchy in SSM (/dev/db/username, /dev/db/password).
  19. Retrieve multiple parameters using the get-parameters-by-path CLI command.
  20. Write a short note on differences between SSM Parameter Store and Secrets Manager.
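Intermediate question 17 asks for the steps to use the AWS CLI with MFA; this is that flow as a shell function you source into your session. It is an added example, not part of the assignment sheet. The file name mfa.sh, the function names, the user alice, the account id 123456789012 and the AWS_MFA_SOURCE_PROFILE variable are assumptions; it assumes the user's long-term access keys are stored in a named CLI profile (default: default) and that the MFA device from question 16 is a virtual TOTP device.

```shell
#!/bin/sh
# mfa.sh (assumed name). Source it, then:
#   aws_mfa_session arn:aws:iam::123456789012:mfa/alice 123456
# Long-term access keys alone never satisfy an aws:MultiFactorAuthPresent policy
# condition; CLI calls count as MFA-authenticated only when made with temporary
# credentials that STS issued after checking a TOTP code.

# $1 = MFA device ARN (aws iam list-mfa-devices --user-name alice shows it)
# $2 = current 6-digit code from the authenticator app
aws_mfa_session() {
  mfa_serial=$1
  mfa_code=$2
  case "$mfa_code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "usage: aws_mfa_session <mfa-device-arn> <6-digit-code>" >&2; return 2 ;;
  esac
  # GetSessionToken must be called with the user's long-term keys, which we assume
  # live in a named profile. Clear any stale session from the environment first:
  # a GetSessionToken call made with temporary credentials is rejected.
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  mfa_creds=$(aws sts get-session-token --profile "${AWS_MFA_SOURCE_PROFILE:-default}" \
      --serial-number "$mfa_serial" --token-code "$mfa_code" --duration-seconds 3600 \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text) || return 1
  # --output text prints the three values tab-separated on one line.
  read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<EOF
$mfa_creds
EOF
  unset mfa_creds
  # Exported environment credentials take precedence over any profile for later commands.
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  # Temporary key ids start with ASIA (long-term ones with AKIA). Print only the id:
  # the secret and the token must not end up in scrollback or shell history.
  echo "MFA session active, key $AWS_ACCESS_KEY_ID, valid for 1 hour"
}

# What do the credentials in this shell resolve to? Run it before and after.
aws_whoami() {
  aws sts get-caller-identity --query 'Arn' --output text
}
```

To see the difference, attach a policy to the user that denies everything except MFA management when `aws:MultiFactorAuthPresent` is false, then compare `aws ec2 describe-instances` before and after `aws_mfa_session`: with the long-term keys it fails, with the exported session credentials it works.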

Advanced Questions

  1. Design a VPC with 3-tier architecture (public, private-app, private-db subnets).
  2. Configure a NAT Gateway for the app tier and ensure the DB tier has no internet access (its route table must have no 0.0.0.0/0 route to an IGW or NAT Gateway).
  3. Write a custom IAM policy that allows listing EC2 instances but denies deletion.
  4. Attach this policy to a user and verify via AWS CLI.
  5. Use IAM roles to allow one EC2 instance to access S3 and another instance to access DynamoDB.
  6. Store API keys in Secrets Manager and retrieve them securely from EC2 via the AWS CLI.
  7. Automate retrieval of SSM parameters inside a Linux shell script for app configuration.
  8. Enable CloudWatch logging for VPC flow logs and analyze traffic logs.
  9. Configure cross-account access for an IAM user using trust policies.
  10. Final Hands-on Project:
    • Create a secure VPC with public + private subnets
    • Configure NAT Gateway for private subnet
    • Create IAM users, groups, and roles with least privilege
    • Store app credentials in SSM Parameter Store & Secrets Manager
    • Access secrets securely from EC2 via AWS CLI
    • Enable logging & MFA for compliance
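Advanced questions 3 and 4 (allow listing EC2 instances, deny deletion, attach and verify), as an added example that is not part of the assignment sheet. The policy name Ec2ListNoDelete, the user linuxlearner, the file names and the helper names are assumptions; the script needs IAM permissions to create and attach policies and to call the policy simulator.

```shell
#!/bin/sh
# ec2_list_no_delete.sh (assumed name): Advanced questions 3 and 4.
#   sh ec2_list_no_delete.sh simulate   # write the policy and test the document only
#   sh ec2_list_no_delete.sh apply      # also create it, attach it to USER_NAME, re-check
set -eu

POLICY_NAME=${POLICY_NAME:-Ec2ListNoDelete}   # assumed names; override via environment
USER_NAME=${USER_NAME:-linuxlearner}
POLICY_FILE=${POLICY_FILE:-ec2-list-no-delete.json}

# Question 3. An explicit Deny wins over every Allow the user has from anywhere else,
# so this denies termination even if the user is also in a group with AmazonEC2FullAccess.
write_policy() {
  cat >"$POLICY_FILE" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "ListInstances", "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"], "Resource": "*" },
    { "Sid": "DenyDeletion", "Effect": "Deny",
      "Action": ["ec2:TerminateInstances"], "Resource": "*" }
  ]
}
EOF
}

# Reads "action<TAB>decision" lines (as printed by the simulators below) on stdin and
# succeeds only if $1 came back "allowed" and $2 came back "explicitDeny".
check_decisions() {   # $1 = action that must be allowed, $2 = action that must be denied
  ok=1; seen=0
  while read -r action decision; do
    case "$action:$decision" in
      "$1:allowed"|"$2:explicitDeny") seen=$((seen + 1)) ;;
      "$1:"*|"$2:"*) echo "unexpected: $action -> $decision" >&2; ok=0 ;;
    esac
  done
  [ "$ok$seen" = 12 ]
}

# Check the document before it touches any principal. The second policy in the list
# stands in for AmazonEC2FullAccess to prove the Deny still wins over "ec2:*".
simulate_policy() {
  aws iam simulate-custom-policy \
      --policy-input-list "$(cat "$POLICY_FILE")" \
          '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"ec2:*","Resource":"*"}}' \
      --action-names ec2:DescribeInstances ec2:TerminateInstances ec2:StopInstances \
      --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output text \
  | check_decisions ec2:DescribeInstances ec2:TerminateInstances
}

# Question 4: attach it and evaluate against everything the user actually has.
attach_and_verify() {
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "file://$POLICY_FILE" --query 'Policy.Arn' --output text)
  aws iam attach-user-policy --user-name "$USER_NAME" --policy-arn "$policy_arn"
  user_arn=$(aws iam get-user --user-name "$USER_NAME" --query 'User.Arn' --output text)
  aws iam simulate-principal-policy --policy-source-arn "$user_arn" \
      --action-names ec2:DescribeInstances ec2:TerminateInstances \
      --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output text \
  | check_decisions ec2:DescribeInstances ec2:TerminateInstances
}

# Live check with the user's own credentials that destroys nothing: --dry-run makes
# EC2 run only the authorization step. An allowed call fails with DryRunOperation,
# a denied one with UnauthorizedOperation.
dry_run_terminate() {   # $1 = instance id, $2 = AWS CLI profile holding the user's keys
  aws ec2 terminate-instances --instance-ids "$1" --dry-run --profile "$2" 2>&1 \
    | grep -oE 'UnauthorizedOperation|DryRunOperation' || echo "no decision in output"
}

case "${1:-}" in
  simulate) write_policy; simulate_policy && echo "document OK: list allowed, terminate denied" ;;
  apply)    write_policy; simulate_policy; attach_and_verify && echo "attached to $USER_NAME and verified" ;;
esac
```

The simulator output also shows ec2:StopInstances as implicitDeny, which is the point of listing it: an action no statement mentions is denied by default, so only ec2:TerminateInstances needed an explicit Deny, and that Deny is what protects the instances if the user later picks up broader Allow permissions through a group.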
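Intermediate questions 18 and 19 and Advanced question 7 all come down to the same script: pull a parameter hierarchy such as /dev/db/username and /dev/db/password with get-parameters-by-path and turn it into application configuration. This is an added example, not part of the assignment sheet. The file name load_ssm_config.sh, the env-file location /run/app/app.env and the name-to-variable mapping are assumptions; the hierarchy /dev/db/... is the one the assignment uses. It assumes the instance role allows ssm:GetParametersByPath on the path and kms:Decrypt on the key behind any SecureString.

```shell
#!/bin/sh
# load_ssm_config.sh (assumed name): Intermediate 18-19 and Advanced 7.
# On the instance:  sh load_ssm_config.sh /dev /run/app/app.env
# then the app's start script does:  . /run/app/app.env
# Never add "set -x" here: it would write decrypted secrets to the terminal and logs.
set -eu

# /dev/db/password under base /dev  ->  DB_PASSWORD  ("-" in a name also becomes "_")
ssm_env_name() {   # $1 = base path, $2 = full parameter name
  rel=${2#"$1"/}
  printf '%s\n' "$rel" | tr -- '-/a-z' '__A-Z'
}

load_ssm_path() {   # $1 = base path, e.g. /dev ; $2 = env file to write
  base=$1; outfile=$2
  tab=$(printf '\t')
  umask 077                       # the env file is readable only by the account running this
  : >"$outfile"
  # --recursive walks the whole hierarchy; --with-decryption is what turns a
  # SecureString into plaintext (omit it and you get the ciphertext blob back).
  # --output text with a two-element query prints one "Name<TAB>Value" line each;
  # values containing tabs or newlines are not handled here (use --output json for those).
  aws ssm get-parameters-by-path --path "$base" --recursive --with-decryption \
      --query 'Parameters[].[Name,Value]' --output text \
  | while IFS="$tab" read -r name value; do
      # Single-quote the value, escaping embedded quotes, so a password full of
      # shell metacharacters survives being sourced unchanged.
      esc=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
      printf "%s='%s'\n" "$(ssm_env_name "$base" "$name")" "$esc" >>"$outfile"
    done
  echo "wrote $(wc -l <"$outfile" | tr -d ' ') parameters from $base to $outfile"
}

if [ $# -eq 2 ]; then
  load_ssm_path "$1" "$2"
fi
```

Because the values come out of the instance role's credentials rather than a key stored on disk, the only secret material at rest on the instance is the env file itself; keep it on a tmpfs such as /run and delete it once the application has read it. The same function works against a hierarchy that mixes String and SecureString parameters, which is why --with-decryption is always passed.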