AWS Security Foundation: Implementing Security Components and Resources

Identify components and resources for security

[!NOTE] Estimated Time: 30 minutes | Difficulty: Guided | Cloud Provider: AWS

Welcome to this hands-on lab! Based on the AWS Certified Cloud Practitioner objectives (Domain 2.4), this lab will walk you through deploying essential security components and resources. You will configure network firewalls, enable automated threat detection, and securely store sensitive credentials.


Prerequisites

Before you begin, ensure you have the following ready:

  • AWS Account: An active AWS account with administrator or PowerUser access.
  • AWS CLI: Installed and configured with your credentials (aws configure).
  • Basic Knowledge: Familiarity with basic terminal commands and the concept of AWS Regions.

[!IMPORTANT] Throughout this lab, we will use placeholders like <YOUR_REGION> and <YOUR_VPC_ID>. Be sure to replace them with your actual values.


Learning Objectives

By completing this lab, you will be able to:

  1. Deploy a Security Group to control inbound and outbound network traffic.
  2. Enable Amazon GuardDuty to leverage machine learning for continuous threat detection.
  3. Store and retrieve credentials securely using AWS Secrets Manager.

Security Formula to Remember: Overall Security Posture = Preventative Controls (SGs) + Detective Controls (GuardDuty) + Confidentiality (Secrets Manager)


Architecture Overview

This diagram illustrates the security components we will deploy and how they interact within your AWS environment.

[Architecture diagram: Security Group, Amazon GuardDuty, AWS Secrets Manager]

We can also visualize the conceptual relationship of these services using a block structure:

[Block diagram of the three services]

Step-by-Step Instructions

Step 1: Retrieve Your Default VPC ID

To create a Security Group, we first need to know the ID of the Virtual Private Cloud (VPC) where it will reside. We will use the default VPC for this lab.

```bash
aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query "Vpcs[0].VpcId" --output text
```

📸 Screenshot: Your terminal should output a string like vpc-01a2b3c4d5e6f7g8h.

Console alternative
  1. Log in to the AWS Management Console.
  2. Search for VPC in the top search bar.
  3. Click Your VPCs in the left sidebar.
  4. Look for the VPC with Default VPC set to Yes and copy its VPC ID.

Step 2: Create a Security Group

Security Groups act as stateful virtual firewalls at the instance level. A newly created group allows no inbound traffic until you add rules, so it is a safe starting point. We will create a security group designated for a web server.

```bash
aws ec2 create-security-group \
  --group-name brainybee-lab-sg \
  --description "Lab Security Group for Web Traffic" \
  --vpc-id <YOUR_VPC_ID>
```

[!TIP] Replace <YOUR_VPC_ID> with the ID you retrieved in Step 1. The output will provide a GroupId (e.g., sg-0abcd1234efgh5678).

Console alternative
  1. Navigate to the EC2 dashboard.
  2. In the left sidebar under Network & Security, click Security Groups.
  3. Click Create security group.
  4. Enter brainybee-lab-sg for the name, provide a description, select your default VPC, and click Create.

Step 3: Enable Amazon GuardDuty

Amazon GuardDuty is a continuous threat detection service that monitors your AWS account for malicious activity. It is enabled per Region by creating a "detector"; until a detector exists, nothing is analyzed.

```bash
aws guardduty create-detector --enable
```

Console alternative
  1. Search for GuardDuty in the AWS Console search bar.
  2. Click Get Started.
  3. Click the Enable GuardDuty button.

Step 4: Store a Secret Securely

Hardcoding passwords in your application code is a major security risk. We will use AWS Secrets Manager to store a dummy database password.

```bash
aws secretsmanager create-secret \
  --name brainybee-db-password \
  --description "Database password for lab" \
  --secret-string '{"username":"admin","password":"SuperSecretPassword123!"}'
```

📸 Screenshot: The console will return a JSON object containing the ARN and Name of your newly created secret.

Console alternative
  1. Search for Secrets Manager in the AWS Console.
  2. Click Store a new secret.
  3. Choose Other type of secret.
  4. Under Key/value pairs, add username / admin and password / SuperSecretPassword123!.
  5. Click Next, name it brainybee-db-password, and click Next until stored.

Checkpoints

Time to verify that our resources were deployed correctly!

Checkpoint 1: Verify the Security Group exists

Run this command to check the details of your new security group:

```bash
aws ec2 describe-security-groups --group-names brainybee-lab-sg
```

Expected Result: A JSON output describing brainybee-lab-sg and its associated VPC ID.

Checkpoint 2: Retrieve the securely stored secret

Verify that you can retrieve the sensitive credential data:

```bash
aws secretsmanager get-secret-value --secret-id brainybee-db-password --query "SecretString" --output text
```

Expected Result: {"username":"admin","password":"SuperSecretPassword123!"}
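The two checkpoints above only confirm that the resources exist. As an added example (not part of the lab), the script below takes the JSON that the AWS CLI prints for describe-security-groups, get-detector and get-secret-value and checks the posture of each control: no inbound rule open to the whole Internet except on web ports, the GuardDuty detector actually ENABLED, and the secret a well-formed JSON document with both keys. The sample CLI outputs are constructed inline (the two inbound rules are assumed; the lab's own group has none) so the script runs offline.

```python
import json

# Constructed sample of what `aws ec2 describe-security-groups --group-names brainybee-lab-sg`
# prints once two inbound rules have been added (the lab itself adds none; these are assumed).
SG_OUTPUT = json.loads("""{"SecurityGroups": [{
  "GroupName": "brainybee-lab-sg", "GroupId": "sg-0abcd1234efgh5678", "VpcId": "vpc-01a2b3c4d5e6f7g8h",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
  "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]}""")
# Constructed sample of `aws guardduty get-detector --detector-id <DETECTOR_ID>` (fields trimmed).
DETECTOR_OUTPUT = {"Status": "ENABLED", "FindingPublishingFrequency": "SIX_HOURS"}
# Constructed sample of `aws secretsmanager get-secret-value --secret-id brainybee-db-password` (fields trimmed).
SECRET_OUTPUT = {"Name": "brainybee-db-password",
                 "SecretString": '{"username":"admin","password":"SuperSecretPassword123!"}'}

ANYWHERE = {"0.0.0.0/0", "::/0"}  # CIDRs meaning "the whole Internet"

def world_open_ingress(sg_output, allowed_ports=(80, 443)):
    """Return (port, cidr) pairs for inbound rules open to the Internet on ports a web
    server should not expose. IpProtocol -1 (all traffic) is always flagged."""
    findings = []
    for group in sg_output["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in (c for c in cidrs if c in ANYWHERE):
                if rule["IpProtocol"] == "-1":          # all-traffic rules carry no FromPort/ToPort
                    findings.append(("all", cidr))
                    continue
                for port in range(rule["FromPort"], rule["ToPort"] + 1):
                    if port not in allowed_ports:
                        findings.append((port, cidr))
    return findings

def detector_enabled(detector_output):
    """GuardDuty only analyzes account activity while the detector's Status is ENABLED."""
    return detector_output.get("Status") == "ENABLED"

def secret_keys_present(secret_output, required=("username", "password")):
    """Parse SecretString as JSON and confirm every required key carries a non-empty value."""
    try:
        data = json.loads(secret_output["SecretString"])
    except (KeyError, ValueError):          # binary-only secret or non-JSON string
        return False
    return isinstance(data, dict) and all(data.get(k) for k in required)

if __name__ == "__main__":
    print(world_open_ingress(SG_OUTPUT), detector_enabled(DETECTOR_OUTPUT), secret_keys_present(SECRET_OUTPUT))
```

On the constructed sample the first call reports the port-22 rule as the one finding, while the HTTPS rule passes because 443 is in the allowed set.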


Troubleshooting

If you run into issues, refer to this troubleshooting table:

| Error Message / Issue | Likely Cause | Solution |
|---|---|---|
| InvalidVpcID.NotFound | The VPC ID entered in Step 2 is incorrect or missing. | Re-run Step 1 and copy the exact VpcId string. |
| ResourceExistsException | A secret named brainybee-db-password already exists. | Use a different name, or run the teardown command to delete the old one. |
| BadRequestException (GuardDuty) | GuardDuty is already enabled in this region. | No action needed! You are already covered by GuardDuty. |
| AccessDeniedException | Your IAM user lacks permissions to create these resources. | Ensure you are logged in with a user that has Admin or PowerUser access. |

Clean-Up / Teardown

[!WARNING] CRITICAL: Do not skip this section! While these resources are minimal, AWS Secrets Manager and GuardDuty incur ongoing charges if left running outside of the free tier.

Execute the following commands to destroy all the resources provisioned in this lab.

1. Delete the Secret:

```bash
aws secretsmanager delete-secret \
  --secret-id brainybee-db-password \
  --force-delete-without-recovery
```

2. Disable GuardDuty: (First, find your detector ID)

```bash
aws guardduty list-detectors
```

(Then delete it, replacing <DETECTOR_ID> with your output)

```bash
aws guardduty delete-detector --detector-id <DETECTOR_ID>
```

3. Delete the Security Group:

```bash
aws ec2 delete-security-group --group-name brainybee-lab-sg
```

Run the Checkpoint commands again and confirm that each one now returns an error, which means the resource was successfully deleted.


Cost Estimate

If you tear down the environment immediately after the lab, the cost will be:

  • AWS Secrets Manager: ~$0.00 (Prorated for 30 minutes, otherwise $0.40/secret/month).
  • Amazon GuardDuty: ~$0.00 (Offers a 30-day free trial for new accounts; otherwise priced per GB of logs analyzed).
  • Security Groups: Free.
  • Total Estimated Cost: $0.00
