
Hands-On Lab: Implementing Core AWS Security Controls

AWS Certified Cloud Practitioner (CLF-C02) > Security, Identity, and Compliance


Prerequisites

Before starting this lab, ensure you have the following:

  • AWS Account: An active AWS account with Administrator (AdministratorAccess) permissions.
  • CLI Tools: AWS CLI installed and configured locally (aws configure) with an IAM user's access keys.
  • Prior Knowledge: Basic understanding of the AWS Shared Responsibility Model and Identity and Access Management (IAM).
  • Region: We will use us-east-1 (N. Virginia) for this lab. Ensure your CLI is configured for this region.

Learning Objectives

By completing this lab, you will be able to:

  1. Enforce strict password requirements using AWS IAM Password Policies.
  2. Enable continuous threat detection using Amazon GuardDuty.
  3. Securely store and retrieve sensitive credentials using AWS Secrets Manager.
  4. Audit account activity using AWS CloudTrail.

Architecture Overview

This lab provisions security guardrails across your AWS account to ensure confidentiality, integrity, and availability.


Step-by-Step Instructions

Step 1: Configure an IAM Password Policy

A strong password policy is the first line of defense for identity management. We will enforce a 14-character minimum with complexity requirements.

```bash
aws iam update-account-password-policy \
  --minimum-password-length 14 \
  --require-symbols \
  --require-numbers \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --allow-users-to-change-password
```

Console alternative
  1. Navigate to IAM in the AWS Management Console.
  2. In the left navigation pane, choose Account settings.
  3. Under Password policy, click Edit.
  4. Select Custom and check the boxes for uppercase, lowercase, numbers, and non-alphanumeric characters.
  5. Set the minimum password length to 14.
  6. Check Allow users to change their own password.
  7. Click Save changes.

📸 Screenshot: The IAM Account Settings page showing custom password policy checkboxes.

[!TIP] The Principle of Least Privilege states that users should only be granted the permissions necessary to perform their specific job functions. Combining strict password policies with Multi-Factor Authentication (MFA) is a critical best practice.

Step 2: Enable Amazon GuardDuty for Threat Detection

Amazon GuardDuty is a machine-learning-powered threat detection service that continuously monitors your account for malicious activity and unauthorized behavior.

```bash
aws guardduty create-detector --enable
```

Note: This command will output a DetectorId. You do not need to save it for this lab.

Console alternative
  1. Navigate to GuardDuty in the AWS Management Console.
  2. Click Get Started.
  3. Click the Enable GuardDuty button.

📸 Screenshot: The GuardDuty welcome screen with the blue "Enable GuardDuty" button.

Step 3: Securely Store Credentials in AWS Secrets Manager

Hardcoding passwords in application code is a major security vulnerability. AWS Secrets Manager allows you to securely store, rotate, and manage API keys and database passwords.

```bash
aws secretsmanager create-secret \
  --name brainybee-lab-db-secret \
  --description "Database password for BrainyBee application" \
  --secret-string '{"username":"admin","password":"SuperSecretPassword123!"}'
```

Console alternative
  1. Navigate to Secrets Manager in the console.
  2. Click Store a new secret.
  3. Choose Other type of secret.
  4. Under Key/value pairs, add row 1: Key = username, Value = admin.
  5. Add row 2: Key = password, Value = SuperSecretPassword123!.
  6. Click Next.
  7. Enter the Secret name as brainybee-lab-db-secret and click Next.
  8. Leave rotation disabled, click Next, then click Store.

📸 Screenshot: The Secrets Manager configuration screen showing key-value pairs.

Step 4: Verify Activity in AWS CloudTrail

CloudTrail Event history automatically records the API calls made in your account for the last 90 days. We will use it to audit the CreateSecret call we just made.

```bash
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=CreateSecret \
  --query 'Events[0].CloudTrailEvent'
```

Console alternative
  1. Navigate to CloudTrail in the console.
  2. In the left pane, click Event history.
  3. In the Lookup attributes filter, select Event name and type CreateSecret.
  4. Click on the event to view the JSON record showing your IAM user identity and the time the API call was made.

📸 Screenshot: The CloudTrail Event history table showing the CreateSecret event.
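The `CloudTrailEvent` field returned by `lookup-events` is itself a JSON document serialised as a string, so the record from Step 4 needs a second parse before its fields can be read. The following added example (not part of the original lab) flattens that output into audit rows; the sample CLI output is constructed, with placeholder account, ARN and IP values.

```python
import json


def summarize_events(lookup_output: str) -> list:
    """Flatten `aws cloudtrail lookup-events` JSON into audit-ready rows.

    Each row records who made the call, when, from where, and which secret
    was named. The CloudTrailEvent value is a JSON string, hence json.loads()
    is applied twice.
    """
    rows = []
    for event in json.loads(lookup_output).get("Events", []):
        record = json.loads(event["CloudTrailEvent"])
        identity = record.get("userIdentity", {})
        params = record.get("requestParameters") or {}
        rows.append({
            "event": record.get("eventName"),
            "time": record.get("eventTime"),
            "actor_arn": identity.get("arn"),
            "source_ip": record.get("sourceIPAddress"),
            "region": record.get("awsRegion"),
            "secret_name": params.get("name"),
            # Secrets Manager does not write the secret value to CloudTrail:
            # the trail shows who created which secret, never its contents.
            "value_logged": "secretString" in params,
        })
    return rows


# Constructed sample of the CLI output (placeholder identifiers, not real data).
SAMPLE_LOOKUP_OUTPUT = json.dumps({"Events": [{
    "EventId": "00000000-0000-0000-0000-000000000000",
    "EventName": "CreateSecret",
    "EventTime": "2024-01-01T12:00:00+00:00",
    "EventSource": "secretsmanager.amazonaws.com",
    "Username": "lab-user",
    "CloudTrailEvent": json.dumps({
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:user/lab-user",
                         "userName": "lab-user"},
        "eventTime": "2024-01-01T12:00:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "CreateSecret",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"name": "brainybee-lab-db-secret",
                              "description": "Database password for BrainyBee application"},
        "responseElements": {"name": "brainybee-lab-db-secret"}})}]})

if __name__ == "__main__":
    for row in summarize_events(SAMPLE_LOOKUP_OUTPUT):
        print(row)
```

To run it against your own account, pipe the real command output in: `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateSecret | python3 -c 'import sys, audit; print(audit.summarize_events(sys.stdin.read()))'` (assuming the block is saved as `audit.py`).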

Checkpoints

Verify that your resources have been provisioned correctly before proceeding.

Checkpoint 1: Verify Password Policy

```bash
aws iam get-account-password-policy
```

Expected Result: A JSON output detailing your strict password policy parameters (e.g., "MinimumPasswordLength": 14).
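Rather than eyeballing the JSON, you can check it against the baseline Step 1 enforces. The added example below (not part of the original lab) reads the `get-account-password-policy` output and reports every setting that falls short; the two sample outputs are constructed.

```python
import json

# The settings Step 1 enforces with update-account-password-policy.
LAB_BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
}


def policy_gaps(get_policy_output: str) -> list:
    """Return the baseline settings the account policy does not meet.

    Takes the JSON printed by `aws iam get-account-password-policy`.
    An empty list means the policy satisfies the lab baseline. (If no custom
    policy exists, the CLI returns a NoSuchEntity error instead of JSON.)
    """
    policy = json.loads(get_policy_output)["PasswordPolicy"]
    gaps = []
    for key, required in LAB_BASELINE.items():
        actual = policy.get(key)
        if isinstance(required, bool):
            if actual is not True:
                gaps.append(f"{key} should be true (got {actual})")
        elif actual is None or actual < required:
            gaps.append(f"{key} should be >= {required} (got {actual})")
    return gaps


# Constructed sample outputs, not captured from a real account.
COMPLIANT = json.dumps({"PasswordPolicy": {**LAB_BASELINE, "ExpirePasswords": False}})
WEAK = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False}})

if __name__ == "__main__":
    print("compliant:", policy_gaps(COMPLIANT))  # []
    print("weak:", policy_gaps(WEAK))
```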

Checkpoint 2: Verify GuardDuty is Active

```bash
aws guardduty list-detectors
```

Expected Result: An array containing at least one Detector ID string.

Checkpoint 3: Retrieve the Secret

```bash
aws secretsmanager get-secret-value --secret-id brainybee-lab-db-secret
```

Expected Result: A JSON response containing your secret string with the username and password.

Clean-Up / Teardown

[!WARNING] Remember to run the teardown commands to avoid ongoing charges. GuardDuty offers a 30-day free trial, but Secrets Manager charges per secret stored.

Execute the following commands to delete the resources created in this lab:

1. Delete the IAM Password Policy (Reverts to AWS defaults):

```bash
aws iam delete-account-password-policy
```

2. Delete the Secret (forces immediate deletion without a recovery window):

```bash
aws secretsmanager delete-secret \
  --secret-id brainybee-lab-db-secret \
  --force-delete-without-recovery
```

3. Delete the GuardDuty Detector: First, retrieve your Detector ID, then pass it to the delete command.

```bash
DETECTOR_ID=$(aws guardduty list-detectors --query 'DetectorIds[0]' --output text)
aws guardduty delete-detector --detector-id "$DETECTOR_ID"
```

Troubleshooting

| Common Error | Cause | Fix |
|---|---|---|
| AccessDeniedException | IAM user lacks necessary permissions. | Ensure your CLI user has AdministratorAccess or specific policies for IAM, GuardDuty, and Secrets Manager attached. |
| ResourceExistsException | A secret with the name brainybee-lab-db-secret already exists. | Delete the existing secret or choose a different name for your lab secret. |
| InvalidInputException (IAM) | Invalid password policy parameters. | Ensure you copy the exact CLI arguments or check the correct boxes in the console. |

Stretch Challenge

Now that you have enabled GuardDuty, try enabling AWS Security Hub. Security Hub aggregates findings from GuardDuty, Inspector, and Macie into a single pane of glass.

Your Challenge: Use the AWS CLI to enable AWS Security Hub and manually trigger a sample GuardDuty finding to see it appear in the Security Hub console.

Solution

```bash
# Enable Security Hub
aws securityhub enable-security-hub --enable-default-standards

# Get your GuardDuty Detector ID
DETECTOR_ID=$(aws guardduty list-detectors --query 'DetectorIds[0]' --output text)

# Generate sample findings in GuardDuty (which will sync to Security Hub)
aws guardduty create-sample-findings --detector-id "$DETECTOR_ID"
```

Navigate to Security Hub in the console to view the aggregated sample findings.

Cost Estimate

This lab falls largely under the AWS Free Tier, assuming your account is eligible and you clean up promptly:

  • IAM / CloudTrail Event History: Always free.
  • Amazon GuardDuty: 30-day free trial for new accounts. Afterward, priced based on log volume analyzed.
  • AWS Secrets Manager: $0.40 per secret per month. If deleted immediately using --force-delete-without-recovery, the prorated cost will be $0.00.

Concept Review

Security and Compliance in the AWS Cloud are governed by the Shared Responsibility Model. AWS is responsible for the security OF the cloud (infrastructure, physical data centers), while you (the customer) are responsible for security IN the cloud (your data, password policies, firewall rules).

The CIA Triad

AWS security measures are built around the CIA Triad:

  • Confidentiality: Ensuring data is encrypted (e.g., KMS) and access is strictly controlled (e.g., IAM, Secrets Manager).
  • Integrity: Ensuring data is not altered.
  • Availability: Ensuring systems and data remain accessible.

AWS Security Service Comparison

Understanding the differences between AWS threat detection and compliance tools is essential for the Cloud Practitioner exam:

| Service | Primary Use Case | Key Mechanism |
|---|---|---|
| Amazon GuardDuty | Continuous threat detection | Machine learning analysis of CloudTrail, VPC Flow Logs, and DNS logs. |
| Amazon Inspector | Vulnerability assessment | Scans EC2 instances and container images for software vulnerabilities. |
| AWS CloudTrail | API auditing | Records user activity and API calls for governance and compliance. |
| AWS Secrets Manager | Credential management | Securely stores and automatically rotates database passwords and API keys. |
| Amazon Macie | Data privacy and protection | Uses machine learning to discover and protect sensitive data (PII) in Amazon S3. |
| AWS Artifact | Regulatory compliance | On-demand access to AWS security and compliance reports (e.g., SOC, PCI). |

These tools combined allow organizations to build highly secure architectures that adhere strictly to industry compliance standards while leveraging the elastic nature of the AWS cloud.
