Overview
You are a Security Engineer working at UnicornLimited. Your company has recently acquired BlackHatUnicorns. As part of the technical due diligence team, you need to audit (and possibly fix) some of the AWS IAM policies. Your task is to build a batch job to analyze and report on existing findings and remediate any violations to prevent damages to UnicornLimited.
Challenge Progress
Task    Status      Possible Points  Clue Deduction Points  Total Earned
Task 1  Completed!  80               0                      80
Task 2  Completed!  40               0                      40
Task 3  Completed!  80               0                      80
Total Points Earned: 200
Task 1: Build your IAM evaluation Lambda function
Possible Points: 80 Clue Penalty: 0 Points Earned: 80
Completed!
Background
The first task is to build an AWS Lambda function that programmatically uses the IAM Access Analyzer policy validation feature.
You can validate your policies using AWS IAM Access Analyzer policy checks. You can create or edit a policy using the AWS CLI, AWS API, or JSON policy editor in the IAM console. Access Analyzer validates your policy against IAM policy grammar and best practices. You can view policy validation check findings that include security warnings, errors, general warnings, and suggestions for your policy. These findings provide actionable recommendations that help you author policies that are functional and conform to security best practices.
Inventory
You have one Lambda function jam-validate-iam-policy-with-access-analyzer.
Your Task
Update the AWS Lambda function jam-validate-iam-policy-with-access-analyzer to use IAM Access Analyzer policy validation capability.
Where to Start
From the AWS Management Console, go to the AWS Lambda console and review the source code of the Lambda function jam-validate-iam-policy-with-access-analyzer. The challenge will be automatically approved once you update the source code.
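The handler below is an added example of what that function can look like; it is not the challenge's own code. It lists every customer managed policy in the account, sends each default-version document to the Access Analyzer ValidatePolicy API (via boto3), and returns a report counting findings per type. The execution role is assumed to allow iam:ListPolicies, iam:GetPolicyVersion and access-analyzer:ValidatePolicy; the sample findings at the bottom are constructed to mirror the API's response shape so the summarising helper can be exercised without credentials.

```python
"""Lambda handler that validates every customer managed IAM policy with Access Analyzer.

Added example for this write-up, not the challenge's own code. It assumes the
execution role allows iam:ListPolicies, iam:GetPolicyVersion and
access-analyzer:ValidatePolicy; the function name in the challenge is
jam-validate-iam-policy-with-access-analyzer.
"""
import json

try:
    import boto3  # present in the Lambda runtime; optional so the pure helpers run offline
except ImportError:
    boto3 = None

# The four finding types Access Analyzer policy validation can return.
FINDING_TYPES = ("ERROR", "SECURITY_WARNING", "WARNING", "SUGGESTION")


def list_customer_policy_documents(iam):
    """Yield (policy ARN, default-version document) for each customer managed policy."""
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):
        for policy in page["Policies"]:
            version = iam.get_policy_version(
                PolicyArn=policy["Arn"], VersionId=policy["DefaultVersionId"]
            )
            # boto3 returns the document already URL-decoded and parsed as JSON.
            yield policy["Arn"], version["PolicyVersion"]["Document"]


def validate_document(analyzer, document, policy_type="IDENTITY_POLICY"):
    """Run ValidatePolicy on one document and collect every page of findings."""
    kwargs = {"policyDocument": json.dumps(document), "policyType": policy_type}
    findings = []
    while True:
        response = analyzer.validate_policy(**kwargs)
        findings.extend(response.get("findings", []))
        token = response.get("nextToken")
        if not token:
            return findings
        kwargs["nextToken"] = token


def summarize(policy_arn, findings):
    """Reduce raw findings to the fields worth reporting, with a count per finding type."""
    counts = dict.fromkeys(FINDING_TYPES, 0)
    items = []
    for finding in findings:
        counts[finding["findingType"]] = counts.get(finding["findingType"], 0) + 1
        items.append({
            "policy": policy_arn,
            "type": finding["findingType"],
            "code": finding["issueCode"],
            "details": finding["findingDetails"],
            "learnMore": finding.get("learnMoreLink"),
        })
    return {"policy": policy_arn, "counts": counts, "findings": items}


def build_report(iam, analyzer):
    """Validate every customer managed policy and return the aggregated report."""
    policies = [
        summarize(arn, validate_document(analyzer, doc))
        for arn, doc in list_customer_policy_documents(iam)
    ]
    total = sum(sum(p["counts"].values()) for p in policies)
    return {"totalFindings": total, "policies": policies}


def lambda_handler(event, context):
    report = build_report(boto3.client("iam"), boto3.client("accessanalyzer"))
    print(json.dumps(report, indent=2))  # visible in CloudWatch Logs and the console test output
    return report


# Constructed sample mirroring the ValidatePolicy response shape, so summarize() can be
# exercised without AWS credentials. Details text is illustrative.
SAMPLE_FINDINGS = [
    {"findingType": "SECURITY_WARNING", "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
     "findingDetails": "iam:PassRole with a wildcard resource can be overly permissive.",
     "learnMoreLink": "https://docs.aws.amazon.com/", "locations": []},
    {"findingType": "SUGGESTION", "issueCode": "EMPTY_SID_VALUE",
     "findingDetails": "Add a value to the empty string in the Sid element.",
     "learnMoreLink": "https://docs.aws.amazon.com/", "locations": []},
]

if __name__ == "__main__":
    print(json.dumps(summarize("arn:aws:iam::123456789012:policy/sample", SAMPLE_FINDINGS), indent=2))
```

The handler returns the report rather than only printing it, so the Lambda console's test output and any downstream consumer (Task 3) see the same structure; `validate_document` follows `nextToken` because a long policy can produce more findings than one page holds.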
Task 2: Add a scheduled event to your Lambda function
Possible Points: 40 Clue Penalty: 0 Points Earned: 40
Completed!
Background
You now have a Lambda function that can evaluate IAM policies using IAM Access Analyzer. You want to run this function periodically so that new or updated IAM policies are also evaluated.
Inventory
You have one Lambda function jam-validate-iam-policy-with-access-analyzer.
Your Task
Create a scheduled task to trigger the Lambda function each day.
Where to Start
You can start exploring Amazon EventBridge capabilities by going to the Amazon EventBridge console. The challenge will be automatically validated once the correct EventBridge rule is created.
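As an added example (not the challenge's own code), the script below creates the daily EventBridge rule with boto3 instead of the console: it checks the schedule expression locally, creates the rule, grants EventBridge permission to invoke the function with the permission scoped to that one rule's ARN, and attaches the function as the target. The function name is the one from the challenge; the rule name and the midnight-UTC schedule are choices made here, and the calls assume credentials allowing events:PutRule, events:PutTargets, lambda:GetFunction and lambda:AddPermission.

```python
"""Schedule the validation Lambda to run once a day through an EventBridge rule.

Added example for this write-up, not the challenge's own code. The function name is
the one from the challenge; the rule name and the midnight-UTC schedule are choices
made here.
"""
import re

try:
    import boto3
except ImportError:
    boto3 = None

FUNCTION_NAME = "jam-validate-iam-policy-with-access-analyzer"
RULE_NAME = "jam-validate-iam-policies-daily"  # assumed name for this example
DAILY_MIDNIGHT_UTC = "cron(0 0 * * ? *)"       # EventBridge cron: min hour dom month dow year

_RATE = re.compile(r"^rate\((\d+) (minute|minutes|hour|hours|day|days)\)$")
_CRON = re.compile(r"^cron\(([^()]*)\)$")


def check_schedule_expression(expr):
    """Syntax check for an EventBridge schedule expression.

    cron(...) needs six space-separated fields and exactly one of day-of-month /
    day-of-week set to '?'; rate(...) needs a positive value with a singular unit
    for 1 and a plural unit otherwise. Catching these locally avoids a PutRule
    ValidationException after the fact.
    """
    cron = _CRON.match(expr)
    if cron:
        fields = cron.group(1).split()
        if len(fields) != 6:
            return False
        day_of_month, day_of_week = fields[2], fields[4]
        return (day_of_month == "?") != (day_of_week == "?")
    rate = _RATE.match(expr)
    if not rate:
        return False
    value, unit = int(rate.group(1)), rate.group(2)
    return value >= 1 and (value == 1) == (not unit.endswith("s"))


def schedule_daily(function_name=FUNCTION_NAME, rule_name=RULE_NAME, expr=DAILY_MIDNIGHT_UTC):
    """Create (or update) the rule, grant EventBridge invoke rights, attach the target."""
    if not check_schedule_expression(expr):
        raise ValueError(f"invalid EventBridge schedule expression: {expr}")
    events = boto3.client("events")
    lam = boto3.client("lambda")

    rule_arn = events.put_rule(
        Name=rule_name,
        ScheduleExpression=expr,
        State="ENABLED",
        Description="Daily IAM policy validation with Access Analyzer",
    )["RuleArn"]
    function_arn = lam.get_function(FunctionName=function_name)["Configuration"]["FunctionArn"]

    # Resource policy scoped to this one rule: EventBridge can invoke the function,
    # but no other rule (or account) inherits that right.
    try:
        lam.add_permission(
            FunctionName=function_name,
            StatementId=f"{rule_name}-invoke",
            Action="lambda:InvokeFunction",
            Principal="events.amazonaws.com",
            SourceArn=rule_arn,
        )
    except lam.exceptions.ResourceConflictException:
        pass  # statement already exists from a previous run

    events.put_targets(
        Rule=rule_name, Targets=[{"Id": "validate-iam-policies", "Arn": function_arn}]
    )
    return rule_arn


if __name__ == "__main__":
    print(schedule_daily())
```

The `SourceArn` on the permission statement is the part the console wizard does for you silently; without it, any EventBridge rule in the account could invoke the function.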
Task 3: Remediate IAM Access Analyzer findings
Possible Points: 80 Clue Penalty: 0 Points Earned: 80
Completed!
Background
You now have an AWS Lambda function that evaluates AWS IAM policies with IAM Access Analyzer on a daily basis.
Inventory
You have one Lambda function jam-validate-iam-policy-with-access-analyzer.
You have one Amazon EventBridge scheduled event rule.
Your Task
Investigate and remediate the IAM Access Analyzer findings generated after the evaluation of existing IAM policies. The task will be automatically approved when all issues are resolved.
Where to Start
You can start by running the Lambda function jam-validate-iam-policy-with-access-analyzer and reviewing its output. The challenge will be automatically validated once the execution results of jam-validate-iam-policy-with-access-analyzer no longer contain any IAM Access Analyzer findings.
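The remediation loop, as an added example that is not the challenge's own code: read the run's report, list which policies still have open findings, fix the offending document, and publish it as the new default version. The report shape assumed here ({"policies": [{"policy": arn, "findings": [{"type", "code"}]}]}) is this example's own convention, the before/after policy pair and the account and role ARNs are constructed placeholders, and the IAM calls assume credentials allowing iam:ListPolicyVersions, iam:CreatePolicyVersion and iam:DeletePolicyVersion.

```python
"""Triage Access Analyzer findings and publish a scoped-down policy version.

Added example for this write-up, not the challenge's own code. Report shape, policy
documents and ARNs below are constructed placeholders.
"""
import json

try:
    import boto3
except ImportError:
    boto3 = None

MAX_MANAGED_POLICY_VERSIONS = 5  # IAM keeps at most five versions per managed policy


def policies_to_fix(report):
    """Map each policy ARN to the issue codes still open.

    The task is complete only when the run returns no findings at all, so every
    finding type counts, not just ERROR and SECURITY_WARNING.
    """
    open_issues = {}
    for entry in report.get("policies", []):
        codes = sorted({f["code"] for f in entry.get("findings", [])})
        if codes:
            open_issues[entry["policy"]] = codes
    return open_issues


def statements_with_wildcard_resource(document):
    """Local pre-check: indexes of Allow statements whose Resource is a bare '*'."""
    statements = document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for index, stmt in enumerate(statements):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources:
            hits.append(index)
    return hits


def publish_default_version(iam, policy_arn, document):
    """Publish `document` as the new default version; if the five-version limit is
    already reached, delete the oldest non-default version first."""
    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    if len(versions) >= MAX_MANAGED_POLICY_VERSIONS:
        oldest = min((v for v in versions if not v["IsDefaultVersion"]),
                     key=lambda v: v["CreateDate"])
        iam.delete_policy_version(PolicyArn=policy_arn, VersionId=oldest["VersionId"])
    return iam.create_policy_version(
        PolicyArn=policy_arn, PolicyDocument=json.dumps(document), SetAsDefault=True
    )["PolicyVersion"]["VersionId"]


# Constructed before/after pair. "Before" allows iam:PassRole on every role, which
# Access Analyzer reports as a security warning; "after" limits each action to the
# resources the workload actually needs (placeholder ARNs).
BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:CreateFunction", "iam:PassRole"], "Resource": "*"}
    ],
}
AFTER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "lambda:CreateFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/PLACEHOLDER-lambda-execution-role"},
    ],
}

# Constructed report resembling the output of one validation run.
SAMPLE_REPORT = {
    "totalFindings": 1,
    "policies": [
        {"policy": "arn:aws:iam::123456789012:policy/deploy", "findings": [
            {"type": "SECURITY_WARNING", "code": "PASS_ROLE_WITH_STAR_IN_RESOURCE"}]},
        {"policy": "arn:aws:iam::123456789012:policy/readonly", "findings": []},
    ],
}

if __name__ == "__main__":
    print(policies_to_fix(SAMPLE_REPORT))
    print(statements_with_wildcard_resource(BEFORE), statements_with_wildcard_resource(AFTER))
```

After publishing, rerun the validation function rather than trusting the local wildcard check: Access Analyzer also reports grammar errors, deprecated condition keys and suggestions that the local check does not see, and the challenge validator counts all of them.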
In fact, it is quite simple. The first task is to read the boto3 documentation carefully. The second task is to create a daily schedule (cron(0 0 * * ? *)). The third task is to restrict the IAM permissions by making the IAM policy specific.