Chapter 3 Use cases

3.1 Problem

Your company just bought a large dataset from a vendor (Cloud Summit) that can enable new business and capabilities for the company. You are asked to build a secure AWS infrastructure that lets the vendor securely transfer data to the company. We’ll use your personal AWS account as your company’s AWS account. Cloud Summit will provide an account to act as the external company’s (the vendor’s) account in this tutorial.

3.2 Solution

  • Your company’s AWS account (aka your personal AWS account):
    • Create an admin group and an admin user
    • Create an S3 bucket with server-side encryption enforced using the AWS KMS service.
    • Create a KMS key to be used to encrypt files at rest
    • Ask the vendor to generate a random alphanumeric string (the external ID) for increased security.
    • Create an external role for the vendor
    • Attach permissions to write to the S3 bucket and to use the KMS key to the external role
    • Provide the role ARN, KMS key ID and S3 bucket name to the vendor
  • The vendor’s (Cloud Summit’s) AWS account:
    • Create a group for the use case
    • Identify or create users for this group
    • Attach a policy to the group that allows assuming the role
    • Users set up the AWS command-line tool or SDK to assume the role
    • Users upload files to the S3 bucket while specifying the KMS key ID.

3.3 Step by step guide

Cloud summit’s aws account is the vendor’s account. Your personal account is your company’s account.

The vendor (cloud summit) has provided the following information:

  • Account number: 743355281737
  • external ID: be740d03293890c9

3.3.1 Collect information on your AWS account

  1. Login to aws console
  2. Write down your aws account number
  3. Create a user named admin-user from the AWS console
  4. Create an access key for admin-user from the AWS console. Download the CSV file to your local machine.

3.3.2 Use Cloud Summit EC2 to create resources in your AWS account

We have created an EC2 instance for you to use. In order to use it, you’ll need an SSH client on your desktop.

  1. Get an SSH client for your laptop.
  • Mac: just use Terminal or iTerm
  • Windows: PuTTY
  2. SSH to the EC2 instance with the provided username, password and IP
  3. Check if the aws command is available

If the command is not found, run the following command first.

Note that we are using an EC2 instance inside Cloud Summit’s AWS account, but in this step we are creating resources in your personal AWS account.

  4. Configure the AWS default profile

The command will ask for your access keys and default AWS settings.

Enter the admin user’s access key and secret access key. Choose us-east-1 for the region and json for the output format.

  5. Clone the git repo
  6. Change the following values in the file terraform.tfvars

Save the file and exit.

  7. Initialize terraform
  8. Plan terraform
  9. Create the resources

Type yes when you are asked whether the resources should be created. The output will look like the following:

You’ll need to write down the KMS key ID and the external role ARN.
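The policy documents that realise the design listed in 3.2 (and that the Terraform in this step creates) are written out below as an added example using the aws cli. This is not the tutorial's Terraform, whose files are not reproduced here. The vendor account number and the external ID are the values given in this chapter; the company account number, the bucket name and the role name are assumed placeholders.

```shell
#!/bin/sh
# Added example: policies behind the design in 3.2, applied with the aws cli
# instead of the tutorial's Terraform. "assumed" values are placeholders.
COMPANY_ACCOUNT="${COMPANY_ACCOUNT:-111111111111}"   # assumed: your own account number
BUCKET="${BUCKET:-example-vendor-upload-bucket}"      # assumed bucket name
ROLE_NAME="${ROLE_NAME:-vendor-upload-role}"          # assumed role name
VENDOR_ACCOUNT="743355281737"                         # vendor account from the tutorial
EXTERNAL_ID="be740d03293890c9"                        # external ID from the tutorial

# Trust policy: only principals in vendor account $1 may assume the role, and only
# when they present external ID $2. The external ID stops a third party who learns
# the role ARN from getting the vendor to assume it on their behalf (confused deputy).
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::$1:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "$2"}}
  }]
}
EOF
}

# Permissions attached to the role: write into bucket $1 and use KMS key $2.
# Multipart uploads with SSE-KMS need kms:Decrypt as well as kms:GenerateDataKey.
role_permissions_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::$1/*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::$1"},
    {"Effect": "Allow",
     "Action": ["kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
     "Resource": "$2"}
  ]
}
EOF
}

# Bucket policy on $1: deny every PutObject that is not SSE-KMS with key ARN $2.
# The conditions are evaluated on the request headers, so a client that omits the
# encryption flags is denied even though the bucket also has default encryption.
bucket_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::$1/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyNonKmsEncryption", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::$1/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::$1/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "$2"}}}
  ]
}
EOF
}

# Apply everything in the company account using the admin profile from this step.
# Not run by default; call create_company_resources after reviewing the documents.
# create-key without --policy uses the default key policy, which lets IAM policies
# in this account (the role's policy above) grant use of the key.
create_company_resources() {
  tmp=$(mktemp -d)
  key_arn=$(aws kms create-key --description "vendor upload key" \
              --query KeyMetadata.Arn --output text)
  aws s3api create-bucket --bucket "$BUCKET" --region us-east-1
  aws s3api put-bucket-encryption --bucket "$BUCKET" \
    --server-side-encryption-configuration \
    "{\"Rules\":[{\"ApplyServerSideEncryptionByDefault\":{\"SSEAlgorithm\":\"aws:kms\",\"KMSMasterKeyID\":\"$key_arn\"}}]}"
  bucket_policy "$BUCKET" "$key_arn" > "$tmp/bucket-policy.json"
  aws s3api put-bucket-policy --bucket "$BUCKET" --policy "file://$tmp/bucket-policy.json"
  trust_policy "$VENDOR_ACCOUNT" "$EXTERNAL_ID" > "$tmp/trust.json"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$tmp/trust.json" --query Role.Arn --output text
  role_permissions_policy "$BUCKET" "$key_arn" > "$tmp/permissions.json"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name vendor-upload \
    --policy-document "file://$tmp/permissions.json"
  echo "KMS key ARN: $key_arn"   # hand the key ID, role ARN and bucket name to the vendor
}

# Default action: render the three documents for review before applying them.
trust_policy "$VENDOR_ACCOUNT" "$EXTERNAL_ID"
role_permissions_policy "$BUCKET" "arn:aws:kms:us-east-1:$COMPANY_ACCOUNT:key/<key-id>"
bucket_policy "$BUCKET" "arn:aws:kms:us-east-1:$COMPANY_ACCOUNT:key/<key-id>"
```

Running the script prints the rendered policies; `create_company_resources` is the only function that talks to AWS. The three deny statements are what makes the final check in 3.3.3 fail: a request without the `x-amz-server-side-encryption` header hits the `Null` condition, one with a different algorithm hits the second, and one with a different key hits the third.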

3.3.3 Vendor (cloud summit) AWS

  1. Add a new AWS profile named tutorial

The access keys will be provided during the tutorial.

  2. Configure the assume-role profile

    Add the following to the end of ~/.aws/config

  3. Create a dummy file to be uploaded to the S3 bucket
  4. Upload the file using the AWS command line
  5. Try uploading the file without the KMS key ID

The command will fail because the bucket policy does not allow file uploads without the KMS key.
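The vendor side of the exchange, as an added example rather than the tutorial's own commands: the group policy that only allows assuming the role, the assume-role profile stanza for ~/.aws/config from step 2, and the two uploads from steps 4 and 5. The external ID and the profile name `tutorial` come from this chapter; the role ARN, KMS key ID, bucket name and the profile name `vendor-upload` are assumed placeholders.

```shell
#!/bin/sh
# Added example: vendor-side configuration for 3.3.3. "assumed" values are
# placeholders; the company supplies the real role ARN, key ID and bucket name.
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::111111111111:role/vendor-upload-role}"  # assumed role ARN
KMS_KEY_ID="${KMS_KEY_ID:-00000000-0000-0000-0000-000000000000}"          # assumed key ID
BUCKET="${BUCKET:-example-vendor-upload-bucket}"                          # assumed bucket
EXTERNAL_ID="be740d03293890c9"   # external ID from the tutorial
SOURCE_PROFILE="tutorial"        # the credentials profile added in step 1
ROLE_PROFILE="vendor-upload"     # assumed name for the assume-role profile

# Policy the vendor attaches to its group: the only permission is assuming the
# one role ARN passed as $1. Upload rights come from the role, not from the user.
group_assume_role_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "$1"}]
}
EOF
}

# Append an assume-role profile named $2 to config file $1 (step 2), skipping the
# write if it is already there. The cli takes long-lived keys from source_profile
# and sends external_id in the AssumeRole call, where the company's trust policy
# checks it.
write_assume_role_profile() {
  cfg=$1; name=$2
  if [ -f "$cfg" ] && grep -q "^\[profile $name\]" "$cfg"; then
    return 0
  fi
  cat >> "$cfg" <<EOF

[profile $name]
role_arn = $ROLE_ARN
source_profile = $SOURCE_PROFILE
external_id = $EXTERNAL_ID
region = us-east-1
EOF
}

# Number of times profile $2 is defined in $1 (1 means the file is sane).
profile_count() { grep -c "^\[profile $2\]" "$1"; }

# Confirm the role actually resolves before uploading anything.
whoami_as_role() { aws sts get-caller-identity --profile "$ROLE_PROFILE"; }

# Step 4: upload with SSE-KMS and the company's key, as the bucket policy requires.
upload_encrypted() {
  aws s3 cp "$1" "s3://$BUCKET/$(basename "$1")" --profile "$ROLE_PROFILE" \
    --sse aws:kms --sse-kms-key-id "$KMS_KEY_ID"
}

# Step 5: the same upload without the encryption flags. Expect AccessDenied from
# the bucket policy; a success here would mean the enforcement is missing.
upload_unencrypted() {
  aws s3 cp "$1" "s3://$BUCKET/$(basename "$1")" --profile "$ROLE_PROFILE"
}

# Demonstration on a throwaway config file rather than the real ~/.aws/config.
demo_cfg=$(mktemp)
write_assume_role_profile "$demo_cfg" "$ROLE_PROFILE"
write_assume_role_profile "$demo_cfg" "$ROLE_PROFILE"   # second call is a no-op
cat "$demo_cfg"
group_assume_role_policy "$ROLE_ARN"
rm -f "$demo_cfg"
```

To use it for real, call `write_assume_role_profile "$HOME/.aws/config" vendor-upload`, then `whoami_as_role` and `upload_encrypted dummy.txt`. If the `external_id` in the profile does not match the condition in the company's trust policy, the AssumeRole call itself is refused and no upload is attempted, which is a useful first thing to check when step 4 fails.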