Week 5 Worklog
Week 5 Objectives:
- Understand AWS Shared Responsibility Model and security best practices
- Master IAM fundamentals: Users, Groups, Roles, and Policies
- Learn AWS security services: KMS, Security Hub, CloudTrail
- Implement resource tagging and access control strategies
- Practice least privilege principle with IAM policies
Tasks to be carried out this week:
| Day | Task | Start Date | Completion Date | Reference Material |
|---|---|---|---|---|
| 1 | Study the Shared Responsibility Model (AWS vs. customer responsibilities); learn IAM fundamentals: Users, Groups, Roles, Policies; MFA and password policies | 2025/10/06 | 2025/10/06 | https://docs.aws.amazon.com/IAM/ |
| 2 | Deep dive into AWS security services: Amazon Cognito for user authentication; AWS Organizations for multi-account management; AWS Identity Center (SSO); KMS for encryption key management | 2025/10/07 | 2025/10/07 | https://docs.aws.amazon.com/kms/ |
| 3 | Lab 18: Security Hub implementation (enable Security Hub; review security scores). Lab 27: Resource tagging (create and manage tags; filter resources by tags; create Resource Groups) | 2025/10/08 | 2025/10/08 | https://000018.awsstudygroup.com/, https://000027.awsstudygroup.com/ |
| 4 | Lab 28: IAM Policies and Roles (create IAM users and policies; configure IAM roles; switch roles and test permissions; implement tag-based access control) | 2025/10/09 | 2025/10/09 | https://000028.awsstudygroup.com/ |
| 5 | Lab 30: IAM user restrictions (create restriction policies; test limited user permissions). Lab 44: Advanced IAM (create IAM groups and users; configure switch role with IP/time restrictions) | 2025/10/10 | 2025/10/10 | https://000030.awsstudygroup.com/, https://000044.awsstudygroup.com/ |
| 6 | Lab 33: KMS and CloudTrail (create KMS keys; encrypt S3 data; enable CloudTrail logging; query logs with Athena). Lab 48: IAM roles vs. access keys | 2025/10/11 | 2025/10/11 | https://000033.awsstudygroup.com/, https://000048.awsstudygroup.com/ |
| 7 | Lab 22: Automation with Lambda (create Lambda functions for EC2 start/stop; configure Slack notifications). Weekly review and cleanup | 2025/10/12 | 2025/10/12 | https://000022.awsstudygroup.com/ |
Week 5 Achievements:
IAM Mastery:
- Created and managed IAM users, groups, and roles
- Implemented custom IAM policies with least privilege principle
- Configured MFA for enhanced security
- Understood policy evaluation logic and permission boundaries
Security Services:
- Enabled AWS Security Hub for centralized security monitoring
- Reviewed security scores and compliance standards
- Configured AWS Organizations for multi-account governance
- Implemented AWS Identity Center for SSO access
Encryption & Key Management (Lab 33):
- Created and managed KMS customer-managed keys
- Encrypted S3 objects with KMS keys
- Configured key policies and grants
- Enabled CloudTrail for API logging
- Queried CloudTrail logs using Amazon Athena
Resource Tagging (Lab 27):
- Implemented tagging strategy for resource organization
- Created tags using Console and CLI
- Filtered resources by tags
- Created Resource Groups for bulk management
- Used tags for cost allocation and access control
Advanced IAM (Labs 28, 30, 44):
- Implemented tag-based access control (ABAC)
- Created IAM roles with assume role policies
- Configured switch role with IP and time restrictions
- Tested permission boundaries and service control policies
- Limited user actions based on resource tags
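As an added illustration (my own example, not a policy from the awsstudygroup labs), the following identity-based policy combines the Lab 44 switch-role restrictions with the Lab 28 tag-based control in one document. The account ID, role name, CIDR range, time window and the `Team` tag key are placeholders chosen for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeSwitchRoleOnlyFromAllowedIpDuringWindow",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::111122223333:role/SwitchRole-Lab44",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "203.0.113.0/24" },
        "DateGreaterThan": { "aws:CurrentTime": "2025-10-10T01:00:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2025-10-10T10:00:00Z" }
      }
    },
    {
      "Sid": "ManageOnlyInstancesTaggedWithCallersTeam",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:111122223333:instance/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}" }
      }
    },
    {
      "Sid": "DescribeInstancesHasNoResourceLevelScope",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
```

`aws:SourceIp` is matched against the public address AWS sees for the call, which is why a changed client IP produces the switch-role failure listed under Challenges; `aws:CurrentTime` compares against an absolute UTC timestamp, so a recurring daily window cannot be expressed as a time-of-day condition and the dates must be renewed.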
IAM Best Practices (Lab 48):
- Compared IAM roles vs access keys
- Implemented IAM roles for EC2 instances
- Eliminated hardcoded credentials
- Configured temporary security credentials
Automation (Lab 22):
- Created Lambda functions for EC2 lifecycle management
- Configured EventBridge rules for scheduling
- Integrated Slack webhooks for notifications
- Implemented tag-based automation
Challenges Encountered:
- Policy Syntax: JSON policy syntax errors → Used IAM Policy Simulator to validate policies
- Permission Denied: User couldn’t access resources → Added missing permissions and checked SCPs
- KMS Key Policy: Unable to use KMS key → Added IAM user/role to key policy
- CloudTrail Logs: Logs not appearing in S3 → Waited 15 minutes for log delivery
- Switch Role Failed: IP restriction blocking access → Updated condition to allow current IP
- Tag Propagation: Tags not applying to new resources → Enabled tag inheritance in Organizations
- Lambda Timeout: Function timing out → Increased timeout and optimized code