-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathmain.yaml
228 lines (214 loc) · 7.79 KB
/
main.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
AWS CloudFormation Template for Tokopedia Academy 2022 participants.
There are few resources that are created in this CloudFormation file:
1. 1x S3 Bucket where the Bucket Policy is configured to be public
2. 3x EC2 instances with port 80 & 22 open, and Test VM
3. 3x Security Groups for each EC2 instances to configure firewall
Parameters:
# as the S3 bucket name needs to be globally unique, participants needs to add random digit
# characters to be able to create the bucket
BucketChars:
Description: Please enter 4 random digit characters
Type: String
InstanceType:
Description: EC2 instance type
Type: String
Default: t2.micro
AllowedValues:
- t2.micro
ConstraintDescription: must be a valid EC2 instance type.
# need to create EC2 KeyPair first before proceeding to run the CloudFormation
KeyName:
Default: "EC2 KeyPair"
Description: "The existing of EC2 KeyPair name to enable SSH access to the instance"
Type: "AWS::EC2::KeyPair::KeyName"
ConstraintDescription: The existing of EC2 KeyPair name.
Mappings:
AWSInstanceType2Arch:
t2.micro:
Arch: HVM64
AWSRegionArch2AMI:
# ap-southeast-1: #Singapore region
# HVM64: ami-0ba35dc9caf73d1c7
# HVMG2: ami-0e46ce0d6a87dc979
ap-southeast-2: #Australia region
HVM64: ami-0ae99b503e8694028
HVMG2: ami-0c0ab057a101d8ff2
#us-east-1:
# HVM64: ami-6869aa05
# HVMG2: ami-50b4f047
#us-west-2:
# HVM64: ami-7172b611
# HVMG2: ami-002bf460
#us-west-1:
# HVM64: ami-31490d51
# HVMG2: ami-699ad409
#eu-west-1:
# HVM64: ami-f9dd458a
# HVMG2: ami-f0e0a483
#eu-central-1:
# HVM64: ami-ea26ce85
# HVMG2: ami-d9d62ab6
Resources:
#Create S3 Bucket and enable Public Access to S3 bucket
#set the PublicAccessBlock to FALSE
S3PublicRead:
Type: "AWS::S3::Bucket"
Properties:
BucketName:
!Join ["-", [s3-public-read-cloudsec-academy, !Ref BucketChars]]
PublicAccessBlockConfiguration:
BlockPublicAcls: FALSE #Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket.
BlockPublicPolicy: FALSE #Specifies whether Amazon S3 should block public bucket policies for this bucket.
IgnorePublicAcls: FALSE #Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket.
RestrictPublicBuckets: FALSE #Specifies whether Amazon S3 should restrict public bucket policies for this bucket.
##### 1. EC2 Instance Target 1 ("tkpd-ec2-port-22") #####
# Create EC2 Instance with port 80 open and using the "InstanceSecurityGroup80"
# Security Group to open port 80 for the created instance. Also, add startup
# script to run Welcome page
EC2Instance80:
Type: "AWS::EC2::Instance"
Properties:
InstanceType: !Ref InstanceType
SecurityGroups:
- !Ref InstanceSecurityGroup80
ImageId: !FindInMap
- AWSRegionArch2AMI
- !Ref "AWS::Region"
- !FindInMap
- AWSInstanceType2Arch
- !Ref InstanceType
- Arch
Tags:
- Key: Name
Value: tkpd-ec2-port-80
UserData:
Fn::Base64: !Sub |
#!/bin/bash
yum install httpd -y
service httpd start
echo "<html><body><h1>Welcome to Tokopedia Academy 2022. This instance is hosted from Region ${AWS::Region}<h1></body></html>" > /var/www/html/index.html
##### Create Security Group to open port 80 to the whole internet #####
# Note: it is highly discourage to allow 0.0.0.0/0 in your network.
# The best practice is to narrow the CIDR ranges to the needs
# such as 175.126.0.0/28, 175.126.12.12/32, etc
InstanceSecurityGroup80:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: Enable http port open
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: "80"
ToPort: "80"
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: tkpd-sg-port-80
##### 2. EC2 Instance Target 2 ("tkpd-ec2-port-80") #####
# Create EC2 Instance with port 80 open and using the "InstanceSecurityGroup22"
# Security Group to open port 80 for the created instance. Also, add startup
# script to run Welcome page
EC2Instance22:
Type: "AWS::EC2::Instance"
Properties:
InstanceType: !Ref InstanceType
SecurityGroups:
- !Ref InstanceSecurityGroup22
ImageId: !FindInMap
- AWSRegionArch2AMI
- !Ref "AWS::Region"
- !FindInMap
- AWSInstanceType2Arch
- !Ref InstanceType
- Arch
Tags:
- Key: Name
Value: tkpd-ec2-port-22
# Create Security Group to open port 22 to the whole internet
# Note: it is highly discourage to allow 0.0.0.0/0 in your network.
# The best practice is to narrow the CIDR ranges to the needs
# such as 175.126.0.0/28, 175.126.12.12/32, etc
InstanceSecurityGroup22:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: Enable ssh port (22) open
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: "22"
ToPort: "22"
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: tkpd-sg-port-22
##### 3. EC2 Instance Target 3 ("tkpd-ec2-ext-conn") #####
# Create EC2 Instance that does external connection to the internet
# Security Group to open port 80 for the created instance. Also, add startup
# script to run Welcome page
EC2InstanceTester:
Type: "AWS::EC2::Instance"
Properties:
InstanceType: !Ref InstanceType
SecurityGroups:
- !Ref InstanceSecurityGroupTester
ImageId: !FindInMap
- AWSRegionArch2AMI
- !Ref "AWS::Region"
- !FindInMap
- AWSInstanceType2Arch
- !Ref InstanceType
- Arch
KeyName: !Ref KeyName
Tags:
- Key: Name
Value: tkpd-ec2-ext-conn
UserData:
Fn::Base64: !Sub |
#!/bin/bash
mkdir domains && curl https://raw.githubusercontent.com/jasongautama/academy-repo/main/queries.txt > ./domains/queries.txt
curl https://raw.githubusercontent.com/jasongautama/academy-repo/main/guard-duty-tester.sh > guard-duty-tester.sh
chmod a+x guard-duty-tester.sh && ./guard-duty-tester.sh
# Create Security Group to open port 22 to the whole internet
# Note: it is highly discourage to allow 0.0.0.0/0 in your network.
# The best practice is to narrow the CIDR ranges to the needs
# such as 175.126.0.0/28, 175.126.12.12/32, etc
InstanceSecurityGroupTester:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: Sec Group for Tester Instance
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: "22"
ToPort: "22"
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: tkpd-sg-tester
Outputs:
PublicReadBucket:
Description: S3 Bucket that is made to be public
Value: !Ref S3PublicRead
InstanceIdEC2p80:
Description: InstanceId of EC2 instance with port 80 open
Value: !Ref EC2Instance80
InstanceIdEC2p22:
Description: InstanceId of EC2 instance with port 22 open
Value: !Ref EC2Instance22
InstanceIdEC2Tester:
Description: InstanceId of EC2 instance ("tkpd-ec2-ext-conn")
Value: !Ref EC2InstanceTester
PublicDNSport80:
Description: Use this DNS url to visit the welcome page
Value: !GetAtt
- EC2Instance80
- PublicDnsName
PublicIPport80:
Description: Public IP address for EC2 port 80 ("tkpd-ec2-port-80") instance
Value: !GetAtt
- EC2Instance80
- PublicIp
CurrentAvailabilityZone:
Description: Availability Zone of the newly created EC2 instance
Value: !GetAtt
- EC2Instance80
- AvailabilityZone