AWS accounts

Give learners access to AWS accounts.

This guide explains how to access an Amazon Web Services (AWS) account from Instruqt.

An AWS account is a container for your AWS resources. You create and manage your AWS resources in an AWS account, and the AWS account provides administrative capabilities for access and billing.
— AWS documentation

Before you begin

You must have already built a track to which you can add access to an AWS account.

Service Limits AWS accounts have built in service limits. If you plan to deploy complex network infrastructure check to make sure you do not exceed the EC2 service quota defaults.

Access AWS accounts

It is best to add the Instruqt Cloud Client container to your track to give a learner access to an AWS account. Because the Instruqt Cloud Client container:

Exposes links to the AWS Console for the resources configured in the config.yml file, with the credentials required to log in.
Includes the aws CLI, pre-configured with the required credentials.

The AWS Console and the aws CLI make it easy for content developers and learners to access AWS resources from the sandbox.

It takes the following steps to give learners access to an AWS account:

Add an Instruqt Cloud Client container to your track.
Add an AWS account to your track.
Add tabs to your challenges where you want to expose the AWS console or aws CLI.

Additionally, you can use:

A set of environment variables that are available in the aws CLI.
IAM policies and permissions.

Use the AWS Cloud Account template

Instead of building the track yourself, you can create a track with the AWS Cloud Template. The template includes:

The Instruqt Cloud Client container
A pre-defined AWS account
A challenge with tabs for AWS console and aws CLI

Step 1: Add an Instruqt Cloud Client container to your track

Click the track where you want to add an AWS account to. ↳ Instruqt shows the corresponding Track dashboard page.
In the Sandbox section, click Edit to open the Sandbox page.
Click + Add a host.
Pick the Container host type.
Input these values:
Field Value
Click Show optional settings. Enter these values:
Field Value
Click Save host to add the container.

Open the file config.yml in your code editor.

Copy and paste the following code under the containers property:

- name: cloud-client
  image: gcr.io/instruqt/cloud-client
  ports: [80]
  shell: /bin/bash

Step 2: Add an AWS account to your track

Click + Add a cloud account on the Sandbox page. ↳ The Add cloud account pop-up opens.
Select the Amazon provider.
In the Name field, enter awsaccount.
In the Services field, select the services that are going to be enabled.
In the Regions field, select the regions that are going to be enabled.

In the User IAM Policy field, enter an IAM policy in JSON format. For example to allow EC2 access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid":"EC2AllowDescribe",
        "Effect": "Allow",
        "Action": "ec2:Describe",
        "Resource": "*"
    }
  ]
}

In the Admin IAM Policy field, enter an IAM policy in JSON format. For example to allow EC2 access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid":"EC2DefaultAllow",
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*"
    }
  ]
}

In the SCP Policy field, enter an SCP policy in JSON format. This example limits the allowed instance types:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LimitInstanceTypeRun",
      "Action": [
        "ec2:RunInstances"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "ec2:InstanceType": [
            "t2.micro"
          ]
        }
      }
    },
    {
      "Sid": "LimitInstanceTypeModify",
      "Action": [
        "ec2:ModifyInstanceAttribute"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "ec2:Attribute/InstanceType": [
            "t2.micro"
          ]
        }
      }
    }
  ]
}

Click Save to add the AWS account. ↳ On the Sandbox page, you will see the new AWS account.
Click Back to track to return to the Track dashboard page.

Copy and paste the following code into config.yml:

aws_accounts:
- name: awsaccount
  services: []
  regions: []
  managed_policies: []

↳ Your config.yml file should be similar to this now:

version: "3"
containers:
- name: cloud-client
  image: gcr.io/instruqt/cloud-client
  ports: [80]
  shell: /bin/bash
aws_accounts:
- name: awsaccount
  services: []
  regions: []
  managed_policies: []

Only enabled services and regions configured by the team administrator can be selected and/or specified. See more details in Cloud services and regions

When specifying Admin Roles, an additional admin user and API Key will be created with the designated roles.

For setting up the cloud account in lifecycle scripts, it is recommended to use an admin user with elevated privileges. This ensures the ability to perform operations requiring higher privileges than those assigned to the end user.

Note: Admin credentials are injected exclusively into lifecycle scripts, unlike end user credentials which are exposed as environment variables on virtual machines and containers.

Step 3: Add tabs to expose the AWS console and `aws` CLI

In the Challenges section of the Track dashboard, click Add new, and select Assignment.
Input these values:
Field Value
Click Save.
Click Tabs followed by Add new tab.
Select the Your applications tab type.
Enter/select these values to set the AWS console:
Field Value
Click Save to add the tab.
Click Add new tab again.
Select the Terminal tab type.
Enter/select these values to set the aws CLI:
Field Value
Click Save to add the tab.
Click Back to track.
Click Play track and test your AWS account track.

Open a terminal and move to your track directory.
Enter the following command to create a new challenge:
```
instruqt challenge create --title "AWSaccount"
```
↳ Instruqt CLI created a directory for the challenge. And an assignment.md file inside the challenge directory.
Open the assignment.md file in your code editor.

Copy and paste the following code into assignment.md to set the AWS console and aws CLI:

---
slug: aws-ec2
type: challenge
title: AWS account
teaser: Learn to work with an AWS account
tabs:
- title: AWS Console
  type: service
  hostname: cloud-client
  path: /
  port: 80
- title: aws CLI
  type: terminal
  hostname: cloud-client
difficulty: basic
timelimit: 600
---

⇨ You can add the assignment text of your liking in Markdown after line 17.

Save file assignment.md.
Push the track to the Instruqt platform:
```
instruqt track push
```
Play and test the track:
```
instruqt track open
```
↳ Your browser opens, showing the Track overview page. Click Start track to play the track.

Environment variables

Adding an AWS account to your track also sets a list of environment variables that you can use in commands and scripts:

Example

This example shows the id of the AWS account from a terminal by using two environment variables. The value of the INSTRUQT_AWS_ACCOUNTS environment variable is inserted in the INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_ID environment variable.

To follow along:

Start your AWS account track and start the first challenge.
Move over to the Cloud CLI terminal and enter the following command:
```
eval echo "\${INSTRUQT_AWS_ACCOUNT_${INSTRUQT_AWS_ACCOUNTS}_ACCOUNT_ID}"
```
↳ The terminal shows the id of your AWS account project.

Setting policies and permissions

AWS accounts have the following settings to configure policies and permissions:

Managed policies
Identity And Access (IAM) policies
Service control policies (SCP) policies

Setting managed policies

An AWS managed policy is a standalone policy that is created and administered by AWS.
— AWS documentation

The managed policies method is easier than the IAM and SCP policies but may grant learners more than the minimum access required to complete a track. The following example grants Virtual Private Cloud (VPC) administrator access, which allows learners to create and manage VPC networks:

Update your AWS account by entering the following in the User Managed Policies field:

arn:aws:iam::aws:policy/AmazonVPCFullAccess

And clicking Add.

Edit your config.yml file to include this content:

aws_accounts:
- name: awsaccount
  managed_policies:
  - arn:aws:iam::aws:policy/AmazonVPCFullAccess

See AWS managed policies on the AWS docs site for more information.

Setting IAM policies

IAM policies define permissions for an action regardless of the method that you use to perform the operation.
— AWS documentation

For more fine-grained control, you can set IAM policies. The following example sets a managed policy that limits the EC2 instance types to only several t2 and t3 instances. Note the use of the pipe symbol | to indicate that a multi-line JSON policy will follow.

Update your AWS account by entering the following pin the IAM policy field:

|
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RequireLessThanXLInstanceType",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {
            "StringNotEquals": {
              "ec2:InstanceType": [
                "t2.nano",
                "t2.micro",
                "t2.small",
                "t2.medium",
                "t2.large",
                "t3.nano",
                "t3.micro",
                "t3.small",
                "t3.medium",
                "t3.large"
              ]
            }
          }
        }
      ]
    }

Edit your config.yml file to include this content:

aws_accounts:
- name: awsaccount
  iam_policy: |
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RequireLessThanXLInstanceType",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/",
          "Condition": {
            "StringNotEquals": {
              "ec2:InstanceType": [
                "t2.nano",
                "t2.micro",
                "t2.small",
                "t2.medium",
                "t2.large",
                "t3.nano",
                "t3.micro",
                "t3.small",
                "t3.medium",
                "t3.large"
              ]
            }
          }
        }
      ]
    }

See IAM on the AWS docs site for more information.

Setting SCP policies

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.
— AWS documentation

For more fine-grained control, you can also set SCP policies. The following example disallows EC2 instance types except t2.large.

Update your AWS account by entering the following in the SCP policy field:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireLessThanXLInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t2.large"
          ]
        }
      }
    }
  ]
}

Edit your config.yml file to include this content:

aws_accounts:
- name: awsaccount
  scp_policy: |-
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RequireLessThanXLInstanceType",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:::instance/*",
          "Condition": {
            "StringNotEquals": {
              "ec2:InstanceType": [
                "t2.large"
              ]
            }
          }
        }
      ]
    }

See Service control policies on the AWS docs site for more information.

Example SCP policies:

Limiting the instance types that can be used in EC2

To limit the allowed instance types, both the ec2.RunInstances as the ec2.ModifyInstanceAttributes actions need to be specified. The example below limits instance types to t2.micro only.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LimitInstanceTypeRun",
      "Action": [
        "ec2:RunInstances"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "ec2:InstanceType": [
            "t2.micro"
          ]
        }
      }
    },
    {
      "Sid": "LimitInstanceTypeModify",
      "Action": [
        "ec2:ModifyInstanceAttribute"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "ec2:Attribute/InstanceType": [
            "t2.micro"
          ]
        }
      }
    }
  ]
}

Awesome! Your learners can now access AWS accounts. But there is more. You can also give them access to:

PreviousCloud accounts NextAzure subscriptions

Last updated 4 months ago

Before you begin

Access AWS accounts

Step 1: Add an Instruqt Cloud Client container to your track

Step 2: Add an AWS account to your track

Step 3: Add tabs to expose the AWS console and aws CLI

Environment variables

Example

Setting policies and permissions

Setting managed policies

Setting IAM policies

Setting SCP policies

Example SCP policies:

Step 3: Add tabs to expose the AWS console and `aws` CLI