This repository contains a demo project created as part of my DevOps studies in the TechWorld with Nana – DevOps Bootcamp.
https://www.techworld-with-nana.com/devops-bootcamp
Demo Project: Interacting with AWS CLI
Technologies used: AWS, Linux
Project Description:
- Install & configure AWS CLI to connect to our AWS account
- Create EC2 Instance using AWS CLI with all configurations like Security Group
- Create SSH key pair
- Create IAM resources like User, Group, Policy using the AWS CLI
- List and browse AWS resources using the AWS CLI
AWS CLI installation documentation: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
Configure the AWS CLI with a named profile:

```bash
aws configure --profile admin
```

Enter the credentials from the downloaded .csv for the admin account:

```
AWS Access Key ID [None]: <from csv>
AWS Secret Access Key [None]: <from csv>
Default region name [None]: <region>   # e.g. us-east-1
Default output format [None]: json
```
List the VPCs to find the VPC ID to use:

```bash
aws ec2 describe-vpcs --profile admin
```

Create a security group for the instance:

```bash
aws ec2 create-security-group \
  --profile admin \
  --group-name app-96-sg \
  --description "SG App 96" \
  --vpc-id "<YOUR_VPC_ID>"
```

Grab your public IP:
```bash
curl ipinfo.io/ip
```

Allow SSH from your IP only:

```bash
aws ec2 authorize-security-group-ingress \
  --profile admin \
  --group-id "<YOUR_GROUP_ID>" \
  --protocol tcp \
  --port 22 \
  --cidr "<YOUR_IP>/32"
```

Create an SSH key pair and save the private key locally:

```bash
aws ec2 create-key-pair \
  --profile admin \
  --key-name app-96-key \
  --query "KeyMaterial" \
  --output text > app-96-key.pem
```

List the subnets in the VPC:

```bash
aws ec2 describe-subnets --profile admin
```

Use the SubnetId from the euc1-az1 availability zone.
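The ingress rule above deliberately limits SSH to one /32. A quick way to confirm nothing wider slipped in (for example a rule added later from the console) is to review the JSON that `aws ec2 describe-security-groups --profile admin` prints. The script below is an added example, not part of this demo project: it parses a constructed sample of that output (group ID, VPC ID and CIDRs are placeholders) and reports every rule that lets port 22 in from more than a single host, including an all-protocols rule.

```python
"""Flag security group rules that expose SSH to more than one host."""
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupName": "app-96-sg",
            "GroupId": "sg-0123456789abcdef0",   # placeholder
            "VpcId": "vpc-0123456789abcdef0",    # placeholder
            "IpPermissions": [
                {   # the rule this demo creates: SSH from one address only
                    "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
                    "Ipv6Ranges": [],
                },
                {   # should be flagged: SSH open to the whole internet
                    "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                    "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                },
                {   # should be flagged: all traffic from anywhere covers 22 too
                    "IpProtocol": "-1",
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                    "Ipv6Ranges": [],
                },
            ],
        }
    ]
})


def rule_covers_port(perm, port):
    """True if an IpPermissions entry matches the given TCP port."""
    if perm.get("IpProtocol") == "-1":      # -1 means all protocols and ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def cidr_wider_than_host(cidr):
    """True for any prefix that covers more than a single address."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses > 1


def find_exposed_ssh(describe_output, port=22):
    """Return (group_id, cidr) pairs whose rule admits `port` from a range."""
    findings = []
    for group in json.loads(describe_output)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            if not rule_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr_wider_than_host(cidr):
                    findings.append((group["GroupId"], cidr))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_DESCRIBE_OUTPUT with the real CLI output to review a live group.
    for group_id, cidr in find_exposed_ssh(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{group_id}: port 22 reachable from {cidr}")
```

Run it against real output with `aws ec2 describe-security-groups --profile admin > sg.json` and `json.loads(open("sg.json").read())` in place of the sample; an empty result means only single-host rules reach port 22.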
Go to EC2 → Images → AMI Catalog and search for the desired Amazon Linux image.

Note: AMI IDs are region-specific. The example below is for eu-central-1.

Image ID: ami-096a4fdbcf530d8e0
Launch the instance:

```bash
aws ec2 run-instances \
  --profile admin \
  --image-id <YOUR_AMI_ID> \
  --count 1 \
  --instance-type t2.micro \
  --key-name app-96-key \
  --security-group-ids <YOUR_SECURITY_GROUP_ID> \
  --subnet-id <YOUR_SUBNET_ID>
```

Get the instance's public IP:

```bash
aws ec2 describe-instances --profile admin
```

Restrict access to the key file and connect via SSH:

```bash
chmod 400 app-96-key.pem
ssh -i app-96-key.pem ec2-user@<YOUR_INSTANCE_IP>
```

Create an IAM group and user, then add the user to the group:

```bash
aws iam create-group --group-name group-cli --profile admin
aws iam create-user --user-name user-cli --profile admin
aws iam add-user-to-group \
  --user-name user-cli \
  --group-name group-cli \
  --profile admin
```

Verify the user belongs to the group:
```bash
aws iam get-group --group-name group-cli --profile admin
```

Grab the AmazonEC2FullAccess policy ARN:

- Option A — AWS Console: Go to IAM → Policies, search for AmazonEC2FullAccess, and copy the ARN.
- Option B — AWS CLI:

```bash
aws iam list-policies \
  --query 'Policies[?PolicyName==`AmazonEC2FullAccess`].Arn' \
  --output text \
  --profile admin
```

ARN: arn:aws:iam::aws:policy/AmazonEC2FullAccess
Attach the policy to the group:

```bash
aws iam attach-group-policy \
  --group-name group-cli \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess \
  --profile admin
```

Verify the policy is attached:

```bash
aws iam list-attached-group-policies --group-name group-cli --profile admin
```

Assign a temporary password (user must reset on first login):

```bash
aws iam create-login-profile \
  --user-name user-cli \
  --password P@ssw0rd \
  --password-reset-required \
  --profile admin
```

Create a policy that allows users to change their own password. See password-policy.json for the policy document.
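The repository keeps the policy document in password-policy.json, which is not shown here. The script below is an added example, not the project's own file: the statement it writes is an assumption about what a self-service password policy should contain, following the pattern of granting `iam:ChangePassword` only on the caller's own user via the `${aws:username}` policy variable (plus `iam:GetAccountPasswordPolicy`, which has no resource ARN, so the user can read the complexity rules). The account ID is a placeholder. The `unscoped_change_password` check catches the common mistake of writing `"Resource": "*"`, which would let every member of group-cli change any user's password.

```python
"""Generate password-policy.json scoped to the calling user, and check it."""
import json


def build_change_password_policy(account_id):
    """Return the policy document as a dict, scoped to the caller's own user."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ViewPasswordRules",
                "Effect": "Allow",
                "Action": "iam:GetAccountPasswordPolicy",
                "Resource": "*",   # read-only action with no resource ARN
            },
            {
                "Sid": "ChangeOwnPasswordOnly",
                "Effect": "Allow",
                "Action": "iam:ChangePassword",
                # ${aws:username} is resolved to the calling user by IAM
                "Resource": f"arn:aws:iam::{account_id}:user/${{aws:username}}",
            },
        ],
    }


def unscoped_change_password(policy):
    """Return Sids of Allow statements that grant iam:ChangePassword on every
    user (Resource "*" or a user/* wildcard). An empty list is the goal."""
    offenders = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("iam:ChangePassword", "iam:*", "*") for a in actions):
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res == "*" or res.endswith(":user/*"):
                offenders.append(stmt.get("Sid", "<no Sid>"))
    return offenders


def write_policy_file(path, account_id):
    """Write the document to `path` (what `--policy-document file://...` reads)."""
    policy = build_change_password_policy(account_id)
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    return policy


if __name__ == "__main__":
    doc = write_policy_file("password-policy.json", "123456789012")  # placeholder account
    print(json.dumps(doc, indent=2))
    print("unscoped statements:", unscoped_change_password(doc))
```

Run it once with your own account ID before `aws iam create-policy`, and keep the check in place if the document is ever edited by hand.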
```bash
aws iam create-policy \
  --policy-name ChangePassword \
  --policy-document file://password-policy.json \
  --profile admin
```

Attach the new policy to the group (use the ARN returned by the previous command):

```bash
aws iam attach-group-policy \
  --group-name group-cli \
  --policy-arn <CHANGE_PASSWORD_POLICY_ARN> \
  --profile admin
```

Log in to the AWS Console as user-cli and reset the password when prompted.

Create access keys for user-cli:

```bash
aws iam create-access-key --user-name user-cli --profile admin
```

Set the returned credentials as environment variables to use user-cli as the default identity:

```bash
export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_DEFAULT_REGION=<your-region>   # e.g. us-east-1
```

Verify the access keys work (EC2 is permitted):

```bash
aws ec2 describe-instances
```

Verify that unauthorized operations are blocked:
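One way to make this verification repeatable, as an added example that is not part of the original project: run a small set of probe commands with the user-cli keys exported above and compare each outcome with what the attached policies should permit. The probe list is an assumption chosen for this demo (EC2 describe calls should succeed under AmazonEC2FullAccess; IAM and S3 reads should be refused because nothing grants them). EC2 reports a refusal as `UnauthorizedOperation`, other services as `AccessDenied`, so both are treated as a denial; any other failure (expired keys, no network) is reported as an error rather than silently counted as "blocked".

```python
"""Confirm user-cli can read EC2 and is denied everything else."""
import subprocess

# (arguments after "aws", expect_allowed) -- assumed probe set for this demo
PROBES = [
    (["ec2", "describe-instances"], True),   # covered by AmazonEC2FullAccess
    (["ec2", "describe-vpcs"], True),
    (["iam", "list-users"], False),          # no IAM read permission attached
    (["s3", "ls"], False),                   # no S3 permission attached
]


def run_aws(args):
    """Run `aws <args>` with the credentials in the environment; return (exit code, stderr)."""
    proc = subprocess.run(["aws", *args], capture_output=True, text=True)
    return proc.returncode, proc.stderr


def classify(exit_code, stderr):
    """Map a CLI result to 'allowed', 'denied' or 'error'."""
    if exit_code == 0:
        return "allowed"
    if "AccessDenied" in stderr or "UnauthorizedOperation" in stderr:
        return "denied"
    return "error"


def verify_least_privilege(probes=PROBES, run=run_aws):
    """Return (command, expected, observed) for each probe that did not behave
    as expected; an empty list means the policies are as tight as intended."""
    mismatches = []
    for args, expect_allowed in probes:
        observed = classify(*run(args))
        expected = "allowed" if expect_allowed else "denied"
        if observed != expected:
            mismatches.append((" ".join(args), expected, observed))
    return mismatches


if __name__ == "__main__":
    problems = verify_least_privilege()
    for cmd, expected, observed in problems:
        print(f"MISMATCH: aws {cmd}: expected {expected}, got {observed}")
    if not problems:
        print("all probes behaved as expected")
```

The `run` parameter exists so the decision logic can be exercised without real credentials; in normal use leave it at the default, which calls the installed `aws` binary.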
Run the following commands in order to remove all created resources. Replace all <placeholders> with your actual values.

- Terminate EC2 instance

```bash
aws ec2 terminate-instances --instance-ids <INSTANCE_ID>
```

- Delete access keys for user-cli

```bash
aws iam delete-access-key \
  --user-name user-cli \
  --access-key-id <ACCESS_KEY_ID> \
  --profile admin
```

- Delete login profile (console password) for user-cli

```bash
aws iam delete-login-profile --user-name user-cli --profile admin
```

- Detach policies from the group

```bash
aws iam detach-group-policy \
  --group-name group-cli \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess \
  --profile admin
aws iam detach-group-policy \
  --group-name group-cli \
  --policy-arn <CHANGE_PASSWORD_POLICY_ARN> \
  --profile admin
```

- Delete the custom ChangePassword policy

```bash
aws iam delete-policy --policy-arn <CHANGE_PASSWORD_POLICY_ARN> --profile admin
```

- Remove user from the group

```bash
aws iam remove-user-from-group \
  --user-name user-cli \
  --group-name group-cli \
  --profile admin
```

- Delete user

```bash
aws iam delete-user --user-name user-cli --profile admin
```

- Delete group

```bash
aws iam delete-group --group-name group-cli --profile admin
```

- Delete key pair

```bash
aws ec2 delete-key-pair --key-name app-96-key --profile admin
```

- Delete security group

```bash
aws ec2 delete-security-group --group-id <YOUR_SECURITY_GROUP_ID> --profile admin
```