Exercises

Creates an IAM user with ec2:DescribeRegions access and outputs the access key and secret access key ID.

Creates a cross-account accessible AWS DynamoDB table with a stream.

Creates a cross-account accessible AWS DynamoDB table.

Creates a cross-account accessible AWS EFS.

Demonstrates the risk of Elastic IP (EIP) takeover by creating an EIP, assigning it to a Route 53 record, and then releasing it.

Demonstrates the risk of nameserver delegation takeover by creating a subdomain and NS records, then simulating deletion.

Creates a private GitHub gist with specified content.

Creates a publicly accessible AWS Backup plan and vault. Requires enabling cross-account backup.

Creates a publicly accessible AWS CloudWatch Logs group.

Creates a public AWS EBS snapshot.

Creates a public AWS AMI. This exercise copies an existing public AMI, ubuntu, to the user's account and sets its launch permissions to public.

Creates a public AWS ECR repository.

Creates a public ECR repository with a resource policy.

Creates a publicly accessible AWS EFS.

Creates a publicly accessible AWS EventBridge rule with an SNS topic as the target.

Creates a public GitHub gist with specified content.

Creates a public GitHub repository with a specified file and content.

Creates a publicly accessible AWS Glacier vault.

Creates an AWS Glue database with a public resource policy. DANGER: This resource can override existing glue policy.

Creates a public Google Calendar event. This allows anyone with the link to view the event.

Creates a public Google Doc. This allows anyone with the link to view the document. Role allows you to specify writer, commenter, or reader publicly.

Creates a public Google Form. This allows anyone with the link to view the form.

Creates a public Google Sheet. This allows anyone with the link to view the sheet.

Creates a public Google Slides presentation. This allows anyone with the link to view the presentation.

Creates a public Google Group that anyone in the organization can join.

Creates an IAM role that allows assumption from any account.

Creates a KMS key with public access. This allows anyone to use the key for encryption and decryption.

Creates a publicly accessible AWS Lambda function that returns a user-defined message.

Creates a publicly accessible AWS Lambda layer.

Creates an AWS MediaStore container with public read access.

Creates a publicly accessible AWS OpenSearch domain. NOTE: This exercise will take a few minutes to complete.

Creates a public S3 bucket with GetObject. Any objects uploaded to this bucket, provided you have the filename, allows anyone to download its objects.

Creates a public S3 bucket with both GetObject and ListObject. This allows anyone to download the entire contents of the bucket.

Creates a public S3 bucket with GetObject, ListBucket, and PutObject permissions. This allows anyone to upload, list, and download the entire contents of the bucket.

Creates a publicly accessible AWS SES identity for sending emails.

Creates a public SNS topic with Publish, Subscribe, and Receive permissions. This allows anyone to publish, subscribe, and receive messages from the topic.

Creates a public SQS queue with ReceiveMessage permissions. This allows anyone to receive messages from the queue.

Creates a public Secrets Manager secret with GetSecretValue permissions. This allows anyone to read the secret.

Creates a Secrets Manager secret with permissions for the root principal. This allows all entities in the account to access the secret.

Demonstrates the risk of S3 bucket takeover by creating a bucket for static website hosting, assigning it to a Route 53 record, and then deleting the bucket.

Simulates a DNS takeover scenario by creating a CNAME record pointing to a non-existent third-party service.