A collection of AWS hands-on labs / challenges with source code solutions.
Each challenge has a description and solutions in Cloudformation, AWS CLI and Terraform. You should try to solve the described problem yourself before looking at solutions.
We are aware of our imperfection, so this repository is supposed to bring about a mutual-learning community where everybody can create tickets or, even better, raise pull requests to contribute challenge ideas or solution improvements.
- Getting started
- Common context
- How to contribute
- FAQ
- Challenge index (by AWS service name)
- Challenge index (by compliance)
## Getting started

This repository is organized in an atomic design structure:
- Atoms: Challenges involving only 1 AWS service, not counting its subordinate resources. For example, 1 VPC with 1 subnet, route table, route entry, subnet-route table association, NACL, NACL entry, subnet-NACL association...
- Molecules: Challenges involving 2, up to 3, AWS services, not counting their subordinate resources.
- Organisms: Challenges involving more than 3 AWS services, not counting their subordinate resources.

Read the README.md file in each challenge folder for the problem description and the instructions to run the solution code.

You can reuse the code of solved challenges in later challenges, using CloudFormation Modules, CloudFormation exported values, or Terraform modules.
## Common context

As we aim to design scenarios as close to real life as possible, some challenges require one or more of the compliances below in addition to their own requirements.

### Single account compliance

You are tasked to implement the infrastructure in a single AWS Account for a company with the following details:
- Company name: Sky-As-Code corp.
- Company code: `sac`
- #1 department name: Financial
- #1 department code: `fin`
- #2 department name: Sales
- #2 department code: `sales`
- #3 department name: Security
- #3 department code: `sec`

There are 4 deployment environments: `dev`, `sit`, `uat` and `prod`.

These environments belong to 2 environment types: `nonprod` (includes `dev`, `sit`) and `prod` (includes `uat`, `prod`).
### Organization compliance

You are tasked to implement the infrastructure using AWS Organizations for an enterprise with the following details:
- Enterprise name: Sky-As-Code corp.
- Enterprise code: `sac`
- #1 department name: Financial
- #1 department code: `fin`
- #2 department name: Sales
- #2 department code: `sales`
- #3 department name: Security
- #3 department code: `sec`

Each department has a separate AWS Account, and each account has 4 deployment environments: `dev`, `sit`, `uat` and `prod`.

These environments belong to 2 environment types: `nonprod` (includes `dev`, `sit`) and `prod` (includes `uat`, `prod`).

All department AWS Accounts are under one AWS Organization whose management account belongs to the Security department.
### Resource tagging compliance

The organization wants to manage AWS cost allocation using tags, so all AWS resources must have these 3 tags:
- `CostCenter`: The department code. Not used for free-of-charge resources, e.g. VPC, subnet...
- `Application`: Name of the application using this AWS resource. Optional for shared resources such as VPC, subnet...
- `Environment`: The deployment environment. Optional for shared resources such as VPC, subnet...
- `EnvironmentType`: The deployment environment type. Used for shared resources such as VPC, subnet... Optional for other department-owned resources.
### AWS Region compliance

Only AWS services in these AWS Regions are allowed to be used:
- `us-east-1`: US East (N. Virginia)
- `ap-southeast-1`: Asia Pacific (Singapore)
- `eu-central-1`: Europe (Frankfurt)
### Encryption compliance

All communication must be encrypted in transit.

All stored data must be encrypted at rest.
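The tagging, region and encryption rules above are easy to state and easy to get subtly wrong (a `uat` resource tagged `nonprod`, a bucket created in a Region outside the allow-list, a shared VPC that skips `EnvironmentType`). The following audit encodes them as checks that run over a small inventory of resources before anything is deployed. It is an added example, not code from this repository or from the challenge solutions; the `Resource` fields (`is_shared`, `is_free`, `encrypted_at_rest`, `tls_only`), the treatment of `region=None` as a global service such as IAM, and the sample inventory are all assumptions made for the example.

```python
"""Pre-deployment compliance audit for the common context above.

Added example, not code from the original repository. The Resource fields
(is_shared, is_free, encrypted_at_rest, tls_only) and region=None meaning
"global service" are assumptions for this example, not attributes of any AWS API.
"""
from dataclasses import dataclass, field
from typing import Optional

DEPARTMENT_CODES = {"fin", "sales", "sec"}
ENVIRONMENTS = {"dev", "sit", "uat", "prod"}
# Environment -> environment type, as defined in the single-account context.
ENVIRONMENT_TYPES = {"dev": "nonprod", "sit": "nonprod", "uat": "prod", "prod": "prod"}
ALLOWED_REGIONS = {"us-east-1", "ap-southeast-1", "eu-central-1"}


@dataclass
class Resource:
    name: str
    service: str
    region: Optional[str]            # None models a global service such as IAM (assumption)
    tags: dict = field(default_factory=dict)
    is_shared: bool = False          # shared resources such as VPC, subnet
    is_free: bool = False            # free-of-charge resources such as VPC, subnet
    encrypted_at_rest: bool = True
    tls_only: bool = True            # plaintext connections are rejected


def check_tags(r: Resource) -> list[str]:
    """Resource tagging compliance; returns human-readable findings."""
    findings = []
    t = r.tags
    # CostCenter: the department code, not needed on free-of-charge resources.
    if not r.is_free:
        if "CostCenter" not in t:
            findings.append("missing CostCenter")
        elif t["CostCenter"] not in DEPARTMENT_CODES:
            findings.append(f"CostCenter {t['CostCenter']!r} is not a department code")
    # Application and Environment: optional on shared resources, required elsewhere.
    for key in ("Application", "Environment"):
        if key not in t and not r.is_shared:
            findings.append(f"missing {key}")
    if "Environment" in t and t["Environment"] not in ENVIRONMENTS:
        findings.append(f"unknown Environment {t['Environment']!r}")
    # EnvironmentType: required on shared resources, optional elsewhere, and it
    # must agree with Environment whenever both tags are present.
    if r.is_shared and "EnvironmentType" not in t:
        findings.append("missing EnvironmentType on shared resource")
    if "EnvironmentType" in t:
        env_type = t["EnvironmentType"]
        expected = ENVIRONMENT_TYPES.get(t.get("Environment"))
        if env_type not in {"nonprod", "prod"}:
            findings.append(f"unknown EnvironmentType {env_type!r}")
        elif expected and env_type != expected:
            findings.append(f"EnvironmentType {env_type!r} does not match Environment {t['Environment']!r}")
    return findings


def check_region(r: Resource) -> list[str]:
    """AWS Region compliance; a global service (region None) has no Region to check."""
    if r.region is not None and r.region not in ALLOWED_REGIONS:
        return [f"region {r.region} is not an allowed region"]
    return []


def check_encryption(r: Resource) -> list[str]:
    """Encryption compliance: at rest and in transit."""
    findings = []
    if not r.encrypted_at_rest:
        findings.append("not encrypted at rest")
    if not r.tls_only:
        findings.append("plaintext connections accepted")
    return findings


def audit(inventory: list[Resource]) -> dict[str, list[str]]:
    """Return {resource name: findings} for every non-compliant resource."""
    report = {}
    for r in inventory:
        findings = check_tags(r) + check_region(r) + check_encryption(r)
        if findings:
            report[r.name] = findings
    return report


# Constructed inventory for the example; names, services and values are made up.
SAMPLE_INVENTORY = [
    Resource("fin-dev-vpc", "vpc", "us-east-1", {"EnvironmentType": "nonprod"},
             is_shared=True, is_free=True),
    Resource("sales-prod-db", "rds", "eu-central-1",
             {"CostCenter": "sales", "Application": "crm",
              "Environment": "prod", "EnvironmentType": "prod"}),
    Resource("sec-uat-bucket", "s3", "us-west-2",
             {"CostCenter": "sec", "Application": "audit",
              "Environment": "uat", "EnvironmentType": "nonprod"},
             tls_only=False),
    Resource("fin-sit-instance", "ec2", "ap-southeast-1",
             {"Application": "ledger", "Environment": "sit"},
             encrypted_at_rest=False),
    Resource("org-admin-role", "iam", None,
             {"CostCenter": "sec", "Application": "admin", "Environment": "prod"}),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the script reports three of the five sample resources: the instance without `CostCenter` and with an unencrypted volume, and the bucket that is in `us-west-2`, accepts plaintext connections, and carries an `EnvironmentType` that contradicts its `Environment`. The shared free VPC and the global IAM role pass, which is the point of modelling `is_free`, `is_shared` and the global-service case explicitly rather than demanding every tag on every resource.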
## How to contribute

Kindly refer to CONTRIBUTING.md.
## FAQ

Q: What if I have issues when running the solution code?

A: Please refer to TROUBLESHOOTING.md for common issues, or create a ticket if your problem is not covered there.

Q: Why does the organization name (Sky-As-Code) have hyphens between words?

A: For the same reason that Batman is one word, Iron Man is two words and Spider-Man is two words with a hyphen in between.

Q: What if I find one of the solutions not following best practices?

A: You are welcome to create a ticket with links to the best practices, or raise a pull request if you have free time; just make sure to include links to the sources on which you base your opinion. And don't forget to read CONTRIBUTING.md.

Q: Are the solutions safe to use in my company's production environment?

A: You are free to use the source code in this repository for your company's commercial purposes under the MIT license. As for security and best practices, although we try to make the solutions as safe for real-life use as possible, you should build your own understanding before deciding how to apply them to your company's production environment.
## Challenge index (by AWS service name)

Note: Some challenges are indexed multiple times because they involve several AWS services.

### Auto Scaling
- auto-scaling-group-scheduled-policy
- auto-scaling-group-step
- auto-scaling-group-targettracking

### EC2
- ec2-instance
- ec2-instance-ebs-attached-single
- ec2-instance-ebs-attached-multi
- ec2-instance-ebs-based
- ec2-instance-ebs-create-ami
- ec2-instance-ebs-kms-encrypted
- ec2-instance-ebs-unencrypted-kms-encrypted
- ec2-instance-instancestore-based

### EBS
- ebs-volume
- ebs-volume-data-lifecycle-manager
- ec2-instance-ebs-attached-single
- ec2-instance-ebs-attached-multi
- ec2-instance-ebs-based
- ec2-instance-ebs-create-ami
- ec2-instance-ebs-kms-encrypted
- ec2-instance-ebs-unencrypted-kms-encrypted

### KMS
- ec2-instance-ebs-kms-encrypted
- ec2-instance-ebs-unencrypted-kms-encrypted
- kms-asymmetric-key
- kms-asymmetric-datakey
- kms-symmetric-key
- kms-symmetric-datakey
- s3-bucket-sse-kms

### S3
- s3-bucket-owner-full-control
- s3-bucket-lifecycle-policy
- s3-bucket-sse-s3
- s3-bucket-sse-kms
- s3-bucket-web-hosting

## Challenge index (by compliance)
- All challenges