KitBaroness/nd992-c2-identity-access-control
# Project: Architecting IAM Implementation with Enforcement

## Section 1: Permissions and Policies

**Criteria:** The project shows updated IAM policies that match the permissions in the Access Control Matrix.

**Submission requirements:** Provide a screenshot of each updated policy with the proper statements removed to meet the organizational requirements. If needed, copy the JSON policy into a text file and take a screenshot to ensure the whole policy can be reviewed.

IAM policies to be changed and reflected in screenshots:

- enterprise-analyst-policy
- enterprise-developer-policy
- enterprise-finance-policy
- enterprise-restrictions-policy

## Section 2: IAM Role Configuration

**Criteria:** The project displays evidence that the appropriate IAM policies are attached to the proper IAM roles.

**Submission requirements:** Provide a screenshot of the IAM policies attached to IAM roles in the AWS console.

Roles and attached policies:

- enterprise-analyst-role: enterprise-analyst-policy, enterprise-restrictions-policy
- enterprise-developer-role: enterprise-developer-policy, enterprise-restrictions-policy
- enterprise-finance-role: enterprise-finance-policy, enterprise-restrictions-policy

**Criteria:** The project includes evidence that permissions are properly configured for each service accessible to the role.

**Submission requirements:** While assuming each role in the AWS console, take a screenshot of the result of accessing each service or taking each action. Ensure the role name is present in the screenshot so permissions can be validated.

Role-specific actions and permissions to validate:

- enterprise-analyst-role:
  - Screenshot showing access denied to the non_obfuscated.txt object in S3
  - Screenshot of the downloaded obfuscated.txt object
  - Screenshot of the uploaded analyst.txt object with the supported tags in the developer bucket
- enterprise-developer-role:
  - Screenshot of accessing a CloudWatch metric
  - Screenshot of accessing a security group under EC2
  - Screenshot of developer.txt uploaded to the developer bucket
  - Screenshot of developer.txt downloaded from the developer bucket
- enterprise-finance-role:
  - Screenshot of current usage in the Cost Explorer console

## Section 3: AWS Config

**Criteria:** The project includes updated Python Lambda code to monitor restricted resources.

**Submission requirements:** Provide a screenshot of the Lambda console with the updated code, ensuring that the RESTRICTED_RESOURCE variable includes the string arn:aws:s3:::super-secret-bucket in its list.

**Criteria:** The project shows evidence of a manually remediated AWS Config rule.

**Submission requirements:** Manually remediate the AWS Config rule so that a policy breaking enterprise restrictions is marked as non-compliant. Provide a screenshot of the ConfigRulePolicyEnforcement rule with bad-policy-that-breaks-enterprise-restrictions marked as non-compliant in the AWS Config service.
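The check the Config rule's Lambda has to perform, as an added example that is not the project's own code: it flags any IAM policy whose Allow statements can reach a restricted ARN, using IAM's `*`/`?` wildcard semantics and handling NotResource. The RESTRICTED_RESOURCES list, the event shape read by lambda_handler and the omitted put_evaluations call are assumptions for this example.

```python
import fnmatch

# Constructed restricted-resource list for this example; the project's own
# RESTRICTED_RESOURCE variable must contain the super-secret-bucket ARN.
RESTRICTED_RESOURCES = [
    "arn:aws:s3:::super-secret-bucket",
    "arn:aws:s3:::super-secret-bucket/*",
]

def _as_list(value):
    """IAM accepts either a string or a list for Statement, Resource and NotResource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def statement_reaches_restricted(statement):
    """True if an Allow statement can reach any restricted ARN.

    IAM resource patterns use '*' and '?' wildcards, which fnmatch reproduces
    ('*' spans '/' in both). A NotResource statement reaches a restricted ARN
    unless every restricted ARN is excluded by one of its patterns.
    """
    if statement.get("Effect") != "Allow":
        return False
    for pattern in _as_list(statement.get("Resource")):
        if any(fnmatch.fnmatchcase(arn, pattern) for arn in RESTRICTED_RESOURCES):
            return True
    excluded = _as_list(statement.get("NotResource"))
    if excluded:
        for arn in RESTRICTED_RESOURCES:
            if not any(fnmatch.fnmatchcase(arn, p) for p in excluded):
                return True
    return False

def evaluate_policy(policy_document):
    """Return (compliance_type, annotation) for one IAM policy document."""
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if statement_reaches_restricted(stmt):
            return "NON_COMPLIANT", f"statement {idx} allows access to a restricted resource"
    return "COMPLIANT", "no Allow statement reaches a restricted resource"

def lambda_handler(event, context):
    """Hypothetical entry point; the event carries the policy document to check."""
    # A real AWS Config custom rule would read the document from the invokingEvent
    # and report the result with config.put_evaluations(); both are omitted here.
    compliance, annotation = evaluate_policy(event["policy_document"])
    return {"ComplianceType": compliance, "Annotation": annotation}
```

Deny statements are deliberately ignored: a policy that explicitly allows a restricted ARN is flagged even if another statement denies it, which is the conservative choice for an enforcement rule.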

## Section 4: Organizational Role and Policy Visualization

**Criteria:** The project includes an organizational role and policy visualization documenting the role structure.

**Submission requirements:** Provide a screenshot of a draw.io diagram that reflects the resource-to-permission structure. Ensure each resource defined in the policies is aligned with the appropriate permissions, with each permission placed to the right of the corresponding resource in the policy.

## Suggestions to Make Your Project Stand Out

- Use the optional AWS Config diagram to illustrate connections between resources, providing an overview of how AWS Config monitors and alerts on changes.
- Update the Lambda code to deliver notifications via SNS for non-compliant policies, subscribe an email address to the SNS topic, and show an email being sent from SNS.

## About

Submoduled into UdaCity/Security Architect/Course3