Introduction
This comprehensive lab exercise, created for AWS Student Cloud Club Camp participants, guides you through designing and implementing a secure, scalable grade book system using core AWS services. You'll learn how to implement proper access controls, network security, and data storage while following cloud security best practices.
Learn more about what an AWS Student Cloud Club Camp is by reading this article
Learning Objectives
- Configure Identity and Access Management (IAM) with role-based permissions
- Design a secure Virtual Private Cloud (VPC) architecture
- Implement S3 storage with appropriate bucket policies
- Apply the principle of least privilege in cloud security
- Understand the benefits of cloud migration from on-premises infrastructure
Prerequisites
Ensure you have:
- An active AWS account with administrative access
- Basic understanding of cloud computing concepts
- Familiarity with AWS Management Console navigation
- A text editor for creating JSON policies
By the end of the lab you will have built three layers:
- Identity Layer: IAM users and policies controlling access
- Network Layer: VPC with isolated subnets and security groups
- Storage Layer: S3 buckets with granular access permissions
Step 1: Configure IAM
Creating Student User Account
- Navigate to the IAM service in the AWS Management Console
- Click Users → Create user
- Configure user details:
  - Username: student-user1
  - Access type: Check "Provide user access to the AWS Management Console"
  - Select "I want to create an IAM user"
  - Choose "Custom password" and create a secure password
  - Note: Record the password securely for later use
Attaching Basic Permissions
- In the permissions step, attach the following managed policy:
  - AmazonS3ReadOnlyAccess: allows read access to S3 resources
Creating Custom Restriction Policy
- Click Create policy to create a custom restriction policy
- Select the JSON tab and enter the following policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "DenyGradebookAccess",
        "Effect": "Deny",
        "Action": [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::cs-dept-gradebook-2024",
          "arn:aws:s3:::cs-dept-gradebook-2024/*"
        ]
      }
    ]
  }
- Name the policy: Student-Gradebook-Restriction-Policy
- Add description: "Prevents students from accessing confidential gradebook data"
- Click Create policy
Finalizing User Creation
- Return to user creation and attach the custom policy
- Review settings and click Create user
- Download or securely store the user credentials
Step 2: Design VPC
Creating the VPC
- Navigate to VPC service in the AWS Console
- Click Create VPC
- Configure VPC settings:
  - Resources to create: VPC only
  - Name tag: cs-dept-vpc
  - IPv4 CIDR block: 10.32.0.0/16
  - IPv6 CIDR block: No IPv6 CIDR block
  - Tenancy: Default
Setting Up Subnets
- Create a Public Subnet:
  - Name: cs-dept-public-subnet
  - VPC: Select your created VPC
  - Availability Zone: Choose any AZ
  - IPv4 CIDR block: 10.32.1.0/24
- Create a Private Subnet:
  - Name: cs-dept-private-subnet
  - VPC: Select your created VPC
  - Availability Zone: Different from public subnet
  - IPv4 CIDR block: 10.32.2.0/24
Configuring Internet Connectivity
- Create Internet Gateway:
  - Name: cs-dept-igw
  - Attach to your VPC
- Create Route Tables:
  - Public Route Table:
    - Name: cs-dept-public-rt
    - Add route: 0.0.0.0/0 → Internet Gateway
    - Associate with public subnet
  - Private Route Table:
    - Name: cs-dept-private-rt
    - Keep default local route only
    - Associate with private subnet
Security Groups Configuration
- Create Web Security Group:
  - Name: cs-dept-web-sg
  - Description: "Security group for web servers"
  - Inbound rules:
    - HTTP (80) from 0.0.0.0/0
    - HTTPS (443) from 0.0.0.0/0
    - SSH (22) from your IP only
- Create Database Security Group:
  - Name: cs-dept-db-sg
  - Description: "Security group for database servers"
  - Inbound rules:
    - MySQL/Aurora (3306) from Web Security Group
    - SSH (22) from your IP only
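As an added example (not part of the lab), the following script checks the Step 2 design offline: subnets inside the VPC CIDR and not overlapping, only the public subnet routed to the internet gateway, and no port other than 80/443 open to 0.0.0.0/0. The dicts are a constructed description of the resources, not AWS API output, and 203.0.113.10/32 stands in for "your IP".

```python
# Added example: offline audit of the lab's VPC design (constructed data, not AWS output).
import ipaddress

VPC_CIDR = "10.32.0.0/16"
SUBNETS = {  # subnet name -> (CIDR, associated route table)
    "cs-dept-public-subnet": ("10.32.1.0/24", "cs-dept-public-rt"),
    "cs-dept-private-subnet": ("10.32.2.0/24", "cs-dept-private-rt"),
}
ROUTE_TABLES = {  # route table name -> list of (destination, target)
    "cs-dept-public-rt": [("10.32.0.0/16", "local"), ("0.0.0.0/0", "igw:cs-dept-igw")],
    "cs-dept-private-rt": [("10.32.0.0/16", "local")],
}
SECURITY_GROUPS = {  # group name -> inbound rules as (port, source); placeholder "your IP"
    "cs-dept-web-sg": [(80, "0.0.0.0/0"), (443, "0.0.0.0/0"), (22, "203.0.113.10/32")],
    "cs-dept-db-sg": [(3306, "sg:cs-dept-web-sg"), (22, "203.0.113.10/32")],
}
WORLD_REACHABLE_OK = {80, 443}  # the only ports the lab intends to expose to 0.0.0.0/0

def public_subnets(subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """Subnets whose route table sends 0.0.0.0/0 to an internet gateway."""
    return {name for name, (_, rt) in subnets.items()
            if any(dst == "0.0.0.0/0" and tgt.startswith("igw:") for dst, tgt in route_tables[rt])}

def audit(vpc_cidr=VPC_CIDR, subnets=SUBNETS, route_tables=ROUTE_TABLES,
          security_groups=SECURITY_GROUPS):
    """Return a list of findings; an empty list means the design matches the lab's intent."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} lies outside the VPC CIDR {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} have overlapping CIDRs")
    for name in subnets:  # a subnet named "private" must not reach the IGW directly
        if "private" in name and name in public_subnets(subnets, route_tables):
            findings.append(f"{name}: private subnet has a default route to an internet gateway")
    for sg, rules in security_groups.items():
        for port, source in rules:
            if source == "0.0.0.0/0" and port not in WORLD_REACHABLE_OK:
                findings.append(f"{sg}: port {port} is open to the whole internet")
    return findings
```

Running `audit()` on the lab's values returns no findings; widening the SSH rule to 0.0.0.0/0 or pointing the private subnet at the public route table produces one.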
Step 3: Configure S3 Storage for Grade Book Data
Creating the Grade Book Bucket
- Navigate to S3 service
- Click Create bucket
- Configure bucket settings:
  - Bucket name: cs-dept-gradebook-2024 (must be globally unique; if you have to choose a different name, use it in the policy ARNs as well)
  - Region: Same as your VPC
  - Block Public Access: Keep all settings checked (secure by default)
  - Bucket Versioning: Enable
  - Default encryption: Enable with SSE-S3
Creating Bucket Policy for Controlled Access
- After bucket creation, go to Permissions tab
- Edit Bucket policy and add:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "TeacherAccess",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::YOUR-ACCOUNT-ID:root"
        },
        "Action": [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::cs-dept-gradebook-2024",
          "arn:aws:s3:::cs-dept-gradebook-2024/*"
        ]
      },
      {
        "Sid": "DenyStudentAccess",
        "Effect": "Deny",
        "Principal": {
          "AWS": "arn:aws:iam::YOUR-ACCOUNT-ID:user/student-user1"
        },
        "Action": "*",
        "Resource": [
          "arn:aws:s3:::cs-dept-gradebook-2024",
          "arn:aws:s3:::cs-dept-gradebook-2024/*"
        ]
      }
    ]
  }
Note: Replace YOUR-ACCOUNT-ID with your actual AWS account ID.
Creating Public Assets Bucket (Optional)
- Create a second bucket for public course materials:
  - Bucket name: cs-dept-public-assets-2024
  - Public access: Allow public read access (Block Public Access must be turned off for this bucket so that the bucket policy below can grant it)
  - Static website hosting: Enable if needed
- For the public bucket policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "PublicReadAccess",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::cs-dept-public-assets-2024/*"
      }
    ]
  }
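The following is an added example, not part of the lab, that models how AWS combines the student's identity policies from Step 1 with the bucket policies from Step 3 for a same-account request, so you can predict what the Step 4 tests should show. Assumptions: the account id is a constructed placeholder, AmazonS3ReadOnlyAccess is simplified to Get*/List* on every resource, and conditions, SCPs and cross-account rules are not modelled.

```python
# Added example (not part of the lab): a small model of how AWS combines the
# student's identity policies (Step 1) with the bucket policies (Step 3) for a
# same-account request. Assumptions: constructed account id, AmazonS3ReadOnlyAccess
# simplified to Get*/List* on everything; conditions, SCPs, cross-account not modelled.
import fnmatch

ACCOUNT = "111122223333"  # constructed placeholder, stands in for YOUR-ACCOUNT-ID
STUDENT = f"arn:aws:iam::{ACCOUNT}:user/student-user1"
TEACHER = f"arn:aws:iam::{ACCOUNT}:root"
GRADEBOOK = "arn:aws:s3:::cs-dept-gradebook-2024"
PUBLIC = "arn:aws:s3:::cs-dept-public-assets-2024"
GRADEBOOK_ARNS = [GRADEBOOK, GRADEBOOK + "/*"]

# Identity policies attached to student-user1 (Step 1): read-only + the custom Deny.
STUDENT_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    {"Statement": [{"Effect": "Deny", "Resource": GRADEBOOK_ARNS,
                    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]}]},
]
# Bucket policies (Step 3); the teacher is the account root user, as in the lab.
GRADEBOOK_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": TEACHER}, "Resource": GRADEBOOK_ARNS,
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]},
    {"Effect": "Deny", "Principal": {"AWS": STUDENT}, "Action": "*", "Resource": GRADEBOOK_ARNS},
]}
PUBLIC_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                                "Action": "s3:GetObject", "Resource": PUBLIC + "/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _applies(stmt, principal, action, resource):
    """Does this statement name the principal (bucket policies only), the action
    and the resource? IAM's * wildcard is matched with fnmatch."""
    allowed = stmt.get("Principal", "*")  # identity policies carry no Principal
    principal_ok = allowed == "*" or principal in _as_list(allowed.get("AWS", []))
    action_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return principal_ok and action_ok and resource_ok

def evaluate(principal, action, resource, identity_policies, bucket_policy=None):
    """Explicit Deny in any policy wins; otherwise an Allow in an identity policy
    or in the bucket policy grants access; otherwise the implicit deny applies."""
    policies = list(identity_policies) + ([bucket_policy] if bucket_policy else [])
    decision = "implicit deny"
    for stmt in (s for policy in policies for s in policy["Statement"]):
        if _applies(stmt, principal, action, resource):
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            decision = "allow"
    return decision
```

`evaluate(STUDENT, "s3:GetObject", GRADEBOOK + "/grades.csv", STUDENT_POLICIES, GRADEBOOK_POLICY)` returns "explicit deny" even though AmazonS3ReadOnlyAccess would otherwise allow the read, while the same call against the public assets bucket returns "allow".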
Step 4: Testing and Validation
Testing Student Access Restrictions
- Sign in as student-user1
- Attempt to access the gradebook S3 bucket
- Verify access is denied with appropriate error messages
- Confirm read access to public resources works
Testing Network Connectivity
- Launch an EC2 instance in the public subnet
- Test internet connectivity
- Launch an EC2 instance in the private subnet
- Verify it cannot directly access the internet
- Test communication between subnets through security groups
Step 5: Clean Up Resources
To avoid unnecessary charges:
- Delete EC2 instances
- Empty and delete S3 buckets
- Delete NAT Gateway (if created)
- Delete Internet Gateway
- Delete subnets
- Delete VPC
- Delete IAM user and custom policies
Why Cloud Migration Benefits Universities
1. Reduced Operational Overhead
Universities can focus on education rather than infrastructure management. AWS handles hardware maintenance, security patches, and system updates automatically.
2. Enhanced Scalability
Cloud services automatically scale to handle peak loads during registration periods or exam times, unlike the fixed-capacity physical servers of on-premises infrastructure.
3. Advanced Security Features
- Multi-factor authentication
- Encryption at rest and in transit
- Automated threat detection
4. Cost Optimization
Pay-as-you-go pricing eliminates large capital expenditures.
5. High Availability and Disaster Recovery
Built-in redundancy ensures 99.99% uptime. Automated backups and multi-region replication protect against data loss.
6. Global Accessibility
Students and faculty can access systems from anywhere with consistent performance through AWS's global infrastructure.
Conclusion
This lab demonstrates how AWS services can create a secure, scalable educational infrastructure. By combining IAM for access control, VPC for network security, and S3 for data storage, we've built a system that protects sensitive academic data while providing appropriate access to different user types.