AWS Setup Terraform Simple

This document provides instructions for setting up an AWS learner lab with Terraform. It describes connecting to an AWS Academy account, deploying servers and VMs with Terraform scripts, and accessing the servers via SSH or RDP.

Uploaded by

sweetnessa99

AWS Learner Lab Setup with Terraform

Setting up and logging in to your AWS Academy account


Your instructor will create an AWS Academy course that will be used to create sandbox
accounts for you as a student. This sandbox account will be an AWS account with a $50 credit
assigned to you. There are no requirements for you to purchase or provision any account from
AWS. You will not be required to spend any money or provide credit card information.

Your instructor has created a user account in the AWS Academy course for you. As part of the
course creation, you will receive an email invitation to join the course. Please note AWS
Academy uses Canvas like I-Learn; however, this is not the same Canvas account as BYUI.
You will be creating new credentials in AWS Academy with your byui.edu email address. If you
have previously created an AWS Academy account, you will use those AWS Academy
credentials and can skip to step 3 of this section.

1. To set up your AWS Academy account, open your email invitation from AWS
Academy (notifications@instructure.com) and click Get Started.
Note: If you don’t see the email, check your junk, spam, or promotional mail folder.
2. After clicking the Get Started button, you will be redirected to a web page
for creating an account or logging in using existing AWS Academy credentials.
Please note that while the email being used is your byui.edu email, this is
not your byui.edu password. You should not use the same password for
AWS Academy as your byui.edu I-Learn account. AWS Academy does
not utilize single sign-on services and is an entirely separate service and
account from byui.edu. Unless you already have an AWS Academy
account, select Create My Account. If you already have an AWS
Academy account, select the I Have a Canvas Account option and use
your AWS Academy credentials to log in and accept the invitation to this
course. Also, note the AWS Academy Learner Lab number will be different
for your course than the [36035] shown below. These are NOT your I-Learn
credentials. They are separate accounts.


3. After creating credentials, choose Student Login in the future and log in with your email
address and password at https://awsacademy.instructure.com
Note: Use the email address that received the email invitation from AWS Academy.

Connecting to AWS Learner Lab


▢ Log in to AWS Academy (awsacademy.com) and click “LMS.” You should have received
an invitation from your instructor in your email. Log in as ‘student’ and you do not already
have a Canvas account for it.

▢ Open the “Courses” and go to “All Courses” to find the Learner Lab for the course.
▢ Open the Learner Lab for the course. The instructor can request a new Learner Lab by
clicking “Account” > “Create a Class.” The list shows “Teacher” to see ownership.
▢ Open the Learner Lab. Click “Modules” > “Launch AWS Academy Learner Lab.”

▢ Click “Start Lab” (arrow #1) and wait for the circle (arrow #2) to turn from yellow to green.

▢ Once the circle is green, click “AWS” (arrow #2 icon) and it will open a new window.
Instructors may see a different option here (click "My classes" and then pick one of the
Educator options).

▢ To stop your EC2 instances, go to EC2. To stop most charges when finished, click
“End Lab”.

AWS Cloudshell (Amazon’s terminal/shell)
AWS Cloudshell allows terminal/command prompt access to quickly run scripts for deployment.
To open “Cloudshell,” click on the “Cloudshell” icon at the top of the screen and a black window
will appear as a terminal at the bottom of your screen. Paste the commands in that window.

AWS TERRAFORM
Paste the following command into the Cloudshell window as a single line:

curl -O https://byui-cloud.github.io/cyber-201-materials/aws-terraform/build201.sh && chmod a+x build201.sh && ./build201.sh

This script will deploy 3 servers/VMs (VM = Virtual Machine), copy some files for you such as
private keys, attempt to install juiceshop (or place a script for installing it), and connect you
to two servers. One server/VM is the bastion host, which you will connect to most often using
its public IP. The juiceshop VM is on an internal IP (10.13.37.201), so to reach it you first
connect to the bastion host with the public IP (it will be displayed as the script runs) and then,
from the bastion host, SSH into the juiceshop VM. The 3rd server is a NAT that gives the internal
juiceshop VM internet access.
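
The build201.sh command above downloads a script and runs it in one step. As an added example (not part of the original document or the lab's scripts), the helper below runs a downloaded script only if it still matches a SHA-256 hash you recorded after reading it. The function names file_sha256, run_if_pinned and demo are hypothetical, and it assumes sha256sum is installed and the script is a bash script.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab's scripts). Function names are hypothetical.
# Assumes sha256sum is available and the downloaded file is a bash script.

# Print only the SHA-256 hex digest of a file.
file_sha256() {
  sha256sum "$1" | awk '{print $1}'
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Returns 2 if FILE is missing, 3 if the hash differs, else the script's status.
run_if_pinned() {
  local file="$1" expected="$2" actual
  shift 2
  [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
  actual="$(file_sha256 "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: sha256 is $actual" >&2
    return 3
  fi
  bash "$file" "$@"
}

# Offline demo on a constructed stand-in for build201.sh.
demo() {
  local dir pinned rc=0
  dir="$(mktemp -d)"
  printf 'echo "constructed stand-in ran"\n' > "$dir/build201.sh"
  pinned="$(file_sha256 "$dir/build201.sh")"  # recorded after reading the file
  run_if_pinned "$dir/build201.sh" "$pinned" || rc=$?
  # Simulate the hosted file changing after it was reviewed.
  printf 'echo "line added later"\n' >> "$dir/build201.sh"
  run_if_pinned "$dir/build201.sh" "$pinned" || rc=$?
  rm -rf "$dir"
  return "$rc"
}

# In Cloudshell, with the URL from this page:
#   curl -fsSLO https://byui-cloud.github.io/cyber-201-materials/aws-terraform/build201.sh
#   less build201.sh && file_sha256 build201.sh   # read it, note the hash
#   run_if_pinned build201.sh <hash-you-recorded>
demo || echo "demo: changed script was refused (status $?)"
```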

Once the script finishes running it will automatically start to connect you to the bastion host.
You have to pick the number shown for the bastion_host that has the public IP address.

Run ./update.sh (once connected to the bastion host) and it will require you to change the
password so that you can remote desktop into the server. Once that update.sh script finishes, it
will run security updates and connect you to the internal juiceshop machine.

The script should connect you to the Bastion and then to the internal VM of the Juiceshop
OWASP VM. You can type “sudo docker ps” to see if the docker is running. If you don’t see
docker, you may need to run “./installjuiceshop.sh” to install OWASP juiceshop.

Next time you turn the systems back on, run this in the Cloudshell window/terminal to
connect:
./run201.sh

That will reconnect via SSH or you could instead RDP into the same public IP.

Take note of the IP addresses that are listed when you run the scripts above. Those are the IP
addresses you will need to either SSH or RDP in below.

CONNECTING
The first script above (build201.sh), when finished, also connects via ssh if a key is pressed to
continue (it executes run201.sh). Once connected via SSH, enable RDP for the AWS Linux Mate if
desired:

● Open ‘Microsoft Remote Desktop’ (Apple/Mac installer: https://aka.ms/rdmacbeta) on your
laptop and put in the public IP of the server to connect. Make sure to use the ‘ec2-user’
user and the password set above.
● Run update scripts on the server for security the first time you connect (‘sudo yum
update’).
● To see the OWASP juiceshop (if that option was selected), open the Chromium browser
(once in the RDP session) and click on “Applications > Internet > Chromium Web Browser”

● To SSH into the juiceshop from the bastion host:
○ ssh -i private_key.pem ec2-user@10.13.37.201
● Type “http://10.13.37.201/” (the internal IP address of the juiceshop VM) in the URL bar of the
browser to see this (make sure to use http, not https, for http://10.13.37.201)

ENDING SESSION & MANAGING BUDGET
Make sure to stop your instances and end your Learner Lab to save on budget when you are
done working on it for that day/class. End the Lab in AWS by clicking the “End Lab” button in
the Learner Lab so your budget will not run out.

ONLY DO THIS AT THE END OF THE SEMESTER: If you want to delete everything, you
can end the terraform session in your cloudshell terminal with ./terminate.sh, which
will delete all data on the server and all 3 servers. You will need to run the build scripts
above if you want the servers back.

To monitor spending, see the area at the top of the lab instructions. Note: This information is
provided by the AWS Budgets service and might be delayed by up to 8 hours. This is an
approximate view of spending.
Note: If you spend the entire budget, you will lose all of your work, and the system will
deactivate your temporary AWS account. Your $50 budget is sufficient for most academic
projects, as long as you take care to stay within the budget guidelines.

To delete all resources that you have configured in a lab and start with a fresh AWS account,
choose Reset. Important: All work will be lost and cannot be recovered. This option will
not reset your budget. Any spending that you have incurred will continue to be tracked.

When you are finished with the session, choose End Lab.
Any running Amazon Elastic Compute Cloud (Amazon EC2) virtual machine instances will be
stopped. If you return and restart the lab, any stopped EC2 instances will restart and any other
resources that you configured will still be available. Ending the lab will stop some charges for
your virtual machine until you start the lab at a later time.

TROUBLESHOOTING
Multiple AWS classes: If you have multiple courses using AWS, make sure to click on the correct
course in canvas/instructure.

Website not loading Part 1: Did you run the ./run201.sh from the bastion host? If you never did, it
normally tries to run automatically if you hit “enter” after the build script. If not, run ./run201.sh
from the bastion host. If you already did that, check to see if Docker is running while in the owasp
internal VM with ‘docker ps’.

Website not loading Part 2 - Make sure that the docker is running. Once you are ssh’ed into the
internal VM owasp, type ‘docker ps’ to see if the docker is running. If docker is not running, install
juiceshop with the command ./installjuiceshop.sh from the internal VM.

Many things are broken: Delete all servers/files from this setup, by running ./deleteeverything.sh
from your cloudshell. You can also download and run that file with this command:

curl -O https://byui-cloud.github.io/cyber-201-materials/aws-terraform/deleteeverything.sh && chmod a+x deleteeverything.sh && ./deleteeverything.sh
