Cloud Course CLI Tool - Security Guide

This guide provides important security information for using the Cloud Course CLI tool with your AWS account, explaining how the tool works, what permissions it requires, and how to keep your AWS environment secure while using it.

How the CLI Tool Accesses Your AWS Account

The Cloud Course CLI tool uses AWS SSO (Single Sign-On) for authentication:

  1. Authentication Flow:

    • You authenticate with AWS using your existing AWS SSO credentials
    • AWS provides temporary, scoped access tokens to the CLI Tool
    • These tokens allow read-only access to assess your infrastructure
  2. Credential Handling:

    • Your AWS credentials are managed by the AWS SDK
    • Cloud Course (Not Just Software Inc.) never sees, stores, or has access to your AWS credentials
    • Access tokens are stored according to AWS security standards and expire automatically
    • All credential handling follows AWS best practices for secure authentication
  3. Data Transmission:

    • All communication between the CLI tool and AWS is encrypted using HTTPS
    • Only the minimum necessary metadata about your AWS resources is processed for assessment

Required AWS Permissions

For the CLI Tool to function properly, your AWS SSO configuration should grant read-only access to the following services:

  • EC2: Check instance configurations, security groups, and load balancers
  • S3: Verify bucket configurations, permissions, and website settings
  • Route 53: Check DNS settings and hosted zones
  • CloudFront: Verify distribution settings and origins
  • RDS: Check database configurations, parameter groups, and security settings
  • CloudWatch: Verify logging, monitoring, and alarm configurations
  • IAM: Check identity configurations, roles, and policies
  • VPC: Verify network configurations, subnets, and routing tables
  • Auto Scaling: Verify scaling group configurations and policies
  • Lambda: Check function configurations (for serverless sections)
  • Other services used in specific tutorials

We recommend using the AWS managed policy ReadOnlyAccess, which provides the appropriate permission level.

We recommend using the US East (N. Virginia) region (us-east-1) for all course exercises unless specifically instructed otherwise. This region:

  • Contains all AWS services covered in the course
  • Is generally the most cost-effective region
  • Is the default region for many AWS services and examples

1. Use a Dedicated Learning AWS Account

We strongly recommend using a dedicated AWS account for learning purposes:

  • Separate from production or personal accounts
  • Dedicated to course exercises only
  • With proper budget controls in place
  • Created through AWS Organizations if possible

2. Set Up AWS Budgets

To prevent unexpected charges:

  • Create AWS budgets with alerts (as taught in the Setting Up A Budget lesson)
  • Set reasonable spending limits (we recommend starting with $10-20 for the entire course)
  • Configure email notifications when reaching 50%, 80%, and 100% of your budget
  • Consider setting up AWS Cost Anomaly Detection

3. Follow Least Privilege Principle

When configuring AWS SSO and IAM:

  • Grant only the permissions needed for the assessments
  • Use AWS managed policies like "ReadOnlyAccess" when possible
  • Avoid granting write or delete permissions to the CLI Tool
  • Create separate users for different purposes (CLI, console access, etc.)
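The Required AWS Permissions list and the least-privilege list above both come down to one check: every action the CLI tool's SSO permission set allows should be a read. The script below is an added example for this guide, not part of the Cloud Course CLI tool, and the two policy documents in it are constructed. It flags every allowed action whose verb is not a read verb (writes, deletes, "*", or Allow + NotAction), and separately flags read actions that return data or secrets rather than resource metadata; that second category matters because the AWS managed ReadOnlyAccess policy grants s3:Get*, which includes s3:GetObject. The list of data-returning actions is an assumption of the example and not exhaustive.

```python
"""Audit an IAM policy document for actions beyond read-only metadata access.

Added example for this guide (not the Cloud Course CLI tool's own code). Run it
against a permission-set or inline policy before attaching it to the SSO
profile the CLI tool uses.
"""
import fnmatch
import json

# Verb prefixes IAM uses for read operations; any other verb (Put, Create,
# Delete, Run, Attach, "*", ...) is reported as non_read.
READ_VERB_PREFIXES = ("Get", "List", "Describe", "Lookup", "Search", "View")

# Read actions that return customer data or secrets instead of metadata.
# Constructed, non-exhaustive list for this example; extend it for your account.
DATA_ACCESS_ACTIONS = (
    "s3:GetObject", "s3:GetObjectVersion", "dynamodb:GetItem",
    "secretsmanager:GetSecretValue", "ssm:GetParameter", "ssm:GetParameters",
    "ssm:GetParametersByPath", "logs:GetLogEvents",
    "lambda:GetFunction",  # returns a presigned URL to the deployment package
)


def classify_action(action: str) -> str:
    """Return "non_read", "data_read" or "metadata_read" for one Action entry."""
    if ":" not in action:  # bare "*" grants every action of every service
        return "non_read"
    _service, verb = action.split(":", 1)
    if not verb.startswith(READ_VERB_PREFIXES):
        return "non_read"  # s3:*, iam:PassRole, ec2:RunInstances, ...
    # A read verb may still reach data, including through wildcards such as
    # s3:Get*; match the pattern against the known data-returning actions.
    pattern = action.lower()
    if any(fnmatch.fnmatchcase(a.lower(), pattern) for a in DATA_ACCESS_ACTIONS):
        return "data_read"
    return "metadata_read"


def audit_policy(policy: dict) -> dict:
    """Collect Allow-statement actions that are not plain metadata reads.

    Returns {"non_read": [...], "data_read": [...]} with the action strings as
    written in the policy, sorted and de-duplicated. Deny statements are not
    modelled: a policy that needs a Deny to become read-only is better
    rewritten without the broad Allow.
    """
    findings = {"non_read": set(), "data_read": set()}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions,
            # which is never read-only; report the statement as written.
            findings["non_read"].add("NotAction:" + json.dumps(stmt["NotAction"]))
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            kind = classify_action(action)
            if kind != "metadata_read":
                findings[kind].add(action)
    return {k: sorted(v) for k, v in findings.items()}


def is_metadata_read_only(policy: dict) -> bool:
    """True when every allowed action only reads resource metadata."""
    report = audit_policy(policy)
    return not report["non_read"] and not report["data_read"]


# Constructed example of a permission set someone might hand to the CLI tool:
# "s3:*" allows writes and deletes, "ssm:GetParameter" reads parameter values.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "rds:Describe*", "iam:Get*", "iam:List*",
                   "s3:*", "ssm:GetParameter"],
        "Resource": "*",
    }],
}

# Same intent, restricted to the metadata the assessments need (constructed).
TIGHTENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "rds:Describe*", "iam:Get*", "iam:List*",
                   "s3:ListAllMyBuckets", "s3:GetBucketPolicy",
                   "s3:GetBucketPublicAccessBlock", "cloudfront:Get*",
                   "route53:List*", "autoscaling:Describe*",
                   "lambda:GetFunctionConfiguration", "lambda:ListFunctions"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("tightened", TIGHTENED_POLICY)):
        print(name, json.dumps(audit_policy(policy), indent=2))
```

Run as-is, the weak policy reports s3:* under non_read and ssm:GetParameter under data_read, while the tightened policy reports nothing. To check your own permission set, load its JSON with json.load and pass it to audit_policy before attaching it to the SSO role the CLI tool assumes.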

4. Regularly Review AWS Resources

After completing tutorials:

  • Clean up resources you no longer need using the cleanup instructions in each lesson
  • Check for unexpected resources that may incur charges
  • Review your AWS bill regularly through the AWS Billing Dashboard
  • Use AWS Cost Explorer to identify cost trends and unexpected expenses

5. Secure Your Environment

Additional security recommendations:

  • Enable multi-factor authentication (MFA) for your AWS account
  • Rotate access keys regularly if using long-term credentials
  • Never commit AWS credentials to version control systems
  • Keep your local environment updated with security patches

6. Follow Course-Specific Security Guidelines

Throughout the course, we provide specific security guidelines for different services. Always follow these service-specific recommendations, especially for:

  • IAM policies and roles
  • S3 bucket permissions
  • Security group configurations
  • Database security settings

Reporting Security Concerns

If you discover any security issues with the CLI Tool or have concerns about its operation:

  • Contact us immediately at support@cloudcourse.dev
  • Include "Security Concern" in the subject line
  • Provide detailed information about the issue

We take security seriously and will investigate all reported concerns promptly.

Questions and Support

For questions about securely using the CLI Tool or configuring your AWS environment:

  • Refer to the Customer Support page
  • Check the course Discord community for peer assistance

Last Updated: April 15, 2025

© 2025 Cloud Course. All rights reserved.