In this lab you’ll set up your access to a cloud provider (Amazon Web Services) and create some resources.
You will be working in pairs or groups of three.
If you get stuck for any reason, or things aren’t working how you expect, please ask an instructor for help.
Everyone in the group should do this section. You will each create your own personal login accounts.
Use your web browser to connect to the AWS console at https://nsrc-training.signin.aws.amazon.com/console (or a different URL given by your instructors).
Login using the user name and password given by your instructors.
After you have logged in, find the search box on the top left. Enter “IAM” into this box, and then click on “IAM” (subtitled “Manage access to AWS resources”).

This should take you to the IAM Dashboard.
On the left side, under Access Management, click Users. This should display a list of users. At the top right, click the button “Create User”.

Create a new user account for yourself to use.

For now, select “I want to create an IAM user” - this is the simpler approach. (We’ll discuss Identity Center, which used to be called Amazon Single Sign-On, later)
Once you’ve selected this, you’ll be offered a choice to auto-generate a password, or to enter your own. You can choose either, but make sure you remember the chosen password.
Please select “Users must create a new password at next sign-in”. This is best practice, especially if you were giving a password to someone else so they could choose their own secret password. It also allows them the ability to change their password in future.
Click on Next.

On this page, select “Add user to group” and check the “StudentsGroup” group, then click Next. (This group is set up to give you full admin access to the account, including read access to charging data)
You will then get a summary page, which shows two permissions:
Click on “Create user”, and you should get a green box saying “User created successfully”. Below this, click on the “Show” button next to Console password, if you have autogenerated it.
On the very top-right of the screen, click on your username @ account name, and then click “Sign out”.

Then click “Log back in”, or just use the URL shown earlier.
At this point, as long as you selected “create a new password at next sign-in”, you will be prompted to choose a new password. Enter the old one, then the new password twice.
You should be back in the AWS console.
Make sure you remember your new password! You will use this login for the rest of the workshop; the original admin login you used will be disabled by the instructors after this session
Since your new account is an administrator, which can create, edit or delete everything in the account, it’s very important that you secure it using multi-factor authentication.
On the very top-right of the screen, click on your username @ account name, and select “Security credentials”.
Click on “Assign MFA” (or “Assign MFA device” lower down). After you have done this, you will see the following screen:

At the top, enter a device name, like “iphone” (spaces are not allowed, but dashes and underscores are). Lower down, select “Authenticator app”, then click Next.

Install an authenticator app on your phone, such as “Google Authenticator”. This needs to be an app which supports Time-based One Time Passwords (TOTP). Talk to the instructors if you’re not sure which app to install.
Click on the blue square that says “Show QR code”.
In the authenticator app, click “+” to add account, then scan the QR code with your camera. The app should show a new 6-digit code every 30 seconds. Enter one of these codes into “MFA code 1”, and then when it changes, enter the next code into “MFA code 2”, then click “Add MFA”.
Now logout, and login again. After entering your username and password, you should be prompted for an MFA code:

You will only create ONE EC2 instance in your group
For this part, choose ONE person in your group to do these steps on their laptop, while the others watch and discuss.
You are going to create a virtual machine, called an EC2 Instance (EC2 = Elastic Compute Cloud)
In the top left bar, enter “EC2” into the search box, and then click on “EC2 - Virtual Servers in the Cloud”

This should take you to the EC2 Dashboard.
On the menu bar, at the top right near your username, check that the region selected says “Asia Pacific (Singapore)”. If not, click on it and select “Singapore ap-southeast-1” - or another region if your instructors tell you to do so.

Next, click on “Launch Instance”.

Under “Name and tags”, enter a name for your VM. We suggest you call it “groupXY-server” where XY is the group number assigned by your instructors.
You need to remember this name, to find your instance later.
To the right of the name, click “Add additional tags”. You can see that the instance name you’ve chosen is actually a tag, whose key is “Name”.
Next you’re going to add two more tags to help with cost management.
Click “Add new tag” again. This time for the key enter “environment”, and for the value enter “test”. Under Resource types, again check Instances, Volumes and Network Interfaces.

Now move to the next section, “Application and OS Images”, and click on “Ubuntu”.
On the drop-down menu under “Amazon Machine Image (AMI)”, select “Ubuntu Server 24.04 LTS (HVM), SSD Volume Type” if it’s not already selected.
Ensure that architecture is “64-bit (x86)”

Under “Instance type” select “t2.small”. This is a small instance with 1 vCPU and 2 GiB of memory. (The default of “t2.micro” does not have enough RAM for the later exercises, so make sure you change it).

Under “Key pair (login)”: if you had already uploaded an SSH public key then you could select it here. However, for this exercise you should click “Create new key pair”.

Enter a name like “groupXY key” (replace XY with your group number), select ED25519 (these keys are smaller and faster), and format “.pem for OpenSSH”. Click Create key pair.
The private key file will be downloaded to the laptop of the person who is doing the exercise. The private key is not stored in the cloud, and cannot be retrieved if lost. Normally it should be kept safely, but for the purposes of this lab, we will not need it.
Under “Network settings”, you should find that “Create security group” is already selected. Check “Allow SSH traffic from anywhere”, “Allow HTTPS traffic from the internet”, “Allow HTTP traffic from the internet”.

A security group (a list of firewall rules) that allows the selected traffic to your instance will be created automatically, but unfortunately in this simple view you cannot select its name - and it can’t be renamed later.
So now click the “Edit” button to the right at the top of the Network Settings block.

The screen will change to something like this:

Under VPC, check that the selected entry has name “nsrc-lab”. If it’s something else, then use the drop-down to select the correct one.
Change the name of your security group to “groupXY-webserver”, replacing XY with your group number. You should also change the description to say “allow inbound web traffic”.
Make sure that you can see rules that allow HTTPS and HTTP from anywhere:

If these are missing then add them by hand:
- Click “Add security group rule”
- Select Type: HTTPS; Source type: Anywhere
- Click “Add security group rule” again
- Select Type: HTTP; Source type: Anywhere
Now look at the “Configure storage” section. Increase the volume size from 8 GiB to 20 GiB. Leave the storage class as gp3 (this is for an EBS volume with general purpose SSD)

Then on the right-hand side, under Summary, click “Launch instance”
You will see a progress bar for a few seconds, and then “Success” with your instance ID.
On the top left, click the hamburger icon if necessary to open the side menu, then under “Instances” click “Instances”. You should see your instance listed amongst those created by other groups.
You’re now going to login to the instance. There are several methods, including using an SSH client on your local machine with the private key previously generated. But for simplicity, you’re going to use “EC2 Instance Connect” via the AWS console interface, which uses its own keys.

In the next page, the defaults should be correct (“Connect using a Public IP”, username “ubuntu”)

Click the “Connect” button, and you should be logged in, with a prompt like this:
ubuntu@ip-10-30-0-74:~$
(The actual IP address you see will be different; this is the internal private IP address of the instance)
This command line is called the “shell”, where you can type Linux commands. You are logged in as the user ubuntu.
Type sudo -s to get a root shell, which gives you full permissions. The prompt should change:
ubuntu@ip-10-30-0-74:~$ sudo -s
root@ip-10-30-0-74:/home/ubuntu#
Now type the following commands:
apt update
apt install apache2
If you see a prompt “Do you want to continue?”, type “y” and hit Enter.
To test your webserver, you need to find your instance’s public IP address. You can get it via the AWS console, or you can type at the shell prompt:
curl ip4.me/api/
The response will contain the public IP in the second column:
IPv4,3.26.202.235,v1.1,,,See http://ip6.me/docs/ for api documentation
     ^^^^^^^^^^^^
Once you know the public IP address, everyone in the group can open a new tab within their laptop’s web browser, and type in the IP address as a URL, for example:
http://3.26.202.235/
You should see an Ubuntu Apache2 Default Page saying “It works!”
You can customize this web page. Back at the Linux root shell, open a text editor:
nano /var/www/html/index.html
Using Page Down, scroll down past the stylesheet data until you find the <body> tag, after which you will see:
<div>
<span style="margin-top: 1.5em;" class="floating_element">
Apache2 Default Page
</span>
</div>
<div class="banner">
<div id="about"></div>
It works!
</div>
Edit it: for example, change the string “It works!” to “Welcome to group XY webserver!”
After making your changes, to exit and save:
Since you no longer need to be root, type “exit”. This will return you to the login shell for the ubuntu user, and your prompt will change back:
root@ip-10-30-0-74:/home/ubuntu# exit
exit
ubuntu@ip-10-30-0-74:~$
For this section, a DIFFERENT person in your group should perform these steps, while the others watch
In this section, you’re going to learn how to interact with the AWS API using a command line tool.
Just as the first person in your group did before, you need to use EC2 Instance Connect to get a shell on your instance.
You should be logged in with a shell prompt:
ubuntu@ip-10-30-0-74:~$
This time, don’t start a root shell.
Now enter the following commands to install version 2 of the aws cli tool. Copy-paste each line to ensure they are accurate.
sudo apt install -y unzip
curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip
unzip awscliv2.zip
sudo ./aws/install
(The “unzip” step scrolls a large number of filenames to the screen, and can take a minute or two)
If you get a warning about “Pending kernel upgrade”, just hit Enter to select <Ok>.
If you get a warning about “Daemons using outdated libraries”, hit Tab to select <Ok>, then hit Enter.
You should be back at the shell prompt. Type the following commands to check that it has installed successfully:
aws --version
aws help
The help command gives detailed information about the options available. You don’t need to read it, but hit Space to get to the next page. Then hit “q” to quit. (Other Linux commands can usually be stopped using Ctrl+C)
Warning: do not use Ctrl+Z to stop a Linux command. If you do, the command is suspended but remains in memory, waiting to be restarted. If you do this by accident, type fg at the shell to bring it back into the (f)ore(g)round.
“aws” is a command-line front-end to the AWS API, which you can use to control resources in the cloud.
Try running the following command:
aws iam list-users
You should see an error message:
Unable to locate credentials. You can configure credentials by running "aws configure".
That’s because the tool doesn’t yet have any credentials to talk to the API. We can’t use our existing web console login, because username+password (or username+password+MFA) are not suitable for API logins.
The insecure way to solve this problem is to create an “API key” in the console and install it where it’s needed. The trouble is, an API key attached to an administrator account has full administrator access - from anywhere in the Internet - and there is no multi-factor authentication! The risk of someone else getting hold of this key is very high.
However, there’s a much better approach when the client is running inside EC2 (as we are here). We can use Amazon’s own permissions system to grant permissions to this VM and nobody else.
A “role” represents a collection of permissions that is needed by an application to function. You should create roles for each application, with the minimum permissions needed by that application, to limit the damage if the application is compromised.
Here, we’re going to create a role which has the access we’ll need for later exercises, suitable for use by an EC2 VM.

Now we need to select which permission policies to apply
In the next page, enter a role name “groupXY-awscli” (replacing “XY” with your group number). You can also enter a description.

Lower down, check that the permissions are correct:

Optionally create a tag for this role.
Finally, click “Create role” at the bottom.
We want your groupXY-server VM to have the permissions that this role grants.
Go back to EC2, Instances. Click the checkbox next to your groupXY-server. Then click Actions > Security > Modify IAM Role.

Underneath “IAM role”, select the IAM role you just created, and click “Update IAM role”.

That’s it!
Return to the Linux shell for your groupXY-server instance. Now repeat the command you tried before:
aws iam list-users
You should now get a long list of users:
{
"Users": [
{
"Path": "/",
"UserName": "johnsmith",
"UserId": "AIDAQ3EGUL3QHSGIU7KYB",
"Arn": "arn:aws:iam::058264411872:user/johnsmith",
"CreateDate": "2025-08-17T05:30:14+00:00",
"PasswordLastUsed": "2025-08-20T03:04:53+00:00"
},
...etc
When there is a large amount of output, a pager is used by default. Hit Space for next page, and “q” to quit.
Behind the scenes, the “aws” command has “assumed” the role you gave it, by fetching an API token from AWS, which authorizes this request.
The “ARN” (Amazon Resource Name) in the response is a globally unique identifier for the resource (in this case, a user), and the long number within the ARN is the AWS account number.
There are other formats which are easier for humans to read: try these commands as well.
aws iam list-users --output text
aws iam list-users --output table
You can retrieve information about a single user, by providing an option which specifies the username. Try this with your own username:
aws iam get-user --user-name <YOUR_IAM_USERNAME>
for example, if you login to the AWS console as “johnsmith”, then run
aws iam get-user --user-name johnsmith
You can manage all AWS resources this way. To get details of EC2 instances:
aws ec2 describe-instances
To search for a single instance by its name:
aws ec2 describe-instances --filter Name=tag:Name,Values=groupXY-server --output table
Many other options are available.
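As an added example (not part of the original lab), the check below audits security-group rules such as the “Allow SSH traffic from anywhere” rule created earlier. It reads JSON in the shape printed by aws ec2 describe-security-groups and reports every rule open to the whole internet, other than TCP 80 and 443. The sample data is constructed, and the group name “example-admin” is hypothetical.

```python
import ipaddress
import json

# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
# "example-admin" is a hypothetical second group added for contrast.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupName": "groupXY-webserver", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupName": "example-admin", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")

WEB_PORTS = {80, 443}  # TCP ports a public web server is meant to expose


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0: a zero-length prefix matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_findings(doc, allowed_tcp=WEB_PORTS):
    """Return (group, protocol, ports, cidr) for each rule open to the whole
    internet, other than TCP rules confined to the allowed web ports."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1" or lo is None:  # "-1" means every protocol and port
                ports = "all"
            elif proto == "tcp" and set(range(lo, hi + 1)) <= allowed_tcp:
                continue  # intended public web traffic
            else:
                ports = str(lo) if lo == hi else f"{lo}-{hi}"
            findings += [(sg["GroupName"], proto, ports, c)
                         for c in cidrs if is_world(c)]
    return findings


if __name__ == "__main__":
    for finding in world_open_findings(SAMPLE):
        print("world-open:", *finding)
```

On the sample it reports the SSH rule of groupXY-webserver and the all-protocols rule of the hypothetical group, while the SSH rule restricted to 203.0.113.0/24 passes.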
If there are three people in your group, then the third person should do this section. Otherwise, one person should create the bucket and upload a file, and the other should use the aws command to retrieve it
S3 is a high-availability object storage system. By default, objects are stored within one region but replicated between multiple Availability Zones in that region.
Make sure you are logged into the AWS console.
Enter “S3” into the search box at the top, and then click on S3. This will take you to the S3 dashboard:

(If the sidebar has collapsed then there will be a hamburger, in which case click on it to expand)
Click on “General purpose buckets”, then click on “Create bucket”
If the bucket name you have chosen is already taken, then modify it until it’s accepted. (All buckets share the same global namespace, even between different regions)
Find a file on your laptop that you want to upload: for example, create a small text file in Notepad and save it. Just ensure that it does not contain sensitive information.
In the bucket listing, click on the bucket name:

Then in the next page, click the “Upload” button.
You can either drag and drop a file, or click “Add files” and select a file from your filesystem. Then click “Upload”.

You will briefly see a progress bar, and then “Upload succeeded”
Now you will retrieve the file using the AWS cli, to simulate an application program retrieving a file via the S3 API.
Get to the Linux shell on your EC2 instance using EC2 Instance Connect, as described previously.
List the contents of the bucket:
aws s3 ls s3://nsrc-groupXY-data
(replace “nsrc-groupXY-data” with the name of your bucket)
To retrieve the file:
aws s3 cp s3://nsrc-groupXY-data/name-of-file.txt .
# If the filename contains spaces, you'll need to enclose it in quotation marks:
aws s3 cp 's3://nsrc-groupXY-data/name of file.txt' .
(The dot by itself means “copy to the same name in this directory”)
Now check whether the file exists:
ls -l
If it’s a text file, you can type it to the screen:
cat name-of-file.txt
You can use aws s3 help, aws s3 cp help etc for more details on these commands.
These exercises are optional, but are provided in case you have spare time.
It’s a common requirement to grant someone outside of AWS access to an object in S3. You definitely don’t want to give them an API key.
Instead, S3 provides a mechanism called “pre-signed URLs”. Run the following command in the Linux shell:
aws s3 presign s3://nsrc-groupXY-data/name-of-file.txt --expires-in=900
(change the s3 URL to match the one you used before for aws s3 cp)
This should spit out an extremely long, multi-line URL. Copy it, paste it into a fresh tab in your browser, and the file should appear in your browser.
This link is valid only for that one file, and only for a limited amount of time - in this case 900 seconds, which is 15 minutes. (The default, if you don’t specify it, is 1 hour)
Using this mechanism, a web application can grant a user the ability to download a file, by issuing them with a pre-signed URL, and then the user can download it directly from S3 without having to stream it via the web server.
In this lab, you set up a VM, installed aws cli, and gave it a role with some permissions. You could follow this model for granting different permissions to different VMs.
However, if all you actually want is to use aws cli as a way of managing resources in your cloud, then there is a service called “CloudShell” which does that for you. It fires up a temporary VM, with AWS Linux and a number of admin tools pre-installed, and has a suitable role already set up.
We didn’t use it in the lab, because you wouldn’t see how roles can be created and made available to instances.