Steps to deploy all the things — and summary of how I used AI

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Security Automation (Pre-AI). The Code.
⚙️ AI Automation. The Code.
🔒 Related Stories: Cybersecurity | Penetration Tests
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I created a tool simply called aws-deploy that can deploy anything on AWS.
It asks you a few questions, generates the code, and then can deploy any AWS resource (in theory — still testing all of them).
I recently added the ability to save the output to your own git repository. That way you have a record of what was deployed and can compare it to what’s on AWS to see if anything changed. You can also use that information to redeploy a stack later.
I also added the ability to store environment configuration such as the environment name, the git repository, and the AWS profile to use for deployments to that environment. That way you don’t have to re-enter those things each time you run a deployment.
Caveat
Note that this is for testing only. A secure deployment process would look very different as I covered in these posts:
I’m thinking about how this can be incorporated into the above batch job process I was working on, but for my purposes I just need to deploy some things quickly in a non-production environment.
This code is designed to run on Amazon Linux.
Try it out
I’d suggest trying it out in CloudShell.
Copy the script in the README.txt
Paste it into CloudShell.
Note: If you want to run the script multiple times without copying and pasting it each time, save it to a file and execute the file instead.
The script will download the code into a directory named aws-deploy.
Hit enter to run the deploy.sh script in the aws-deploy directory.
Enter the environment name (which can be whatever name you want).
Type help if you want more information about environment names.
Optionally, enter the URL of a git repository in which to store the generated code.
For more information on how the git repo is used, type help.
I’m going to skip this for now by not entering a repo and hitting Enter.
The next prompt asks you for your AWS CLI Profile.
If you are using CloudShell or the default profile just hit Enter.
Alternatively, enter an AWS CLI profile name configured on your system.
Type help for more information.
Since I just pressed Enter and I am using CloudShell, the script configured the default profile in the ~/.aws/config file.
Next the current region is displayed. You can change it or hit Enter.
The script validates the region you entered by calling the AWS API through the hard-coded us-east-1 region. A known-good region is needed to look up the list of valid regions, so you need permission to run that command in us-east-1, or you can change the hard-coded region in the code.
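The region check described above, written out as an added example (this is not the aws-deploy project's own code). The list of enabled regions is fetched through the known-good region, and the user's choice is checked against that list; the function names, the KNOWN_GOOD_REGION variable, and the prompt loop are this example's own. The only permission the lookup needs in the known-good region is ec2:DescribeRegions.

```shell
#!/usr/bin/env bash
# Added example, not code from the aws-deploy repository. Validates a region
# name against the list of regions enabled for the account, which can only be
# fetched through a region that is already known to work (us-east-1 by default,
# as in the post). Variable and function names are this example's own.

KNOWN_GOOD_REGION="${KNOWN_GOOD_REGION:-us-east-1}"

# Whitespace-separated list of enabled regions. Needs credentials and network
# access; the caller decides when to run it.
list_enabled_regions() {
  aws ec2 describe-regions --region "$KNOWN_GOOD_REGION" \
    --query 'Regions[].RegionName' --output text
}

# Region the CLI would use by default (profile/env), empty if none is set.
default_region() {
  aws configure get region 2>/dev/null || true
}

# Exit status 0 if $1 is one of the whitespace-separated regions in $2.
# Exact match only: "us-west" must not pass just because "us-west-2" exists.
region_in_list() {
  candidate="$1"
  for r in $2; do
    [ "$r" = "$candidate" ] && return 0
  done
  return 1
}

# choose_region REGION_LIST DEFAULT: prompt until a region on the list is
# entered; Enter keeps the default. Prints the chosen region on stdout.
choose_region() {
  regions="$1"
  default="$2"
  while :; do
    printf 'Region [%s]: ' "$default" >&2
    read -r answer || return 1
    region="${answer:-$default}"
    if region_in_list "$region" "$regions"; then
      printf '%s\n' "$region"
      return 0
    fi
    printf 'Unknown or disabled region "%s"; try again or press Ctrl-C to exit\n' "$region" >&2
  done
}

# Interactive use (not run by the tests):
#   chosen="$(choose_region "$(list_enabled_regions)" "$(default_region)")"
```

Because the check is an exact match against the account's enabled regions, a typo such as `us-west` or a region that is disabled in the account is rejected before any deployment is attempted.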
Next you are asked to enter a case sensitive AWS service name.
Type help to get a list of AWS services.
Enter a service name.
The script will validate that the service name exists.
Type help at the next prompt to view a list of resources for that service.
Enter a resource name for the selected service.
If the resource is for a specific group of users or a specific application in the environment, enter a name for that here. This name is appended to the resource name and the CloudFormation stack name.
I want to create a VPC for developers so I’m adding the name developer.
Next you’ll see a list of variables and values used to deploy your resource.
Note that the stack name and resource names for all resources deployed with this script follow a consistent naming convention that includes the environment name, the principal that deployed the resource, the service, the resource type, and the name or identifier you entered above (developer, in my case):
If you see anything that doesn’t look right type Ctrl-C to exit.
Otherwise, press Enter to deploy the resource.
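The naming convention described above, as an added example that is not code from the aws-deploy repository: a stack name is built from the environment, the deploying principal, the service, the resource type, and the optional identifier, in that order. The hyphen as join character, the sanitising rules, and the function names are this example's own choices; the stack name constraints (start with a letter, only letters, digits and hyphens, at most 128 characters) are CloudFormation's.

```shell
#!/usr/bin/env bash
# Added example, not code from the aws-deploy repository. Builds a
# CloudFormation stack name from the five components the post lists, in the
# same order: environment, deploying principal, service, resource type, and
# the optional name entered for the resource. Join character and sanitising
# rules are this example's own choices.

# Replace every run of characters not allowed in a stack name with one hyphen,
# then trim hyphens from both ends.
sanitize_component() {
  printf '%s\n' "$1" | tr -cs 'A-Za-z0-9\n' '-' | sed -e 's/^-//' -e 's/-$//'
}

# Reduce an IAM user or role ARN to its last path segment, e.g.
# arn:aws:iam::123456789012:user/teri -> teri (assumption: user/role ARNs only).
principal_name_from_arn() {
  printf '%s\n' "${1##*/}"
}

# Exit status 0 if $1 is a syntactically valid CloudFormation stack name.
validate_stack_name() {
  [ "${#1}" -le 128 ] || return 1
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*$'
}

# build_stack_name ENV PRINCIPAL SERVICE RESOURCE [IDENTIFIER]
build_stack_name() {
  env_name="$(sanitize_component "$1")"
  principal="$(sanitize_component "$2")"
  service="$(sanitize_component "$3")"
  resource="$(sanitize_component "$4")"
  ident="$(sanitize_component "${5:-}")"
  name="${env_name}-${principal}-${service}-${resource}"
  if [ -n "$ident" ]; then
    name="${name}-${ident}"
  fi
  if ! validate_stack_name "$name"; then
    printf 'invalid stack name "%s": must start with a letter, use only [A-Za-z0-9-], max 128 chars\n' "$name" >&2
    return 1
  fi
  printf '%s\n' "$name"
}

# Demo with constructed values: a developer VPC deployed by IAM user "teri"
# into an environment called "dev". The ARN is a made-up example.
build_stack_name dev \
  "$(principal_name_from_arn 'arn:aws:iam::123456789012:user/teri')" \
  EC2 VPC developer
```

Because every component is sanitised before it is joined, the same inputs always produce the same stack name, which is what makes the stack list in CloudFormation searchable by environment, principal, or service later on. In a real script the principal would come from `aws sts get-caller-identity` rather than a literal.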
Next you will be prompted to enter a value for each property of the resource.
The script displays the property name, description, type, and whether the property is required.
In this case I’m entering the CIDR for my VPC:
Note that there are some cases the script does not yet handle, such as when one of two properties must be set but neither is required on its own.
I also have not yet found a way to tell whether two properties are mutually exclusive (meaning that if one is set, the other cannot be).
Therefore you still need to know something about the resources you are creating when you fill in these values. If you have trouble populating any of them, you can find information about all CloudFormation resources here:
Fill out the rest of the values, or leave them empty if they are not required and you don’t want to set them. I am going to type enter for the rest of the properties to skip setting them.
Next the script base64 encodes the parameters. This is so they can be passed between functions even when they contain spaces, special characters, or anything else that would cause problems when passing them around in the program. Base64 is an encoding, not encryption: the values are decoded before they are passed to CloudFormation and are sent in plain text.
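The round trip described above, as an added example (not the aws-deploy project's own code): each value is encoded once so it survives shell word splitting, carried around as a `NAME=BASE64` token, and decoded only when the CloudFormation parameter is rendered. The token format and the function names are this example's own; the sample CIDR and description are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the aws-deploy repository. Shows why and how a
# deploy script base64 encodes property values before passing them between
# functions, and decodes them only at the point of use. base64 is an encoding,
# not encryption: anyone who can read the token recovers the value, and
# CloudFormation receives it in plain text.

# Single-line base64 (tr removes the line wrap GNU base64 adds) so the result
# can sit in a variable or be passed as a single argument.
encode_param() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Note: command substitution around this call drops trailing newlines from
# the value, which is fine for CloudFormation string parameters.
decode_param() {
  printf '%s' "$1" | base64 -d
}

# Number of arguments a function actually received; used to show the problem
# the encoding solves.
count_args() {
  printf '%s\n' "$#"
}

# Pack a property name and raw value into one token: NAME=BASE64VALUE. Base64
# output contains no whitespace or glob characters, so the token stays one
# word even when expanded unquoted. The name must not contain "=" or spaces.
pack_param() {
  case "$1" in
    *=*|*' '*|'') printf 'property name must be non-empty with no "=" or spaces\n' >&2; return 1 ;;
  esac
  printf '%s=%s\n' "$1" "$(encode_param "$2")"
}

# Unpack a token into "NAME<TAB>RAWVALUE". The name holds no "=", so splitting
# on the first "=" is unambiguous even though base64 pads with "=".
unpack_param() {
  printf '%s\t%s\n' "${1%%=*}" "$(decode_param "${1#*=}")"
}

# Decode a list of tokens at the last moment, rendering the shorthand form
# used by "aws cloudformation create-stack --parameters". Printed rather than
# executed so the example runs without credentials.
render_cli_parameters() {
  for token in "$@"; do
    name="${token%%=*}"
    value="$(decode_param "${token#*=}")"
    printf 'ParameterKey=%s,ParameterValue=%s\n' "$name" "$value"
  done
}

# Constructed values: a CIDR and a description with spaces, quotes and a "$".
cidr='10.0.0.0/16'
desc='Developer VPC "team A", budget=$0'

count_args $desc                         # 5: the raw value splits into words
count_args $(encode_param "$desc")       # 1: the encoded value stays one word
tokens="$(pack_param CidrBlock "$cidr") $(pack_param Description "$desc")"
render_cli_parameters $tokens
```

Two practical consequences follow from the encoding being reversible: do not treat the encoded tokens as safe to log or commit (they reveal the value as readily as the plain text does), and keep real secrets out of these parameters altogether, using CloudFormation's NoEcho parameters or SSM Parameter Store references instead. Also note that the shorthand `ParameterKey=...,ParameterValue=...` syntax splits on commas, so a value containing a comma must be passed through the JSON `--parameters file://` form instead.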
Then the command is executed to deploy the stack and the script tells you it is waiting for the stack to complete.
Once the resource has been deployed you can deploy another one or exit.
If the stack fails and you restart the script, it will delete the failed stack before trying to deploy a new one.
You can view the progress in CloudFormation:
You can check out the resource once deployed:
Now it would be really nice if my VPC had a name, no?
The Tags property is an array of objects, which is a different type from the scalar properties handled so far. I haven’t implemented the code for arrays yet, so that’s an issue I still need to address. Stay tuned.
Other known issues are in the issues list on the repo. Feel free to add any error messages or problems you have there and I’ll fix if and when I have time.
You can follow 2nd Sight Lab or the repository for updates:
How much did I use AI to write this?
See the next post.
Teri Radichel | © 2nd Sight Lab 2025