GIAC Public Cloud Security (GPCS)
What You Will Learn
Multiple Clouds Require Multiple Solutions
SEC510: Public Cloud Security: AWS, Azure, and GCP teaches you how the major cloud providers work and how to securely configure and use their services and Platform as a Service (PaaS) offerings.
Organizations in every sector are increasingly adopting cloud offerings to build their online presence. However, although cloud providers are responsible for the security of the cloud, their customers are responsible for what they do in the cloud. Unfortunately, the providers have made the customers job difficult by offering many services that are insecure by default. Worse yet, with each provider offering hundreds of different services and with many organizations opting to use multiple providers, security teams need a deep understanding of the underlying details of the different services in order to lock them down. As the landscape rapidly evolves and development teams eagerly adopt the next big thing, security is constantly playing catch-up in order to avert disaster.
SEC510 provides cloud security practitioners, analysts, and researchers with an in-depth understanding of the inner workings of the most popular public cloud providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Students will learn industry-renowned standards and methodologies, such as the MITRE ATT&CK Cloud Matrix and CIS Cloud Benchmarks, then apply that knowledge in hands-on exercises to assess a modern web application that leverages the cloud native offerings of each provider. Through this process students will learn the philosophies that undergird each provider and how these have influenced their services.
The Big 3 cloud providers alone provide more services than any one company can consume. As security professionals, it can be tempting to limit what the developers use to the tried-and-true solutions of yesteryear. Unfortunately, this approach will inevitably fail as the product development organization sidelines a security entity that is unwilling to change. Functionality drives adoption, not security, and if a team discovers a service offering that can help get its product to market quicker than the competition, it can and should use it. SEC510 gives you the ability to provide relevant and modern guidance and guardrails to these teams to enable them to move both quickly and safely.
This Course Will Prepare You To:
- Understand the inner workings of cloud services and Platform as a Service (PaaS) offerings in order to make more informed decisions in the cloud
- Understand the design philosophies that undergird each provider and how these have influenced their services in order to properly prescribe security solutions for them
- Discover the unfortunate truth that many cloud services are adopted before their security controls are fully fleshed out
- Understand Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) in depth.
- Understand the intricacies of Identity and Access Management, one of the most fundamental concepts in the cloud and yet one of the last understood
- Understand cloud networking and how locking it down is a critical aspect of defense-in-depth in the cloud
- Analyze how each provider handles encryption at rest and in transit in order to prevent sensitive data loss
- Apply defense-in-depth techniques to protect data in cloud storage
- Compare and contrast the serverless platforms of each provider
- Explore the service offering landscape to discover what is driving the adoption of multiple cloud platforms and to assess the security of services at the bleeding edge (such as the Firebase platform)
- Utilize multicloud IAM and cloud Single Sign-On to provide secure access to resources across cloud accounts and providers
- Automate security and compliance checks using cloud-native platforms and open-source solutions
- Understand Terraform Infrastructure-as-Code well enough to share it with your engineering team as a starting point for implementing the controls discussed in the course
- Read and understand Terraform Infrastructure as Code configuration for the AWS, Azure, and GCP clouds
- Perform security reviews on Terraform Infrastructure as Code to identify cloud misconfigurations
SEC510 also offers students an opportunity to participate in CloudWars Bonus Challenges each day in a gamified environment, while also providing more hands-on experience with the cloud security and relevant tools.
NOTICE TO STUDENTS
- As of May 10, 2021, SEC510 will have extended lab hours on Sections 1-4, running 8 hours per section. Section 5 runs for 6 hours.
- Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) accounts are needed in order to do the hands-on exercises during this course. Students must create their cloud accounts prior to the start of class. See Laptop Requirements below for details.
SEC510: Public Cloud Security: AWS, Azure, and GCP consolidates all of the concepts discussed in the lectures through hands-on labs. In the labs, students will assess a modern cloud infrastructure created using Terraform Infrastucture as Code. Each cloud provider will host a multicloud web application written in Next.js, Reach, and Sequilize that leverages the cloud native offerings of each provider. Each lab includes step-by-step guide as well as a no hints option for students who want to test their skills without further assistance. This allows students to choose the level of difficulty that is best for them and fall back to the step-by-step guide as needed.
- Virtual Machine Credential Exposure
- Harden AWS IAM Policies
- Harden Azure and GCP IAM Policies
- Advanced IAM Features
- Network Lockdown
- Analyzing Network Traffic
- Private Endpoint Security
- Cloud VPN and Managed SSH
- Audit Decryption Events
- Encrypt All The Things!
- Storage Service Lockdown
- Unauthorized File Sharing
- Serverless Prey
- Harden Serverless Functions
- App Service Security
- Broken Firebase DB Access Control
- Multicloud Integration
- Login with Azure AD
- Automated Benchmarking
- CloudWars Daily Bonus Challenges
- Lab Tear Down
WHAT YOU WILL RECEIVE
- Printed and Electronic courseware
- MP3 audio files of the course
- Course virtual machine (VM) with all lab exercises that can be redone outside of class
- Thousands of lines of Infrastructure-as-Code for each cloud platform that you can use at your organization
- Head in the Clouds, Episode 11: Importing Resources into the Terraform State File
- Secure Service Configuration: AWS, Azure, & GCP poster
- Multicloud Command-Line Interface Cheat Sheet
- Firebase: Google Clouds Evil Twin, by Brandon Evans
- Detecting and Locking Down Malware in Azure, by Brandon Evans
- Top 5 Considerations for Multicloud Security, by Brandon Evans
- Multiple Clouds Require Multiple Solutions: AWS, Azure, and GCP, withBrandon Evans and Eric Johnson
WHAT TO TAKE NEXT
SANS courses that are good follow-ups to SEC510:
- SEC584: Cloud Native Security: Defending Containers and Kubernetes
- SEC541: Cloud Security Monitoring and Threat Detection
- SEC588: Cloud Penetration Testing
- SEC540: Cloud Security and DevSecOps Automation
Although SEC510 uses Terraform Infrastructure-as-Code to deploy and configure services in each cloud for the labs, students will not need in-depth knowledge of Terraform or need to understand any of the syntax used. However, students will be introduced at a high level to what this code accomplishes.
GIAC Public Cloud Security
“SEC510: Public Cloud Security: AWS, Azure, and GCP covers a large array of topics across each of the Big 3 Cloud providers. Certification is crucial to prove that an individual can navigate through the nuances of each platform to defend the data and infrastructure within. The GPCS distinguishes itself from the certifications offered by each provider because it remains vendor neutral. GPCS emphasizes the security strengths and weaknesses of each provider, highlighting that they are not secure by default and require professional reconfiguration. Any organization using one or more of these providers will find the knowledge and experience of GPCS holders to be indispensable to their security strategy.” – Brandon Evans, SANS SEC510 course co-author
The GPCS certification validates a practitioner’s ability to secure the cloud in both public cloud and multi cloud environments. GPCS-certified professionals are familiar with the nuances of AWS, Azure, and GCP and have the skills needed to defend each of these platforms.
- Evaluation and comparison of public cloud service providers
- Auditing, hardening, and securing public cloud environments
- Introduction to multi-cloud compliance and integration
The following are courses or equivalent experiences that are prerequisites for SEC510:
- SANS SEC488: Cloud Security Essentials or hands-on experience using the AWS and Azure Cloud.
- Students must have basic familiarity with cloud IAM and networking.
- Students must also be comfortable working with the Bash commands.
- Students should have basic familiarity with the HashiCorp Configuration Language (HCL) or review the Terraform Language Documentation prior to the course https://www.terraform.io/docs/language/index.html
- For hands on Terraform practice, consider following Kenneth Hartman’s Tech Tuesday Workshop – Use Terraform to Provision You Own Cloud-Based Remote Browsing Workstation https://github.com/Resistor52/terraform-cloud-workstation
!!! IMPORTANT NOTICE !!!
Please plan to arrive 30 minutes early before your first session for lab preparation and setup. During this time, students can confirm that each cloud account is properly set up, ensure that laptops have virtualization enabled, copy the lab files, and start the Linux virtual machine. For students taking the course Live Online, the instructor will be available to assist them with laptop prep and setup 30 minutes prior to the start of the course.
Mandatory: Students must bring their own AWS, Azure, and GCP accounts to complete the exercises. Please ensure that you have done the following before class starts:
Amazon Web Services
- Register for a personal free-tier account.
- Activate your new account.
- Log in to the AWS Console with your root account.
- Browse to the EC2 Service and verify that you see the dashboard (not an activation screen).
- In the top right-hand corner of the page, select U.S. East (Northern Virginia).
- From the left navigation bar, select “Limits.”
- Verify that you have at least 10vCPUs for On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances.
- If your limits are less than 10 vCPUs, please start by creating a new t2.micro instance. Creating a new instance often causes the limits to increase automatically. If your limits do not automatically increase (wait 30 minutes to check again), open a ticket with the AWS support team to request an increase. More details can be found in the AWS EC2 Service Limits documentation.
- Browse to the Azure Portal
- Register for a personal 12-month free account
Google Cloud Platform
- Create a Google account
- Sign up for a GCP free trial
BRING YOUR OWN LAPTOP CONFIGURED USING THE FOLLOWING DIRECTIONS:
A properly configured system is required for each student participating in this course. Before starting the course, carefully read and follow these instructions exactly:
- Download and install VMware Workstation or VMware Fusion on your system prior to the start of the class.
- If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 15+, VMware Fusion 11+.
- If you do not own a licensed copy of VMware, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
- Students must be in full control of the network running the VM. The VM communicates with several external services (AWS, Azure, GCP, etc.) over HTTPS, SSH, and many non-standard ports. Running the course virtual machine on a host with a VPN, intercepting proxy, or egress firewall filter may cause connection issues communicating with these services. Students must be able to configure or disable these services for the lab environment to function properly.
- Multiple monitors are recommended to make navigating the lab environment easier.
- Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
Mandatory Host Hardware Requirements
- CPU: 64-bit 2.5+ GHz multi-core processor or higher
- BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
- Hard Disk: Solid-State Drive (SSD) is MANDATORY with 50GB of free disk space minimum
- Memory: 16GB of RAM or higher is mandatory for this class (IMPORTANT! 16GB of RAM is MANDATORY)
- Working USB 2.0 or higher port
- Wireless Ethernet 802.11 B/G/N/AC
- Local Administrator Access within your host operating system
Mandatory Host Operating System Requirements
You must use a 64-bit laptop with one of the following operating systems that have been verified to be compatible with course VMware image:
- Windows (8 or 10)
- Mac OS X (Catalina, Mojave)
Mandatory Software Requirements
Prior to class, ensure that the following software is installed on the host operating system:
- VMware Workstation Pro 15+, VMware Fusion 11+
- Zip File Utility (7Zip or the built-in operating system zip utility)
Mandatory Cloud Account Requirements
- Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) accounts are needed in order to do the hands-on exercises during this course. Students must create their cloud accounts prior to the start of class. Your ability to execute the hands-on exercises will be delayed if you wait to set up the accounts during a live class.
- These cloud accounts will incur additional fees from platform usage. The estimated cost for running the lab environment is roughly $25 for the 5-day course.
- If you are taking OnDemand, accommodations for the lab environment have been made to avoid costs incurred for several months. The courseware will go into this in detail.
In summary, before beginning the course you should:
- Have a laptop with a solid-state drive (SSD), 8 GB of RAM, and a 64-bit operating system.
- Install VMware (Workstation or Fusion).
- Windows Only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled.
- Download the SEC510 Lab Setup Instructions and Course Media from your sans.org account.
- Register a NEW AWS account prior to the start of the class at https://aws.amazon.com/.
- Register a NEW Azure account prior to the start of class at https://azure.microsoft.com/en-us/free/.
- Register a NEW GCP free-tier account prior to the start of class at https://console.cloud.google.com/freetrial.
“The move to leveraging multiple public cloud providers introduces new challenges and opportunities for security and compliance professionals. As the service offering landscape is constantly evolving, it is far too easy to prescribe security solutions that are not accurate in all cases. While it is tempting to dismiss the multicloud movement or block it at the enterprise level, this will only make the problem harder to control.
Why do teams adopt additional cloud solutions in the first place? To make their jobs easier or more enjoyable. Developers are creating products that make money for the business, not for the central security team. If a team discovers a service offering that can help get its product to market quicker than the competition, it can and should use it. Security should embrace the inevitability of the multicloud movement and take on the hard work of implementing guardrails that enable the organization to move quickly and safely.
“Simply outstanding! All the way around. Very well done.” – Ryan Stillions, IBM X-Froce IR