Public Cloud Security: AWS, Azure, and GCP
Organizations are becoming multicloud by choice or by chance. However, although each cloud provider is responsible for the security of the cloud, its customers are responsible for what they do in the cloud. Unfortunately, this means that security professionals must support hundreds of different services across multiple clouds. Many of these services are insecure by default, and few of them are consistent across the different clouds. Security teams need a deep understanding of each cloud's services to lock them down. As the multicloud landscape rapidly evolves, security is constantly playing catch-up to avert disaster.
Course Key Learnings:
- Make informed decisions in the Big 3 clouds by understanding the inner workings of each of their Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) offerings
- Implement secure Identity and Access Management (IAM) with multiple layers of defense-in-depth
- Build and secure multicloud networks with segmentation and access control
- Encrypt data at rest and in-transit throughout each cloud
- Control the confidentiality, integrity, and availability of data in each cloud storage service
- Support non-traditional computing platforms like Application Services and serverless Functions as a Service (FaaS)
- Integrate each cloud provider with one another without the use of long-lived credentials
- Automate security and compliance checks using cloud-native platforms
- Guide engineering teams in enforcing these security controls using Terraform and Infrastructure-as-Code (IaC)
Course Content:
Module 1: Cloud Identity and Access Management
Overview
SEC510 starts with a brief overview of public cloud adoption trends. We will examine the factors driving the rise in popularity of Azure and GCP, which historically have lagged far behind AWS. Students will then initialize their lab environment and deploy a modern web application to each of the Big 3 providers.
This leads into an analysis of one of the most fundamental and misunderstood concepts in cloud security: Identity and Access Management (IAM). Students will compromise real IAM credentials from cloud virtual machines using the Instance Metadata Service (IMDS) to examine firsthand how an attacker can use them to access sensitive cloud data.
The remainder of this section will focus on how to harden the IMDS and leverage well-written IAM policies to minimize the harm caused by such attacks. These strategies are critical to prevent a minor vulnerability from becoming front-page news.
Exercises
- VM Credential Exposure
- Hardening AWS IAM Policies
- Hardening Azure and GCP Policies
- Advanced IAM Features
- Bonus Challenges (Section 1)
Topics
The Multicloud Movement
- Cloud Market Trends
- Multicloud Considerations
- Cloud Procurement through Mergers and Acquisitions
- Shadow Cloud Accounts
Multicloud Security Assessment
- Cyber Defense Matrix
- Center for Internet Security (CIS) Cloud Foundations Benchmarks
- MITRE ATT&CK Cloud Matrix
- Lab Environment Introduction
- HashiCorp Terraform Overview
Identity and Access Management
- Identities
- Policies
- Organization-Wide Controls
- AWS IAM
- Azure Active Directory (Azure AD) and Microsoft Entra ID
- Google Cloud IAM
Cloud Metadata and Credential Services
- The Cloud Instance Metadata Service (IMDS) for each cloud provider
- IMDS Compromise Case Study
- IMDS Hardening
Related Application Vulnerabilities
- Command Injection
- Server-Side Request Forgery
Module 2: Cloud Virtual Networks
Overview
Section 2 covers how to lock down infrastructure within a virtual private network. As the public cloud IP address blocks are well known and default network security is often lax, millions of sensitive assets are unnecessarily accessible to the public Internet. This section will ensure that none of these assets belong to your organization.
It begins by demonstrating how ingress and egress traffic can be restricted within each provider. Students will analyze the damage that can be done without these controls by accessing a public-facing database and creating a reverse shell session in each environment. We will then eliminate both attack vectors with secure cloud configuration.
Exercises
- Network Lockdown
- Analyzing Network Traffic
- Private Endpoint Security
- Cloud VPN and Managed SSH
- Bonus Challenges (Section 2)
Topics
Cloud Virtual Networks
- Network Service Scanning
- Default Network Configuration
- Network Security Groups
Network Traffic Analysis
- Flow Logging
- AWS Traffic Mirroring
- Google Cloud Packet Mirroring
- Google Cloud Firewall Rules Logging
Private Endpoints
- AWS PrivateLink
- Azure Private Link
- Google Cloud Private Google Access
- Google Cloud VPC Service Controls
- Custom Service Endpoints
Advanced Remote Access
- Managed SSH
- Hybrid VPN Gateways
- AWS Session Manager
- Azure Bastion
- Google Cloud OS Login
- Google Cloud Identity-Aware Proxy (IAP)
Command and Control Servers
Software Supply-Chain Attacks
Module 3: Data Security
Overview
Data security is as important, if not more important, in the cloud than it is on-premises. There are countless cloud data leaks that could have been prevented with the appropriate controls. This section examines the cloud services that enable data encryption, secure storage, access control, data loss detection, policy enforcement, and more.
The first half of Section 3 covers all you need to know about encryption in the cloud. Students will learn about each provider’s cryptographic key management solution and how it can be used to apply multiple layers of encryption at rest. Students will also learn how in-transit encryption is performed throughout the cloud, such as the encryption between clients, load balancers, applications, and database servers. These techniques will improve your organization’s security while satisfying its legal and compliance needs.
The second half of Section 3 is primarily focused on cloud storage services. After briefly discussing the most basic storage security technique, turning off public access, it will cover more advanced controls like organization-wide access control, file versioning, data retention, secure transit, and more. It concludes with a discussion of additional data exfiltration paths and how to automatically detect sensitive data storage.
Exercises
- Audit Decryption Events
- Encrypt All The Things!
- Storage Service Lockdown
- Sensitive Data Detection and Exfiltration
- Bonus Challenges (Section 3)
Topics
Cryptographic Key Management
- AWS KMS
- Azure Key Vault
- Google Cloud KMS
- Overview of Single-Tenant Alternatives: AWS CloudHSM, Azure Dedicated HSM, and Azure Key Vault Managed HSM
- Key Usage Audit Logging
Encryption with Cloud Services
- Disk-Level Encryption
- Service-Level Encryption
- Column-Level Encryption
- In-Transit Encryption
Cloud Storage Platforms
- Access Control
- Audit Logs
- Data Retention
Sensitive Data Detection and Exfiltration
- Data Exfiltration Paths
- Signed URLs
- Amazon Macie
- Amazon CloudWatch Logs Data Protection
- Overview of Microsoft Purview and Azure Information Protection
- Google Cloud Data Loss Prevention
Module 4: Cloud Application Services and User Security
Overview
This section teaches students how to secure the infrastructure powering their cloud-based applications and how to protect the users of those applications. It begins with App Services, platforms that simplify the process of running and scaling cloud applications. This leads into a computing paradigm taking the industry by storm: serverless Functions as a Service (FaaS). It balances the discussion of the challenges serverless introduces with the advantages it provides in securing product development and security operations. After introspecting the serverless runtime environments using Serverless Prey (an open-source tool written by the course authors), students will examine and harden practical serverless functions in a real environment. They will also learn how FaaS security impacts App Service security.
Exercises
- App Service Security
- Serverless Prey
- Hardening Serverless Functions
- Login with the Microsoft Identity Platform
- Broken Firebase Database Access Control
- Bonus Challenges (Section 4)
Topics
App Services
- Overview of AWS Elastic Beanstalk
- Azure App Service
- Google App Engine
Cloud Serverless Functions
- Security Advantages and Concerns
- Function as a Service Defense
- Persistence with Serverless
Cloud Customer Identity and Access Management (CIAM)
- Overview of OAuth 2.0, OpenID Connect (OIDC), and SAML
- Amazon Cognito User Pools
- Microsoft Identity Platform
- Overview of Azure AD Business-to-Consumer (B2C) and Microsoft Entra External ID for Customers
- Google Cloud Identity for Customers and Partners (CICP)
- Firebase Authentication
Firebase Databases and Google Cloud Implications
- Realtime Database
- Cloud Firestore
- Google Cloud Privilege Escalation via Firebase
- Compliance Concerns
Module 5: Multicloud and Cloud Security Posture Management
Overview
The course concludes with practical guidance on how to operate an organization across multiple cloud providers. Many of the topics discussed in the previous sections become more complicated if an organization's cloud providers are integrated with one another. We begin by discussing how multicloud integration impacts Identity and Access Management (IAM). Many organizations use long-lived credentials to support multicloud integrations. These credentials are much more valuable to attackers than those that are short-lived. Although students will learn best practices for long-lived credentials, this will only mitigate the risk, not eliminate it. This module goes one step further by demonstrating novel ways to use Workload Identity Federation to authenticate from one cloud provider to another with short-lived cloud credentials.
Exercises
- Secure Multicloud Integration
- Automated Benchmarking
- Microsoft Defender and Multicloud
- Bonus Challenge Finale
- Lab Teardown
- Bonus Challenges (Section 5)
Topics
Multicloud Access Management
- Risks from Long-Lived Credentials
- Workload Identity Federation
- Cross-Cloud Authentication Without Long-Lived Credentials
Cloud Security Posture Management
- AWS Security Hub
- Azure Security Center
- Google Cloud Security Command Center
- Open-Source Solutions
Multicloud Security Posture Management
- Third-Party Multicloud Security Posture Management
- Microsoft Defender for Cloud CSPM
Who Should Attend?
Security analysts, security engineers, security researchers, cloud engineers, DevOps engineers, security auditors, system administrators, operations personnel, and anyone who is responsible for:
- Evaluating and adopting new cloud offerings
- Researching new vulnerabilities and developments in cloud security
- Handling Identity and Access Management
- Managing a cloud-based virtual network
- Secure configuration management
International Student Fee: 850 US$
Flexible Class Options
- Weekend Classes for Professionals (SAT | SUN)
- Corporate Group Trainings Available
- Online Classes – Live Virtual Class (L.V.C), Online Training