
Public Cloud Security: AWS, Azure, and GCP


by fatima
Price: 260,000 PKR
Duration: 2 Months


Organizations are becoming multicloud by choice or by chance. Each cloud provider is responsible for the security of the cloud, but its customers are responsible for what they do in the cloud. This means that security professionals must support hundreds of different services across multiple clouds. Many of these services are insecure by default, and few of them are consistent across the different clouds. Security teams need a deep understanding of each cloud's services to lock them down. As the multicloud landscape rapidly evolves, security is constantly playing catch-up to avert disaster.


Course Key Learnings:

  • Make informed decisions in the Big 3 clouds by understanding the inner workings of each of their Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) offerings
  • Implement secure Identity and Access Management (IAM) with multiple layers of defense-in-depth
  • Build and secure multicloud networks with segmentation and access control
  • Encrypt data at rest and in-transit throughout each cloud
  • Control the confidentiality, integrity, and availability of data in each cloud storage service
  • Support non-traditional computing platforms like Application Services and serverless Functions as a Service (FaaS)
  • Integrate each cloud provider with one another without the use of long-lived credentials
  • Automate security and compliance checks using cloud-native platforms
  • Guide engineering teams in enforcing these security controls using Terraform and Infrastructure-as-Code (IaC)

Course Content:

Module 1: Cloud Identity and Access Management

Overview

SEC510 starts with a brief overview of the public cloud adoption trends. We will examine the factors driving the rise in popularity of Azure and GCP, which historically have lagged far behind AWS. Students will then initialize their lab environment and deploy a modern web application to each of the Big 3 providers.

This leads into an analysis of one of the most fundamental and misunderstood concepts in cloud security: Identity and Access Management (IAM). Students will compromise real IAM credentials from cloud virtual machines using the Instance Metadata Service (IMDS) to examine firsthand how an attacker can use them to access sensitive cloud data.

The remainder of this section will focus on how to harden the IMDS and leverage well-written IAM policies to minimize the harm caused by such attacks. These strategies are critical to prevent a minor vulnerability from becoming front-page news.
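The attack and the hardening described above can be modelled offline. The following is an added example, not part of the course or its lab code: a small Python model of the EC2 Instance Metadata Service in IMDSv1 and IMDSv2 modes, an attacker limited to the plain GET requests a typical SSRF gives them, and a client that behaves like a current AWS SDK. The modelled behaviour follows AWS's documented rules (IMDSv2 requires a session token obtained with a PUT carrying a TTL header, refuses token PUTs that arrive with an X-Forwarded-For header, and rejects credential reads without a valid token); the role name and credential values are constructed placeholders.

```python
"""Model of IMDSv1 vs IMDSv2 and why 'HttpTokens=required' blunts SSRF credential theft.
Added example; role name and credentials are constructed placeholders."""
import json
import secrets
import time
from dataclasses import dataclass, field

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"   # header names compared case-insensitively
TOKEN_HEADER = "x-aws-ec2-metadata-token"
MAX_TTL = 21600                                         # IMDSv2 caps a session token at six hours
ROLE_NAME = "app-role"                                  # constructed
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example", "Token": "example"}


@dataclass
class Response:
    status: int
    body: str = ""


@dataclass
class MockIMDS:
    require_v2: bool                  # True models HttpTokens=required (IMDSv1 disabled)
    _tokens: dict = field(default_factory=dict)

    def handle(self, method, path, headers=None):
        h = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == TOKEN_PATH:
            if "x-forwarded-for" in h:      # request came through a proxy: refused
                return Response(403)
            if TTL_HEADER not in h:         # the TTL header is mandatory
                return Response(400)
            tok = secrets.token_urlsafe(32)
            self._tokens[tok] = time.time() + min(int(h[TTL_HEADER]), MAX_TTL)
            return Response(200, tok)
        if method == "GET" and path.startswith(CREDS_PATH):
            tok = h.get(TOKEN_HEADER)
            if self.require_v2 and self._tokens.get(tok, 0) <= time.time():
                return Response(401)        # missing or expired token while v1 is disabled
            if path == CREDS_PATH:
                return Response(200, ROLE_NAME)
            if path == CREDS_PATH + ROLE_NAME:
                return Response(200, json.dumps(FAKE_CREDS))
        return Response(404)


def ssrf_steal_credentials(imds):
    """What an attacker gets through a typical SSRF: plain GETs, no custom
    method or headers. Returns the credentials dict or None."""
    roles = imds.handle("GET", CREDS_PATH)
    if roles.status != 200:
        return None
    creds = imds.handle("GET", CREDS_PATH + roles.body.split()[0])
    return json.loads(creds.body) if creds.status == 200 else None


def sdk_fetch_credentials(imds, ttl=300):
    """What a current AWS SDK does: PUT for a session token, then GET with it."""
    tok = imds.handle("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl)})
    if tok.status != 200:
        return None
    hdr = {TOKEN_HEADER: tok.body}
    role = imds.handle("GET", CREDS_PATH, hdr).body
    return json.loads(imds.handle("GET", CREDS_PATH + role, hdr).body)


if __name__ == "__main__":
    print("IMDSv1 via SSRF:", ssrf_steal_credentials(MockIMDS(require_v2=False)))
    print("IMDSv2 via SSRF:", ssrf_steal_credentials(MockIMDS(require_v2=True)))
    print("IMDSv2 via SDK: ", sdk_fetch_credentials(MockIMDS(require_v2=True)))
```

On a real instance the same effect comes from `aws ec2 modify-instance-metadata-options --http-tokens required --http-put-response-hop-limit 1` (or `metadata_options { http_tokens = "required" }` in Terraform); the hop limit of 1 keeps the token response from crossing a container or NAT hop. Azure's IMDS and GCP's metadata server already require a custom header (`Metadata: true` and `Metadata-Flavor: Google` respectively), which blocks the same header-less SSRF but not an SSRF that lets the attacker set headers, so the IAM-policy hardening that follows still matters on every provider.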

Exercises

  • VM Credential Exposure
  • Hardening AWS IAM Policies
  • Hardening Azure and GCP Policies
  • Advanced IAM Features
  • Bonus Challenges (Section 1)

Topics

The Multicloud Movement

  • Cloud Market Trends
  • Multicloud Considerations
  • Cloud Procurement through Mergers and Acquisitions
  • Shadow Cloud Accounts

Multicloud Security Assessment

  • Cyber Defense Matrix
  • Center for Internet Security (CIS) Cloud Foundations Benchmarks
  • MITRE ATT&CK Cloud Matrix
  • Lab Environment Introduction
  • HashiCorp Terraform Overview

Identity and Access Management

  • Identities
  • Policies
  • Organization-Wide Controls
  • AWS IAM
  • Azure Active Directory (Azure AD) and Microsoft Entra ID
  • Google Cloud IAM

Cloud Metadata and Credential Services

  • The Cloud Instance Metadata Service (IMDS) for each cloud provider
  • IMDS Compromise Case Study
  • IMDS Hardening

Related Application Vulnerabilities

  • Command Injection
  • Server-Side Request Forgery


Module 2: Cloud Virtual Networks

Overview

Section 2 covers how to lock down infrastructure within a virtual private network. As the public cloud IP address blocks are well known and default network security is often lax, millions of sensitive assets are unnecessarily accessible to the public Internet. This section will ensure that none of these assets belong to your organization.

It begins by demonstrating how ingress and egress traffic can be restricted within each provider. Students will analyze the damage that can be done without these controls by accessing a public-facing database and creating a reverse shell session in each environment. We will then eliminate both attack vectors with secure cloud configuration.
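The two attack vectors above are both visible in a security group's rule set: a database port reachable from 0.0.0.0/0 on ingress, and the AWS default of unrestricted egress, which is what lets a compromised host open a reverse shell to anywhere. The following is an added example (not course or lab code) that audits security groups in the JSON shape returned by `aws ec2 describe-security-groups` for exactly those two conditions; the port list and the two sample groups are constructed.

```python
"""Audit AWS security groups for public ingress on sensitive ports and unrestricted egress.
Added example; SENSITIVE_PORTS and SAMPLE_GROUPS are constructed."""
import ipaddress

# Services that should essentially never be reachable from the whole Internet (constructed list).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
                   5432: "postgres", 6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}


def _is_anywhere(cidr):
    """0.0.0.0/0 and ::/0 are the only networks with a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _anywhere_cidrs(perm):
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if _is_anywhere(r["CidrIp"])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if _is_anywhere(r["CidrIpv6"])]
    return v4 + v6


def _ports(perm):
    """Set of ports a permission covers; None means every port and protocol ("-1")."""
    if perm.get("IpProtocol") == "-1":
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo == -1:        # ICMP-style rules carry no ports
        return set()
    return set(range(lo, hi + 1))


def audit_security_group(sg):
    """Return (finding, group id, detail, cidrs) tuples for one security group."""
    findings, gid = [], sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        cidrs = _anywhere_cidrs(perm)
        if not cidrs:
            continue
        ports = _ports(perm)
        if ports is None:
            findings.append(("INGRESS_ALL_TRAFFIC_PUBLIC", gid, "all", cidrs))
            continue
        for port in sorted(ports & set(SENSITIVE_PORTS)):
            findings.append(("INGRESS_SENSITIVE_PORT_PUBLIC", gid,
                             f"{port}/{SENSITIVE_PORTS[port]}", cidrs))
    for perm in sg.get("IpPermissionsEgress", []):
        cidrs = _anywhere_cidrs(perm)
        if cidrs and _ports(perm) is None:          # the AWS default egress rule looks like this
            findings.append(("EGRESS_UNRESTRICTED", gid, "all", cidrs))
    return findings


def audit_all(groups):
    return [f for sg in groups for f in audit_security_group(sg)]


# Constructed sample: "sg-db-bad" is a fresh group with the default egress rule plus a
# convenience ingress rule; "sg-db-good" only admits the app subnet and only egresses to 443.
SAMPLE_GROUPS = [
    {"GroupId": "sg-db-bad",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-db-good",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_GROUPS):
        print(*finding)
```

Feed it the `SecurityGroups` array from the CLI output to run it against a real account. Azure NSGs and GCP VPC firewall rules carry the same information under different field names (source/destination address prefixes and port ranges), so the same two checks translate directly; GCP's default network additionally ships with allow-all-internal and public SSH/RDP rules that this kind of check would flag.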

Exercises

  • Network Lockdown
  • Analyzing Network Traffic
  • Private Endpoint Security
  • Cloud VPN and Managed SSH
  • Bonus Challenges (Section 2)

Topics

Cloud Virtual Networks

  • Network Service Scanning
  • Default Network Configuration
  • Network Security Groups

Network Traffic Analysis

  • Flow Logging
  • AWS Traffic Mirroring
  • Google Cloud Packet Mirroring
  • Google Cloud Firewall Rules Logging

Private Endpoints

  • AWS PrivateLink
  • Azure Private Link
  • Google Cloud Private Google Access
  • Google Cloud VPC Service Controls
  • Custom Service Endpoints

Advanced Remote Access

  • Managed SSH
  • Hybrid VPN Gateways
  • AWS Session Manager
  • Azure Bastion
  • Google Cloud OS Login
  • Google Cloud Identity-Aware Proxy (IAP)

  • Command and Control Servers
  • Software Supply-Chain Attacks


Module 3: Data Security

Overview

Data security is as important, if not more important, in the cloud than it is on-premises. There are countless cloud data leaks that could have been prevented with the appropriate controls. This section examines the cloud services that enable data encryption, secure storage, access control, data loss detection, policy enforcement, and more.

The first half of Section 3 covers all you need to know about encryption in the cloud. Students will learn about each provider’s cryptographic key management solution and how it can be used to apply multiple layers of encryption at rest. Students will also learn how in-transit encryption is performed throughout the cloud, such as the encryption between clients, load balancers, applications, and database servers. These techniques will improve your organization’s security while satisfying its legal and compliance needs.

The second half of Section 3 is primarily focused on cloud storage services. After briefly discussing the most basic storage security technique, turning off public access, it will cover more advanced controls like organization-wide access control, file versioning, data retention, secure transit, and more. It concludes with a discussion of additional data exfiltration paths and how to automatically detect sensitive data storage.
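Three of the storage controls named above (turning off public access, organization-wide access control through the public access block, and secure transit) can be checked from the bucket's own configuration. The following is an added example, not course or lab code: an offline audit of an S3 bucket that takes the JSON returned by `aws s3api get-public-access-block` and `get-bucket-policy`, flags policy statements that grant access to everyone, and checks for the Deny on `aws:SecureTransport = false` that forces TLS. The bucket name, account ID, role and the two sample policies are constructed.

```python
"""Audit one S3 bucket's public access block, public policy statements and TLS-only deny.
Added example; bucket name, account ID and sample policies are constructed."""
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def statement_grants_public(stmt):
    """Allow to everyone with no Condition. Conditions such as aws:SourceVpc or
    aws:PrincipalOrgID can make such a statement non-public, so those are reported
    separately for review rather than called public outright."""
    return (stmt.get("Effect") == "Allow" and _principal_is_everyone(stmt.get("Principal"))
            and not stmt.get("Condition"))


def statement_denies_plaintext(stmt, bucket):
    """A Deny on every principal for s3:* when aws:SecureTransport is false,
    covering both the bucket ARN and its objects."""
    if stmt.get("Effect") != "Deny" or not _principal_is_everyone(stmt.get("Principal")):
        return False
    cond = stmt.get("Condition", {}).get("Bool", {})
    if str(cond.get("aws:SecureTransport", "")).lower() != "false":
        return False
    resources = set(_as_list(stmt.get("Resource")))
    need = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    return "s3:*" in _as_list(stmt.get("Action")) and need <= resources


def audit_bucket(bucket, policy_json, public_access_block):
    """Return (finding, bucket, detail) tuples; an empty list means all three controls hold."""
    findings = []
    missing = [f for f in PAB_FLAGS if not (public_access_block or {}).get(f)]
    if missing:
        findings.append(("PUBLIC_ACCESS_BLOCK_INCOMPLETE", bucket, ",".join(missing)))
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        if statement_grants_public(stmt):
            findings.append(("POLICY_GRANTS_PUBLIC", bucket, sid))
        elif stmt.get("Effect") == "Allow" and _principal_is_everyone(stmt.get("Principal")):
            findings.append(("POLICY_CONDITIONAL_PUBLIC_REVIEW", bucket, sid))
    if not any(statement_denies_plaintext(s, bucket) for s in statements):
        findings.append(("NO_TLS_ONLY_DENY", bucket, "add a Deny for aws:SecureTransport=false"))
    return findings


# Constructed samples: one bucket left the way a "make it public for a minute" change
# leaves it, and the same bucket locked down.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-bucket/*"}]})

LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-bucket/*"},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

FULL_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    for f in (audit_bucket("reports-bucket", OPEN_POLICY, None)
              + audit_bucket("reports-bucket", LOCKED_POLICY, FULL_PAB)):
        print(*f)
```

With all four public access block flags set at the account level, the `PublicRead` statement above could not be attached in the first place, which is why the organization-wide control is the one to enforce first. Azure's equivalent is `allowBlobPublicAccess = false` plus `supportsHttpsTrafficOnly` on the storage account; GCP's is the `storage.publicAccessPrevention` org policy on the project or folder.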

Exercises

  • Audit Decryption Events
  • Encrypt All The Things!
  • Storage Service Lockdown
  • Sensitive Data Detection and Exfiltration
  • Bonus Challenges (Section 3)

Topics

Cryptographic Key Management

  • AWS KMS
  • Azure Key Vault
  • Google Cloud KMS
  • Overview of Single-Tenant Alternatives: AWS CloudHSM, Azure Dedicated HSM, and Azure Key Vault Managed HSM
  • Key Usage Audit Logging

Encryption with Cloud Services

  • Disk-Level Encryption
  • Service-Level Encryption
  • Column-Level Encryption
  • In-Transit Encryption

Cloud Storage Platforms

  • Access Control
  • Audit Logs
  • Data Retention

Sensitive Data Detection and Exfiltration

  • Data Exfiltration Paths
  • Signed URLs
  • Amazon Macie
  • Amazon CloudWatch Logs Data Protection
  • Overview of Microsoft Purview and Azure Information Protection
  • Google Cloud Data Loss Prevention

Module 4: Cloud Application Services and User Security

Overview

This section teaches students how to secure the infrastructure powering their cloud-based applications and how to protect the users of those applications. It begins with App Services, platforms that simplify the process of running and scaling cloud applications. This leads into a computing paradigm taking the industry by storm: serverless Functions as a Service (FaaS). It balances the discussion of the challenges serverless introduces with the advantages it provides for securing product development and security operations. After inspecting the serverless runtime environments using Serverless Prey (an open-source tool written by the course authors), students will examine and harden practical serverless functions in a real environment. They will also learn how FaaS security affects App Service security.

Exercises

  • App Service Security
  • Serverless Prey
  • Hardening Serverless Functions
  • Login with the Microsoft Identity Platform
  • Broken Firebase Database Access Control
  • Bonus Challenges (Section 4)

Topics

App Services

  • Overview of AWS Elastic Beanstalk
  • Azure App Service
  • Google App Engine

Cloud Serverless Functions

  • Security Advantages and Concerns
  • Function as a Service Defense
  • Persistence with Serverless

Cloud Customer Identity and Access Management (CIAM)

  • Overview of OAuth 2.0, OpenID Connect (OIDC), and SAML
  • Amazon Cognito User Pools
  • Microsoft Identity Platform
  • Overview of Azure AD Business-to-Consumer (B2C) and Microsoft Entra External ID for Customers
  • Google Cloud Identity for Customers and Partners (CICP)
  • Firebase Authentication

Firebase Databases and Google Cloud Implications

  • Realtime Database
  • Cloud Firestore
  • Google Cloud Privilege Escalation via Firebase
  • Compliance Concerns

Module 5: Multicloud and Cloud Security Posture Management

Overview

The course concludes with practical guidance on how to operate an organization across multiple cloud providers. Many of the topics discussed in the previous sections become more complicated when an organization's cloud providers are integrated with one another. We begin by discussing how multicloud integration affects Identity and Access Management (IAM). Many organizations use long-lived credentials to support multicloud integrations, and these credentials are much more valuable to attackers than short-lived ones. Although students will learn best practices for long-lived credentials, these only mitigate the risk; they do not eliminate it. This module goes one step further by demonstrating novel ways to use Workload Identity Federation to authenticate from one cloud provider to another with short-lived cloud credentials.
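Workload Identity Federation removes the long-lived key, but the trust it replaces it with is only as tight as the conditions on the receiving side. The following is an added example, not course or lab code: a Python model of how AWS evaluates a role trust policy for `sts:AssumeRoleWithWebIdentity` against the claims of a foreign cloud's OIDC token, used to show that a trust that pins only the audience lets every workload in the foreign tenant assume the role, while one that also pins the subject admits a single identity. The issuer host, provider ARN, account ID and claim values are constructed; the condition-key convention (`<issuer-host>:aud`, `<issuer-host>:sub`) and the `StringEquals`/`StringLike` semantics follow AWS's documented IAM behaviour.

```python
"""Model AWS trust-policy evaluation for OIDC federation and lint for unpinned subjects.
Added example; issuer, provider ARN, account ID and tokens are constructed."""
import json
import re

ISSUER = "oidc.example-cloud.test"                     # constructed foreign-cloud OIDC issuer
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"
ACTION = "sts:AssumeRoleWithWebIdentity"


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def _string_like(pattern, value):
    """IAM StringLike: '*' matches any run, '?' one character, case-sensitive."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def _federated(stmt):
    principal = stmt.get("Principal")
    return _as_list(principal.get("Federated")) if isinstance(principal, dict) else []


def _condition_holds(condition, claims):
    """Evaluate StringEquals/StringLike blocks whose keys are <issuer-host>:<claim>.
    A key the token does not carry, or an operator not modelled here, fails closed."""
    ops = {"StringEquals": lambda p, v: p == v, "StringLike": _string_like}
    for op, block in (condition or {}).items():
        if op not in ops:
            return False
        for key, allowed in block.items():
            host, _, claim = key.partition(":")
            if host != claims["iss_host"] or claim not in claims:
                return False
            if not any(ops[op](p, str(claims[claim])) for p in _as_list(allowed)):
                return False
    return True


def can_assume_role(trust_policy, token_claims):
    """True if an Allow statement for the token's provider admits these claims and
    no matching Deny does. The token is assumed already signature-verified."""
    claims = dict(token_claims)
    claims["iss_host"] = re.sub(r"^https?://", "", claims["iss"]).split("/")[0]
    matching = [s for s in json.loads(trust_policy)["Statement"]
                if ACTION in _as_list(s.get("Action"))
                and PROVIDER_ARN in _federated(s)
                and PROVIDER_ARN.endswith("/" + claims["iss_host"])
                and _condition_holds(s.get("Condition"), claims)]
    if any(s.get("Effect") == "Deny" for s in matching):
        return False
    return any(s.get("Effect") == "Allow" for s in matching)


def lint_trust_policy(trust_policy):
    """Flag federated Allow statements that do not pin both aud and sub."""
    findings = []
    for s in json.loads(trust_policy)["Statement"]:
        if s.get("Effect") != "Allow" or not _federated(s):
            continue
        keys = {k for block in (s.get("Condition") or {}).values() for k in block}
        for claim in ("aud", "sub"):
            if f"{ISSUER}:{claim}" not in keys:
                findings.append((s.get("Sid", "<no Sid>"), f"missing {claim} condition"))
    return findings


def _policy(sid, condition):
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
        "Action": ACTION, "Condition": condition}]})


# Audience only: any workload in the foreign tenant that can mint a token for this
# audience can assume the role.
AUD_ONLY_POLICY = _policy("AudOnly", {"StringEquals": {f"{ISSUER}:aud": "aws-integration"}})
# Audience plus the one workload identity that is meant to integrate.
PINNED_POLICY = _policy("Pinned", {"StringEquals": {f"{ISSUER}:aud": "aws-integration",
                                                    f"{ISSUER}:sub": "workload:billing-exporter"}})

# Constructed claims as they would appear in a verified OIDC ID token.
INTENDED_TOKEN = {"iss": f"https://{ISSUER}", "aud": "aws-integration", "sub": "workload:billing-exporter"}
ROGUE_TOKEN = {"iss": f"https://{ISSUER}", "aud": "aws-integration", "sub": "workload:dev-sandbox"}

if __name__ == "__main__":
    for name, pol in (("aud-only", AUD_ONLY_POLICY), ("pinned", PINNED_POLICY)):
        print(name, "intended:", can_assume_role(pol, INTENDED_TOKEN),
              "rogue:", can_assume_role(pol, ROGUE_TOKEN), "lint:", lint_trust_policy(pol))
```

The same pinning requirement exists in the other direction: a GCP Workload Identity Federation provider should carry an attribute condition that restricts which foreign identities map into the pool, and an Entra ID federated identity credential is defined by issuer, subject and audience together, so a missing subject is impossible there by construction.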

Exercises

  • Secure Multicloud Integration
  • Automated Benchmarking
  • Microsoft Defender and Multicloud
  • Bonus Challenge Finale
  • Lab Teardown
  • Bonus Challenges (Section 5)

Topics

Multicloud Access Management

  • Risks from Long-Lived Credentials
  • Workload Identity Federation
  • Cross-Cloud Authentication Without Long-Lived Credentials

Cloud Security Posture Management

  • AWS Security Hub
  • Azure Security Center
  • Google Cloud Security Command Center
  • Open-Source Solutions

Multicloud Security Posture Management

  • Third-Party Multicloud Security Posture Management
  • Microsoft Defender for Cloud CSPM

Summary

Additional Resources


Who Should Attend?

Security analysts, security engineers, security researchers, cloud engineers, DevOps engineers, security auditors, system administrators, operations personnel, and anyone who is responsible for:

  • Evaluating and adopting new cloud offerings
  • Researching new vulnerabilities and developments in cloud security
  • Handling Identity and Access Management
  • Managing a cloud-based virtual network
  • Secure configuration management

International Student Fee: 850 US$


Job Interview Preparation  (Soft Skills Questions & Answers)



Internships, Freelance and Full-Time Work opportunities


Flexible Class Options

  • Weekend Classes for Professionals: SAT | SUN
  • Corporate Group Trainings Available
  • Online Classes: Live Virtual Class (LVC), Online Training

Related Courses

Introduction to Cloud Computing and Security

Cloud Security Essentials

Application Security: Securing Web Apps, APIs, and Microservices

Cloud Security and DevSecOps Automation

KEY FEATURES

Flexible Classes Schedule

Online Classes for out of city / country students

Unlimited Learning - FREE Workshops

FREE Practice Exam

Internships Available

Free Course Recordings Videos



ABOUT US

OMNI ACADEMY & CONSULTING is one of the most prestigious Training & Consulting firms. Founded in 2010 under MHSG Consulting Group, it aims to help customers transform their people and business and engage more closely with their own customers through digital transformation, and to help people gain valuable skills and get jobs.


Contact Us

Get yourself enrolled for unlimited learning: 1000+ courses, corporate group training, instructor-led classroom and online learning options. Join now!
  • Head Office: A-2/3 Westland Trade Centre, Shahra-e-Faisal PECHS Karachi 75350 Pakistan Call 0213-455-6664 WhatsApp 0334-318-2845, 0336-7222-191, +92 312 2169325
  • Gulshan Branch: A-242, Sardar Ali Sabri Rd. Block-2, Gulshan-e-Iqbal, Karachi-75300, Call/WhatsApp 0213-498-6664, 0331-3929-217, 0334-1757-521, 0312-2169325
  • ONLINE INQUIRY: Call/WhatsApp +92 312 2169325, 0334-318-2845, Lahore 0333-3808376, Islamabad 0331-3929217, Saudi Arabia 050 2283468
  • DHA Branch: 14-C, Saher Commercial Area, Phase VII, Defence Housing Authority, Karachi-75500 Pakistan. 0213-5344600, 0337-7222-191, 0333-3808-376
  • info@omni-academy.com
  • FREE Support | WhatsApp/Chat/Call : +92 312 2169325
WORKING HOURS

  • Monday: 10.00am - 7.00pm
  • Tuesday: 10.00am - 7.00pm
  • Wednesday: 10.00am - 7.00pm
  • Thursday: 10.00am - 7.00pm
  • Friday: Closed
  • Saturday: 10.00am - 7.00pm
  • Sunday: 10.00am - 7.00pm