Major Update

SEC510: Cloud Security Controls and Mitigations™

GIAC Public Cloud Security (GPCS)
GIAC Public Cloud Security (GPCS)
  • In Person (5 days)
  • Online
38 CPEs

Today's organizations depend on complex, multicloud environments which must support hundreds of different services across multiple clouds. These services are often insecure by default and require substantially different methods to protect depending on the Cloud Service Provider (CSP) that hosts them. It is vital that security teams have a deep understanding of AWS, Azure, and Google Cloud services to lock them down effectively.

Checking off compliance requirements is simply not enough to protect the confidentiality, integrity, and availability of your organization's data, nor will it prevent attackers from taking your critical systems down. With the right controls, organizations can reduce their attack surface and prevent security incidents from becoming breaches. Mistakes are inevitable but you can limit the impact.

What You Will Learn

Prevent real attacks with controls that matter

Protecting multicloud environments is challenging; Default security controls often fall short, and controls that work in one of the Big Three CSPs may not work in the others. Rather than focusing solely on compliance, organizations should prioritize attack driven controls to safeguard their most critical Cloud assets.

Whether an application is developed in-house or by a third party, accepting the inevitability of application flaws is key for implementing successful cloud security controls. While few cybersecurity professionals can fix vulnerable code, it's often easier to apply secure cloud configurations to mitigate these risks. Relying solely on CSP defaults and documentation is insufficient. SEC510 reveals numerous instances of incorrect, incomplete, or contradictory CSP controls. Additionally, if there is a zero-day vulnerability in a cloud service used by your organization, you must brace for that impact by controlling what you can.

While standards and frameworks, such as the MITRE ATT&CK Cloud Matrix, the Center for Internet Security (CIS) Cloud Provider Benchmarks, and the Cyber Defense Matrix, are helpful tools of the trade, they still have limits. That's why SEC510 goes beyond them to teach the techniques necessary to protect what matters to your organization. Mitigate the risk of common cloud mistakes with cloud security controls that matter and reduce your attack surface by eliminating misconfigurations.

"The course provided so much information and details about common security misconfigurations and mistakes in the cloud that one would not believe fit into the week. Very comprehensive, but the scary thing is that it feels like it is barely scratching the surface! Awesome job by the course authors." - Petr Sidopulos

What are Cloud Security Controls?

Cloud security controls are options provided by cloud service providers to limit exposure of cloud assets. Each CSP provides default controls that are often insecure, failing to consider the business case and needs of each customer. For secure cloud configuration that truly prevents real risk, the cloud security controls must be implemented based on business strategy, goals, and requirements by a professional who understands the nuances of various CSPs.

Business Benefits

  • Reduce the attack surface of your organization's cloud environments
  • Prevent incidents from becoming breaches through defense in-depth
  • Control the confidentiality, integrity, and availability of data in the Big 3 CSPs
  • Increase use of secure automation to keep up with the speed of today's business environment
  • Resolve unintentional access to sensitive cloud assets
  • Reduce the risk of ransomware impacting your organization's cloud data

Skills Learned

  • Make informed decisions in the Big 3 cloud service providers by understanding the inner workings of each of their Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) offerings
  • Implement secure Identity and Access Management (IAM) with multiple layers of defense-in-depth
  • Build and secure multi cloud networks with segmentation and access control
  • Encrypt data at rest and in-transit throughout each cloud
  • Control the confidentiality, integrity, and availability of data in each cloud storage service
  • Support non-traditional computing platforms like serverless Functions as a Service (FaaS)
  • Integrate each cloud provider with one another without the use of long-lived credentials
  • Automate security and compliance checks using cloud-native platforms
  • Quickly adopt third-party cloud vendors while minimizing the risk introduced by granting them access to cloud resources
  • Guide engineering teams in enforcing security controls using Terraform and Infrastructure-as-Code (IaC)

Hands-On Cloud Security Controls and Mitigations Training

SEC510: Cloud Security Controls and Mitigations reinforces all the concepts discussed in the lectures through hands-on labs in real cloud environments. Each lab includes a step-by-step guide as well as a "no hints" option for students who want to test their skills without assistance. This allows students to choose the level of difficulty that is best for them and fall back to the step-by-step guide as needed. Students can continue to use the lab instructions, application code, and IaC after the course concludes. With this, they can repeat every lab exercise in their own cloud environments as many times as they like.

SEC510 also offers students an opportunity to participate in Bonus Challenges each day in a gamified environment, while also providing more hands-on experience with the Big 3 CSPs and relevant utilities. Can you win the SEC510 Challenge Coin?

  • Section 1: IAM Fundamentals, Virtual Machine Credential Exposure, Broken Access Control and Policy Analysis, IAM Privilege Escalation, Bonus Challenges Section 1
  • Section 2: Control Ingress Traffic, Protecting Public Virtual Machines, Control Egress Traffic with Private Endpoints, Remote Code Execution via Private Endpoint Abuse, Bonus Challenges Section 2
  • Section 3: Detect and Prevent Improper Key Usage, "Encrypt all the Things!", Recover From Ransomeware, Sensitive Data Detection and Exfiltration, Bonus Challenges Section 3
  • Section 4: Serverless Prey, Hardening Serverless Functions, Using and Exploiting CIAM, Broken Firebase Database Access Control, Bonus Challenges Section 4
  • Section 5: Secure Multicloud Integration, Automated Benchmarking, Prevent Cross-Cloud Confused Deputy, Bonus Challenges Section 5

"Last month I took a course by one of the three big providers and almost everyday was a sales pitch for the first couple hours in it. That course also was geared towards clicking around in the console versus utilizing command line and terraform which was really cool." - Philip B, US Military

"This course is a MUST for anyone in this industry. I realized things in the cloud were (potentially) disastrous, but this has opened my eyes to how bad it really is. I already filed like 5 helpdesk tickets for my staff to get things fixed - Anita Simoni, County of Monterey ITD

"The exercises exceeded my expectations. They are practical implementations of the information learned in each section, build on each other, and provide a seamless way to validate your knowledge and learn the intricacies of the issues." - David Wayland

Syllabus Summary

  • Section 1 - Securely Use Cloud IAM and Defending IAM Credentials
  • Section 2 - Restrict Infrastructure and Data Access to Private Cloud Networks, Protect Public Virtual Machines, Use Secure Remote Access Capabilities, Prevent Remote Code Execution, and Enable Traffic Monitoring Capabilities
  • Section 3 - Manage Cryptographic Keys, Apply Encryption at Rest and In-Transit Across Cloud Services, Prevent Ransomware in Cloud Storage Services, Prevent Data Exfiltration, and Detect Sensitive Data in the Clouds
  • Section 4 - Secure Applications Running on Serverless FaaS, Protect Cloud Customer Identity and Access Management (CIAM) Platforms, Manage Application Consumer Identities, and Mitigate Security Issues in Firebase (a Suite of Services Acquired by and Integrated with Google Cloud)
  • Section 5 - Securely Authenticate Clouds to One Another, Automate Misconfiguration Benchmarking, and Mitigate Risks from Integrating with Cloud Vendors, including Cloud Security Posture Management (CSPM) Platforms.

Additional Free Resources

What You Will Receive

  • Printed and Electronic courseware
  • MP3 audio files of the course
  • Access to the SANS Cloud Security Flight Simulator
  • Thousands of lines of IaC and secure configurations for each cloud platform that you can use in your organization

What Comes Next?

SANS offers several courses that are excellent compliments to SEC510 depending on your job role:

Security Engineer

Security Analyst

Learn more about our job role-based training journeys here.

Syllabus (38 CPEs)

Download PDF
  • Overview

    SEC510 starts with a brief overview cloud breach trends, exploring why the vast majority of breaches are now happening in the cloud. We will explore how multicloud makes security harder, why organizations are going multicloud, and how both standardization and cloud agnosticism cannot solve the problem alone. We introduce three of the frameworks we will use throughout the course to implement attack-driven controls and mitigations: the MITRE ATT&CK Cloud Matrix, the Center for Internet Security (CIS) Cloud Foundational Benchmarks, and the Cyber Defense Matrix. Students will then initialize their lab environment and deploy a modern web application to each of the Big 3 providers.

    This leads into an analysis of one of the most fundamental and misunderstood concepts in cloud security: Identity and Access Management (IAM). This module will ensure that all students have a foundation of IAM knowledge on which the rest of the section is built. It covers the goals fulfilled by properly provisioning access, each cloud's IAM service (AWS IAM, Microsoft Entra ID, and Google Cloud Identity), and the various types of access control provided by each.

    The next module shifts the discussion from human identities to machine identities. Students will learn how workloads running on AWS Elastic Compute Cloud (EC2), Azure Virtual Machines (VMs), and the Google Cloud Compute Engine (GCE) are given temporary IAM credentials. They will then compromise real IAM credentials from their cloud virtual machines using the Instance Metadata Service (IMDS) to examine firsthand how an attacker can abuse them to access sensitive cloud data and consume cloud resources.

    With this foundation, students will discuss the primary vulnerability caused by granting permissions improperly: Broken Access Control (BAC). They will learn how to detect improper access and implement better permissions using a variety of tools. They will learn about the cloud-native tools designed for this purpose: the AWS IAM Access Analyzer, Microsoft Entra ID Permissions Management, and Google Cloud IAM Policy Intelligence. They will also explore how Large Language Models (LLMs) and Generative AI (GenAI) can augment this analysis. These strategies are critical to prevent a minor vulnerability from becoming front-page news.

    The section concludes by discussing a critical way that attackers can obtain improper permissions: Privilege Escalation. They will examine the many escalation paths that are available by default in each cloud provider. By implementing policy guardrails, they will drastically minimize the likelihood of privilege escalation being effective.

    Exercises
    • IAM Fundamentals
    • Virtual Machine Credential Exposure
    • Broken Access Control and Policy Analysis
    • IAM Privilege Escalation
    • Bonus Challenges (Section 1)
    Topics
    • Introduction
      • Cloud Breach Trends
      • Insecure Defaults
      • Multicloud Considerations
      • Shadow Cloud Accounts
      • Cloud Procurement Through Mergers and Acquisitions
      • Standardization and Cloud Agnosticism
      • MITRE ATT&CK Cloud Matrix
      • Center for Internet Security (CIS) Cloud Foundations Benchmarks
      • Cyber Defense Matrix
      • Lab Environment Introduction
      • HashiCorp Terraform Overview
    • Cloud Identity and Access Management (IAM)
      • AWS IAM
      • Microsoft Entra ID
      • Google Cloud Identity
      • Identity-Based Policies
      • Resource-Based Policies
      • Attribute-Based Access Control
      • Built-In vs. Custom Policies and Roles
      • AWS Organization Service Control Policy (SCP)
      • AWS Permissions Boundaries
      • AWS Session Policy
      • Azure Role-Based Access Control (RBAC)
      • Google Cloud Allow Policy
      • Google Cloud Deny Policy
    • Cloud Managed Identity and Metadata Services
      • Cloud Compute Services
      • Machine Identities
      • AWS Elastic Compute Cloud (EC2)
      • AWS IAM Roles
      • AWS Instance Profiles
      • Azure Virtual Machines (VMs)
      • Azure Managed Identity
      • Google Cloud Compute Engine (GCE)
      • Google Cloud Service Accounts
      • Instance Metadata Services (IMDS)
      • IMDS Exploits
      • Server-Side Request Forgery
      • Command Injection
      • IMDS Hardening
    • Broken Access Control and Policy Analysis
      • Exploiting Built-In Policies and Roles
      • Cloud Resource Hijacking
      • Using Custom Policies to Meet Business Requirements
      • Finding Broken Access Control
      • AWS IAM Access Analyzer
      • Microsoft Entra ID Permissions Management
      • Google Cloud IAM Policy Intelligence
      • Large Language Model (LLM) and Generative AI (GenAI) Overview
      • Using Large Language Models (LLMs) for IAM Policy Analysis
      • Effective and Ineffective Use-Case for Applying LLMs to Security
      • Broken Access Control via LLM Hallucinations
    • IAM Privilege Escalation
      • IAM Permission Editor
      • Transitive Identity Impersonation
      • Dangerous Built-In Policies and Roles
      • Default Machine Identity Permissions
      • Preventing Privilege Escalation
      • Policy Guardrails
  • Overview

    Section 2 covers how to lock down infrastructure and data using virtual private network controls. As the public cloud IP address blocks are well known and default network security is often lax, millions of sensitive assets are unnecessarily accessible to the public Internet. This section will ensure that none of these assets belong to your organization.

    It begins by demonstrating how ingress and egress traffic can be restricted within each provider. Students will analyze the damage that can be done without these controls using examples like accessing a public-facing database containing sensitive information. They will then eliminate unnecessary ingress traffic with secure cloud configuration.

    The next module dives deeper into protecting virtual machines running in the cloud Infrastructure as a Service (IaaS) platforms. It begins by showing how public IP addresses, administrative ports, and Serial Console services can be removed while allowing for secure administration via the AWS Systems Manager (SSM) Session Manager, Azure Bastion, Google Cloud OS Login, and the Google Cloud Identity-Aware Proxy (IAP). These techniques allow an organization to work effectively while keeping internal systems off the public internet. Then, it covers how VMs that must expose an HTTP(S) server can be protected with Cloud Application Load Balancers (ALBs) and built-in Web Application Firewall (WAF) services.

    With our infrastructure locked down, we pivot to preventing untrusted networks from accessing our Platform as a Service (PaaS) platforms using Private Endpoints. We will demonstrate how defenders can use these endpoints to restrict data access to internal networks. This topic is critical as an organization's most sensitive data is often stored in PaaS instead of IaaS.

    While private endpoints enable powerful protections, they can also be abused. Specifically, AWS Private Endpoints with improperly configured Endpoint Policies can be used to perform Remote Code Execution (RCE) in and data exfiltration from isolated networks without internet access. Students will use a malicious payload to exfiltrate data from a target's AWS account to an attacker's AWS account. They will then fix the Endpoint Policy to prevent this attack vector.

    The section concludes by covering how to enable cloud-based network analysis capabilities to address malicious traffic on network channels that cannot be blocked. Students will analyze cloud flow logs and search for indicators of compromise. This module covers flow logging solutions in all three cloud, Google Cloud Firewall Rules logging, AWS Traffic Mirroring, and Google Cloud Packet Mirroring. Many of these topics have associated Bonus Challenges.

    Exercises
    • Control Ingress Traffic
    • Protecting Public Virtual Machines
    • Control Egress Traffic with Private Endpoints
    • Remote Code Execution via Private Endpoint Abuse
    • Bonus Challenges (Section 2)
    Topics
    • Cloud Virtual Networks
      • Network Service Scanning
      • Default Network Configuration
      • Internet Gateways
      • NAT Gateways
      • AWS Security Groups
      • AWS NACLs
      • Azure Network Security Groups
      • Google Cloud Firewall Rules
    • Protecting Public Virtual Machines
      • Eliminate Public IP Addresses
      • Block SSH and RDP Administrative Access
      • Disable Serial Console Debug Access
      • AWS Systems Manager (SSM) Session Manager
      • Azure Bastion
      • Google Cloud OS Login
      • Google Cloud Identity-Aware Proxy (IAP)
      • Cloud Application Load Balancers (ALBs)
      • Built-In Web Application Firewall (WAF) Services
    • Private Endpoint Security
      • AWS PrivateLink
      • Azure Private Link
      • Google Cloud Private Google Access
      • Google Cloud VPC Service Controls
      • Custom Service Endpoints
      • Supply-Chain Attacks via Software Packages
      • Remote Code Execution (RCE)
    • Private Endpoint Abuse
      • AWS Private Endpoint Policy
      • Remote Code Execution Without Internet Access
      • Malicious Payload Delivery via S3 and Private Endpoints
      • Data Exfiltration via AWS CloudTrail
    • Enabling Traffic Monitoring
      • Flow Logging
      • Google Cloud Firewall Rules Logging
      • AWS Traffic Mirroring
      • Google Cloud Packet Mirroring
  • Overview

    Data security is as important, if not more important, in the cloud than it is on-premises. There are countless cloud data leaks that could have been prevented with the appropriate controls. This section examines the cloud services that enable data encryption, secure storage, ransomware protection, access control, data loss detection, policy enforcement, and more.

    The first half of Section 3 covers all you need to know about encryption in the cloud. Students will learn about each provider's cryptographic key management solution and how it can be used to apply multiple layers of encryption at rest. Students will also learn how in-transit encryption is performed throughout the cloud, such as the encryption between clients, load balancers, applications, and database servers. These techniques will improve your organization's security while satisfying its legal and compliance needs.

    The second half of Section 3 is primarily focused on cloud storage services. After briefly discussing the most basic storage security technique, turning off public access, it will cover more advanced controls like organization-wide access control, ransomware mitigations, file versioning, data retention, and more. It concludes with a discussion of additional data exfiltration paths and how to automatically detect sensitive data storage.

    Exercises
    • Detect and Prevent Improper Key Usage
    • Encrypt All The Things!
    • Recover From Ransomware
    • Sensitive Data Detection and Exfiltration
    • Bonus Challenges (Section 3)
    Topics
    • Cryptographic Key Management
      • AWS KMS
      • Azure Key Vault
      • Google Cloud KMS
      • Overview of Single-Tenant Alternatives: AWS CloudHSM, Azure Dedicated HSM, Azure Key Vault Managed HSM, and Google Cloud Bare Metal (Rack) HSM
      • Key Usage Audit Logging
    • Encryption with Cloud Services
      • Disk-Level Encryption
      • Service-Level Encryption
      • Column-Level Encryption
      • In-Transit Encryption
      • Enforcing Encryption Consistently Across Cloud Services
    • Cloud Storage Platforms
      • Access Control
      • Ransomware Prevention and Recovery
      • Audit Logs
      • Data Retention
      • Supply-Chain Attacks via Developer Tools
    • Sensitive Data Exfiltration
      • Data Exfiltration Paths
      • Signed URLs
    • Sensitive Data Detection
      • Amazon Macie
      • Amazon CloudWatch Logs Data Protection
      • Overview of Microsoft Purview and Azure Information Protection
      • Google Cloud Data Loss Prevention / Sensitive Data Protection
  • Overview

    This section teaches students how to secure the infrastructure powering their cloud-based applications and how to protect the users of those applications. It begins with a computing paradigm taking the industry by storm: serverless Functions as a-Service (FaaS). It balances the discussion of the challenges serverless introduces with the advantages it provides in securing product development and security operations. After introspecting the serverless runtime environments using Serverless Prey (an open-source tool written by the course authors), students will examine and harden practical serverless functions in a real environment.

    The next module covers how Customer Identity and Access Management (CIAM) can help track and authenticate the users of an organization's applications. It does a deep dive into AWS's CIAM solution, Amazon Cognito, and how its default configuration can be exploited to perform user enumeration and account takeover attacks. It also shows how users in Cognito User Pools can obtain dangerous AWS IAM permissions using Cognito Identity Pools. Most importantly, it will demonstrate how these attacks can be prevented.

    This section also covers Google Cloud's CIAM solution, Google Cloud Identity for Customers and Partners (CICP). Google Cloud obtained this service through their acquisition of a company named Firebase. The section concludes with a detailed breakdown of this CIAM and its interplay with Firebase's flagship products, the Realtime Database and Cloud Firestore. These highly popular but rarely reviewed services are serverless databases with many access control considerations and security implications for Google Cloud projects.

    Exercises
    • Serverless Prey
    • Harden Serverless Functions
    • Using and Exploiting CIAM
    • Broken Firebase Database Access Control
    • Bonus Challenges (Section 4)
    Topics
    • Cloud Serverless Functions
      • AWS Lambda
      • Azure Functions and the Azure App Service
      • Google Cloud Functions / Google Cloud Run Functions
      • Security Advantages and Concerns for Serverless
      • Function as a Service Controls
      • Persistence with Serverless
    • Cloud Customer Identity and Access Management (CIAM)
      • Overview of OAuth 2.0, OpenID Connect (OIDC), and SAML
      • Amazon Cognito User Pools
      • User Enumeration Attacks
      • Amazon Cognito User Account Takeover Attacks
      • Amazon Cognito Identity Pools
      • Amazon Cognito AWS IAM Broken Access Control
      • Google Cloud Identity for Customers and Partners
      • Firebase Authentication
    • Firebase Databases and Google Cloud Implications
      • Firebase Realtime Database
      • Cloud Firestore
      • Google Cloud Privilege Escalation via Firebase
      • Compliance Concerns
  • Overview

    The course concludes with practical guidance on how to operate an organization across multiple cloud providers. Many of the topics discussed in the course become more complicated if an organization's cloud providers are integrated with one another. We begin by discussing how multicloud integration impacts Identity and Access Management (IAM). Many organizations use long-lived credentials to support multicloud integrations. These credentials are much more valuable to attackers than those that are short-lived. Although students will learn best practices for long-lived credentials, this will only mitigate the risk, not eliminate it. This module goes one step further by demonstrating novel ways to use Workload Identity Federation to authenticate from one cloud provider to another with short-lived cloud credentials.

    The next module covers the cloud-native Cloud Security Posture Management (CSPM) services. Students will use these services to automate security checks for the CIS Benchmarks covered throughout the course. With these capabilities, an organization can take the lessons learned in SEC510 and apply them at scale.

    The final module ties these two topics together. Most organizations would prefer to use a single platform to secure all of their clouds. This requires a vendor to have access to the organization's cloud accounts. Organizations should distrust external services at least as much, if not more so, than their internal systems and users. This module provides the key requirements for minimizing the level of trust vested in these vendors and reducing the risk that this trust is abused. Students will explore this topic by using Multicloud CSPM services as an example. Specifically, they will learn about Microsoft Defender for Cloud's cross-cloud CSPM capabilities. They will analyze a case study of a critical vulnerability in Microsoft Defender for Cloud, discovered by the authors of this course, that could be used to access sensitive data in an organization's linked AWS accounts. Finally, they will implement mitigations to prevent similar types of exploits from being performed via third-party cloud vendors.

    Exercises
    • Secure Multicloud Integration
    • Automated Benchmarking
    • Prevent Cross-Cloud Confused Deputy
    • Bonus Challenges (Section 5)
    Topics
    • Multicloud Access Management
      • Risks of Long-Lived Credentials
      • Workload Identity Federation
      • Cross-Cloud Authentication Without Long-Lived Credentials
    • Cloud Security Posture Management
      • AWS Security Hub
      • Microsoft Defender for Cloud
      • Google Cloud Security Command Center
    • Vendor Integration and Multicloud Security Posture Management
      • Third-Party Multicloud Security Posture Management
      • Vendor Integration Assessment Criteria
      • Microsoft Defender for Cloud's Cross-Cloud CSPM Capabilities
      • The Confused Deputy Problem
      • Confused Deputy Vulnerability in Microsoft Defender for Cloud
      • Mitigating Cross-Customer Broken Access Control via Cloud Vendors
      • Denying Excessive Permissions to Cloud Vendors
    • Summary
    • Additional Resources

GIAC Public Cloud Security

The GIAC Public Cloud Security (GPCS) certification validates a practitioner's ability to secure the cloud in both public and multi cloud environments. GPCS-certified professionals are familiar with the nuances of AWS, Azure, GCP and have the skills needed to defend each of these platforms.

  • Evaluation and comparison of public cloud service providers
  • Auditing, hardening, and securing public cloud environments
  • Introduction to multi-cloud compliance and integration
More Certification Details

Prerequisites

Although SEC510 uses Terraform Infrastructure-as-Code to deploy and configure services in each cloud for the labs, students will not need in-depth knowledge of Terraform or need to understand any of the syntax used. However, students will be introduced at a high level to what this code accomplishes.

The following are courses or equivalent experiences that are prerequisites for SEC510:

  • SANS SEC488: Cloud Security Essentials or hands-on experience using the AWS and Azure Cloud.
  • Students must have basic familiarity with the high-level concepts of cloud IAM and networking.
  • Students must be comfortable working with the Bash commands.

NOTE: This is not an application security course, and it will not teach you how to fix vulnerable application code. Instead, it will teach you practical controls and mitigations that you can use to prevent AppSec incidents from becoming breaches. While knowing how to code is helpful, it is not strictly required for this course.

Laptop Requirements

The SEC510 course labs contain lab exercises for AWS, Azure, and GCP. Most labs can be completed with any one of these providers. However, we strongly recommend completing the labs for all three providers to learn how the services in each differ in small, yet critical ways. Experiencing this nuance in these interactive labs will help you better defend each platform and prepare for the GPCS certification.

SANS will provide students with the AWS accounts, Azure subscription, and Google Cloud project required to complete the labs for those providers.

OnDemand students:

  • Students can dynamically provision access to their AWS accounts, Azure subscription, and Google Cloud project by logging in to their SANS account and visiting the My Labs page.
  • When cloud account provisioning is complete, students can download time-limited credentials for accessing the cloud account.

Live events (In Person or Live Online)

  • Students are automatically provisioned access to their AWS account, Azure subscription, and Google Cloud project 24 hours before class starts.
  • Students can log in to their SANS account and visit the My Labs page to download their cloud credentials the day before class begins.

Mandatory Laptop Requirement:

Students must bring their own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Students must be in full control of their system's network configuration. The system will need to communicate with the cloud-hosted lab environment using a combination of HTTPS, SSH, and SOCKS5 traffic on non-standard ports. Running VPN, intercepting proxy, or egress firewall filters may cause connection issues communicating with the lab environment. Students must be able to configure or disable these services.

Bring Your Own Laptop Configured Using The Following Directions:

A properly configured system is required for each student participating in this course. Before starting your course, carefully read and follow these instructions exactly:

  • Operating system must be the latest version of Windows 10, macOS 10.15.x or later, or a Linux distribution that also can install and run the Firefox browser described below.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Must have the ability to install Firefox, enable a Firefox extension, and install a new trusted root certificate on the machine.
  • Prior to class, ensure that the following software is installed on the host operating system:

In Summary

Before beginning the course, you should:

SANS will be providing access to the following cloud environments: AWS, Azure, and Google Cloud. Unfortunately, due to some cloud security controls we cannot control, sometimes the login you receive requires verification with a valid phone number where you can receive text messages (virtual numbers will not work). Please ensure you have and are willing to provide your phone number to the cloud provider should this situation occur.

After you have completed those steps, access the SANS provider cloud accounts to connect to the SANS Cloud Security Flight Simulator. The SEC510 Flight Simulator server hosts an electronic workbook, terminal, and other services that can be accessed through the Firefox browser.

must access the "Setup Instructions" document in the Course Material Downloads section of your SANS portal and follow its instructions before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"The use of multiple public cloud providers introduces new challenges and opportunities for security and compliance professionals. As the service offering landscape is constantly evolving, it is far too easy to prescribe security solutions that are not effective in all clouds. While it is tempting to dismiss the multicloud movement or block it at the enterprise level, this will only make the problem harder to control.

"Why do teams adopt multiple cloud providers in the first place? To make their jobs easier or more enjoyable. Developers are creating products that meet the organization's goals, not for the central security team. If a team discovers that a service offering can help get its product to market faster, it can and should use it. Security should embrace the inevitability of the multicloud movement and take on the hard work of implementing guardrails so the organization can move quickly and safely.

"The multicloud storm is here, whether you like it or not. Prevent the rain from drowning your organization."

- Brandon Evans and Eric Johnson

"Simply outstanding! All the way around. Very well done." - Ryan Stillions, IBM X-Force IR

Reviews

The course content exceeded my expectations regarding the breadth and depth of information and specifics to each cloud. Excellent content.
David Wayland
Brandon gave me the best experience I’ve ever had with labs. I usually fall behind on labs because I try to understand everything I’m doing. I was able to do that but also just copy and paste if I had to catch up.
Aaron Landrum
Oxy
I maintain that this is the single best SANS class available (and I just got my 8th cert). If you can only take one course - this is the one.
Joshua Wiley
TikTok
If you Cloud, you need this course - <period>.
Sean Ayres
UPS
One of the best SANS courses I have taken. I am going to recommend this training to other company InfoSec Professionals in our company.
Randy Freston
BoA

    Register for SEC510

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

    Loading...