Designing Access to Shared Datasets in the Cloud
This workshop is structured around teaching students how to construct access to shared datasets in S3 and more broadly, cementing in their minds the threats to consider when using cloud-native storage. Students will dive headlong into a case study where they will serve as the Cloud Security Architect Consultant for a fictional company undergoing the growing pains of a nascent cloud migration. Tasks in this workshop challenge the student to first understand a tangled web of access controlled via a single policy document and subsequently dissect the access pattern, creating new policy attachment points for each data consumer. Finally, students will demonstrate how to restrict access to data subsets at the network-level.Lab work is initially done in a browser-based diagramming tool to complete the desired pattern. The real fun begins when students log into the AWS console to “See It in Action”. Students are encouraged to have a trust but verify mentality and ensure their requirements have been met. Investigating the implementation of the diagramed pattern is prompted through a CTF style game that runs all through the workshop - prompting students to inspect corners of the architecture for clues and controls, earning points along the way.
Instructor Led Exercises:
- Threat modeling S3
- Access control for Shared Datasets
Workshop Objectives
- Review the data flow diagram of an external ingestion pattern using S3
- Evaluate the Attack Surface and the Trust Boundaries crossed when data is both written and read from S3
- Consider possible threats to a system using S3 as an ingestion point
- Delegate bucket-level access control to access points
- Segment object access by data consumer through access point policy.
- Depicted the layering of policy to restrict access at the network layer to specific data classes.
- Diagram the new access model and log into the AWS console to verify the real-life implementation.
Prerequisite Knowledge:
- A cursory understanding of the AWS access model is helpful as the basics of Identity and Access Management in AWS will not be covered, however, in-depth knowledge is not required.
- Familiarity with AWS Management Console
System Requirements
- Current Web Browser with internet access (i.e. Chrome, Safari, Edge, or Firefox)
- In this environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
