SEC541: Cloud Security Monitoring and Threat Detection

  • Online
18 CPEs

SEC541 is a cloud security course that examines how attackers are attacking the Amazon Web Services (AWS) and Microsoft Azure environments, the characteristics of those attackers, and how to detect them and investigate suspicious activity in your cloud infrastructure. Every course section, the class will analyze a real world set of attacks, break down how they happened, and show how to detect them in their environment. The course will then dive into the AWS and Azure services, analyzing logs and behaviors and building analytics that the students can bring back to their own cloud infrastructure.

What You Will Learn

Attackers Can Run But Not Hide. Our Radar Sees All Threats.

Cloud infrastructure provides organizations with new and exciting services to better meet the demands of their customers. However, these services bring with them new challenges, particularly for organizations struggling to make sense of the cloud native logs, keeping ahead of fast-moving development teams, and trying to learn about how threats are adapting to cloud services. Securely operating cloud infrastructure requires new tools and approaches.

SEC541 starts by walking through a real world attack campaign against a cloud infrastructure. We will break down how it happened, what made it successful, and what could have been done to catch the attackers in the act. We spend the first section of the course dissecting the attacks, learning how to leverage cloud native and cloud integrated capabilities to detect, hunt, or investigate similar attacks in a real environment, and building our arsenal of analytics, detections and best practices for you to bring back to work as soon as the course is over.

SEC541: Cloud Monitoring and Threat Detection Will Prepare You To:

  • Research attacks and threats to cloud infrastructure and how they could affect you
  • Effectively use AWS and Azure core logging services effectively to detect suspicious behaviors
  • Move beyond the cloud provided Graphic User Interfaces (GUI) to perform complex analysis
  • Perform network analysis with cloud provided network logging
  • Integrate container, operating system, and deployed application logging into cloud logging services for more cohesive analysis
  • Make the most of managed security services such as AWS GuardDuty, AWS Detective and Azure Sentinel


This course formerly had only one course section. Two additional course sections have been added that focus on AWS and Azure, with additional labs added as well.


The labs in this course are hands-on explorations into AWS logging and monitoring services. Each lab will start by researching a particular threat and the data needed to detect it. Then the student will use native services within AWS to extract, transform, and analyze the threat. The course lecture coupled with the labs will give students a full picture of how those services within AWS work, the data they produce, and common ways to analyze those data.

Section 1 and 2 labs will center around the infrastructure you will build in class. You will perform your own attacks, and gather those logs. Section 3 opens up to a larger shared AWS environment leveraging managed security services.


  • Printed and Electronic courseware
  • Virtual machine with all lab resources
  • MP3 of the course



Depending on your current job role or future plans, any of the following SANS courses could be an excellent follow-on to SEC541:

Syllabus (18 CPEs)

Download PDF
  • Overview

    Section 1 will look at how attackers took over the infrastructure from the company CodeSpaces, and investigate how the AWS and Azure management plane and network logging can be used to detect similar techniques.

    • SEC541 Environment Deployment
    • Analyzing Cloud API logs with CloudTrail
    • Parsing JSON-Formatted Logs with JQ
    • Network Analysis

    Debrief: Codespaces

    • Story Overview
    • Course Overview
    • Introduce MITRE ATT&CK
    • Walk through of the Attack
    • Definitions of Threat, Hunting, Detection, Monitoring

    Detecting T1526 with Application Programming Interface (API) Logging

    • AWS CloudTrail
    • Azure Activity Log

    Log Parsing with JQ

    Detecting T1499, T1078.004 with Cloud-Native Logging Services

    • AWS CloudWatch
    • Azure Log Analytics
    • Proxying Services and Log Generation

    Detecting T1048.001 with Network Flow Logging

    • AWS VPC Flow Logs
    • AWS Athena
    • Azure Flow Logs
    • Capturing Packets with AWS VPC Mirroring and Azure Virtual Tap
  • Overview

    Section 2 of the course will investigate how bitcoin miners snuck into Teslas Kubernetes infrastructure. We will investigate ways to use cloud native services, application logs, managed container telemetry, and operating system logs to assemble together data from across your organization to analyze for attack behavior.

    • CloudWatch Agent
    • CloudWatch Customization
    • Strange ECS Behavior
    • Metadata Services

    Debrief Tesla Attack

    • Story Overview
    • Introduce MITRE Container Matrix
    • Discuss Threats to Container-based Deployments

    Operating System Logs

    • Windows
    • Linux

    Application Logs

    Log Agents

    • AWS CloudWatch Agent
    • Azure Log Analytics Agent
    • Third-Party Options

    Container Logs

    • Container Challenges
    • AWS ECS (EC2 and Fargate)
    • AWS EKS (EC2 and Fargate)
    • Azure Container Instances
    • Azure AKS

    Cloud Services Logs

    • Metadata Services
  • Overview

    Section 3 will investigate the Capital One attack. We will look at how the attacker gained access and extracted informatino about more than 100 million customers. We'll also examine how AWS's and Azure's inventory services, managed security products, and active vulnerability services can be leveraged to identify potential vulnerabilities and threats in your cloud infrastructure.

    • Lab: Cloud Inventory
    • Lab: Discovering Sensitive Data in Unapproved Location
    • Lab: Inspector
    • Lab: Data Centralization

    Debrief: Capital One

    • Story Overview
    • Walk through of the Attack
    • AWS GuardDuty Overview and AWS provided ThreatIntel
    • AWS Detective

    Detecting T1530 with Cloud Inventory

    • Command Line Discovery
    • AWS Configuration

    Detecting T1105 with Data Discovery

    • Macie

    Detecting T1190 with Vulnerability Analysis Services

    • AWS Inspector
    • AWS ECR

    Data Centralization

    • AWS Event Bus
    • AWS Kinesis Data Firehose
    • AWS Elasticsearch


Students should be familiar with AWS or Azure and have worked with them hands-on, especially security professionals working in the cloud security field who understand basic threats and attack vectors.

The course will assume that students are able to understand or do the following without help:

  • Build a VM
  • Understand how IAM roles/policies work
  • Create key pairs for SSH log-in
  • Understand basic cloud networking capabilities.

Other SANS Courses SEC541 Students Have Taken

Laptop Requirements

SEC541 students will run the exercises from a virtual machine that is configured with all the tools and documentation needed. All exercises will use Amazon Web Services (AWS).

IMPORTANT: You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that can also install and run VMware virtualization products. You also must have a minimum of 8 GB of RAM or higher for the virtual machines to function properly in the classVerify that under BIOS, Virtual Support is ENABLED.

Mandatory System Requirements

  • System running Windows, Linux, or Mac OS X 64-bit version
  • At least 8 GB of RAM
  • 40 GB of available disk space (more space is recommended)
  • Administrator access to the operating system
  • Anti-virus software will need to be disabled in order to install some of the tools
  • An available USB port
  • Wireless NIC for network connectivity
  • Machines should NOT contain any personal or company data
  • Verify that under BIOS, Virtual Support is ENABLED

Mandatory Downloads Prior to Coming to Class

A 64-bit host operating system is installed (Windows is recommended)

Adobe Acrobat or other PDF reader application

Mandatory AWS Account Prior to Coming to Class:

  • An AWS account is required to do the hands-on exercises during this course. The AWS account must be created prior to the start of class. Your ability to execute the exercises will be delayed if you wait to set up the AWS account in class.
  • Estimated additional costs for the AWS account should be less than $20
  • You will receive detailed instructions for setting up your AWS account before the start of class.

Author Statement

"Cloud service providers are giving us new tools faster than we can learn how to use them. As with any new and complex tool, we need to get past the surface-level how-to in order to radically reshape our infrastructure. This course is an overview of the elements of AWS and Azure that we may have used before but are ready to truly explore. By the end of the class, youll be confident knowing that you have the skills to start looking for the threats and building a true threat detection program in AWS and Azure." - Shaun McCullough and Ryan Nicholson

"I really enjoyed learning more about the AWS data sources and then performing relevant attacks against them to generate events that we could hunt for." - Gavin Knapp, Bridewell Consulting

Register for SEC541

  • In Person

Training events and topical summits feature presentations and courses in classrooms around the world.

Learn more
  • Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Learn more
  • OnDemand

Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.

Learn more