SEC549: Enterprise Cloud Security Architecture

  • In Person (2 days)
  • Online
12 CPEs

The age of cloud computing has arrived as organizations have seen the advantages of migrating their applications from traditional on-premises networks. However, the rapid adoption of cloud has left architects scrambling to design on this new medium. A shift to the cloud requires cybersecurity professionals to reorient their security goals around a new threat model to enable business requirements while improving their organization's security posture. SEC549 is here to help enable this shift. The course takes an architectural lens to enterprise-scale, cloud infrastructure challenges, addressing the security considerations architects need to address when tasked with business expansion into the cloud, from the secure usage of shared cloud-hosted data to the centralization of workforce identity.

What You Will Learn


Without a mental model for threats in the cloud, architects attempt to strong-arm design patterns intended for the on-premise world onto cloud systems, hindering the speed of cloud adoption and modernization. Worse yet, failure to identify trust boundaries in the cloud results in missing security controls at the identity or network-planes and poor security outcomes. In the SEC549, students are introduced to security architecture as it applies to the cloud. Students take away from this course a clear mental model of the cloud and the controls available to them, allowing students to shift their threat models to this new, vastly different world with distributed perimeters and unfamiliar trust boundaries.

The course is constructed around the cloud migration journey of a fictional company and the challenges they encounter along the way. Students are tasked with phasing in a centralized identity plan and designing secure patterns for enabling cloud-hosted applications. Both network-layer and identity-layer controls are covered in-depth as complementary mechanisms for securing access to distributed resources. The importance of centralizing identity is a core take-away of this course as showcased through the discussion of fragmented identity and its perils, especially with the rise of the Cloud and the adoption of multiple cloud service providers. Students are taught the foundational concepts used when designing for phased identity consolidation so they can confidentially tackle similar challenges on the job.

"The book, material, labs allow for a very interactive learning experience regarding building and understanding cloud architecture. I am somewhat new to this side of the industry and have been able to follow along and keep up with everything discussed and taught in this module." - Nevan Beal, Raymond James


  • Mitigate the risk posed by nascent cloud technologies and their rapid adoption
  • Decrease the risk of cloud migrations by planning for phased approach
  • Help your organization prevent identity sprawl and tech debt through centralization
  • Enable business growth by creating high-level guardrails
  • Prevent costly anti-patterns from becoming entrenched
  • Move your organization towards a Zero-Trust posture through the uplifting of existing access patterns


  • Enable business through secure cloud architectural patterns
  • Connect the dots between architectural patterns and real-life infrastructure
  • Build a secure, scalable identity foundation in the cloud
  • Centralize your organization's workforce identity to prevent sprawl
  • Learn how to incorporate both network-based and identity-based controls
  • Ability to create data perimeters for cloud-hosted data repositories
  • Strategically approach a phased cloud migration


The hands-on portion of the SEC549 is unique and especially suited to the student who wants to architect for the cloud. Each lab is performed by observing and correcting an anti-pattern presented as an architectural diagram. The correct version of each diagram is implemented as live infrastructure in AWS and made available to the student to explore the configurations. In this course, the students have access to an enterprise-scale AWS Organization and can observe all details discussed in the labs and throughout the course.

Each of the sections of the course discusses security design considerations for all three major clouds, however there is an emphasis on working with AWS and labs are structured around concepts in AWS.

  • Section 1: Structuring Accounts to Create Effective Hierarchies, Transitioning Access from IAM Users to Roles, AWS SSO for Permission Management
  • Section 2: Integrating Modern Authentication into Legacy Applications, Creating a Shared VPC Architecture, Access Control for Shared Data Sets

"All three of today's labs were helpful in cementing the concepts. The "See It In Action" portions were particularly useful." - Oritse Uku

"The lab was straightforward and didn't require much existing AWS cloud knowledge. The lab demonstrated the how and why policies need to be manageable." - Andrew Guggenberger


  • Section 1: A foundational section covering IAM in the cloud, the higher-level resource containers in each of the 3 major cloud providers, and how to use restrictive policy to enforce guardrails on an enterprise-scale cloud estate.
  • Section 2: A heavy emphasis on zero-trust and how to use cloud services to employ a ZT strategy, dividing the content into three categories, identity-layer controls, network-layer controls and controls used when building a data perimeter.



  • Printed and electronic courseware
  • architectural diagrams representing secure patterns you can use as reference architecture
  • Access to SANS Cloud Security Alum Slack


Depending on your current role or future plans, one of these courses is a great next step in your cloud security journey:

Syllabus (12 CPEs)

Download PDF
  • Overview

    SEC549 kicks off by defining concepts used throughout the course such as threat modeling the cloud, what makes a secure pattern and how our mental models need to adapt for the cloud.

    This section dedicates a portion of time to foundational concepts of identity in the cloud from users, groups, roles, and machine identities and how those concepts subtly differ across the 3 major cloud providers. Managing identity in the cloud is an over-arching theme of this section. This course teaches students the core concepts of identity federation, single sign-on, and the protocols used in these technologies. Using AWS SSO as an example, students are taught how to enable identity federation in support of a centralized workforce identity, automatically provision users to the cloud and centrally maintain attributes governing access control.

    • Structuring Accounts to Create Effective Hierarchies
    • Transitioning Access from IAM Users to Roles
    • AWS SSO for Permission Management
    • Security Architecture in the cloud with an emphasis on threat modeling cloud-native services
    • Using the large-scale building blocks offered in three CSP to create effective hierarchical designs
    • Implementing an identity foundation  understanding how permissions are granted and patterns of IAM in the cloud
    • Federated access and single sign-on  managing users at scale with the federation of identity

  • Overview

    Opening up Section 2 is an in-depth look at the zero-trust movement, its history and how zero-trust in the cloud can be leveraged to uplift legacy access patterns. Dividing the day are the complementary concepts of network-layer controls and identity-layer controls. Both are covered in detail as we look to build business enabling patterns such as shared VPCs and the connection of VPC-aware to non VPC-aware resources. Finally, to frame the discussion around S3 Bucket controls, several common use cases for cloud-hosted data repositories are outlined and with the use cases, the accompanied controls that can be leveraged to enable them.

    • Integrating Modern Authentication into Legacy Applications
    • Creating a Shared VPC Architecture
    • Access Control for Shared Data Sets
    • Cloud Migrations - considerations and business drivers
    • Zero-Trust Concepts - using cloud services to implement zero-trust patterns in a phased approach
    • Establishing Perimeters in the Cloud for Application Access - Network patterns in the cloud and using network-layer controls to enable application workloads
    • Establishing Perimeters in the Cloud for Application Access - AWS S3 Use Cases and design patterns to secure your data in the cloud


The following are courses or equivalent experiences that are prerequisites for SEC549:

Preparing for SEC549

Students taking SEC549 will have the opportunity to learn identity access management (IAM) patterns in the cloud. A basic familiarity with IAM concepts like role-based access control, attribute-based access control and permission management is helpful but not required.

Additionally, students will delve into cloud-native tools for securing deployments at the network layer. Having a basic understanding of network concepts such as firewalls, network access control lists and IP addressing is helpful but not mandatory.

Laptop Requirements

Prior to class, ensure that the following software is installed on the operating system:

  • Web Browser with internet access (i.e. Chrome, Safari, Edge or Firefox)

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will increase quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact

Author Statement

"The cloud has turned our perimeter increasingly distributed and is often solely enforced with identity-based controls. In the cloud, safeguards have been lifted and the room for error is slim. Even with this grim reality, I am still optimistic. The migration to the cloud has enabled our most innovative technologies and presents an opportunity for the security sector to evolve and mature.

If armed with the correct foundational principles, we can as an industry build a more secure future, with greater availability and confidentiality than ever possible on-premises. If history has taught us anything, transitioning to the new cloud-native, zero-trust world will be bumpy but I am so pleased to help shepherd you along the journey."

- Kat Traxler


The content for day 2 was very solid and organized.
The labs were great! I enjoyed every second of this course and look forward to future SEC549 courses.
Nevan Beal
Raymond James
What was covered in the first day flowed well and seemed well organized. Concepts are explained clearly and concisely.
Nicholas Dray

    Register for SEC549