Get the Skills you need from Home with SANS Online Training - Special Offers Available Now

Cloud Security Summit & Training - Live Online

Virtual, US Mountain | Thu, May 28, 2020 - Fri, Jun 5, 2020

SEC545: Cloud Security Architecture and Operations Waitlist

Mon, June 1 - Fri, June 5, 2020

As more organizations move data and infrastructure to the cloud, security is becoming a major priority. Operations and development teams are finding new uses for cloud services, and executives are eager to save money and gain new capabilities and operational efficiency by using these services. But, will information security prove to be an Achilles' heel? Many cloud providers do not provide detailed control information about their internal environments, and quite a few common security controls used internally may not translate directly to the public cloud.

The SEC545 course, Cloud Security Architecture and Operations, will tackle these issues one by one. We'll start with a brief introduction to cloud security fundamentals, and then cover the critical concepts of cloud policy and governance for security professionals. For the rest of day one and all of day two, we'll move into technical security principles and controls for all major cloud types (SaaS, PaaS, and IaaS). We'll learn about the Cloud Security Alliance framework for cloud control areas, then delve into assessing risk for cloud services, looking specifically at technical areas that need to be addressed.

The course then moves into cloud architecture and security design, both for building new architectures and for adapting tried-and-true security tools and processes to the cloud. This will be a comprehensive discussion that encompasses network security (firewalls and network access controls, intrusion detection, and more), as well as all the other layers of the cloud security stack. We'll visit each layer and the components therein, including building secure instances, data security, identity and account security, and much more. We'll devote an entire day to adapting our offense and defense focal areas to cloud. This will involve looking at vulnerability management and pen testing, as well as covering the latest and greatest cloud security research. On the defense side, we'll delve into incident handling, forensics, event management, and application security.

We wrap up the course by taking a deep dive into SecDevOps and automation, investigating methods of embedding security into orchestration and every facet of the cloud life cycle. We'll explore tools and tactics that work, and even walk through several cutting-edge use cases where security can be automated entirely in both deployment and incident detection-and-response scenarios using APIs and scripting.

NOTICE: Additional Student Requirements:

  1. An Amazon Web Services (AWS) account is required to do hands-on exercises during this course! The AWS account must be created prior to the start of class. Your ability to execute the hands-on exercises will be delayed if you wait to set up the AWS account in class. For detailed instructions on setting up your account:
  2. Estimated additional cost for the week of AWS account usage: $15 - $25

Course Syllabus

Kyle Dickinson
Mon Jun 1st, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT


The first day of the class starts out with an introduction to the cloud, including terminology, taxonomy, and basic technical premises. We also examine what is happening in the cloud today, and cover the spectrum of guidance available from the Cloud Security Alliance, including the Cloud Controls Matrix, the 14 major themes of cloud security, and other research available.

Next we spend time on cloud policy and planning, delving into the changes an organization needs to make for security and IT policy to properly embrace the cloud. After all the legwork is done, we'll start talking about some of the main technical considerations for the different cloud models. We'll start by breaking down Software-as-a-Service (SaaS) and some of the main types of security controls available. A specialized type of Security-as-a-Service (SecaaS) known as Cloud Access Security Brokers (CASBs) will also be explained, with examples of what to look for in such a service. We'll wrap up with an introduction to Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) controls, which will set the stage for the rest of the class.

  • Exploring AWS and Security
  • Evaluating Cloud Policies
  • Evaluating Cloud Contracts
  • Deploying and Securing Cloud Containers
  • SecaaS with Cloud Passage

CPE/CMU Credits: 6

  • Introduction to the Cloud and Cloud Security Basics
  • Cloud Security Alliance Guidance
  • Cloud Policy and Planning
  • SaaS Security
  • Cloud Access Security Brokers (CASBs)
  • Intro to PaaS and IaaS Security Controls

Kyle Dickinson
Tue Jun 2nd, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT


The second day of SEC545 compares traditional in-house controls with those in the cloud today. Some controls are similar and mostly compatible, but not all of them. Since most cloud environments are built on virtualization technology, we walk through a short virtualization security primer, which can help teams building hybrid clouds that integrate with internal virtualized assets, and also help teams properly evaluate the controls cloud providers offer in this area. We'll then break down cloud network security controls and tradeoffs, since this is an area that is very different from what we've traditionally run in-house.

For PaaS and IaaS environments, it's critical to secure virtual machines (instances) and the images we deploy them from, so we cover this next. At a high level, we'll also touch on identity and access management for cloud environments to help control and monitor who is accessing the cloud infrastructure, as well as what they're doing there. We also cover data security controls and types, including encryption, tokenization, and more. Specific things to look for in application security are laid out as the final category of overall controls. We then pull it all together to demonstrate how you can properly evaluate a cloud provider's controls and security posture.

  • Hypervisor Security
  • Setting Up VPCs and Cloud Networks
  • Configuration Control and Assessment with AWS Config
  • Cloud Risk Assessment

CPE/CMU Credits: 6

  • Cloud Security: In-House versus Cloud
  • A Virtualization Security Primer
  • Cloud Network Security
  • Instance and Image Security
  • Identity and Access Management
  • Data Security for the Cloud
  • Application Security for the Cloud
  • Provider Security: Cloud Risk Assessment

Kyle Dickinson
Wed Jun 3rd, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT


Instead of focusing on individual layers of our cloud stack, we start day three by building the core security components. We'll break down cloud security architecture best practices and principles that most high-performing teams prioritize when building or adding cloud security controls and processes to their environments. We start with infrastructure and core component security - in other words, we need to look at properly locking down all the pieces and parts we covered on day two!

This then leads to a focus on major areas of architecture and security design. The first is building various models of access control and compartmentalization. This involves breaking things down into two categories: identity and access management (IAM) and network security. We delve into these in significant depth, as they can form the backbone of a sound cloud security strategy. We then look at architecture and design for data security, touching on encryption technologies, key management, and what the different options are today. We wrap up our third day with another crucial topic: availability. Redundant and available design is as important as ever, but we need to use cloud provider tools and geography to our advantage. At the same time, we need to make sure we evaluate the cloud provider's DR and continuity, and so this is covered as well.

  • IAM within S3
  • EC2 and IAM Roles
  • Managing Cloud Instances with EC2 Systems Manager
  • Complex IAM with Container Secrets
  • Secure Network Architecture with Bastion Hosts

CPE/CMU Credits: 6

  • Cloud Security Architecture Overview
  • Cloud Architecture and Security Principles
  • Infrastructure and Core Component Security
  • Access Controls and Compartmentalization
  • Confidentiality and Data Protection
  • Availability

Kyle Dickinson
Thu Jun 4th, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT


There are many threats to our cloud assets, so the fourth day of the course begins with an in-depth breakdown of the types of threats out there. We'll look at numerous examples. The class also shows students how to design a proper threat model focused on the cloud by using several well-known methods such as STRIDE and attack trees and libraries.

Scanning and pen testing the cloud used to be challenging due to restrictions put in place by the cloud providers themselves. But today it is easier than ever. There are some important points to consider when planning a vulnerability management strategy in the cloud, and this class touches on how to best scan your cloud assets and which tools are available to get the job done. Pen testing naturally follows this discussion, and we talk about how to work with the cloud providers to coordinate tests, as well as how to perform testing yourself.

On the defensive side, we start with network-based and host-based intrusion detection, and how to monitor and automate our processes to better carry out this detection. This is an area that has definitely changed from what we're used to in-house, so security professionals need to know what their best options are and how to get this done. Our final topics on day four include incident response and forensics (also topics that have changed significantly in the cloud). The tools and processes are different, so we need to focus on automation and event-driven defenses more than ever.

  • Vulnerability Assessment with AWS Inspector
  • Cloud Threat Modeling
  • Deploying Kali in the Cloud for Pen Tests
  • flAWS: A Cloud-Based CTF
  • Logging and Events in the Cloud

CPE/CMU Credits: 6

  • Threats to Cloud Computing
  • Vulnerability Management in the Cloud
  • Cloud Pen Testing
  • Intrusion Detection in the Cloud
  • Cloud IR and Event Management
  • Cloud Forensics

Kyle Dickinson
Fri Jun 5th, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT


On our final day, we'll focus explicitly on how to automate security in the cloud, both with and without scripting techniques. We will use tools like the AWS CLI and AWS Lambda to illustrate the premises of automation, then turn our attention toward SecDevOps principles. We begin by explaining what that really means, and how security teams can best integrate into DevOps and cloud development and deployment practices. We'll cover automation and orchestration tools like Ansible and Chef, as well as how we can develop better and more efficient workflows with AWS CloudFormation and other tools.

Continuing some of the topics from day four, we will look at event-driven detection and event management, as well as response and defense strategies that work. While we won't automate everything, some actions and scenarios really lend themselves to monitoring tools like CloudWatch, tagging assets for identification in security processes, and initiating automated response and remediation to varying degrees. We wrap up the class with a few more tools and tactics, followed by a sampling of real-world use cases.

  • AWS CLI Automation
  • Ansible Basics
  • Ansible Roles and Security
  • AWS CloudFormation
  • AWS CloudWatch
  • AWS Lambda Automation

CPE/CMU Credits: 6

  • Scripting and Automation in the Cloud
  • SecDevOps Principles
  • Creating Secure Cloud Workflows
  • Building Automated Event Management
  • Building Automated Defensive Strategies
  • Tools and Tactics
  • Real-World Use Cases
  • Class Wrap-Up

Additional Information

SEC545 students will have the opportunity to install, configure, and utilize the tools and techniques that they have learned. You will be given a USB drive with three virtual machines, but it is critical that you have a properly configured system prior to class. Most labs are done online in the AWS Cloud.

IMPORTANT: You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that can also install and run VMware virtualization products. You also must have a minimum of 8 GB of RAM or higher for the VMs to function properly in the class. A VMware product must also be installed prior to coming to class. Verify that under BIOS, Virtual Support is ENABLED.

Mandatory System Requirements

  • System running Windows, Linux, or Mac OS X 64-bit version
  • At least 8 GB RAM
  • 40 GB of available disk space (more space is recommended)
  • Administrator access to the operating system
  • Anti-virus software will need to be disabled in order to install some of the tools
  • An available USB port
  • Wireless NIC for network connectivity
  • Machines should NOT contain any personal or company data
  • Verify that under BIOS, Virtual Support is ENABLED

Mandatory Downloads Prior to Coming to Class:

  • Installed 64-bit host operating systems (Windows is recommended)
  • Download and install VMware Workstation 11, VMware Fusion 7, or VMware Workstation Player 7 or higher versions on your system prior to the start of class
  • Adobe Acrobat or other PDF reader application
  • Microsoft Excel (OpenOffice is OK for Mac OS X or Linux)

Mandatory Amazon Web Services (AWS) Account Prior to Coming to Class:

  • An Amazon Web Services (AWS) account is required to do hands-on exercises during this course! The AWS account must be created prior to the start of class. Your ability to execute the hands-on exercises will be delayed if you wait to set up the AWS account in class.
  • Estimated additional cost for the week of AWS account usage: $15 - $25
  • For detailed instructions on how to create and/or setup this account, please visit the following URL:

It is critical that your CPU and operating system support 64-bits so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Workstation Player 7 or higher versions on your system prior to the start of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

SEC545 Checklist:

I have confirmed that:

  • The system is running a 64-bit operating system
  • I have administrator access to the operating system
  • Anti-virus is disabled
  • The system includes a working USB port
  • I downloaded and installed the VMWare Workstation, Fusion, or Workstation Player

If you have additional questions about the laptop specifications, please contact

  • Security Analysts
  • Security Architects
  • Senior Security Engineers
  • Technical Security Managers
  • Security Monitoring Analysts
  • Cloud Security Architects
  • DevOps and DevSecOps Engineers
  • System Administrators
  • Cloud Administrators

A basic understanding of TCP/IP, network security, and security architecture are helpful for this course. Comfort with the command line is a must, as many exercises are conducted there (Linux command line skills are useful). Comfort with VMware virtualization is a plus.

Other Courses People Have Taken

Courses that are good follow-ups to SEC545:

  • Several virtual machines that include a hypervisor, Ansible platform, and more
  • MP3 audio files of the complete course lectures
  • All policy and configuration files that can be used to automate security in AWS
  • A threat-modeling template that can be used for SEC545 and beyond
  • USB 3.0 stick that includes the above and more
  • Revise and build internal policies to ensure cloud security is properly addressed
  • Understand all major facets of cloud risk, including threats, vulnerabilities, and impact
  • Articulate the key security topics and risks associated with SaaS, PaaS, and IaaS cloud deployment models
  • Evaluate Cloud Access Security Brokers (CASBs) to better protect and monitor SaaS deployments
  • Build security for all layers of a hybrid cloud environment, starting with hypervisors and working to application layer controls
  • Evaluate basic virtualization hypervisor security controls
  • Design and implement network security access controls and monitoring capabilities in a public cloud environment
  • Design a hybrid cloud network architecture that includes IPSec tunnels
  • Integrate cloud identity and access management (IAM) into security architecture
  • Evaluate and implement various cloud encryption types and formats
  • Develop multi-tier cloud architectures in a Virtual Private Cloud (VPC), using subnets, availability zones, gateways, and NAT
  • Integrate security into DevOps teams, effectively creating a DevSecOps team structure
  • Build automated deployment workflows using AWS and native tools
  • Incorporate vulnerability management, scanning, and penetration testing into cloud environments
  • Build automated and flexible detection and response programs using tools like AWS-IR, CloudWatch, CloudTrail, and AWS Lambda
  • Leverage the AWS CLI to automate and easily execute operational tasks
  • Set up and use an enterprise automation platform, Ansible, to automate configuration and orchestration tasks
  • Use CloudWatch, CloudFormation, and other automation tools to integrate automated security controls into your cloud security program

SEC545: Cloud Security Architecture and Operations reinforces knowledge transfer through the use of numerous hands-on labs. This approach goes well beyond traditional lectures and delves into literal application of techniques. Hands-on labs are held every day to reinforce the skills covered in class and to provide students experience with the tools used to implement effective security. The labs are designed to enable students to apply what they are learning in an instructor-led environment. Labs are wide-ranging and include:

  • Policy and governance labs
  • Security-as-a-Service labs
  • Architecture and design labs
  • Security automation labs
  • Offensive and defensive labs in the cloud
  • Log collection and review labs
  • Playing flAWS, a challenging cloud CTF

Author Statement

The cloud is happening - face it, security teams need to adapt to moving assets to the cloud, and it's happening fast. Unfortunately, many security teams aren't comfortable with the tools, controls, and design models needed to properly secure the cloud, and they need to get up to speed fast. In addition, many DevOps teams are building automated deployment pipelines, and security teams aren't integrated into those workflows. This class is going to help you. We'll take you from A to Z in the cloud, with everything ranging from policy, contracts, and governance to controls at all layers. We'll design cloud architectures, cover IAM and encryption, and look at how offense and defense differ in the cloud. We'll wrap it all up with automation tactics that will help you work effectively with the DevOps teams, and build a sustainable cloud security program in your environment.

- Dave Shackleford