Ending Soon: Get a MacBook Air or Surface Pro 7 with 5 or 6 Day Training - Best Offers of the Year!

SEC510 Beta One 2020 - Live Online

Virtual, US Mountain | Mon, Aug 17 - Wed, Aug 19, 2020

Because this course is offered as a beta including discounted pricing, seating is limited to a maximum of two seats per organization. No additional discounts apply.

SEC510: Multicloud Security Assessment and Defense Sold Out

Mon, August 17 - Wed, August 19, 2020

SEC510: Multicloud Security Assessment and Defense provides cloud security practitioners, analysts, and researchers with an in-depth understanding of the inner workings of the most popular public cloud providers: Amazon Web Services (AWS), Microsoft Azure, and the Google Cloud Platform (GCP). Students will learn industry-renowned standards and methodologies, such as the MITRE ATT&CK Cloud Matrix and CIS Cloud Benchmarks, then apply that knowledge in hands-on exercises to assess a modern web application that leverages the cloud-native offerings of each provider. Through this process students will learn the philosophies that undergird each provider and how these have influenced their services.

Organizations in every sector are increasingly adopting cloud offerings to build their online presence on the shoulders of giants. However, although cloud providers are responsible for the security of the cloud, their customers are responsible for what they do in the cloud. Unfortunately, the providers have made the customer's job difficult by offering many services that are insecure by default. Worse yet, with each provider offering hundreds of different services and with many organizations opting to use multiple providers, security teams need a deep understanding of the underlying details of the different services in order to lock them down. As the landscape is rapidly evolving and development teams are eager to adopt the next big thing, security is constantly playing catch-up in order to avert disaster.

The Big 3 cloud providers alone provide more services than any one company can consume. As security professionals, it can be tempting to limit what the developers use to the tried-and-true solutions of yesteryear. Unfortunately, this approach will inevitably fail as the product development organization sidelines a security organization that is unwilling to change. Functionality drives adoption, not security, and if a team discovers a service offering that can help get its product to market quicker than the competition, it can and should use it. SEC510 gives you the ability to provide relevant and modern guidance and guardrails to these teams to enable them to move both quickly and safely.

This Course Will Prepare You To:

  • Understand the inner workings of Platform-as-a-Service offerings in order to make more informed decisions in the cloud
  • Understand the design philosophies that undergird each provider and how these have influenced the providers' services in order to properly prescribe security solutions for them
  • Discover the unfortunate truth that many cloud services are adopted before their security controls are fully fleshed out
  • Understand Azure and the Google Cloud Platform, both of which we will cover extensively
  • Receive thousands of lines of Infrastructure-as-Code for each platform that you can plug into your organization

Student Notices and Requirements

  • Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) accounts are needed in order to do the hands-on exercises during this course. Students must create their cloud accounts prior to the start of class. Your ability to execute the hands-on exercises will be delayed if you wait to set up the accounts during a live class.
  • These cloud accounts will incur additional fees from platform usage. The estimated cost for running the lab environment is roughly $25 for the course.

You Will Be Able To:

  • Understand the intricacies of Identity and Access Management, one of the most fundamental concepts in the cloud and yet one of the most commonly misunderstood
  • Understand cloud networking and how locking it down is a critical aspect of defense-in-depth in the cloud
  • Analyze how each provider handles encryption at rest and in transit in order to prevent sensitive data loss
  • Explore the service offering landscape to discover what is driving the adoption of multiple cloud platforms and to assess the security of the services at the bleeding edge
  • Understand the complex connections between cloud accounts, providers, and on-premises systems and the cloud
  • Perform secure data migration to and from the cloud
  • Understand Terraform Infrastructure-as-Code well enough to share it with your engineering team as a starting point for implementing the controls discussed in the course

Hands-on Labs

SEC510 solidifies every concept discussed in the lectures through hands-on labs. In the labs, students will assess a modern web application written with Next.js, React, and Sequelize that leverages the cloud-native offerings of each provider. Each lab includes a step-by-step guide as well as a "no hints" option for students who want to test their skills without further assistance. This allows students to choose the level of difficulty that is best for them and fall back to the step-by-step guide as needed.

You Will Receive With This Course:

  • Electronic courseware
  • Digital download package

What Courses to Take Next:

Courses that are good follow-ups to SEC510:

  • SEC540: Cloud Security and DevOps Automation
  • SEC588: Cloud Penetration Testing

Additional Resources:

Top 5 Considerations for Multicloud Security by Brandon Evans

SANS@MIC Talk - SEC510: Multicloud Security Assessment and Defense with Brandon Evans and Eric Johnson

Course Syllabus

Brandon Evans ,
Eric Johnson
Mon Aug 17th, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT


SEC510 starts with a brief overview of the Big 3 cloud providers. We will examine the factors driving adoption of multiple cloud providers and the rise in popularity of Azure and GCP, which historically have lagged far behind AWS. Students will then initialize their lab environment and deploy a modern web application to each of the Big 3 providers.

This leads into an analysis of the intricacies of Identity and Access Management (IAM), one of the most fundamental and misunderstood concepts in cloud security. Playing the role of an attacker in their lab environment, students will compromise real IAM credentials using application vulnerabilities and then use them to access sensitive data.

The remainder of this section will focus on how to leverage well-written IAM policies to minimize the damage caused by such attacks. Although the ultimate solution is to fix the bug in the application, these strategies can prevent a minor incident from becoming front-page news.

  • VM Credential Exposure
  • Harden AWS IAM Policies
  • Harden Azure and GCP Policies
  • Advanced IAM Features

CPE/CMU Credits: 6

  • The Multicloud Movement
    • Cloud Market Trends
    • Multicloud Considerations
    • Shadow Cloud Accounts
  • Multicloud Security Assessment
    • MITRE ATT&CK Cloud Matrix
    • Lab Environment Introduction
    • HashiCorp Terraform Overview
  • Identity and Access Management
    • Identities
    • Policies
    • Organization-Wide Controls
    • AWS IAM
    • Azure Active Directory
    • GCP IAM
  • Cloud Credentials Management
    • Cloud Instance Metadata APIs
    • Credential Management Postmortems (Case Studies)
  • Application Vulnerability Overviews
    • Overly Permissive Permissions
    • Command Injection
    • Server-Side Request Forgery
    • Supply-Chain Attacks

Brandon Evans ,
Eric Johnson
Tue Aug 18th, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT


Section 2 covers how to lock down infrastructure within a virtual private network. As the public cloud IP address blocks are well known and default network security is often lax, millions of sensitive assets are unnecessarily accessible to the public Internet. This section will ensure that none of these assets belong to your organization.

The section begins by demonstrating how ingress and egress traffic can be restricted within each provider. Students will analyze the damage that can be done without these controls by accessing a public-facing database and creating a reverse shell session in each environment. We will then eliminate both attack vectors with secure cloud configuration.

In addition to introducing additional network defense-in-depth mechanisms, we will discuss cloud-based intrusion detection capabilities to address the network-based attacks we cannot eliminate. Students will analyze cloud traffic and search for indicators of compromise.

  • Network Lockdown
  • Analyzing Network Traffic
  • Private Endpoint Security
  • Cloud VPN & Managed SSH

CPE/CMU Credits: 6

  • Cloud Virtual Networks
    • Network Service Scanning
    • Default Network Configuration
    • Network Security Groups
  • Network Traffic Analysis
    • Flow Logging
    • Traffic Mirroring
  • Private Endpoints

    • AWS PrivateLink
    • Azure Private Link
    • GCP VPC Service Controls
  • Advanced Remote Access
    • Managed SSH
    • Hybrid VPN Gateway
    • Session Manager
    • Hybrid VPN Gateway
  • Command and Control Servers

    • Reverse Shells

Brandon Evans ,
Eric Johnson
Wed Aug 19th, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT


Section 3 covers all topics related to encryption in the cloud. Students will learn about each provider's cryptographic key solution and how it can be used to encrypt data at rest. Students will also learn how end-to-end in-transit encryption is performed in the cloud, such as the encryption between clients, load balancers, applications, and database servers.

Proper encryption is not only critical for security; it is also an important legal and compliance considerations. This section will ensure that your organization has all of the information at its disposal to send the auditors packing.

We round off the course by covering some miscellaneous cloud concepts that every security professional should know: securing cloud storage, attacking and defending serverless functions, and how to use automated tools to assist in the assessments of your cloud environments.

  • Audit Decryption Events
  • Encrypt All The Things!
  • Assess with Serveless Prey
  • Final Assessment
  • Lab Teardown

CPE/CMU Credits: 6

  • Cloud Key Management
    • AWS KMS
    • Azure Key Vault
    • Google Cloud KMS
  • Encryption with Cloud Services

    • Disk-Level Encryption
    • Record-Level Encryption
    • In-Transit Encryption
    • End-to-End Encryption Considerations
  • Cloud Storage Platforms

    • Access Control
    • Logging
  • Cloud Serveless Functions
    • Security Advantages
    • Attacking Serverless Servers
    • FaaS Defense and Auditing
  • Automated Benchmarking
    • CIS Benchmark Automated Scans
    • Cloud Configuration as a Service
  • Summary
  • Additional Resources

Additional Information


Please plan to arrive 30 minutes early before your first session for lab preparation and set-up. During this time, students can confirm that each cloud account is properly set up, ensure that laptops have virtualization enabled, copy the lab files, and start the Linux virtual machine. For students taking the course Live Online, the instructor will be available to assist them with laptop prep and set-up 30 minutes prior to the start of the course.

Mandatory: Students must bring their own AWS, Azure, and GCP accounts to complete the exercises. Please ensure that you have done the following before class starts:

Amazon Web Services

  1. Register for a personal free-tier account.
  2. Activate your new account.
  3. Log in to the AWS Console with your root account.
  4. Browse to the EC2 Service and verify that you see the dashboard (not an activation screen).
  5. In the top right-hand corner of the page, select "U.S. East (Northern Virginia).
  6. From the left navigation bar, select "Limits".
  7. Verify that you have at least 10vCPUs for On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances.
  8. If your limits are less than 10 vCPUs, please start by creating a new t2.micro instance. Creating a new instance often causes the limits to increase automatically. If your limits do not automatically increase (wait 30 minutes to check again), open a ticket with the AWS support team to request an a increase. More details can be found in the AWS EC2 Service Limits documentation.

Microsoft Azure

  1. Browse to the Azure Portal.
  2. Register for a personal 12-month free account.

Google Cloud Platform

  1. Create a Google account.
  2. Sign up for a GCP free trial.


A properly configured system is required for each student participating in this course. Before starting your course, carefully read and follow these instructions exactly:

  • Download and install VMware Workstation or VMware Fusion on your system prior to the start of the class.
  • If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 15+, VMware Fusion 11+.
  • If you do not own a licensed copy of VMware, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Mandatory Host Hardware Requirements

  • CPU: 64-bit 2.5+ GHz multi-core processor or higher
  • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
  • Hard Disk: Solid-State Drive (SSD) is MANDATORY with 50GB of free disk space minimum
  • Memory: 16GB of RAM or higher is mandatory for this class (IMPORTANT! 16GB of RAM is MANDATORY)
  • Working USB 2.0 or higher port
  • Wireless Ethernet 802.11 B/G/N/AC
  • Local Administrator Access within your host operating system

Mandatory Host Operating System Requirements

You must use a 64-bit laptop with one of the following operating systems that have been verified to be compatible with course VMware image:

  • Windows (8 or 10)
  • Mac OS X (Catalina, Mojave)

Mandatory Software Requirements

Prior to class, ensure that the following software is installed on the host operating system:

  • VMware Workstation Pro 15+, VMware Fusion 11+
  • Zip File Utility (7Zip or the built-in operating system zip utility)

In summary, before beginning the course you should:

  • Have a laptop with a solid-state drive (SSD), 8GB of RAM, and a 64-bit operating system
  • Install VMware (Workstation or Fusion)
  • Windows Only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled
  • Download the SEC510 Lab Setup Instructions and Course Media from your sans.org account
  • Register a NEW AWS account prior to the start of the class at https://aws.amazon.com/
  • Register a NEW Azure account prior to the start of class at https://azure.microsoft.com/en-us/free/
  • Register a NEW GCP free-tier account prior to the start of class at https://console.cloud.google.com/freetrial

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Security analysts, security engineers, security researchers, cloud engineers, DevOps engineers, security auditors, system administrators, operations personnel, or anyone who is responsible for:

  • Evaluating and adopting new cloud offerings
  • Researching new vulnerabilities and developments in cloud security
  • Identity and Access Management
  • Managing a cloud-based virtual network
  • Secure configuration management

Courses or equivalent experiences that are prerequisites for SEC510:

SEC488: Cloud Security Essentials

Although SEC510 uses Terraform Infrastructure-as-Code to deploy and configure services in each cloud for the labs, students will not need in-depth knowledge of Terraform or need to understand any of the syntax used. However, students will be introduced at a high level to what this code accomplishes.

For those looking to prepare ahead of time, check out the Terraform Getting Started Guide: https://learn.hashicorp.com/terraform/getting-started/install

Author Statement

"The move to leveraging multiple public cloud providers introduces new challenges and opportunities for security and compliance professionals. As the service offering landscape is constantly evolving, it is far too easy to prescribe security solutions that are not accurate in all cases. While it is tempting to dismiss the multicloud movement or block it at the enterprise level, this will only make the problem harder to control.

Why do teams adopt additional cloud solutions in the first place? To make their jobs easier or more enjoyable. Developers are creating products that make money for the business, not for the central security team. If a team discovers a service offering that can help get its product to market quicker than the competition, it can and should use it. Security should embrace the inevitability of the multicloud movement and take on the hard work of implementing guardrails that enable the organization to move quickly and safely.

The multicloud storm is coming, whether you like it or not."

- Brandon Evans and Eric Johnson