Stay Sharp: Management & Cloud - Live Online

Virtual, US Central | Mon, Feb 1 - Thu, Feb 4, 2021

SEC541: Cloud Security Monitoring and Threat Detection Waitlist

Mon, February 1, 2021

Course Syllabus · 6 CPEs · Lab Requirements
Instructor: Shaun McCullough

Because this course is offered as a beta including discounted pricing, seating is limited to a maximum of two seats per organization. No additional discounts apply.

Attackers Can Run But Not Hide. Our Radar Sees All Threats.

NOTE: The name of this course has just been updated to "Cloud Security Monitoring and Threat Detection" from "Cloud Security Monitoring and Threat Hunting". The content remains the same. The title change more precisely reflects the topics covered in the course, which are broader than just "hunting".

SEC541: Cloud Security Monitoring and Threat Detection Will Prepare You To:

  • Understand the threats against AWS cloud infrastructure
  • Understand the AWS core logging services
  • Research, detect, and investigate threats
  • Incorporate scripting and automation to make threat hunters more efficient
  • Understand how good architecture improves threat detection


Cloud infrastructure provides organizations with new and exciting services to better meet the demands of their customers. However, these services bring with them new challenges, particularly the need to effectively hunt down and identify threats attacking your infrastructure. Securely operating cloud infrastructure requires new tools and approaches.

This course is an introduction to the native services available within Amazon Web Services (AWS) to gather, analyze, and detect threats. You will learn about common attack techniques used against cloud infrastructure, and then investigate how to detect those threats in AWS. SEC541 is all about gaining the hands-on experience that gives you the skills and confidence to seek out threats in your own environment. We'll also discuss architectural design patterns that can make detection easier and attacks harder, as well as ways to automate tasks wherever possible.


The labs in this course are hands-on explorations of the AWS logging and monitoring services. Each lab starts by researching a particular threat and the data needed to detect it. The student then uses native AWS services to extract, transform, and analyze that data. The course lecture, coupled with the labs, gives students a full picture of how those AWS services work, the data they produce, and common ways to analyze that data.

Do not expect to spend the labs clicking on screens. The labs are focused almost entirely on using the AWS command line interface (CLI), which is the best way to really understand the native services within AWS. The use of the CLI will also facilitate scripting and automation.


  • Printed and Electronic courseware
  • Virtual machine with all lab resources
  • MP3 of the course


Course Syllabus

Shaun McCullough
Mon Feb 1st, 2021
9:00 AM - 12:15 PM CT
1:30 PM - 5:00 PM CT

  • Identify Cloud Service Discovery Attacks with CloudTrail
  • Identify Brute Force Attacks with VPC Flow Logs
  • Identify Web App Attacks through CloudWatch Logs
  • Leverage GuardDuty as a Threat Detection Service

CPE/CMU Credits: 6


Analyzing the AWS management plane with CloudTrail

  • How AWS's API works
  • Understanding the CloudTrail service
  • Athena for analysis

Collecting network traffic

  • The VPC flow log
  • Athena for log analysis

Analyzing custom logging through CloudWatch

  • Using CloudWatch for analysis
  • Automating response actions in AWS
  • CloudWatch Insights for log analysis

Leveraging GuardDuty

  • Basics of GuardDuty
  • Tuning in GuardDuty

Investigating Security Hub

  • How to use Security Hub as part of your security program
  • Tools that Security Hub leverages

Additional Information

SEC541 students will run the exercises from a virtual machine that is configured with all the tools and documentation needed. All exercises use Amazon Web Services (AWS).

IMPORTANT: You can use any 64-bit version of Windows, Mac OS X, or Linux as your host operating system, provided it can install and run VMware virtualization products. You must also have at least 8 GB of RAM for the VMs to function properly in class. A VMware product must be installed prior to coming to class. Verify that virtualization support is ENABLED in the BIOS.

Mandatory System Requirements:

  • System running Windows, Linux, or Mac OS X 64-bit version
  • At least 8 GB of RAM
  • 40 GB of available disk space (more space is recommended)
  • Administrator access to the operating system
  • Anti-virus software will need to be disabled in order to install some of the tools
  • An available USB port
  • Wireless NIC for network connectivity
  • Machines should NOT contain any personal or company data
  • Verify that virtualization support is ENABLED in the BIOS

Mandatory Downloads Prior to Coming to Class:

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that detects whether or not your host supports 64-bit guest virtual machines.

Please download and install VMware Workstation Pro 15.5 or higher, VMware Fusion 11.5 or higher, or VMware Workstation Player 15.5 or higher on your system prior to the start of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Mandatory Amazon Web Services (AWS) Account Prior to Coming to Class:

  • An AWS account is required to do the hands-on exercises during this course. The AWS account must be created prior to the start of class. Your ability to execute the exercises will be delayed if you wait to set up the AWS account in class.
  • Estimated additional AWS costs for the day should be less than $5
  • You will receive detailed instructions for setting up your AWS account before the start of class

If you have additional questions about the laptop specifications, please contact

  • Security Analysts
  • Security Architects
  • Technical Security Managers
  • Security Monitoring Analysts
  • Cloud Security Architects
  • System Administrators
  • Cloud Administrators

The target students should be familiar with AWS and have worked with it hands-on, especially security professionals working in the cloud security field who understand basic threats and attack vectors.

The course will assume that students are able to understand or do the following without help:

  • Build an EC2 instance
  • Understand how IAM roles and policies work
  • Create access keys and configure the AWS command line interface
  • Create key pairs for SSH login
  • Create S3 buckets securely, understanding the basic security options
  • Understand VPCs, security groups, subnets, and routing
  • Navigate the AWS console

Author Statement

"Cloud service providers are giving us new tools faster than we can learn how to use them. As with any new and complex tool, we need to get past the surface-level "how-to" in order to radically reshape our infrastructure. This course is an overview of the elements of AWS that we may have used before and are ready to truly explore. At the end of the class, you can be confident in knowing you will be able to start looking for the threats, and can start building a true threat detection program in AWS."

- Shaun McCullough