homepage
Open menu
Contact Sales

Designing Access to Shared Datasets in the Cloud

  • Wednesday, 15 Mar 2023 10:00AM EDT (15 Mar 2023 14:00 UTC)
  • Speaker: Kat Traxler

This workshop is structured around teaching students how to construct access to shared datasets in S3 and more broadly, cementing in their minds the threats to consider when using cloud-native storage. Students will dive headlong into a case study where they will serve as the Cloud Security Architect Consultant for a fictional company undergoing the growing pains of a nascent cloud migration. Tasks in this workshop challenge the student to first understand a tangled web of access controlled via a single policy document and subsequently dissect the access pattern, creating new policy attachment points for each data consumer. Finally, students will demonstrate how to restrict access to data subsets at the network-level.Lab work is initially done in a browser-based diagramming tool to complete the desired pattern.  The real fun begins when students log into the AWS console to “See It in Action”.  Students are encouraged to have a trust but verify mentality and ensure their requirements have been met. Investigating the implementation of the diagramed pattern is prompted through a CTF style game that runs all through the workshop - prompting students to inspect corners of the architecture for clues and controls, earning points along the way.

Instructor Led Exercises:

  • Threat modeling S3
  • Access control for Shared Datasets

Workshop Objectives

  • Review the data flow diagram of an external ingestion pattern using S3
  • Evaluate the Attack Surface and the Trust Boundaries crossed when data is both written and read from S3
  • Consider possible threats to a system using S3 as an ingestion point
  • Delegate bucket-level access control to access points
  • Segment object access by data consumer through access point policy.
  • Depicted the layering of policy to restrict access at the network layer to specific data classes.
  • Diagram the new access model and log into the AWS console to verify the real-life implementation.

Prerequisite Knowledge:

  • A cursory understanding of the AWS access model is helpful as the basics of Identity and Access Management in AWS will not be covered, however, in-depth knowledge is not required.
  • Familiarity with AWS Management Console

System Requirements

  • Current Web Browser with internet access (i.e. Chrome, Safari, Edge, or Firefox)
  • In this environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Login to Register

Related Content

Blog
CLD_-_Aviata_Cloud_Solo_Flight_Challenge_-_General_-_Workshop_340_x_340.jpg
Cloud Security
Aviata Cloud Solo Flight Challenge
Master cloud security by tackling this free series of workshops.
Cloud_Ace_Final.png
SANS Cloud Security
read more
Blog
N2C_blog_image.png
Security Awareness, Cybersecurity Leadership, Cloud Security, Open-Source Intelligence (OSINT), Industrial Control Systems Security, Digital Forensics, Incident Response & Threat Hunting, Cybersecurity and IT Essentials, Cyber Defense, Offensive Operations, Pen Testing, and Red Teaming, CyberLive, Workforce Development, Career Development, Why Certify, Imposter Syndrome, NetWars, Mentorship, Job Hunting, Operating System & Device In-Depth, Artificial Intelligence (AI)
A Visual Summary of SANS New2Cyber Summit 2024
Check out these graphic recordings created in real-time throughout the event for SANS New2Cyber Summit 2024
370x370-person-placeholder.png
Alison Kim
read more
Blog
340x340-Homepage_Inclusions_Cloud_Security_Curriculum.jpg
Cloud Security
Cloud Agnostic or Devout?
Why Securing Multiple Clouds Using Terraform is Harder Than You Think
BrandonEvans_Headshot_370x370.png
Brandon Evans
read more