homepage
Open menu
Talk with an expert
Major Update

SEC510: Cloud Security Controls and Mitigations™

GIAC Public Cloud Security (GPCS)
GIAC Public Cloud Security (GPCS)
Register Now Course Preview
  • In Person (5 days)
  • Online
38 CPEs

Today's organizations depend on complex, multicloud environments which must support hundreds of different services across multiple clouds. These services are often insecure by default and require substantially different methods to protect depending on the Cloud Service Provider (CSP) that hosts them. It is vital that security teams have a deep understanding of AWS, Azure, and Google Cloud services to lock them down effectively.

Checking off compliance requirements is simply not enough to protect the confidentiality, integrity, and availability of your organization's data, nor will it prevent attackers from taking your critical systems down. With the right controls, organizations can reduce their attack surface and prevent security incidents from becoming breaches. Mistakes are inevitable but you can limit the impact.

Course Authors:
Brandon Evans
Brandon Evans
Certified Instructor
Eric Johnson
Eric Johnson
Senior Instructor
What You Will LearnSyllabusCertificationPrerequisitesLaptop RequirementsAuthor StatementReviewsTraining & Pricing

What You Will Learn

Prevent real attacks with controls that matter

Protecting multicloud environments is challenging; Default security controls often fall short, and controls that work in one of the Big Three CSPs may not work in the others. Rather than focusing solely on compliance, organizations should prioritize attack driven controls to safeguard their most critical Cloud assets.

Whether an application is developed in-house or by a third party, accepting the inevitability of application flaws is key for implementing successful cloud security controls. While few cybersecurity professionals can fix vulnerable code, it's often easier to apply secure cloud configurations to mitigate these risks. Relying solely on CSP defaults and documentation is insufficient. SEC510 reveals numerous instances of incorrect, incomplete, or contradictory CSP controls. Additionally, if there is a zero-day vulnerability in a cloud service used by your organization, you must brace for that impact by controlling what you can.

While standards and frameworks, such as the MITRE ATT&CK Cloud Matrix, the Center for Internet Security (CIS) Cloud Provider Benchmarks, and the Cyber Defense Matrix, are helpful tools of the trade, they still have limits. That's why SEC510 goes beyond them to teach the techniques necessary to protect what matters to your organization. Mitigate the risk of common cloud mistakes with cloud security controls that matter and reduce your attack surface by eliminating misconfigurations.

"The course provided so much information and details about common security misconfigurations and mistakes in the cloud that one would not believe fit into the week. Very comprehensive, but the scary thing is that it feels like it is barely scratching the surface! Awesome job by the course authors." - Petr Sidopulos

What are Cloud Security Controls?

Cloud security controls are options provided by cloud service providers to limit exposure of cloud assets. Each CSP provides default controls that are often insecure, failing to consider the business case and needs of each customer. For secure cloud configuration that truly prevents real risk, the cloud security controls must be implemented based on business strategy, goals, and requirements by a professional who understands the nuances of various CSPs.

Business Benefits

  • Reduce the attack surface of your organization's cloud environments
  • Prevent incidents from becoming breaches through defense in-depth
  • Control the confidentiality, integrity, and availability of data in the Big 3 CSPs
  • Increase use of secure automation to keep up with the speed of today's business environment
  • Resolve unintentional access to sensitive cloud assets
  • Reduce the risk of ransomware impacting your organization's cloud data

Skills Learned

  • Make informed decisions in the Big 3 cloud service providers by understanding the inner workings of each of their Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) offerings
  • Implement secure Identity and Access Management (IAM) with multiple layers of defense-in-depth
  • Build and secure multi cloud networks with segmentation and access control
  • Encrypt data at rest and in-transit throughout each cloud
  • Control the confidentiality, integrity, and availability of data in each cloud storage service
  • Support non-traditional computing platforms like serverless Functions as a Service (FaaS)
  • Integrate each cloud provider with one another without the use of long-lived credentials
  • Automate security and compliance checks using cloud-native platforms
  • Quickly adopt third-party cloud vendors while minimizing the risk introduced by granting them access to cloud resources
  • Guide engineering teams in enforcing security controls using Terraform and Infrastructure-as-Code (IaC)

Hands-On Cloud Security Controls and Mitigations Training

SEC510: Cloud Security Controls and Mitigations reinforces all the concepts discussed in the lectures through hands-on labs in real cloud environments. Each lab includes a step-by-step guide as well as a "no hints" option for students who want to test their skills without assistance. This allows students to choose the level of difficulty that is best for them and fall back to the step-by-step guide as needed. Students can continue to use the lab instructions, application code, and IaC after the course concludes. With this, they can repeat every lab exercise in their own cloud environments as many times as they like.

SEC510 also offers students an opportunity to participate in Bonus Challenges each day in a gamified environment, while also providing more hands-on experience with the Big 3 CSPs and relevant utilities. Can you win the SEC510 Challenge Coin?

  • Section 1: IAM Fundamentals, Virtual Machine Credential Exposure, Broken Access Control and Policy Analysis, IAM Privilege Escalation, Bonus Challenges Section 1
  • Section 2: Control Ingress Traffic, Protecting Public Virtual Machines, Control Egress Traffic with Private Endpoints, Remote Code Execution via Private Endpoint Abuse, Bonus Challenges Section 2
  • Section 3: Detect and Prevent Improper Key Usage, "Encrypt all the Things!", Recover From Ransomeware, Sensitive Data Detection and Exfiltration, Bonus Challenges Section 3
  • Section 4: Serverless Prey, Hardening Serverless Functions, Using and Exploiting CIAM, Broken Firebase Database Access Control, Bonus Challenges Section 4
  • Section 5: Secure Multicloud Integration, Automated Benchmarking, Prevent Cross-Cloud Confused Deputy, Bonus Challenges Section 5

"Last month I took a course by one of the three big providers and almost everyday was a sales pitch for the first couple hours in it. That course also was geared towards clicking around in the console versus utilizing command line and terraform which was really cool." - Philip B, US Military

"This course is a MUST for anyone in this industry. I realized things in the cloud were (potentially) disastrous, but this has opened my eyes to how bad it really is. I already filed like 5 helpdesk tickets for my staff to get things fixed - Anita Simoni, County of Monterey ITD

"The exercises exceeded my expectations. They are practical implementations of the information learned in each section, build on each other, and provide a seamless way to validate your knowledge and learn the intricacies of the issues." - David Wayland

Syllabus Summary

  • Section 1 - Securely Use Cloud IAM and Defending IAM Credentials
  • Section 2 - Restrict Infrastructure and Data Access to Private Cloud Networks, Protect Public Virtual Machines, Use Secure Remote Access Capabilities, Prevent Remote Code Execution, and Enable Traffic Monitoring Capabilities
  • Section 3 - Manage Cryptographic Keys, Apply Encryption at Rest and In-Transit Across Cloud Services, Prevent Ransomware in Cloud Storage Services, Prevent Data Exfiltration, and Detect Sensitive Data in the Clouds
  • Section 4 - Secure Applications Running on Serverless FaaS, Protect Cloud Customer Identity and Access Management (CIAM) Platforms, Manage Application Consumer Identities, and Mitigate Security Issues in Firebase (a Suite of Services Acquired by and Integrated with Google Cloud)
  • Section 5 - Securely Authenticate Clouds to One Another, Automate Misconfiguration Benchmarking, and Mitigate Risks from Integrating with Cloud Vendors, including Cloud Security Posture Management (CSPM) Platforms.

Additional Free Resources

What You Will Receive

  • Printed and Electronic courseware
  • MP3 audio files of the course
  • Access to the SANS Cloud Security Flight Simulator
  • Thousands of lines of IaC and secure configurations for each cloud platform that you can use in your organization

What Comes Next?

SANS offers several courses that are excellent compliments to SEC510 depending on your job role:

Security Engineer

Security Analyst

Learn more about our job role-based training journeys here.

Syllabus (38 CPEs)

Download PDF
  • Overview

    SEC510 starts with a brief overview cloud breach trends, exploring why the vast majority of breaches are now happening in the cloud. We will explore how multicloud makes security harder, why organizations are going multicloud, and how both standardization and cloud agnosticism cannot solve the problem alone. We introduce three of the frameworks we will use throughout the course to implement attack-driven controls and mitigations: the MITRE ATT&CK Cloud Matrix, the Center for Internet Security (CIS) Cloud Foundational Benchmarks, and the Cyber Defense Matrix. Students will then initialize their lab environment and deploy a modern web application to each of the Big 3 providers.

    This leads into an analysis of one of the most fundamental and misunderstood concepts in cloud security: Identity and Access Management (IAM). This module will ensure that all students have a foundation of IAM knowledge on which the rest of the section is built. It covers the goals fulfilled by properly provisioning access, each cloud's IAM service (AWS IAM, Microsoft Entra ID, and Google Cloud Identity), and the various types of access control provided by each.

    The next module shifts the discussion from human identities to machine identities. Students will learn how workloads running on AWS Elastic Compute Cloud (EC2), Azure Virtual Machines (VMs), and the Google Cloud Compute Engine (GCE) are given temporary IAM credentials. They will then compromise real IAM credentials from their cloud virtual machines using the Instance Metadata Service (IMDS) to examine firsthand how an attacker can abuse them to access sensitive cloud data and consume cloud resources.

    With this foundation, students will discuss the primary vulnerability caused by granting permissions improperly: Broken Access Control (BAC). They will learn how to detect improper access and implement better permissions using a variety of tools. They will learn about the cloud-native tools designed for this purpose: the AWS IAM Access Analyzer, Microsoft Entra ID Permissions Management, and Google Cloud IAM Policy Intelligence. They will also explore how Large Language Models (LLMs) and Generative AI (GenAI) can augment this analysis. These strategies are critical to prevent a minor vulnerability from becoming front-page news.

    The section concludes by discussing a critical way that attackers can obtain improper permissions: Privilege Escalation. They will examine the many escalation paths that are available by default in each cloud provider. By implementing policy guardrails, they will drastically minimize the likelihood of privilege escalation being effective.

    Exercises
    • IAM Fundamentals
    • Virtual Machine Credential Exposure
    • Broken Access Control and Policy Analysis
    • IAM Privilege Escalation
    • Bonus Challenges (Section 1)
    Topics
    • Introduction
      • Cloud Breach Trends
      • Insecure Defaults
      • Multicloud Considerations
      • Shadow Cloud Accounts
      • Cloud Procurement Through Mergers and Acquisitions
      • Standardization and Cloud Agnosticism
      • MITRE ATT&CK Cloud Matrix
      • Center for Internet Security (CIS) Cloud Foundations Benchmarks
      • Cyber Defense Matrix
      • Lab Environment Introduction
      • HashiCorp Terraform Overview
    • Cloud Identity and Access Management (IAM)
      • AWS IAM
      • Microsoft Entra ID
      • Google Cloud Identity
      • Identity-Based Policies
      • Resource-Based Policies
      • Attribute-Based Access Control
      • Built-In vs. Custom Policies and Roles
      • AWS Organization Service Control Policy (SCP)
      • AWS Permissions Boundaries
      • AWS Session Policy
      • Azure Role-Based Access Control (RBAC)
      • Google Cloud Allow Policy
      • Google Cloud Deny Policy
    • Cloud Managed Identity and Metadata Services
      • Cloud Compute Services
      • Machine Identities
      • AWS Elastic Compute Cloud (EC2)
      • AWS IAM Roles
      • AWS Instance Profiles
      • Azure Virtual Machines (VMs)
      • Azure Managed Identity
      • Google Cloud Compute Engine (GCE)
      • Google Cloud Service Accounts
      • Instance Metadata Services (IMDS)
      • IMDS Exploits
      • Server-Side Request Forgery
      • Command Injection
      • IMDS Hardening
    • Broken Access Control and Policy Analysis
      • Exploiting Built-In Policies and Roles
      • Cloud Resource Hijacking
      • Using Custom Policies to Meet Business Requirements
      • Finding Broken Access Control
      • AWS IAM Access Analyzer
      • Microsoft Entra ID Permissions Management
      • Google Cloud IAM Policy Intelligence
      • Large Language Model (LLM) and Generative AI (GenAI) Overview
      • Using Large Language Models (LLMs) for IAM Policy Analysis
      • Effective and Ineffective Use-Case for Applying LLMs to Security
      • Broken Access Control via LLM Hallucinations
    • IAM Privilege Escalation
      • IAM Permission Editor
      • Transitive Identity Impersonation
      • Dangerous Built-In Policies and Roles
      • Default Machine Identity Permissions
      • Preventing Privilege Escalation
      • Policy Guardrails
  • Overview

    Section 2 covers how to lock down infrastructure and data using virtual private network controls. As the public cloud IP address blocks are well known and default network security is often lax, millions of sensitive assets are unnecessarily accessible to the public Internet. This section will ensure that none of these assets belong to your organization.

    It begins by demonstrating how ingress and egress traffic can be restricted within each provider. Students will analyze the damage that can be done without these controls using examples like accessing a public-facing database containing sensitive information. They will then eliminate unnecessary ingress traffic with secure cloud configuration.

    The next module dives deeper into protecting virtual machines running in the cloud Infrastructure as a Service (IaaS) platforms. It begins by showing how public IP addresses, administrative ports, and Serial Console services can be removed while allowing for secure administration via the AWS Systems Manager (SSM) Session Manager, Azure Bastion, Google Cloud OS Login, and the Google Cloud Identity-Aware Proxy (IAP). These techniques allow an organization to work effectively while keeping internal systems off the public internet. Then, it covers how VMs that must expose an HTTP(S) server can be protected with Cloud Application Load Balancers (ALBs) and built-in Web Application Firewall (WAF) services.

    With our infrastructure locked down, we pivot to preventing untrusted networks from accessing our Platform as a Service (PaaS) platforms using Private Endpoints. We will demonstrate how defenders can use these endpoints to restrict data access to internal networks. This topic is critical as an organization's most sensitive data is often stored in PaaS instead of IaaS.

    While private endpoints enable powerful protections, they can also be abused. Specifically, AWS Private Endpoints with improperly configured Endpoint Policies can be used to perform Remote Code Execution (RCE) in and data exfiltration from isolated networks without internet access. Students will use a malicious payload to exfiltrate data from a target's AWS account to an attacker's AWS account. They will then fix the Endpoint Policy to prevent this attack vector.

    The section concludes by covering how to enable cloud-based network analysis capabilities to address malicious traffic on network channels that cannot be blocked. Students will analyze cloud flow logs and search for indicators of compromise. This module covers flow logging solutions in all three cloud, Google Cloud Firewall Rules logging, AWS Traffic Mirroring, and Google Cloud Packet Mirroring. Many of these topics have associated Bonus Challenges.

    Exercises
    • Control Ingress Traffic
    • Protecting Public Virtual Machines
    • Control Egress Traffic with Private Endpoints
    • Remote Code Execution via Private Endpoint Abuse
    • Bonus Challenges (Section 2)
    Topics
    • Cloud Virtual Networks
      • Network Service Scanning
      • Default Network Configuration
      • Internet Gateways
      • NAT Gateways
      • AWS Security Groups
      • AWS NACLs
      • Azure Network Security Groups
      • Google Cloud Firewall Rules
    • Protecting Public Virtual Machines
      • Eliminate Public IP Addresses
      • Block SSH and RDP Administrative Access
      • Disable Serial Console Debug Access
      • AWS Systems Manager (SSM) Session Manager
      • Azure Bastion
      • Google Cloud OS Login
      • Google Cloud Identity-Aware Proxy (IAP)
      • Cloud Application Load Balancers (ALBs)
      • Built-In Web Application Firewall (WAF) Services
    • Private Endpoint Security
      • AWS PrivateLink
      • Azure Private Link
      • Google Cloud Private Google Access
      • Google Cloud VPC Service Controls
      • Custom Service Endpoints
      • Supply-Chain Attacks via Software Packages
      • Remote Code Execution (RCE)
    • Private Endpoint Abuse
      • AWS Private Endpoint Policy
      • Remote Code Execution Without Internet Access
      • Malicious Payload Delivery via S3 and Private Endpoints
      • Data Exfiltration via AWS CloudTrail
    • Enabling Traffic Monitoring
      • Flow Logging
      • Google Cloud Firewall Rules Logging
      • AWS Traffic Mirroring
      • Google Cloud Packet Mirroring
  • Overview

    Data security is as important, if not more important, in the cloud than it is on-premises. There are countless cloud data leaks that could have been prevented with the appropriate controls. This section examines the cloud services that enable data encryption, secure storage, ransomware protection, access control, data loss detection, policy enforcement, and more.

    The first half of Section 3 covers all you need to know about encryption in the cloud. Students will learn about each provider's cryptographic key management solution and how it can be used to apply multiple layers of encryption at rest. Students will also learn how in-transit encryption is performed throughout the cloud, such as the encryption between clients, load balancers, applications, and database servers. These techniques will improve your organization's security while satisfying its legal and compliance needs.

    The second half of Section 3 is primarily focused on cloud storage services. After briefly discussing the most basic storage security technique, turning off public access, it will cover more advanced controls like organization-wide access control, ransomware mitigations, file versioning, data retention, and more. It concludes with a discussion of additional data exfiltration paths and how to automatically detect sensitive data storage.

    Exercises
    • Detect and Prevent Improper Key Usage
    • Encrypt All The Things!
    • Recover From Ransomware
    • Sensitive Data Detection and Exfiltration
    • Bonus Challenges (Section 3)
    Topics
    • Cryptographic Key Management
      • AWS KMS
      • Azure Key Vault
      • Google Cloud KMS
      • Overview of Single-Tenant Alternatives: AWS CloudHSM, Azure Dedicated HSM, Azure Key Vault Managed HSM, and Google Cloud Bare Metal (Rack) HSM
      • Key Usage Audit Logging
    • Encryption with Cloud Services
      • Disk-Level Encryption
      • Service-Level Encryption
      • Column-Level Encryption
      • In-Transit Encryption
      • Enforcing Encryption Consistently Across Cloud Services
    • Cloud Storage Platforms
      • Access Control
      • Ransomware Prevention and Recovery
      • Audit Logs
      • Data Retention
      • Supply-Chain Attacks via Developer Tools
    • Sensitive Data Exfiltration
      • Data Exfiltration Paths
      • Signed URLs
    • Sensitive Data Detection
      • Amazon Macie
      • Amazon CloudWatch Logs Data Protection
      • Overview of Microsoft Purview and Azure Information Protection
      • Google Cloud Data Loss Prevention / Sensitive Data Protection
  • Overview

    This section teaches students how to secure the infrastructure powering their cloud-based applications and how to protect the users of those applications. It begins with a computing paradigm taking the industry by storm: serverless Functions as a-Service (FaaS). It balances the discussion of the challenges serverless introduces with the advantages it provides in securing product development and security operations. After introspecting the serverless runtime environments using Serverless Prey (an open-source tool written by the course authors), students will examine and harden practical serverless functions in a real environment.

    The next module covers how Customer Identity and Access Management (CIAM) can help track and authenticate the users of an organization's applications. It does a deep dive into AWS's CIAM solution, Amazon Cognito, and how its default configuration can be exploited to perform user enumeration and account takeover attacks. It also shows how users in Cognito User Pools can obtain dangerous AWS IAM permissions using Cognito Identity Pools. Most importantly, it will demonstrate how these attacks can be prevented.

    This section also covers Google Cloud's CIAM solution, Google Cloud Identity for Customers and Partners (CICP). Google Cloud obtained this service through their acquisition of a company named Firebase. The section concludes with a detailed breakdown of this CIAM and its interplay with Firebase's flagship products, the Realtime Database and Cloud Firestore. These highly popular but rarely reviewed services are serverless databases with many access control considerations and security implications for Google Cloud projects.

    Exercises
    • Serverless Prey
    • Harden Serverless Functions
    • Using and Exploiting CIAM
    • Broken Firebase Database Access Control
    • Bonus Challenges (Section 4)
    Topics
    • Cloud Serverless Functions
      • AWS Lambda
      • Azure Functions and the Azure App Service
      • Google Cloud Functions / Google Cloud Run Functions
      • Security Advantages and Concerns for Serverless
      • Function as a Service Controls
      • Persistence with Serverless
    • Cloud Customer Identity and Access Management (CIAM)
      • Overview of OAuth 2.0, OpenID Connect (OIDC), and SAML
      • Amazon Cognito User Pools
      • User Enumeration Attacks
      • Amazon Cognito User Account Takeover Attacks
      • Amazon Cognito Identity Pools
      • Amazon Cognito AWS IAM Broken Access Control
      • Google Cloud Identity for Customers and Partners
      • Firebase Authentication
    • Firebase Databases and Google Cloud Implications
      • Firebase Realtime Database
      • Cloud Firestore
      • Google Cloud Privilege Escalation via Firebase
      • Compliance Concerns
  • Overview

    The course concludes with practical guidance on how to operate an organization across multiple cloud providers. Many of the topics discussed in the course become more complicated if an organization's cloud providers are integrated with one another. We begin by discussing how multicloud integration impacts Identity and Access Management (IAM). Many organizations use long-lived credentials to support multicloud integrations. These credentials are much more valuable to attackers than those that are short-lived. Although students will learn best practices for long-lived credentials, this will only mitigate the risk, not eliminate it. This module goes one step further by demonstrating novel ways to use Workload Identity Federation to authenticate from one cloud provider to another with short-lived cloud credentials.

    The next module covers the cloud-native Cloud Security Posture Management (CSPM) services. Students will use these services to automate security checks for the CIS Benchmarks covered throughout the course. With these capabilities, an organization can take the lessons learned in SEC510 and apply them at scale.

    The final module ties these two topics together. Most organizations would prefer to use a single platform to secure all of their clouds. This requires a vendor to have access to the organization's cloud accounts. Organizations should distrust external services at least as much, if not more so, than their internal systems and users. This module provides the key requirements for minimizing the level of trust vested in these vendors and reducing the risk that this trust is abused. Students will explore this topic by using Multicloud CSPM services as an example. Specifically, they will learn about Microsoft Defender for Cloud's cross-cloud CSPM capabilities. They will analyze a case study of a critical vulnerability in Microsoft Defender for Cloud, discovered by the authors of this course, that could be used to access sensitive data in an organization's linked AWS accounts. Finally, they will implement mitigations to prevent similar types of exploits from being performed via third-party cloud vendors.

    Exercises
    • Secure Multicloud Integration
    • Automated Benchmarking
    • Prevent Cross-Cloud Confused Deputy
    • Bonus Challenges (Section 5)
    Topics
    • Multicloud Access Management
      • Risks of Long-Lived Credentials
      • Workload Identity Federation
      • Cross-Cloud Authentication Without Long-Lived Credentials
    • Cloud Security Posture Management
      • AWS Security Hub
      • Microsoft Defender for Cloud
      • Google Cloud Security Command Center
    • Vendor Integration and Multicloud Security Posture Management
      • Third-Party Multicloud Security Posture Management
      • Vendor Integration Assessment Criteria
      • Microsoft Defender for Cloud's Cross-Cloud CSPM Capabilities
      • The Confused Deputy Problem
      • Confused Deputy Vulnerability in Microsoft Defender for Cloud
      • Mitigating Cross-Customer Broken Access Control via Cloud Vendors
      • Denying Excessive Permissions to Cloud Vendors
    • Summary
    • Additional Resources

GIAC Public Cloud Security

The GIAC Public Cloud Security (GPCS) certification validates a practitioner's ability to secure the cloud in both public and multi cloud environments. GPCS-certified professionals are familiar with the nuances of AWS, Azure, GCP and have the skills needed to defend each of these platforms.

  • Evaluation and comparison of public cloud service providers
  • Auditing, hardening, and securing public cloud environments
  • Introduction to multi-cloud compliance and integration
More Certification Details

Prerequisites

Although SEC510 uses Terraform Infrastructure-as-Code to deploy and configure services in each cloud for the labs, students will not need in-depth knowledge of Terraform or need to understand any of the syntax used. However, students will be introduced at a high level to what this code accomplishes.

The following are courses or equivalent experiences that are prerequisites for SEC510:

  • SANS SEC488: Cloud Security Essentials or hands-on experience using the AWS and Azure Cloud.
  • Students must have basic familiarity with the high-level concepts of cloud IAM and networking.
  • Students must be comfortable working with the Bash commands.

NOTE: This is not an application security course, and it will not teach you how to fix vulnerable application code. Instead, it will teach you practical controls and mitigations that you can use to prevent AppSec incidents from becoming breaches. While knowing how to code is helpful, it is not strictly required for this course.

Laptop Requirements

The SEC510 course labs contain lab exercises for AWS, Azure, and GCP. Most labs can be completed with any one of these providers. However, we strongly recommend completing the labs for all three providers to learn how the services in each differ in small, yet critical ways. Experiencing this nuance in these interactive labs will help you better defend each platform and prepare for the GPCS certification.

SANS will provide students with the AWS accounts, Azure subscription, and Google Cloud project required to complete the labs for those providers.

OnDemand students:

  • Students can dynamically provision access to their AWS accounts, Azure subscription, and Google Cloud project by logging in to their SANS account and visiting the My Labs page.
  • When cloud account provisioning is complete, students can download time-limited credentials for accessing the cloud account.

Live events (In Person or Live Online)

  • Students are automatically provisioned access to their AWS account, Azure subscription, and Google Cloud project 24 hours before class starts.
  • Students can log in to their SANS account and visit the My Labs page to download their cloud credentials the day before class begins.

Mandatory Laptop Requirement:

Students must bring their own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Students must be in full control of their system's network configuration. The system will need to communicate with the cloud-hosted lab environment using a combination of HTTPS, SSH, and SOCKS5 traffic on non-standard ports. Running VPN, intercepting proxy, or egress firewall filters may cause connection issues communicating with the lab environment. Students must be able to configure or disable these services.

Bring Your Own Laptop Configured Using The Following Directions:

A properly configured system is required for each student participating in this course. Before starting your course, carefully read and follow these instructions exactly:

  • Operating system must be the latest version of Windows 10, macOS 10.15.x or later, or a Linux distribution that also can install and run the Firefox browser described below.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Must have the ability to install Firefox, enable a Firefox extension, and install a new trusted root certificate on the machine.
  • Prior to class, ensure that the following software is installed on the host operating system:

In Summary

Before beginning the course, you should:

SANS will be providing access to the following cloud environments: AWS, Azure, and Google Cloud. Unfortunately, due to some cloud security controls we cannot control, sometimes the login you receive requires verification with a valid phone number where you can receive text messages (virtual numbers will not work). Please ensure you have and are willing to provide your phone number to the cloud provider should this situation occur.

After you have completed those steps, access the SANS provider cloud accounts to connect to the SANS Cloud Security Flight Simulator. The SEC510 Flight Simulator server hosts an electronic workbook, terminal, and other services that can be accessed through the Firefox browser.

must access the "Setup Instructions" document in the Course Material Downloads section of your SANS portal and follow its instructions before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"The use of multiple public cloud providers introduces new challenges and opportunities for security and compliance professionals. As the service offering landscape is constantly evolving, it is far too easy to prescribe security solutions that are not effective in all clouds. While it is tempting to dismiss the multicloud movement or block it at the enterprise level, this will only make the problem harder to control.

"Why do teams adopt multiple cloud providers in the first place? To make their jobs easier or more enjoyable. Developers are creating products that meet the organization's goals, not for the central security team. If a team discovers that a service offering can help get its product to market faster, it can and should use it. Security should embrace the inevitability of the multicloud movement and take on the hard work of implementing guardrails so the organization can move quickly and safely.

"The multicloud storm is here, whether you like it or not. Prevent the rain from drowning your organization."

- Brandon Evans and Eric Johnson

"Simply outstanding! All the way around. Very well done." - Ryan Stillions, IBM X-Force IR

Ways to Learn

  • OnDemand

Cybersecurity learning – at YOUR pace! OnDemand provides unlimited access to your training wherever, whenever. All labs, exercises, and live support from SANS subject matter experts included.

Register Now
  • Live Online

The full SANS experience live at home! Get the ultimate in virtual, interactive SANS courses with leading SANS instructors via live stream. Following class, plan to kick back and enjoy a keynote from the couch.

View Available Dates & Time Zones
  • In Person (5 days)

Did someone say ALL-ACCESS? On-site immersion via in-classroom course sessions led by world-class SANS instructors fill your day, while bonus receptions and workshops fill your evenings.

View Available Dates & Locations

Who Should Attend SEC510?

  • Security analysts
  • Security engineers
  • Security researchers
  • Cloud engineers, DevOps engineers
  • Security auditors
  • System administrators
  • Operations personnel
  • Anyone who is responsible for:
    • Evaluating and adopting new cloud offerings
    • Researching new vulnerabilities and developments in cloud security
    • Handling Identity and Access Management
    • Managing a cloud-based virtual network
    • Secure configuration management

NICE Framework Work Roles

  • Security Control Assessor (OPM 612)
  • Enterprise Architect (OPM 651)
  • Security Architect (OPM 652)
  • Research & Development Specialist (OPM 661)
  • Information Systems Security Developer (OPM 631)

"I would definitely recommend this course. I consider the security topics covered to be critical knowledge for companies that are hosting in the cloud. The course content has been very well put together, well researched, and is very applicable." - Dan Van Wingerden, Radiology Partners

See prerequisites

Need to justify a training request to your manager?

Use this justification letter template to share the key details of this training and certification opportunity with your boss.

Download the Letter

Reviews

The course content exceeded my expectations regarding the breadth and depth of information and specifics to each cloud. Excellent content.
David Wayland
Brandon gave me the best experience I’ve ever had with labs. I usually fall behind on labs because I try to understand everything I’m doing. I was able to do that but also just copy and paste if I had to catch up.
Aaron Landrum
Oxy
I maintain that this is the single best SANS class available (and I just got my 8th cert). If you can only take one course - this is the one.
Joshua Wiley
TikTok
If you Cloud, you need this course - <period>.
Sean Ayres
UPS
One of the best SANS courses I have taken. I am going to recommend this training to other company InfoSec Professionals in our company.
Randy Freston
BoA
    Africa/Abidjan
    Africa/Accra
    Africa/Addis Ababa
    Africa/Algiers
    Africa/Asmara
    Africa/Asmera
    Africa/Bamako
    Africa/Bangui
    Africa/Banjul
    Africa/Bissau
    Africa/Blantyre
    Africa/Brazzaville
    Africa/Bujumbura
    Africa/Cairo
    Africa/Casablanca
    Africa/Ceuta
    Africa/Conakry
    Africa/Dakar
    Africa/Dar es Salaam
    Africa/Djibouti
    Africa/Douala
    Africa/El Aaiun
    Africa/Freetown
    Africa/Gaborone
    Africa/Harare
    Africa/Johannesburg
    Africa/Juba
    Africa/Kampala
    Africa/Khartoum
    Africa/Kigali
    Africa/Kinshasa
    Africa/Lagos
    Africa/Libreville
    Africa/Lome
    Africa/Luanda
    Africa/Lubumbashi
    Africa/Lusaka
    Africa/Malabo
    Africa/Maputo
    Africa/Maseru
    Africa/Mbabane
    Africa/Mogadishu
    Africa/Monrovia
    Africa/Nairobi
    Africa/Ndjamena
    Africa/Niamey
    Africa/Nouakchott
    Africa/Ouagadougou
    Africa/Porto-Novo
    Africa/Sao Tome
    Africa/Timbuktu
    Africa/Tripoli
    Africa/Tunis
    Africa/Windhoek
    America/Adak
    America/Anchorage
    America/Anguilla
    America/Antigua
    America/Araguaina
    America/Argentina/Buenos Aires
    America/Argentina/Catamarca
    America/Argentina/ComodRivadavia
    America/Argentina/Cordoba
    America/Argentina/Jujuy
    America/Argentina/La Rioja
    America/Argentina/Mendoza
    America/Argentina/Rio Gallegos
    America/Argentina/Salta
    America/Argentina/San Juan
    America/Argentina/San Luis
    America/Argentina/Tucuman
    America/Argentina/Ushuaia
    America/Aruba
    America/Asuncion
    America/Atikokan
    America/Atka
    America/Bahia
    America/Bahia Banderas
    America/Barbados
    America/Belem
    America/Belize
    America/Blanc-Sablon
    America/Boa Vista
    America/Bogota
    America/Boise
    America/Buenos Aires
    America/Cambridge Bay
    America/Campo Grande
    America/Cancun
    America/Caracas
    America/Catamarca
    America/Cayenne
    America/Cayman
    America/Chicago
    America/Chihuahua
    America/Ciudad Juarez
    America/Coral Harbour
    America/Cordoba
    America/Costa Rica
    America/Creston
    America/Cuiaba
    America/Curacao
    America/Danmarkshavn
    America/Dawson
    America/Dawson Creek
    America/Denver
    America/Detroit
    America/Dominica
    America/Edmonton
    America/Eirunepe
    America/El Salvador
    America/Ensenada
    America/Fort Nelson
    America/Fort Wayne
    America/Fortaleza
    America/Glace Bay
    America/Godthab
    America/Goose Bay
    America/Grand Turk
    America/Grenada
    America/Guadeloupe
    America/Guatemala
    America/Guayaquil
    America/Guyana
    America/Halifax
    America/Havana
    America/Hermosillo
    America/Indiana/Indianapolis
    America/Indiana/Knox
    America/Indiana/Marengo
    America/Indiana/Petersburg
    America/Indiana/Tell City
    America/Indiana/Vevay
    America/Indiana/Vincennes
    America/Indiana/Winamac
    America/Indianapolis
    America/Inuvik
    America/Iqaluit
    America/Jamaica
    America/Jujuy
    America/Juneau
    America/Kentucky/Louisville
    America/Kentucky/Monticello
    America/Knox IN
    America/Kralendijk
    America/La Paz
    America/Lima
    America/Los Angeles
    America/Louisville
    America/Lower Princes
    America/Maceio
    America/Managua
    America/Manaus
    America/Marigot
    America/Martinique
    America/Matamoros
    America/Mazatlan
    America/Mendoza
    America/Menominee
    America/Merida
    America/Metlakatla
    America/Mexico City
    America/Miquelon
    America/Moncton
    America/Monterrey
    America/Montevideo
    America/Montreal
    America/Montserrat
    America/Nassau
    America/New York
    America/Nipigon
    America/Nome
    America/Noronha
    America/North Dakota/Beulah
    America/North Dakota/Center
    America/North Dakota/New Salem
    America/Nuuk
    America/Ojinaga
    America/Panama
    America/Pangnirtung
    America/Paramaribo
    America/Phoenix
    America/Port-au-Prince
    America/Port of Spain
    America/Porto Acre
    America/Porto Velho
    America/Puerto Rico
    America/Punta Arenas
    America/Rainy River
    America/Rankin Inlet
    America/Recife
    America/Regina
    America/Resolute
    America/Rio Branco
    America/Rosario
    America/Santa Isabel
    America/Santarem
    America/Santiago
    America/Santo Domingo
    America/Sao Paulo
    America/Scoresbysund
    America/Shiprock
    America/Sitka
    America/St Barthelemy
    America/St Johns
    America/St Kitts
    America/St Lucia
    America/St Thomas
    America/St Vincent
    America/Swift Current
    America/Tegucigalpa
    America/Thule
    America/Thunder Bay
    America/Tijuana
    America/Toronto
    America/Tortola
    America/Vancouver
    America/Virgin
    America/Whitehorse
    America/Winnipeg
    America/Yakutat
    America/Yellowknife
    Antarctica/Casey
    Antarctica/Davis
    Antarctica/DumontDUrville
    Antarctica/Macquarie
    Antarctica/Mawson
    Antarctica/McMurdo
    Antarctica/Palmer
    Antarctica/Rothera
    Antarctica/South Pole
    Antarctica/Syowa
    Antarctica/Troll
    Antarctica/Vostok
    Arctic/Longyearbyen
    Asia/Aden
    Asia/Almaty
    Asia/Amman
    Asia/Anadyr
    Asia/Aqtau
    Asia/Aqtobe
    Asia/Ashgabat
    Asia/Ashkhabad
    Asia/Atyrau
    Asia/Baghdad
    Asia/Bahrain
    Asia/Baku
    Asia/Bangkok
    Asia/Barnaul
    Asia/Beirut
    Asia/Bishkek
    Asia/Brunei
    Asia/Calcutta
    Asia/Chita
    Asia/Choibalsan
    Asia/Chongqing
    Asia/Chungking
    Asia/Colombo
    Asia/Dacca
    Asia/Damascus
    Asia/Dhaka
    Asia/Dili
    Asia/Dubai
    Asia/Dushanbe
    Asia/Famagusta
    Asia/Gaza
    Asia/Harbin
    Asia/Hebron
    Asia/Ho Chi Minh
    Asia/Hong Kong
    Asia/Hovd
    Asia/Irkutsk
    Asia/Istanbul
    Asia/Jakarta
    Asia/Jayapura
    Asia/Jerusalem
    Asia/Kabul
    Asia/Kamchatka
    Asia/Karachi
    Asia/Kashgar
    Asia/Kathmandu
    Asia/Katmandu
    Asia/Khandyga
    Asia/Kolkata
    Asia/Krasnoyarsk
    Asia/Kuala Lumpur
    Asia/Kuching
    Asia/Kuwait
    Asia/Macao
    Asia/Macau
    Asia/Magadan
    Asia/Makassar
    Asia/Manila
    Asia/Muscat
    Asia/Nicosia
    Asia/Novokuznetsk
    Asia/Novosibirsk
    Asia/Omsk
    Asia/Oral
    Asia/Phnom Penh
    Asia/Pontianak
    Asia/Pyongyang
    Asia/Qatar
    Asia/Qostanay
    Asia/Qyzylorda
    Asia/Rangoon
    Asia/Riyadh
    Asia/Saigon
    Asia/Sakhalin
    Asia/Samarkand
    Asia/Seoul
    Asia/Shanghai
    Asia/Singapore
    Asia/Srednekolymsk
    Asia/Taipei
    Asia/Tashkent
    Asia/Tbilisi
    Asia/Tehran
    Asia/Tel Aviv
    Asia/Thimbu
    Asia/Thimphu
    Asia/Tokyo
    Asia/Tomsk
    Asia/Ujung Pandang
    Asia/Ulaanbaatar
    Asia/Ulan Bator
    Asia/Urumqi
    Asia/Ust-Nera
    Asia/Vientiane
    Asia/Vladivostok
    Asia/Yakutsk
    Asia/Yangon
    Asia/Yekaterinburg
    Asia/Yerevan
    Atlantic/Azores
    Atlantic/Bermuda
    Atlantic/Canary
    Atlantic/Cape Verde
    Atlantic/Faeroe
    Atlantic/Faroe
    Atlantic/Jan Mayen
    Atlantic/Madeira
    Atlantic/Reykjavik
    Atlantic/South Georgia
    Atlantic/St Helena
    Atlantic/Stanley
    Australia/ACT
    Australia/Adelaide
    Australia/Brisbane
    Australia/Broken Hill
    Australia/Canberra
    Australia/Currie
    Australia/Darwin
    Australia/Eucla
    Australia/Hobart
    Australia/LHI
    Australia/Lindeman
    Australia/Lord Howe
    Australia/Melbourne
    Australia/NSW
    Australia/North
    Australia/Perth
    Australia/Queensland
    Australia/South
    Australia/Sydney
    Australia/Tasmania
    Australia/Victoria
    Australia/West
    Australia/Yancowinna
    Brazil/Acre
    Brazil/DeNoronha
    Brazil/East
    Brazil/West
    CET
    CST6CDT
    Canada/Atlantic
    Canada/Central
    Canada/Eastern
    Canada/Mountain
    Canada/Newfoundland
    Canada/Pacific
    Canada/Saskatchewan
    Canada/Yukon
    Chile/Continental
    Chile/EasterIsland
    Cuba
    EET
    EST
    EST5EDT
    Egypt
    Eire
    Etc/GMT
    Etc/GMT+0
    Etc/GMT+1
    Etc/GMT+10
    Etc/GMT+11
    Etc/GMT+12
    Etc/GMT+2
    Etc/GMT+3
    Etc/GMT+4
    Etc/GMT+5
    Etc/GMT+6
    Etc/GMT+7
    Etc/GMT+8
    Etc/GMT+9
    Etc/GMT-0
    Etc/GMT-1
    Etc/GMT-10
    Etc/GMT-11
    Etc/GMT-12
    Etc/GMT-13
    Etc/GMT-14
    Etc/GMT-2
    Etc/GMT-3
    Etc/GMT-4
    Etc/GMT-5
    Etc/GMT-6
    Etc/GMT-7
    Etc/GMT-8
    Etc/GMT-9
    Etc/GMT0
    Etc/Greenwich
    Etc/UCT
    Etc/UTC
    Etc/Universal
    Etc/Zulu
    Europe/Amsterdam
    Europe/Andorra
    Europe/Astrakhan
    Europe/Athens
    Europe/Belfast
    Europe/Belgrade
    Europe/Berlin
    Europe/Bratislava
    Europe/Brussels
    Europe/Bucharest
    Europe/Budapest
    Europe/Busingen
    Europe/Chisinau
    Europe/Copenhagen
    Europe/Dublin
    Europe/Gibraltar
    Europe/Guernsey
    Europe/Helsinki
    Europe/Isle of Man
    Europe/Istanbul
    Europe/Jersey
    Europe/Kaliningrad
    Europe/Kiev
    Europe/Kirov
    Europe/Kyiv
    Europe/Lisbon
    Europe/Ljubljana
    Europe/London
    Europe/Luxembourg
    Europe/Madrid
    Europe/Malta
    Europe/Mariehamn
    Europe/Minsk
    Europe/Monaco
    Europe/Moscow
    Europe/Nicosia
    Europe/Oslo
    Europe/Paris
    Europe/Podgorica
    Europe/Prague
    Europe/Riga
    Europe/Rome
    Europe/Samara
    Europe/San Marino
    Europe/Sarajevo
    Europe/Saratov
    Europe/Simferopol
    Europe/Skopje
    Europe/Sofia
    Europe/Stockholm
    Europe/Tallinn
    Europe/Tirane
    Europe/Tiraspol
    Europe/Ulyanovsk
    Europe/Uzhgorod
    Europe/Vaduz
    Europe/Vatican
    Europe/Vienna
    Europe/Vilnius
    Europe/Volgograd
    Europe/Warsaw
    Europe/Zagreb
    Europe/Zaporozhye
    Europe/Zurich
    GB
    GB-Eire
    GMT
    GMT+0
    GMT-0
    GMT0
    Greenwich
    HST
    Hongkong
    Iceland
    Indian/Antananarivo
    Indian/Chagos
    Indian/Christmas
    Indian/Cocos
    Indian/Comoro
    Indian/Kerguelen
    Indian/Mahe
    Indian/Maldives
    Indian/Mauritius
    Indian/Mayotte
    Indian/Reunion
    Iran
    Israel
    Jamaica
    Japan
    Kwajalein
    Libya
    MET
    MST
    MST7MDT
    Mexico/BajaNorte
    Mexico/BajaSur
    Mexico/General
    NZ
    NZ-CHAT
    Navajo
    PRC
    PST8PDT
    Pacific/Apia
    Pacific/Auckland
    Pacific/Bougainville
    Pacific/Chatham
    Pacific/Chuuk
    Pacific/Easter
    Pacific/Efate
    Pacific/Enderbury
    Pacific/Fakaofo
    Pacific/Fiji
    Pacific/Funafuti
    Pacific/Galapagos
    Pacific/Gambier
    Pacific/Guadalcanal
    Pacific/Guam
    Pacific/Honolulu
    Pacific/Johnston
    Pacific/Kanton
    Pacific/Kiritimati
    Pacific/Kosrae
    Pacific/Kwajalein
    Pacific/Majuro
    Pacific/Marquesas
    Pacific/Midway
    Pacific/Nauru
    Pacific/Niue
    Pacific/Norfolk
    Pacific/Noumea
    Pacific/Pago Pago
    Pacific/Palau
    Pacific/Pitcairn
    Pacific/Pohnpei
    Pacific/Ponape
    Pacific/Port Moresby
    Pacific/Rarotonga
    Pacific/Saipan
    Pacific/Samoa
    Pacific/Tahiti
    Pacific/Tarawa
    Pacific/Tongatapu
    Pacific/Truk
    Pacific/Wake
    Pacific/Wallis
    Pacific/Yap
    Poland
    Portugal
    ROC
    ROK
    Singapore
    Turkey
    UCT
    US/Alaska
    US/Aleutian
    US/Arizona
    US/Central
    US/East-Indiana
    US/Eastern
    US/Hawaii
    US/Indiana-Starke
    US/Michigan
    US/Mountain
    US/Pacific
    US/Samoa
    UTC
    Universal
    W-SU
    WET
    Zulu
    Filters:
    Training Formats
          Location
          Dates

          Register for SEC510

          Learn about Group Pricing

          Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

          Loading...