SEC510: Cloud Security Controls and Mitigations

GIAC Public Cloud Security (GPCS)
GIAC Public Cloud Security (GPCS)
  • In Person (5 days)
  • Online
38 CPEs

Today's organizations depend on complex, multicloud environments which must support hundreds of different services across multiple clouds. These services are often insecure by default. Similar services in different Cloud Service Providers (CSPs) need to be protected using very different methods. Security teams need a deep understanding of AWS, Azure, and Google Cloud services to lock them down properly. Checking off compliance requirements is not enough to protect the confidentiality, integrity, and availability of your organization's data, nor will it prevent attackers from taking your critical systems down. With the right controls, organizations can reduce their attack surface and prevent security incidents from becoming breaches. Mistakes happen. Limit the impact of the inevitable.

What You Will Learn

Prevent real attacks with controls that matter

Protecting multicloud environments is hard. Default controls are insecure more often than not. A security control that works in one of the Big 3 CSPs may not work the same in another. Many cloud security controls are focused on compliance rather than being derived from real attack case studies. Attack-driven controls are necessary to protect an organization's most important cloud-based assets.

Accepting the inevitability of application flaws, whether the application is developed in-house or by a third-party, is fundamental for successful cloud security controls. Not many cybersecurity professionals can fix vulnerable application code. Thankfully, it is typically easier to apply secure cloud configuration to mitigate the impact of these vulnerabilities. Relying on the CSP's security defaults and documentation is insufficient. SEC510 exposes many examples of incorrect, incomplete, or contradictory CSP controls. Additionally, if there is a zero-day vulnerability in a cloud service used by your organization, you must brace for that impact by controlling what you can.

SEC510 leverages standards and frameworks where useful, such as the MITRE ATT&CK Cloud Matrix, the Center for Internet Security (CIS) Cloud Provider Benchmarks, and the Cyber Defense Matrix. These tools have limits, and SEC510 goes beyond them to teach the techniques needed to protect what matters to the organization. Mitigate the risk of common cloud mistakes with cloud security controls that matter and reduce your attack surface by eliminating misconfigurations.

"The course provided so much information and details about common security misconfigurations and mistakes in the cloud that one would not believe fit into the week. Very comprehensive, but the scary thing is that it feels like it is barely scratching the surface! Awesome job by the course authors." - Petr Sidopulos

Business Benefits

  • Reduce the attack surface of your organization's cloud environments
  • Prevent incidents from becoming breaches through defense in-depth
  • Control the confidentiality, integrity, and availability of data in the Big 3 CSPs
  • Increase use of secure automation to keep up with the speed of today's business environment
  • Resolve all unintentional access to business sensitive cloud assets

Skills Learned

  • Make informed decisions in the Big 3 cloud service providers by understanding the inner workings of each of their Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) offerings
  • Implement secure Identity and Access Management (IAM) with multiple layers of defense-in-depth
  • Build and secure multi cloud networks with segmentation and access control
  • Encrypt data at rest and in-transit throughout each cloud
  • Control the confidentiality, integrity, and availability of data in each cloud storage service
  • Support non-traditional computing platforms like Application Services and serverless Functions as a Service (FaaS)
  • Integrate each cloud provider with one another without the use of long-lived credentials
  • Automate security and compliance checks using cloud-native platforms
  • Guide engineering teams in enforcing security controls using Terraform and Infrastructure-as-Code (IaC)

What Are Cloud Security Controls?

Cloud security controls are options provided by cloud service providers to limit exposure of cloud assets. Each CSP provides default controls that are often insecure, failing to consider the business case and needs of each customer. For secure cloud configuration that truly prevents real risk, the cloud security controls must be implemented based on business strategy, goals, and requirements by a professional who understands the nuances of various CSPs.

Hands-On Cloud Security Controls and Mitigation Training

SEC510: Cloud Security Controls and Mitigations reinforces all the concepts discussed in the lectures through hands-on labs in real cloud environments. Each lab includes a step-by-step guide as well as a "no hints" option for students who want to test their skills without assistance. This allows students to choose the level of difficulty that is best for them and fall back to the step-by-step guide as needed. Students can continue to use the lab instructions, application code, and IaC after the course concludes. With this, they can repeat every lab exercise in their own cloud environments as many times as they like.

SEC510 also offers students an opportunity to participate in Bonus Challenges each day in a gamified environment, while also providing more hands-on experience with the Big 3 CSPs and relevant utilities. Can you win the SEC510 Challenge Coin?

  • Section 1: VM Credential Exposure, Hardening AWS IAM Policies, Hardening Azure and GCP Policies, Advanced IAM features, Bonus Challenges Section 1
  • Section 2: Network Lockdown, Analyzing Network Traffic, Private Endpoint Security, Cloud VPN and Managed SSH, Bonus Challenges Section 2
  • Section 3: Audit Decryption Events, "Encrypt all the Things!", Storage Service Lockdown, Sensitive Data Detection and Exfiltration, Bonus Challenges Section 3
  • Section 4: App Service Security, Serverless Prey, Hardening Serverless Functions, Login with the Microsoft Identity Platform, Broken Firebase Database Access Control, Bonus Challenges Section 4
  • Section 5: Secure Multicloud Integration, Automated Benchmarking, Microsoft Defender and Multicloud, Bonus Challenge Finale, Lab Teardown, Bonus Challenges Section 5

"Excellent course and instruction by Brandon! Last month I took a course by one of the three big providers and almost everyday was a sales pitch for the first couple hours in it. That course also was geared towards clicking around in the console versus utilizing command line and terraform which was really cool." - Philip B, US Military

"Labs are amazing, they cover all the content we review over the lecture." - Enrique Gamboa, ALG

"Labs are insane. Such a great setup. I'm learning a ton and plus will be able to build upon this great foundation." - Kevin Sahota, 604 Security

"The exercises exceeded my expectations. They are practical implementations of the information learned in each section, build on each other, and provide a seamless way to validate your knowledge and learn the intricacies of the issues." - David Wayland

Syllabus Summary

  • Section 1 - Securely Use Cloud IAM and Defending IAM Credentials
  • Section 2 - Restrict Infrastructure and Data Access to Private Cloud Networks, Monitor for Suspicious Network Traffic, and Use Secure Remote Access Capabilities
  • Section 3 - Manage Cryptographic Keys, Apply Encryption at Rest and In-Transit Across Cloud Services, Protect Data in Cloud Storage Services, Audit Encryption Key and Storage Access, and Detect Sensitive Data in the Clouds
  • Section 4 - Secure the Cloud Compute Services that Run Applications Including Serverless FaaS, Manage Application Consumer Identities, and Analyze Firebase (a Suite of Services Acquired by and Integrated with Google Cloud)
  • Section 5 - Authenticate Clouds to One Another and Automate Misconfiguration Benchmarking

Additional Free Resources

What You Will Receive

  • Printed and Electronic courseware
  • MP3 audio files of the course
  • Access to the SANS Cloud Security Flight Simulator
  • Thousands of lines of IaC and secure configurations for each cloud platform that you can use in your organization

What Comes Next?

SANS offers several courses that are excellent compliments to SEC510 depending on your job role:

Security Engineer

Security Analyst

Learn more about our job role-based training journeys at

Notice to Students

Please plan to arrive 30 minutes early before your first session for lab preparation and set-up. During this time, students can confirm that their cloud accounts are properly provisioned and connect to the Cloud Security Flight Simulator. For live classes (online or in-person), the instructor will be available to assist students with set-up 30 minutes prior to the course start time. The lecture will begin at the scheduled course start time.

Syllabus (38 CPEs)

Download PDF
  • Overview

    SEC510 starts with a brief overview cloud breach trends, exploring why the vast majority of breaches are now happening in the cloud. We will explore how multicloud makes security harder, why organizations are going multicloud, and how both standardization and cloud agnosticism cannot solve the problem alone. We introduce three of the frameworks we will use throughout the course to implement attack-driven controls and mitigations: the MITRE ATT&CK Cloud Matrix, the Center for Internet Security (CIS) Cloud Foundational Benchmarks, and the Cyber Defense. Students will then initialize their lab environment and deploy a modern web application to each of the Big 3 providers.

    This leads into an analysis of one of the most fundamental and misunderstood concepts in cloud security: Identity and Access Management (IAM). Students will compromise real IAM credentials from cloud virtual machines using the Instance Metadata Service (IMDS) to examine firsthand how an attacker can use them to access sensitive cloud data.

    The remainder of this section will focus on how to harden the IMDS and leverage well-written IAM policies to minimize the harm caused by such attacks. These strategies are critical to prevent a minor vulnerability from becoming front-page news.

    • VM Credential Exposure
    • Hardening AWS IAM Policies
    • Hardening Azure and GCP Policies
    • Advanced IAM Features
    • Bonus Challenges (Section 1)
    • Introduction
      • Cloud Breach Trends
      • Insecure Defaults
      • Multicloud Considerations
      • Shadow Cloud Accounts
      • Cloud Procurement Through Mergers and Acquisitions
      • Standardization and Cloud Agnosticism
      • MITRE ATT&CK Cloud Matrix
      • Center for Internet Security (CIS) Cloud Foundations Benchmarks
      • Cyber Defense Matrix
      • Lab Environment Introduction
      • HashiCorp Terraform Overview
    • Identity and Access Management
      • Identities
      • Policies
      • Organization-Wide Controls
      • AWS IAM
      • Azure Active Directory (Azure AD) and Microsoft Entra ID
      • Google Cloud IAM
    • Cloud Metadata and Credential Services
      • The Cloud Instance Metadata Service (IMDS) for each cloud provider
      • IMDS Compromise Case Study
      • IMDS Hardening
    • Related Application Vulnerabilities
      • Command Injection
      • Server-side request forgery
  • Overview

    Section 2 covers how to lock down infrastructure within a virtual private network. As the public cloud IP address blocks are well known and default network security is often lax, millions of sensitive assets are unnecessarily accessible to the public Internet. This section will ensure that none of these assets belong to your organization.

    It begins by demonstrating how ingress and egress traffic can be restricted within each provider. Students will analyze the damage that can be done without these controls by accessing a public-facing database and creating a reverse shell session in each environment. We will then eliminate both attack vectors with secure cloud configuration.

    The next module covers cloud-based network analysis capabilities to address malicious traffic on network channels that cannot be blocked. Students will analyze cloud flow logs and search for indicators of compromise. The module also covers AWS Traffic Mirroring and Google Cloud Packet Mirroring, both of which have associated Bonus Challenges.

    With our infrastructure locked down, we pivot to controlling network access to PaaS using Private Endpoints. We will demonstrate how defenders can use these endpoints to restrict data access to internal networks and how attackers can abuse them to exfiltrate data.

    This section concludes with techniques for securely granting organization members access to assets in private cloud networks. These techniques allow an organization to work effectively while keeping internal systems off the public internet.

    • Network Lockdown
    • Analyzing Network Traffic
    • Private Endpoint Security
    • Cloud VPN and Managed SSH
    • Bonus Challenges (Section 2)
    • Cloud Virtual Networks
      • Network Service Scanning
      • Default Network Configuration
      • Network Security Groups
    • Network Traffic Analysis
      • Flow Logging
      • AWS Traffic Mirroring
      • Google Cloud Packet Mirroring
      • Google Cloud Firewall Rules Logging
    • Private Endpoints
      • AWS Private Link
      • Azure Private Link
      • Google Cloud Private Google Access
      • Google Cloud VPC Service Controls
      • Custom Service Endpoints
    • Advanced Remote Access
      • Managed SSH
      • Hybrid VPN Gateways
      • AWS Session Manager
      • Azure Bastion
      • Google Cloud OS Login
      • Google Cloud Identity-Aware Proxy (IAP)
    • Command and Control Servers Software Supply-Chain Attacks
  • Overview

    Data security is as important, if not more important, in the cloud than it is on-premises. There are countless cloud data leaks that could have been prevented with the appropriate controls. This section examines the cloud services that enable data encryption, secure storage, access control, data loss detection, policy enforcement, and more.

    The first half of Section 3 covers all you need to know about encryption in the cloud. Students will learn about each provider's cryptographic key management solution and how it can be used to apply multiple layers of encryption at rest. Students will also learn how in-transit encryption is performed throughout the cloud, such as the encryption between clients, load balancers, applications, and database servers. These techniques will improve your organization's security while satisfying its legal and compliance needs.

    The second half of Section 3 is primarily focused on cloud storage services. After briefly discussing the most basic storage security technique, turning off public access, it will cover more advanced controls like organization-wide access control, file versioning, data retention, secure transit, and more. It concludes with a discussion of additional data exfiltration paths and how to automatically detect sensitive data storage.

    • Audit Decryption Events
    • Encrypt All The Things!
    • Storage Service Lockdown
    • Sensitive Data Detection and Exfiltration
    • Bonus Challenges (Section 3)
    • Cryptographic Key Management
      • AWS KMS
      • Azure Key Vault
      • Google Cloud KMS
      • Overview of Single-Tenant Alternatives: AWS CloudHSM, Azure Dedicated HSM, and Azure Key Vault Managed HSM
      • Key Usage Audit Logging
    • Encryption with Cloud Services
      • Disk-Level Encryption
      • Service-Level Encryption
      • Column-Level Encryption
      • In-Transit Encryption
    • Cloud Storage Platforms
      • Access Control
      • Audit Logs
      • Data Retention
    • Sensitive Data Detection and Exfiltration
      • Data Exfiltration Paths
      • Signed URLs
      • Amazon Macie
      • Amazon CloudWatch Logs Data Protection
      • Overview of Microsoft Purview and Azure Information Protection
      • Google Cloud Data Loss Prevention
  • Overview

    This section teaches students how to secure the infrastructure powering their cloud-based applications and how to protect the users of those applications. It begins with App Services, platforms that simplify the process of running and scaling cloud applications. This leads into a computing paradigm taking the industry by storm: serverless Functions as a-Service (FaaS). It balances the discussion of the challenges serverless introduces with the advantages it provides in securing product development and security operations. After introspecting the serverless runtime environments using Serverless Prey (an open-source tool written by the course authors), students will examine and harden practical serverless functions in a real environment. They will also learn how FaaS security impacts App Service security.

    The next module covers how Customer Identity and Access Management (CIAM) can help track and authenticate the users of an organization's applications. The Google Cloud Platform obtained their CIAM services through their acquisition of a company named Firebase. The section concludes with a detailed breakdown of this CIAM and its interplay with Firebase's flagship product, the Realtime Database. This highly popular but rarely reviewed service is a serverless database with many access control considerations and security implications for Google Cloud projects.

    • App Service Security
    • Serverless Prey
    • Hardening Serverless Functions
    • Login with the Microsoft Identity Platform
    • Broken Firebase Database Access Control
    • Bonus Challenges (Section 4)
    • App Services
      • Overview of AWS Elastic Beanstalk
      • Azure App Service
      • Google App Engine
    • Cloud Serverless Functions
      • Security Advantages and Concerns
      • Function as a Service Defense
      • Persistence with Serverless
    • Cloud Customer Identity and Access Management (CIAM)
      • Overview of OAuth 2.0, OpenID Connect (OIDC), and SAML
      • Amazon Cognito User Pools
      • Microsoft Identity Platform
      • Overview of Azure AD Business-to-Consumer (B2C) and Microsoft Entra External ID for Customers
      • Google Cloud Identity for Customers and Partners (CICP)
      • Firebase Authentication
    • Firebase Databases and Google Cloud Implications
      • Realtime Database
      • Cloud Firestore
      • Google Cloud Privilege Escalation via Firebase
      • Compliance Concerns
  • Overview

    The course concludes with practical guidance on how to operate an organization across multiple cloud providers. Many of the topics discussed in the sections become more complicated if an organization's cloud providers are integrated with one another. We begin by discussing multicloud integration impacts Identity and Access Management (IAM). Many organizations use long-lived credentials to support multicloud integrations. These credentials are much more valuable to attackers than those that are short-lived. Although students will learn best practices for long-lived credentials, this will only mitigate the risk, not eliminate it. This module goes one step further by demonstrating novel ways to use Workload Identity Federation to authenticate from one cloud provider to another with short-lived cloud credentials.

    The next module covers the cloud-native Cloud Security Posture Management (CSPM) services. Students will use these services to automate security checks for the CIS Benchmarks covered throughout the course. With these capabilities, an organization can take the lessons learned in SEC510 and apply them at scale.

    The final module, Multicloud CSPM, ties these two topics together. Most organizations would prefer to use a single platform to assess the security posture of all their clouds. After learning about the third-party multicloud CSPM services, students will leverage Workload Identity such that Microsoft Defender for Cloud to analyze the security posture of all three cloud providers. If implemented properly, this capability will be invaluable to security organizations. If done wrong, this integration can decrease the security of the organization's AWS accounts and Google Cloud projects. This module will highlight these pitfalls to ensure that students engineer this correctly from the start.

    • Secure Multicloud Integration
    • Automated Benchmarking
    • Microsoft Defender and Multicloud
    • Bonus Challenge Finale
    • Lab Teardown
    • Bonus Challenges (Section 5)
    • Multicloud Access Management
      • Risks from Long-Lived Credentials
      • Workload Identity Federation
      • Cross-Cloud Authentication Without Long-Lived Credentials
    • Cloud Security Posture Management
      • AWS Security Hub
      • Azure Security Center
      • Google Cloud Security Command Center
      • Open-Source Solutions
    • Multicloud Security Posture Management
      • Third-Party Multicloud Security Posture Management
      • Microsoft Defender for Cloud CSPM
    • Summary
    • Additional Resources

GIAC Public Cloud Security

The GIAC Public Cloud Security (GPCS) certification validates a practitioner's ability to secure the cloud in both public cloud and multi cloud environments. GPCS-certified professionals are familiar with the nuances of AWS, Azure, GCP and have the skills needed to defend each of these platforms.

  • Evaluation and comparison of public cloud service providers
  • Auditing, hardening, and securing public cloud environments
  • Introduction to multi-cloud compliance and integration
More Certification Details


Although SEC510 uses Terraform Infrastructure-as-Code to deploy and configure services in each cloud for the labs, students will not need in-depth knowledge of Terraform or need to understand any of the syntax used. However, students will be introduced at a high level to what this code accomplishes.

The following are courses or equivalent experiences that are prerequisites for SEC510:

  • SANS SEC488: Cloud Security Essentials or hands-on experience using the AWS and Azure Cloud.
  • Students must have basic familiarity with the high-level concepts of cloud IAM and networking.
  • Students must be comfortable working with the Bash commands.

NOTE: This is not an application security course, and it will not teach you how to fix vulnerable application code. Instead, it will teach you practical controls and mitigations that you can use to prevent AppSec incidents from becoming breaches. While knowing how to code is helpful, it is not strictly required for this course.

Laptop Requirements

The SEC510 course labs contain lab exercises for AWS, Azure, and GCP. Most labs can be completed with any one of these providers. However, we strongly recommend completing the labs for all three providers to learn how the services in each differ in small, yet critical ways. Experiencing this nuance in these interactive labs will help you better defend each platform and prepare for the GPCS certification.

  • SANS will provide students with the AWS account and Azure subscription required to complete the labs for those providers.
  • Students must bring their own Google Cloud account to complete the Google Cloud course labs.

Prior to the start of class, students must create a Google Cloud account if they would like to complete the associated labs.

  • This account must be brand new (never used for any other purpose).
  • Students who would like to complete the Firebase lab must create a Google Cloud account even if they choose not to complete the rest of the Google Cloud exercises.
  • New Google Cloud users get $300 in free credits, which should be sufficient for completing the labs as long as the lab environment is not kept active for an extended period of time.
  • Students can create the Google Cloud account here:

OnDemand students:

  • Students can dynamically provision access to their AWS or Azure accounts by logging in to their SANS account and visiting the My Labs page.
  • When cloud account provisioning is complete, students can download time-limited credentials for accessing the cloud accounts

Live events (In Person or Live Online)

  • Students are automatically provisioned access to both AWS and Azure accounts 24 hours before class starts.
  • Students can log in to their SANS account and visit the MyLabs page to download their cloud credentials the day before class begins.

Students must bring their own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Students must be in full control of their system's network configuration. The system will need to communicate with the cloud-hosted lab environment using a combination of HTTPS, SSH, and SOCKS5 traffic on non-standard ports. Running VPN, intercepting proxy, or egress firewall filters may cause connection issues communicating with the lab environment. Students must be able to configure or disable these services.


A properly configured system is required for each student participating in this course. Before starting your course, carefully read and follow these instructions exactly:

  • Operating system must be the latest version of Windows 10, macOS 10.15.x or later, or a Linux distribution that also can install and run the Firefox browser described below.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Must have the ability to install Firefox, enable a Firefox extension, and install a new trusted root certificate on the machine.
  • Prior to class, ensure that the following software is installed on the host operating system:

Before beginning the course, you should:

After you have completed those steps, access the SANS provider cloud accounts to connect to the SANS Cloud Security Flight. The SEC510 Flight Simulator server hosts an electronic workbook, terminal, and other services that can be accessed through the Firefox browser.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"The use of multiple public cloud providers introduces new challenges and opportunities for security and compliance professionals. As the service offering landscape is constantly evolving, it is far too easy to prescribe security solutions that are not effective in all clouds. While it is tempting to dismiss the multicloud movement or block it at the enterprise level, this will only make the problem harder to control.

"Why do teams adopt multiple cloud providers in the first place? To make their jobs easier or more enjoyable. Developers are creating products that meet the organization's goals, not for the central security team. If a team discovers that a service offering can help get its product to market faster, it can and should use it. Security should embrace the inevitability of the multicloud movement and take on the hard work of implementing guardrails so the organization can move quickly and safely.

"The multicloud storm is here, whether you like it or not."

- Brandon Evans and Eric Johnson

"Simply outstanding! All the way around. Very well done." - Ryan Stillions, IBM X-Force IR


I maintain that this is the single best SANS class available (and I just got my 8th cert). If you can only take one course - this is the one.
Joshua Wiley
Brandon gave me the best experience I’ve ever had with labs. I usually fall behind on labs because I try to understand everything I’m doing. I was able to do that but also just copy and paste if I had to catch up.
Aaron Landrum
The course content exceeded my expectations regarding the breadth and depth of information and specifics to each cloud. Excellent content.
David Wayland
If you Cloud, you need this course - <period>.
Sean Ayres
One of the best SANS courses I have taken. I am going to recommend this training to other company InfoSec Professionals in our company.
Randy Freston

    Register for SEC510

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.