SEC510: Cloud Security Controls and Mitigations

SEC510: Cloud Security Controls and Mitigations 4GB 2025



Today's organizations depend on complex, multicloud environments which must support hundreds of different services across multiple clouds. These services are often insecure by default and require substantially different methods to protect depending on the Cloud Service Provider (CSP) that hosts them. It is vital that security teams have a deep understanding of AWS, Azure, and Google Cloud services to lock them down effectively.

Checking off compliance requirements is simply not enough to protect the confidentiality, integrity, and availability of your organization's data, nor will it prevent attackers from taking your critical systems down. With the right controls, organizations can reduce their attack surface and prevent security incidents from becoming breaches. Mistakes are inevitable but you can limit the impact.


What You Will Learn​

Prevent real attacks with controls that matter

Protecting multicloud environments is challenging: default security controls often fall short, and controls that work in one of the Big Three CSPs may not work in the others. Rather than focusing solely on compliance, organizations should prioritize attack-driven controls to safeguard their most critical cloud assets.

Whether an application is developed in-house or by a third party, accepting the inevitability of application flaws is key for implementing successful cloud security controls. While few cybersecurity professionals can fix vulnerable code, it's often easier to apply secure cloud configurations to mitigate these risks. Relying solely on CSP defaults and documentation is insufficient. SEC510 reveals numerous instances of incorrect, incomplete, or contradictory CSP controls. Additionally, if there is a zero-day vulnerability in a cloud service used by your organization, you must brace for that impact by controlling what you can.

While standards and frameworks, such as the MITRE ATT&CK Cloud Matrix, the Center for Internet Security (CIS) Cloud Provider Benchmarks, and the Cyber Defense Matrix, are helpful tools of the trade, they still have limits. That's why SEC510 goes beyond them to teach the techniques necessary to protect what matters to your organization. Mitigate the risk of common cloud mistakes with cloud security controls that matter and reduce your attack surface by eliminating misconfigurations.

"The course provided so much information and details about common security misconfigurations and mistakes in the cloud that one would not believe fit into the week. Very comprehensive, but the scary thing is that it feels like it is barely scratching the surface! Awesome job by the course authors." - Petr Sidopulos

What are Cloud Security Controls?​

Cloud security controls are options provided by cloud service providers to limit exposure of cloud assets. Each CSP provides default controls that are often insecure, failing to consider the business case and needs of each customer. For secure cloud configuration that truly prevents real risk, the cloud security controls must be implemented based on business strategy, goals, and requirements by a professional who understands the nuances of various CSPs.

Business Benefits​

  • Reduce the attack surface of your organization's cloud environments
  • Prevent incidents from becoming breaches through defense in depth
  • Control the confidentiality, integrity, and availability of data in the Big 3 CSPs
  • Increase use of secure automation to keep up with the speed of today's business environment
  • Resolve unintentional access to sensitive cloud assets
  • Reduce the risk of ransomware impacting your organization's cloud data

Skills Learned​

  • Make informed decisions in the Big 3 cloud service providers using deep insights covered for each of their Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) offerings
  • Inform your protections from case studies covering real attacks impacting organizations with mature security programs
  • Go beyond the documentation to prove exactly how security controls work, or fail to work, in real environments
  • Implement multiple layers of Identity and Access Management (IAM) using advanced conditions
  • Combine identity and network security capabilities to fend off threats with the best of both perimeters
  • Enforce sensitive data encryption at scale
  • Recover from cloud storage ransomware to quickly resume business operations
  • Support advanced, non-traditional computing platforms like serverless Functions as a Service (FaaS)
  • Perform cross-cloud integrations without the use of dangerous, long-lived credentials
  • Automate security and compliance checks using cloud-native platforms
  • Quickly adopt third-party cloud vendors while minimizing the risk introduced by granting them access to sensitive data
  • Guide engineering teams in enforcing security controls using Terraform and Infrastructure-as-Code (IaC)

Hands-On Cloud Security Controls and Mitigations Training​

SEC510: Cloud Security Controls and Mitigations reinforces all the concepts discussed in the lectures through hands-on labs in real cloud environments. Each lab includes a step-by-step guide as well as a "no hints" option for students who want to test their skills without assistance. This allows students to choose the level of difficulty that is best for them and fall back to the step-by-step guide as needed. Students can continue to use the lab instructions, application code, and IaC after the course concludes. With this, they can repeat every lab exercise in their own cloud environments as many times as they like.

SEC510 also offers students an opportunity to participate in Bonus Challenges each day in a gamified environment, while also providing more hands-on experience with the Big 3 CSPs and relevant utilities. Can you win the SEC510 Challenge Coin?

  • Section 1: IAM Fundamentals, Virtual Machine Credential Exposure, Broken Access Control and Policy Analysis, IAM Privilege Escalation, Bonus Challenges Section 1
  • Section 2: Control Ingress Traffic, Protecting Public Virtual Machines, Control Egress Traffic with Private Endpoints, Remote Code Execution via Private Endpoint Abuse, Bonus Challenges Section 2
  • Section 3: Detect and Prevent Improper Key Usage, "Encrypt all the Things!", Recover From Ransomware, Sensitive Data Detection and Exfiltration, Bonus Challenges Section 3
  • Section 4: Serverless Prey, Hardening Serverless Functions, Using and Exploiting CIAM, Broken Firebase Database Access Control, Bonus Challenges Section 4
  • Section 5: Secure Multicloud Integration, Automated Benchmarking, Prevent Cross-Cloud Confused Deputy, Bonus Challenges Section 5
"Last month I took a course by one of the three big providers and almost every day was a sales pitch for the first couple hours in it. That course also was geared towards clicking around in the console versus utilizing command line and Terraform which was really cool." - Philip B, US Military

"This course is a MUST for anyone in this industry. I realized things in the cloud were (potentially) disastrous, but this has opened my eyes to how bad it really is. I already filed like 5 helpdesk tickets for my staff to get things fixed." - Anita Simoni, County of Monterey ITD

"The exercises exceeded my expectations. They are practical implementations of the information learned in each section, build on each other, and provide a seamless way to validate your knowledge and learn the intricacies of the issues." - David Wayland

Syllabus Summary​

  • Section 1 - Securely Use Cloud IAM and Defending IAM Credentials
  • Section 2 - Restrict Infrastructure and Data Access to Private Cloud Networks, Protect Public Virtual Machines, Use Secure Remote Access Capabilities, Prevent Remote Code Execution, and Enable Traffic Monitoring Capabilities
  • Section 3 - Manage Cryptographic Keys, Apply Encryption at Rest and In-Transit Across Cloud Services, Prevent Ransomware in Cloud Storage Services, Prevent Data Exfiltration, and Detect Sensitive Data in the Clouds
  • Section 4 - Secure Applications Running on Serverless FaaS, Protect Cloud Customer Identity and Access Management (CIAM) Platforms, Manage Application Consumer Identities, and Mitigate Security Issues in Firebase (a Suite of Services Acquired by and Integrated with Google Cloud)
  • Section 5 - Securely Authenticate Clouds to One Another, Automate Misconfiguration Benchmarking, and Mitigate Risks from Integrating with Cloud Vendors, including Cloud Security Posture Management (CSPM) Platforms.

What You Will Receive​

  • Printed and Electronic courseware
  • MP3 audio files of the course
  • Access to the SANS Cloud Security Flight Simulator
  • Thousands of lines of IaC and secure configurations for each cloud platform that you can use in your organization

What Comes Next?​

SANS offers several courses that are excellent complements to SEC510 depending on your job role:

Security Engineer

Security Analyst




GIAC Public Cloud Security​

The GIAC Public Cloud Security (GPCS) certification validates a practitioner's ability to secure the cloud in both public and multicloud environments. GPCS-certified professionals are familiar with the nuances of AWS, Azure, and GCP and have the skills needed to defend each of these platforms.

  • Evaluation and comparison of public cloud service providers
  • Auditing, hardening, and securing public cloud environments
  • Introduction to multi-cloud compliance and integration

Prerequisites​

Although SEC510 uses Terraform Infrastructure-as-Code to deploy and configure services in each cloud for the labs, students will not need in-depth knowledge of Terraform or need to understand any of the syntax used. However, students will be introduced at a high level to what this code accomplishes.

The following are courses or equivalent experiences that are prerequisites for SEC510:

  • This link is hidden for visitors. Please Log in or register now.
    or hands-on experience using the AWS and Azure Cloud.
  • Students must have basic familiarity with the high-level concepts of cloud IAM and networking.
  • Students must be comfortable working with Bash commands.
NOTE: This is not an application security course, and it will not teach you how to fix vulnerable application code. Instead, it will teach you practical controls and mitigations that you can use to prevent AppSec incidents from becoming breaches. While knowing how to code is helpful, it is not strictly required for this course.

Laptop Requirements​

The SEC510 course labs contain lab exercises for AWS, Azure, and GCP. Most labs can be completed with any one of these providers. However, we strongly recommend completing the labs for all three providers to learn how the services in each differ in small, yet critical ways. Experiencing this nuance in these interactive labs will help you better defend each platform and prepare for the GPCS certification.

SANS will provide students with the AWS accounts, Azure subscription, and Google Cloud project required to complete the labs for those providers.

OnDemand students:

  • Students can dynamically provision access to their AWS accounts, Azure subscription, and Google Cloud project by logging in to their SANS account and visiting the My Labs page.
  • When cloud account provisioning is complete, students can download time-limited credentials for accessing the cloud account.
Live events (In Person or Live Online):

  • Students are automatically provisioned access to their AWS account, Azure subscription, and Google Cloud project 24 hours before class starts.
  • Students can log in to their SANS account and visit the My Labs page to download their cloud credentials the day before class begins.

Mandatory Laptop Requirement:​

Students must bring their own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Students must be in full control of their system's network configuration. The system will need to communicate with the cloud-hosted lab environment using a combination of HTTPS, SSH, and SOCKS5 traffic on non-standard ports. Running VPN, intercepting proxy, or egress firewall filters may cause connection issues communicating with the lab environment. Students must be able to configure or disable these services.

Bring Your Own Laptop Configured Using The Following Directions:​

A properly configured system is required for each student participating in this course. Before starting your course, carefully read and follow these instructions exactly:

  • Operating system must be the latest version of Windows 10, macOS 10.15.x or later, or a Linux distribution that also can install and run the Firefox browser described below.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Must have the ability to install Firefox, enable a Firefox extension, and install a new trusted root certificate on the machine.
  • Prior to class, ensure that the following software is installed on the host operating system:

In Summary​

Before beginning the course, you should:

  • Have a laptop with an up-to-date operating system
  • Download the SEC510 Lab Setup Instructions from your sans.org account
SANS will be providing access to the following cloud environments: AWS, Azure, and Google Cloud. Unfortunately, due to some cloud security controls we cannot control, sometimes the login you receive requires verification with a valid phone number where you can receive text messages (virtual numbers will not work). Please ensure you have and are willing to provide your phone number to the cloud provider should this situation occur.

After you have completed those steps, access the SANS provider cloud accounts to connect to the SANS Cloud Security Flight Simulator. The SEC510 Flight Simulator server hosts an electronic workbook, terminal, and other services that can be accessed through the Firefox browser.

must access the "Setup Instructions" document in the Course Material Downloads section of your SANS portal and follow its instructions before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.


Author Statement​

"The use of multiple public cloud providers introduces new challenges and opportunities for security and compliance professionals. As the service offering landscape is constantly evolving, it is far too easy to prescribe security solutions that are not effective in all clouds. While it is tempting to dismiss the multicloud movement or block it at the enterprise level, this will only make the problem harder to control.

"Why do teams adopt multiple cloud providers in the first place? To make their jobs easier or more enjoyable. Developers are creating products that meet the organization's goals, not for the central security team. If a team discovers that a service offering can help get its product to market faster, it can and should use it. Security should embrace the inevitability of the multicloud movement and take on the hard work of implementing guardrails so the organization can move quickly and safely.

"The multicloud storm is here, whether you like it or not. Prevent the rain from drowning your organization."



"Simply outstanding! All the way around. Very well done." - Ryan Stillions, IBM X-Force IR


