SEC510: Cyber Security Training at SANS Cyber Security Central: May 2023

What You Will Learn

Multiple Clouds Require Multiple Solutions

SEC510 provides cloud security practitioners, analysts, and researchers with an in-depth understanding of the inner workings of the most popular public cloud providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Students will learn industry-renowned standards and methodologies, such as the MITRE ATT&CK Cloud Matrix and CIS Cloud Benchmarks, then apply that knowledge in hands-on exercises to assess a modern web application that leverages the cloud native offerings of each provider. Students will launch unhardened services, analyze the security configuration, validate that they are insufficiently secure, deploy patches, and validate the remediation. Through this process students will learn the philosophies that undergird each provider and how these have influenced their services and will leave the course confident that they have the knowledge they need when adopting services and Platform as a Service (PaaS) / Infrastructure as a Service (IaaS) offerings in each cloud.

The Big 3 cloud providers alone provide more services than any one company can consume. As security professionals, it can be tempting to limit what the developers use to the tried-and-true solutions of yesteryear. Unfortunately, this approach will inevitably fail as the product development organization sidelines a security entity that is unwilling to change. Functionality drives adoption, not security, and if a team discovers a service offering that can help get its product to market quicker than the competition, it can and should use it. SEC510 gives you the ability to provide relevant and modern guidance and guardrails to these teams to enable them to move both quickly and safely.

"This class was an excellent investment. I learned a great deal about the various strengths and weaknesses in the 3 largest cloud providers' default services and default configurations as well as inherent insecurities that can't be easily mitigated. There is a great deal of actionable content that I can take back to my team as we work to monitor and help our clients secure their cloud environments." - John Senn, EY

  • Be proactive in embracing the multicloud trend safely. It is impossible for an organization to standardize on a single cloud provider. A survey from Forrester shows that 86% of organizations identify as multicloud. Even if you do not want to use multiple clouds, mergers and acquisitions make this inevitable.
  • Effective cloud security practitioners need to know how the Big 3 providers differ. Security concepts do not always translate from cloud-to-cloud. A great strategy for one can be catastrophic for another.
  • All security-minded organizations require professional reconfiguration as most cloud services are highly insecure by default.
  • Storage security is much more than just closing public buckets. Even private assets can be compromised by competent attackers.
  • Security is 5+ years behind development and needs to play catch-up. Technologies that security considers to be cutting-edge, like serverless, have been used in production for a very long time.
  • Understand the inner workings of cloud services and Platform as a Service (PaaS) / Infrastructure as a Service (IaaS) offerings in order to make more informed decisions in the cloud
  • Understand the design philosophies that undergird each provider and how these have influenced their services in order to properly prescribe security solutions for them
  • Discover the unfortunate truth that many cloud services are adopted before their security controls are fully fleshed out
  • Understand Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) in depth.
  • Understand the intricacies of Identity and Access Management, one of the most fundamental concepts in the cloud and yet one of the least understood
  • Understand cloud networking and how locking it down is a critical aspect of defense-in-depth in the cloud
  • Analyze how each provider handles encryption at rest and in transit in order to prevent sensitive data loss
  • Apply defense-in-depth techniques to protect data in cloud storage
  • Compare and contrast the serverless platforms of each provider
  • Explore the service offering landscape to discover what is driving the adoption of multiple cloud platforms and to assess the security of services at the bleeding edge, such as serverless platforms
  • Utilize multicloud IAM and cloud Single Sign-On to provide secure access to resources across cloud accounts and providers
  • Automate security and compliance checks using cloud-native platforms and open-source solutions
  • Understand Terraform Infrastructure-as-Code well enough to share it with your engineering team as a starting point for implementing the controls discussed in the course

SEC510: Public Cloud Security: AWS, Azure, and GCP consolidates all of the concepts discussed in the lectures through hands-on labs. In the labs, students will assess a modern web application written with Next.js, React, and Sequelize that leverages the cloud native offerings of each provider. Each lab includes a step-by-step guide as well as a "no hints" option for students who want to test their skills without further assistance. This allows students to choose the level of difficulty that is best for them and fall back to the step-by-step guide as needed.

SEC510 also offers students an opportunity to participate in CloudWars Bonus Challenges each day in a gamified environment, while also providing more hands-on experience with cloud security and relevant tools.
  • SECTION 1: VM credential exposure, Hardening AWS IAM policies, Hardening Azure and GCP policies, Advanced IAM features, CloudWars Section 1
  • SECTION 2: Network lockdown, Analyzing network traffic, private endpoint security, Cloud VPN and Managed SSH, CloudWars Section 2
  • SECTION 3: Audit decryption events, Encrypt all the things!, Storage service lockdown, Unauthorized file sharing, CloudWars Section 3
  • SECTION 4: Serverless prey, Hardening serverless functions, App service security, Firebase access control, CloudWars Section 4
  • SECTION 5: Multicloud integration, Login with Azure AD, Automated benchmarking, Lab teardown, CloudWars Section 5
"Labs are amazing, they cover all the content we review over the lecture." - Enrique Gamboa, ALG

"Labs are insane. Such a great setup. I'm learning a ton and plus will be able to build upon this great foundation." - Kevin Sahota, 604 Security

"Labs are very well structured and detailed to explain exactly what is happening and why." - Gareth Johnson, Close Brothers

  • Section 1: Securely Using Identity and Access Management (IAM) and Defending IAM Credentials
  • Section 2: Restricting Infrastructure and Data Access to Trusted Networks
  • Section 3: Encrypting Data at Rest and In-Transit, Locking Down Storage, and Auditing Logs
  • Section 4: Exploring Serverless Functions, App Services, and the Firebase Platform
  • Section 5: Securely Integrating Across Cloud Accounts and Automating Misconfiguration Benchmarking
  • Cloud Ace Podcast
  • Head in the Clouds, Episode 11: Importing Resources into the Terraform State File
  • Secure Service Configuration: AWS, Azure, & GCP poster | En Español
  • Multicloud Command-Line Interface Cheat Sheet
  • Firebase: Google Cloud's Evil Twin, by Brandon Evans
  • Detecting and Locking Down Malware in Azure, by Brandon Evans
  • Top 5 Considerations for Multicloud Security, by Brandon Evans
  • Printed and Electronic courseware
  • MP3 audio files of the course
  • Course virtual machine (VM) with all lab exercises that can be redone outside of class
  • Thousands of lines of Infrastructure-as-Code for each cloud platform that you can use at your organization

SANS offers several courses that are good follow-ups to SEC510 depending on your job role:

Cloud Security Analyst
  • SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection
Cloud Security Engineer
  • SEC540: Cloud Security and DevSecOps Automation
  • SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection
Cloud Security Architect
  • SEC549: Enterprise Cloud Security Architecture
  • SEC540: Cloud Security and DevSecOps Automation
  • MGT520: Leading Cloud Security Design and Implementation


Start date: 01 May 2023
Location / delivery: Virtual
