SEC541: Cloud Security Monitoring and Threat Detection

About the course

SEC541 will take you on a deep dive into Amazon Web Services (AWS) in order to search out and identify threats in your cloud environment. We will look at the most common threat techniques used against AWS environments, what their characteristics are, and how to detect them. Then we'll explore ways to improve the architecture of your environment. The course goes deep into CloudWatch, CloudTrail, GuardDuty, and Security Hub, among other services.

What You Will Learn
Attackers Can Run But Not Hide. Our Radar Sees All Threats.

Cloud infrastructure provides organizations with new and exciting services to better meet the demands of their customers. However, these services bring with them new challenges, particularly for organizations struggling to make sense of cloud-native logs, keep ahead of fast-moving development teams, and learn how threats are adapting to cloud services. Securely operating cloud infrastructure requires new tools and approaches.

In SEC541, we start by walking through a real-world attack campaign against a cloud infrastructure. We will break down how it happened, what made it successful, and what could have been done to catch the attackers in the act. We spend the day dissecting the attacks, learning how to leverage cloud-native and cloud-integrated capabilities to detect, hunt, or investigate similar attacks in a real environment, and building our arsenal of analytics, detections and best practices for you to bring back to work on Monday.

SEC541: Cloud Monitoring and Threat Detection Will Prepare You To:

  • Research attacks and threats to cloud infrastructure and how they could affect you
  • Use AWS and Azure core logging services effectively to detect suspicious behaviors
  • Move beyond the cloud provided GUIs to perform complex analysis
  • Perform network analysis with cloud provided network logging
  • Integrate container, operating system, and deployed application logging into cloud logging services for more cohesive analysis
  • Make the most of managed security services such as AWS GuardDuty, AWS Detective and Azure Sentinel


This course was formerly 1-Day. Additional content around AWS as well as Azure, and more labs have been added to this content.


The labs in this course are hands-on explorations into AWS logging and monitoring services. Each lab will start by researching a particular threat and the data needed to detect it. Then the student will use native services within AWS to extract, transform, and analyze the threat. The course lecture coupled with the labs will give students a full picture of how those services within AWS work, the data they produce, and common ways to analyze those data.

Day 1 and 2 labs will center around your own infrastructure, which you will build in class, run your own attacks against, and gather logs from. On Day 3, the class will open up to a larger shared AWS environment to leverage managed security services.


  • Printed and Electronic courseware
  • Virtual machine with all lab resources
  • MP3 of the course


  • Cloud Security Monitoring and Threat Hunting in AWS
  • Threat Hunting Through Log Analysis in AWS


Depending on your current job role and your future career plans, any of these courses may be a great follow-on to SEC541: Cloud Security Monitoring and Threat Detection:

SEC588: Cloud Penetration Testing Course
SEC557: Continuous Automation for Enterprise and Cloud Security
SEC510: Public Cloud Security: AWS, Azure, & GCP
SEC540: Cloud Security DevSecOps Automation

Syllabus (18 CPEs)

SEC541.1: Management Plane and Network Logging

SEC541.2: Compute and Cloud Services Logging

SEC541.3: Cloud Service and Data Discovery in AWS

The target students should be familiar with AWS or Azure and have worked with it hands-on, especially security professionals working in the cloud security field who understand basic threats and attack vectors.

The course will assume that students are able to understand or do the following without help:

  • Build a VM
  • Understand how IAM roles/policies work
  • Create key pairs for SSH log-in
  • Understand basic cloud networking capabilities.

Other Courses SEC541 Students Have Taken

  • SEC488: Cloud Security Essentials
  • SEC540: Cloud Security and DevOps Automation

Laptop Requirements
SEC541 students will run the exercises from a virtual machine that is configured with all the tools and documentation needed. All exercises will use Amazon Web Services (AWS).

IMPORTANT: You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that can also install and run VMware virtualization products. You also must have a minimum of 8 GB of RAM or higher for the virtual machines to function properly in the class. Verify that under BIOS, Virtual Support is ENABLED.

Mandatory System Requirements

System running Windows, Linux, or Mac OS X 64-bit version
At least 8 GB of RAM
40 GB of available disk space (more space is recommended)
Administrator access to the operating system
Anti-virus software will need to be disabled in order to install some of the tools
An available USB port
Wireless NIC for network connectivity
Machines should NOT contain any personal or company data
Verify that under BIOS, Virtual Support is ENABLED

Mandatory Downloads Prior to Coming to Class

A 64-bit host operating system is installed (Windows is recommended)

Adobe Acrobat or other PDF reader application

Mandatory AWS Account Prior to Coming to Class:

  • An AWS account is required to do the hands-on exercises during this course. The AWS account must be created prior to the start of class. Your ability to execute the exercises will be delayed if you wait to set up the AWS account in class.
  • Estimated additional costs for the AWS account should be less than $20
  • You will receive detailed instructions for setting up your AWS account before the start of class.

Author Statement
"Cloud service providers are giving us new tools faster than we can learn how to use them. As with any new and complex tool, we need to get past the surface-level how-to in order to radically reshape our infrastructure. This course is an overview of the elements of AWS and Azure that we may have used before but are ready to truly explore. By the end of the class, you'll be confident knowing that you have the skills to start looking for the threats and building a true threat detection program in AWS and Azure." - Shaun McCullough and Ryan Nicholson

"I really enjoyed learning more about the AWS data sources and then performing relevant attacks against them to generate events that we could hunt for." - Gavin Knapp, Bridewell Consulting

Ways to Learn
Live Online
Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Who Should Attend SEC541?
Anyone who performs monitoring, threat detection, or is responsible for logging including:

Security Analysts
Security Architects
Technical Security Managers
Security Monitoring Analysts
Cloud Security Architects
System Administrators
Cloud Administrators

"The course content deals with topics which are faced by threat analysts on a daily basis. The labs mimic real world scenarios and are really easy to follow along. I can't wait to take all the knowledge and test it in production." - Yatin Wadhwa
