Building a cloud security training environment

24/3/2019

The Cloud Security and DevSecOps training course I’m delivering for 44CON in June includes AWS, Azure and GitHub accounts which the students use so they don’t need to create their own.
So I started looking at building a training platform which students can use – and as this is a cloud security course, what better place to do this than in the cloud?

When I’ve delivered similar courses in the past, students brought their own laptops and installed the software they needed for the hands-on AWS and Azure security labs, either in advance or during the course.
 
For this course, Steve Lord of 44CON suggested I create a YouTube video showing how to install the various software needed, and that got me thinking – wouldn’t it be great if students could turn up with any laptop, or even an iPad, and do the course? The time spent on the labs would then be used to learn about cloud security and DevSecOps, not debugging software installation issues.
 
The first step in building the cloud security training platform was a proof of concept – so I created some Amazon WorkSpaces instances in the cloud, manually using the AWS console, and started installing software.
Within 30 minutes, I had created two virtual desktops in the cloud – one Linux, the other Windows – and connected to each in turn with the Amazon WorkSpaces client from my laptop. The user experience was really good – even when connecting over mobile data. Then I installed the software I needed for the course, tested it, and created WorkSpaces bundles to be used as images for future builds. I created new WorkSpaces from the bundles to make sure that they came up correctly with all the software preinstalled and configured.
 
So I’ve successfully proved the concept – the next step is to develop a design for a solution which could be used for 10 – 20 students, with full automation for building and tearing down the training environment.
I wanted a platform which could be deployed through automation before the course, and then destroyed immediately after the course – to avoid unnecessary bills!
 
This is the design I came up with, after doing some research on Amazon WorkSpaces and AWS Directory Services:
AWS Directory Services has several options, the one I selected was Microsoft Active Directory Standard Edition, which can be used with both Windows and Linux Amazon WorkSpaces.
 
As this is a cloud security course, I didn't just want to create a design which worked, I also wanted to demonstrate secure cloud architectures.
 
The design includes:
  • a Virtual Private Cloud (VPC) with private address space
  • private user subnets, containing the AWS managed Active Directory domain controllers and the WorkSpaces, with no route to the Internet
  • public DMZ subnets for outbound access to the Internet using NAT Gateways
  • a Windows Server 2016 instance for administration and setup of the Active Directory domain, users and groups
  • a security group on the admin server allowing inbound remote desktop access only from a single IP address
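As an added check (not from the original post or Celidor's own tooling), the following Python verifies two of the design's controls over data shaped like the EC2 describe_security_groups and describe_route_tables responses: the admin server's security group admits RDP only from a single host address, and the private user subnets have no route via an internet gateway. The sample dicts, group and gateway IDs are constructed; the private route table's NAT route is an assumption about how the DMZ NAT Gateways are reached.

```python
"""Invariant checks for the training-platform design, run over AWS-API-shaped
dicts so they work offline. Sample data below is constructed, not real output."""
import ipaddress

RDP_PORT = 3389


def rdp_sources(security_group):
    """Return the CIDR sources permitted to reach TCP/3389 by this group."""
    sources = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # "-1" means all protocols/ports
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "tcp" and not (lo <= RDP_PORT <= hi):
            continue
        sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sources


def admin_sg_is_locked_down(security_group):
    """True only if exactly one single-host CIDR may reach RDP (the design's single IP)."""
    srcs = rdp_sources(security_group)
    return len(srcs) == 1 and ipaddress.ip_network(srcs[0], strict=False).num_addresses == 1


def subnet_has_igw_route(route_table):
    """True if any route in this table points at an internet gateway (igw-*)."""
    return any(r.get("GatewayId", "").startswith("igw-") for r in route_table.get("Routes", []))


# Constructed sample data (IDs and addresses are placeholders, not real AWS output).
ADMIN_SG_GOOD = {"GroupId": "sg-admin-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]}
ADMIN_SG_BAD = {"GroupId": "sg-admin-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}       # RDP open to the world
# Assumed: private subnets reach the DMZ NAT Gateway, never an internet gateway.
PRIVATE_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]}
PUBLIC_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]}

if __name__ == "__main__":
    print("admin SG locked down:", admin_sg_is_locked_down(ADMIN_SG_GOOD),
          admin_sg_is_locked_down(ADMIN_SG_BAD))
    print("IGW route present:", subnet_has_igw_route(PRIVATE_RT), subnet_has_igw_route(PUBLIC_RT))
```

Fed real boto3 responses, the same functions flag an admin group opened beyond one host or a user subnet that has acquired a direct Internet route.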
 
If you’re wondering how the Amazon WorkSpaces client connects via the Internet, that’s not shown on this diagram, as it’s managed by AWS via a second network interface on each WorkSpace virtual desktop.
 
The next steps are to set up a new AWS account for the training platform, and build using automation tools ...
3 Comments
John Snowe
24/3/2019 07:15:12 pm

And may I ask how much all the above cost you including Windows Server 2016? Last time we tried a similar lab in AWS the bill was £280/day or £8,400 a month - or £102,200 per year.

Reply
Paul Schwarzenberger
25/3/2019 09:53:43 pm

Hi John, many thanks for reading the blog, and your question.

I'm planning to cover costs in a future blog post - however, my calculations show an estimated total cost of $311 for a 3 day course with 20 students. The services used include AWS Directory Services for Microsoft AD Standard Edition, Windows and Linux Amazon WorkSpaces using the hourly pricing option, NAT Gateways, a single Windows Server 2016 on EC2, KMS and Secrets Manager.

Automation is absolutely essential so that the environment can be easily deployed just before the course starts, and destroyed as soon as the course ends.

Feel free to get in touch with me direct, if you'd like more details.

Reply
Paul Schwarzenberger
9/4/2019 10:15:34 pm

A further update - I believe the above estimate is reasonably accurate for the first month. After that, the Amazon WorkSpaces monthly charge for the "hourly" pricing option is no longer calculated on a pro-rata basis.

The estimated costs for a 3 day course for 20 students, each student having both a Windows and a Linux WorkSpace, then increase to $678, or $34 per student.

Reply

    Author

    Paul Schwarzenberger is a Cloud Security Architect and DevSecOps specialist

© 2020 Celidor Limited. All Rights Reserved.