Building a cloud security training environment

24/3/2019

The Cloud Security and DevSecOps training course I’m delivering for 44CON in June includes AWS, Azure and GitHub accounts which the students use so they don’t need to create their own.

Wouldn’t it be great if students could turn up with any laptop, or even an iPad, and do the course. And the time spent on the labs would be used to learn about cloud security and DevSecOps, not debugging software installation issues.

So I started looking at building a training platform which students can use – and as this is a cloud security course, what better place to do this than in the cloud?

Click on the "Read More" link below to see the proof of concept and design.

When I’ve delivered similar courses in the past, students brought their own laptops and installed the software they needed for the hands-on AWS and Azure security labs, either in advance or during the course.

For this course, Steve Lord of 44CON suggested I create a YouTube video showing how to install the various software needed, and that got me thinking – wouldn’t it be great if students could turn up with any laptop, or even an iPad, and do the course. And the time spent on the labs would be used to learn about cloud security and DevSecOps, not debugging software installation issues.

The first step in building the cloud security training platform was a proof of concept – so I created some Amazon WorkSpaces instances in the cloud, manually using the AWS console, and started installing software.

Within 30 minutes, I had created two virtual desktops in the cloud – one Linux, the other Windows, and connected to each in turn with the Amazon WorkSpaces client from my laptop. The user experience was really good – even when connecting over mobile data. Then I installed the software I needed for the course, tested it, and created workspace bundles to be used as images for future builds. I created new WorkSpaces from the bundles to make sure that they came up correctly with all the software preinstalled and configured.

So I’ve successfully proved the concept – the next step is to develop a design for a solution which could be used for 10 – 20 students, with full automation for building and tearing down the training environment.

I wanted a platform which could be deployed through automation before the course, and then destroyed immediately after the course – to avoid unnecessary bills!

This is the design I came up with, after doing some research on Amazon WorkSpaces and AWS Directory Services:

AWS Directory Services has several options, the one I selected was Microsoft Active Directory Standard Edition, which can be used with both Windows and Linux Amazon WorkSpaces.

As this is a cloud security course, I didn't just want to create a design which worked, I also wanted to demonstrate secure cloud architectures.

The design includes:

Virtual Private Cloud (VPC) with private address space
private user subnets, containing the AWS managed Active Directory domain controllers and the WorkSpaces, with no route to the Internet
public DMZ subnets for outbound access to the Internet using NAT Gateways
Windows Server 2016 instance for administration and setup of the Active Directory domain, users and groups
Security group on the admin server only allowing inbound remote desktop access from a single IP address.

If you’re wondering how the Amazon WorkSpaces client connects via the Internet, that’s not shown on this diagram, as it’s managed by AWS via a second network interface on each WorkSpace virtual desktop.

The next steps are to set up a new AWS account for the training platform, and build using automation tools ...

3 Comments

John Snowe

24/3/2019 07:15:12 pm

And may I ask how much all the above cost you including Windows Server 2016? Last time we tried a similar lab in AWS the bill was £280/day or £8,400 a month - or £102,200 per year.

Paul Schwarzenberger

25/3/2019 09:53:43 pm

Hi John, many thanks for reading the blog, and your question.

I'm planning to cover costs in a future blog post - however, my calculations show an estimated total cost of $311 for a 3 day course with 20 students. The services used include AWS Directory Services for Microsoft AD Standard Edition, Windows and Linux Amazon WorkSpaces using the hourly pricing option, NAT Gateways, a single Windows Server 2016 on EC2, KMS and Secrets Manager.

Automation is absolutely essential so that the environment can be easily deployed just before the course starts, and destroyed as soon as the course ends.

Feel free to get in touch with me direct, if you'd like more details.

9/4/2019 10:15:34 pm

A further update - I believe the above estimate is reasonably accurate for the first month. After that, the Amazon WorkSpaces monthly charge for the "hourly" pricing option is no longer calculated on a pro-rata basis.

The estimated costs for a 3 day course for 20 students, each student having both a Windows and a Linux WorkSpace, then increase to $678, or $34 per student.

Your comment will be posted after it is approved.

Building a cloud security training environment

Leave a Reply.

Author

Archives

Categories