The Cloud Security and DevSecOps training course I’m delivering for 44CON in June includes AWS, Azure and GitHub accounts which the students use so they don’t need to create their own. Wouldn’t it be great if students could turn up with any laptop, or even an iPad, and do the course. And the time spent on the labs would be used to learn about cloud security and DevSecOps, not debugging software installation issues. So I started looking at building a training platform which students can use – and as this is a cloud security course, what better place to do this than in the cloud? Click on the "Read More" link below to see the proof of concept and design. When I’ve delivered similar courses in the past, students brought their own laptops and installed the software they needed for the hands-on AWS and Azure security labs, either in advance or during the course. For this course, Steve Lord of 44CON suggested I create a YouTube video showing how to install the various software needed, and that got me thinking – wouldn’t it be great if students could turn up with any laptop, or even an iPad, and do the course. And the time spent on the labs would be used to learn about cloud security and DevSecOps, not debugging software installation issues. The first step in building the cloud security training platform was a proof of concept – so I created some Amazon WorkSpaces instances in the cloud, manually using the AWS console, and started installing software. Within 30 minutes, I had created two virtual desktops in the cloud – one Linux, the other Windows, and connected to each in turn with the Amazon WorkSpaces client from my laptop. The user experience was really good – even when connecting over mobile data. Then I installed the software I needed for the course, tested it, and created workspace bundles to be used as images for future builds. I created new WorkSpaces from the bundles to make sure that they came up correctly with all the software preinstalled and configured. So I’ve successfully proved the concept – the next step is to develop a design for a solution which could be used for 10 – 20 students, with full automation for building and tearing down the training environment. I wanted a platform which could be deployed through automation before the course, and then destroyed immediately after the course – to avoid unnecessary bills! This is the design I came up with, after doing some research on Amazon WorkSpaces and AWS Directory Services: AWS Directory Services has several options, the one I selected was Microsoft Active Directory Standard Edition, which can be used with both Windows and Linux Amazon WorkSpaces.
As this is a cloud security course, I didn't just want to create a design which worked, I also wanted to demonstrate secure cloud architectures. The design includes:
If you’re wondering how the Amazon WorkSpaces client connects via the Internet, that’s not shown on this diagram, as it’s managed by AWS via a second network interface on each WorkSpace virtual desktop. The next steps are to set up a new AWS account for the training platform, and build using automation tools ...
3 Comments
John Snowe
24/3/2019 07:15:12 pm
And may I ask how much all the above cost you including Windows Server 2016? Last time we tried a similar lab in AWS the bill was £280/day or £8,400 a month - or £102,200 per year.
Reply
Paul Schwarzenberger
25/3/2019 09:53:43 pm
Hi John, many thanks for reading the blog, and your question.
Reply
Paul Schwarzenberger
9/4/2019 10:15:34 pm
A further update - I believe the above estimate is reasonably accurate for the first month. After that, the Amazon WorkSpaces monthly charge for the "hourly" pricing option is no longer calculated on a pro-rata basis.
Reply
Your comment will be posted after it is approved.
Leave a Reply. |
AuthorPaul Schwarzenberger is a Cloud Security Architect and DevSecOps specialist Archives
October 2024
Categories |