Part 5: counting the cost

My 44CON Cloud Security and DevSecOps training course this September includes AWS, Azure and GitHub accounts which the students use, so they don’t need to create their own. As I described in Part 1, I also decided to build a training platform so that students can connect to a virtual desktop in the cloud with all the software they need pre-installed. That way they can come on to the course with any laptop, or even a tablet, which supports the Amazon WorkSpaces client. I built the supporting infrastructure in AWS using Terraform, which you can read about in Part 2 of my blog, and then scripted user setup across all environments as described in Part 3. And as you might expect, I incorporated lots of security features, and wrote about them in Part 4. In this last blog of the series, you’ll hear about a lost USB key, the bill, feedback to Amazon and their response.

A lost USB key

The last time I delivered the Cloud Security and DevSecOps course, I copied the course materials on to a USB key and handed it to one of the students to pass round the class. You can guess what happened – I never got it back … I decided I should come up with a better solution – perhaps something which doesn’t risk spreading viruses, and demonstrates cloud security at the same time. I created some Terraform code to deploy S3 buckets in Amazon, enabling security features such as encryption at rest and logging. I found some useful open source code on GitHub for a JavaScript index.html file which dynamically creates a folder view of files uploaded to S3. Then I uploaded the course materials via the AWS Console so that students can download them to their laptops during the course.
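The bucket deployment described above, written out as an added example (this is not the post's own Terraform): an S3 bucket with server-side encryption, server access logging to a second bucket, public-access blocking, and a bucket policy that only permits reads from approved source IP ranges, which is the restriction the post goes on to describe. Bucket names, the `allowed_cidrs` variable and its default range are assumptions for illustration.

```terraform
# Added example, not the post's own code. Bucket names and the CIDR list are
# placeholders; replace them with the venue's real egress range.

variable "allowed_cidrs" {
  description = "Source IP ranges permitted to read the course materials (assumed value)"
  type        = list(string)
  default     = ["203.0.113.0/24"] # TEST-NET-3 documentation range, placeholder only
}

resource "aws_s3_bucket" "materials" {
  bucket = "example-course-materials" # placeholder bucket name
}

# Encryption at rest for every object written to the materials bucket
resource "aws_s3_bucket_server_side_encryption_configuration" "materials" {
  bucket = aws_s3_bucket.materials.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Separate bucket that receives the server access logs
resource "aws_s3_bucket" "logs" {
  bucket = "example-course-materials-logs" # placeholder bucket name
}

# The S3 logging service principal needs permission to write into the log bucket
data "aws_iam_policy_document" "logs" {
  statement {
    sid       = "S3ServerAccessLogs"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.logs.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }
  }
}

resource "aws_s3_bucket_policy" "logs" {
  bucket = aws_s3_bucket.logs.id
  policy = data.aws_iam_policy_document.logs.json
}

resource "aws_s3_bucket_logging" "materials" {
  bucket        = aws_s3_bucket.materials.id
  target_bucket = aws_s3_bucket.logs.id
  target_prefix = "materials/"
}

# Block public ACLs and any policy AWS classifies as public. A grant that is
# conditioned on aws:SourceIp (with a range other than 0.0.0.0/0 or ::/0) is
# not classed as public, so the IP-restricted policy below is still accepted.
resource "aws_s3_bucket_public_access_block" "materials" {
  bucket                  = aws_s3_bucket.materials.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

data "aws_iam_policy_document" "materials" {
  # Allow unauthenticated reads (and listing, for the folder-view index page)
  # only when the request comes from an approved address range
  statement {
    sid       = "AllowReadFromClassroom"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:ListBucket"]
    resources = [aws_s3_bucket.materials.arn, "${aws_s3_bucket.materials.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = var.allowed_cidrs
    }
  }

  # Explicit deny of reads from anywhere else, so a later Allow cannot widen access by mistake
  statement {
    sid       = "DenyReadFromElsewhere"
    effect    = "Deny"
    actions   = ["s3:GetObject", "s3:ListBucket"]
    resources = [aws_s3_bucket.materials.arn, "${aws_s3_bucket.materials.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "NotIpAddress"
      variable = "aws:SourceIp"
      values   = var.allowed_cidrs
    }
  }
}

resource "aws_s3_bucket_policy" "materials" {
  bucket     = aws_s3_bucket.materials.id
  policy     = data.aws_iam_policy_document.materials.json
  depends_on = [aws_s3_bucket_public_access_block.materials]
}
```

Two points worth checking before relying on this. The Deny statement binds the account's own IAM principals as well as anonymous users, so an administrator reading or listing the bucket from outside the approved ranges is refused too; uploads are left unrestricted by the Deny so the materials can still be put in place from anywhere with valid credentials. And the access log bucket has no IP restriction, so it should be treated as private: it records the source address of every download and is the record to consult if a link to the materials leaks beyond the classroom.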
I included a bucket policy in the Terraform code to only allow access from authorised IP addresses – here’s what happens if you’re not allowed:

The bill

All good meals at a restaurant end with a bill – unless you run off without paying, of course – and training courses in cloud environments usually result in a bill at the end of the month. Especially in this case, where I provide all the cloud accounts so students don’t need to spend time and money setting them up. In this case there are the costs of doing the labs – estimated at around £20 per student – and the costs of the Windows and Linux virtual desktops, which for a 3 day course I reckon will be about £30 per student, so all in all £50 per student. That’s only if I remember to run all the delete scripts immediately after the course has finished – note to self, I must not forget!

Feedback to Amazon

During my setup and testing of the cloud security training platform, I encountered some issues and current limitations of the Amazon WorkSpaces service:
I did a bit of research and found out the name of the Amazon WorkSpaces General Manager, Nathan, and sent him an email with these comments – along with some compliments on the general maturity of the service.

Amazon's response

I was impressed that Nathan got back to me with a considered reply, and broadened the discussion to Kajal of the Amazon WorkSpaces product management team:

“This is all very valuable and thoughtful feedback”

“The asks for APIs for registering directories, and copy AMI across regions are very much on the radar”

I’m providing more information to them on the pricing issue – which has come to light as a consequence of the way I’m using Amazon WorkSpaces, with automation and a short build and destroy cycle. Anyway, it’s nice to see that AWS listen to their small customers as well as large enterprises.

And finally ...

I hope you found this last blog of the series interesting and informative. Attendees of the 44CON Cloud Security and DevSecOps Workshop last week used the platform with great results. They certainly appreciated not having to install complex software on their own laptops.
Students will be using the platform on the 44CON Cloud Security and DevSecOps training course this September - now a 3 day course with the addition of GCP and 4 extra labs.
Author: Paul Schwarzenberger is a Cloud Security Architect and DevSecOps specialist.

Archives: September 2024