Celidor
  • Blog
  • About
  • People
  • News
  • TALKS
  • Contact

Building a cloud security training platform - part 3

12/5/2019

Part 3 - automated user setup

My 44CON Cloud Security and DevSecOps training course this June includes AWS, Azure and GitHub accounts which the students use so they don’t need to create their own. As I described in Part 1, I also decided to build a training platform, so that students can connect to a virtual desktop in the cloud with all the software they need pre-installed.

That way they can come on to the course with any laptop or even tablet which supports the Amazon WorkSpaces client.

I built the supporting infrastructure in AWS using Terraform – a great tool for infrastructure as code – see Part 2 for more details and screenshots.

The platform includes AWS Directory Service (AWS Managed Microsoft AD) for user credentials, Amazon WorkSpaces virtual desktops, supporting networking components, and a virtual machine for Active Directory administration.

The next step was to automate the user setup so that, just like the infrastructure, I could deploy everything needed for the course from my laptop in a short space of time, and destroy it all when the course has finished.
I logged on to the AD admin virtual desktop using the Microsoft Remote Desktop client. I had already automated the installation of Windows Administrative tools, so I opened Active Directory Users and Computers, and could see that the domain was correctly set up but there were no users.

I needed to automate the creation of users in Active Directory, for logging on to Amazon WorkSpaces, and user setup in AWS and Azure for the labs. As it's a Windows virtual machine, I decided to use PowerShell, and I included the AWS Tools for Windows PowerShell in the automated software installation.
The PowerShell script I developed starts by creating a user group. The next function creates a random password for each user, so every run of the course has different passwords, which is good from a security perspective. It also avoids hard-coding passwords in scripts, where they could accidentally be committed to a repository such as GitHub.

To make life easier for students on the course, each user has a single password for Amazon WorkSpaces, AWS and Azure. The PowerShell script stores each random password in AWS Secrets Manager, so the scripts that run later can retrieve it from there.
Then the script creates the Active Directory users and adds them as members of the group.
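
The steps above (group, per-user random password, secret stored, AD users created and added to the group) as one script. This is an added example, not the script from the original post or its screenshots. It assumes the RSAT ActiveDirectory module and the AWS Tools for PowerShell are installed on the AD admin machine, that the machine has an instance profile allowing secretsmanager:CreateSecret (so no AWS keys are stored on the VM), and that the OU path, group name, UPN suffix and region are placeholders to be replaced. Two details a practitioner will want that the post does not spell out: the password is drawn from the .NET cryptographic RNG with rejection sampling (Get-Random is not a CSPRNG and a plain modulo introduces bias), and the secret is written before the AD account is created, so a failure never leaves an account whose password was not recorded.

```powershell
# Added example (not the post's own script): create the course group and student users in
# AWS Managed Microsoft AD, storing each student's random password in AWS Secrets Manager.
# Assumptions: RSAT ActiveDirectory + AWS.Tools.SecretsManager (or AWSPowerShell) installed,
# domain admin rights, an instance profile with secretsmanager:CreateSecret, and the
# placeholder values below replaced with the real ones from Part 2.
Import-Module ActiveDirectory
Import-Module AWS.Tools.SecretsManager   # or: Import-Module AWSPowerShell

$Region       = 'eu-west-2'                                   # assumption
$GroupName    = 'CourseStudents'                              # assumption
$UsersOu      = 'OU=Users,OU=corp,DC=corp,DC=example,DC=com'  # assumption: AWS Managed AD keeps writable objects under OU=<NetBIOS name>
$UpnSuffix    = 'corp.example.com'                            # assumption
$StudentCount = 12

function New-StudentPassword {
    param([int]$Length = 16)
    # Ambiguous characters (I, l, O, 0, 1) are left out because the password is printed on paper.
    $upper  = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower  = 'abcdefghjkmnpqrstuvwxyz'
    $digit  = '23456789'
    $symbol = '!#%&*+-=?@'
    $alphabet = ($upper + $lower + $digit + $symbol).ToCharArray()
    # Get-Random is not a cryptographic RNG; use the .NET one.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of the alphabet size below 256
    do {
        $chars = New-Object char[] $Length
        $buf   = New-Object byte[] 1
        for ($i = 0; $i -lt $Length; $i++) {
            # Rejection sampling: discard bytes >= $limit so every character is equally likely.
            do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
            $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
        }
        $password = -join $chars
        # Retry until all four character classes are present: this satisfies the default AD
        # complexity rule and the AWS / Azure password policies the same password must pass.
        $ok = ($password.IndexOfAny($upper.ToCharArray())  -ge 0) -and
              ($password.IndexOfAny($lower.ToCharArray())  -ge 0) -and
              ($password.IndexOfAny($digit.ToCharArray())  -ge 0) -and
              ($password.IndexOfAny($symbol.ToCharArray()) -ge 0)
    } until ($ok)
    return $password
}

function Save-StudentSecret {
    param([string]$UserName, [string]$Password)
    # One secret per student under a common prefix, so the laptop scripts can be granted
    # read access to "course/CourseStudents/*" only and the whole set is easy to delete later.
    $secretName = "course/$GroupName/$UserName"
    $json = @{ username = $UserName; password = $Password } | ConvertTo-Json -Compress
    New-SECSecret -Name $secretName -SecretString $json `
                  -Description "Course credentials for $UserName" -Region $Region | Out-Null
    return $secretName
}

# 1. Group (idempotent: re-running the script does not fail on an existing group)
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $UsersOu
}

# 2. Password -> Secrets Manager -> AD user, in that order
$created = @()
foreach ($n in 1..$StudentCount) {
    $user  = 'student{0:D2}' -f $n
    $plain = New-StudentPassword
    $null  = Save-StudentSecret -UserName $user -Password $plain
    New-ADUser -Name $user -SamAccountName $user -UserPrincipalName "$user@$UpnSuffix" `
               -Path $UsersOu -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
               -Enabled $true -ChangePasswordAtLogon $false
    $created += $user
}

# 3. Group membership
Add-ADGroupMember -Identity $GroupName -Members $created
Remove-Variable plain   # don't leave the last plaintext password in the session
```

The secret name prefix is what lets the later scripts run with a narrowly scoped IAM policy: a GetSecretValue permission on `course/CourseStudents/*` rather than on every secret in the account.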
Next, I wrote scripts to run from my laptop, creating users in AWS and Azure for students to use during the course labs. Each user's password is retrieved from AWS Secrets Manager.
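
The laptop-side step, as an added example rather than the post's own scripts: read each student's password back from Secrets Manager and create the matching IAM user and Azure AD user with it. It assumes the AWS Tools for PowerShell and the Az module (Az.Resources, with `Connect-AzAccount` already run) are installed, that an IAM group with the lab permissions already exists, and that the secret names, region and Azure tenant domain are placeholders. The IAM user gets a console login profile but no access keys, so nothing long-lived is handed out on paper; the `New-AzADUser` parameter set is the one in recent Az.Resources releases and should be checked against the installed version.

```powershell
# Added example (not the post's own scripts): create IAM and Azure AD users that share the
# password stored in Secrets Manager by the AD setup script.
# Assumptions: AWS.Tools.SecretsManager, AWS.Tools.IdentityManagement and Az.Resources are
# installed; Connect-AzAccount has been run; the IAM group already has the lab policies
# attached; placeholder values below are replaced with real ones.
Import-Module AWS.Tools.SecretsManager
Import-Module AWS.Tools.IdentityManagement
Import-Module Az.Resources

$Region       = 'eu-west-2'            # assumption
$GroupName    = 'CourseStudents'       # assumption: IAM group with lab permissions attached
$AzureDomain  = 'course.example.com'   # assumption: a verified domain in the Azure AD tenant
$StudentCount = 12

function Get-StudentPassword {
    param([string]$UserName)
    # Secret layout {"username":...,"password":...} is the one written by the AD setup script.
    $secret = Get-SECSecretValue -SecretId "course/$GroupName/$UserName" -Region $Region
    return ($secret.SecretString | ConvertFrom-Json).password
}

function New-StudentIamUser {
    param([string]$UserName, [string]$Password)
    # Console access only: a login profile, no access keys. The shared password already
    # spans three systems; long-lived keys on a printed sheet would widen that further.
    New-IAMUser -UserName $UserName | Out-Null
    New-IAMLoginProfile -UserName $UserName -Password $Password -PasswordResetRequired $false | Out-Null
    Add-IAMUserToGroup -UserName $UserName -GroupName $GroupName
}

function New-StudentAzureUser {
    param([string]$UserName, [string]$Password)
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    # Parameter names as in current Az.Resources; verify against the installed module version.
    New-AzADUser -DisplayName $UserName -UserPrincipalName "$UserName@$AzureDomain" `
                 -MailNickname $UserName -Password $secure | Out-Null
    # Lab permissions (e.g. New-AzRoleAssignment to a per-student resource group) are granted
    # separately; the post does not describe how its Azure lab is scoped, so none is assumed here.
}

foreach ($n in 1..$StudentCount) {
    $user  = 'student{0:D2}' -f $n
    $plain = Get-StudentPassword -UserName $user
    New-StudentIamUser   -UserName $user -Password $plain
    New-StudentAzureUser -UserName $user -Password $plain
}
Remove-Variable plain
```

Run this from the laptop with an AWS profile whose policy allows `secretsmanager:GetSecretValue` on the `course/CourseStudents/*` prefix plus the IAM user-creation actions, rather than with administrator credentials.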
Students will use their AWS credentials for three AWS labs during the course:
  • Build a secure serverless web site and content distribution network
  • Continuous Compliance lab – assess the security of an AWS account
  • DevSecOps lab – build a serverless application using a CI / CD pipeline
Students will use their Azure credentials in the Azure lab, creating high availability infrastructure, reviewing its security and implementing security improvements.

Finally, I needed a way to pass the information to students when they arrived on the course. I decided to keep it simple and hand out a Welcome sheet to each student with their credentials and other useful information. But I didn't want to do this manually – that would take too much time!
I wrote another script to run on my laptop – this one in Python – which retrieves the Amazon WorkSpaces registration code, gets the passwords from AWS Secrets Manager and then writes a PDF file for each student. I'll print these off before the course.

By the way, don’t worry, the confidential information in the screenshot is now out of date – one of the benefits of automation.
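
The welcome-sheet step, as an added example that is not the post's Python script and kept in PowerShell like the other examples here: look up the WorkSpaces registration code for the directory, read each student's secret, and write one printable sheet per student. It writes an HTML file that can be printed to PDF rather than generating the PDF itself, and it assumes the AWS Tools for PowerShell, a directory already registered with WorkSpaces, and placeholder values for the directory ID, secret names and region. Two checks worth having: the password is HTML-encoded before it goes into the page (a symbol such as `&` or `<` would otherwise break the markup and print wrongly), and the output directory holds every student's plaintext password, so it is written under a temporary location and should be deleted once the sheets are printed.

```powershell
# Added example (not the post's Python script): one printable welcome sheet per student,
# built from the WorkSpaces registration code and the student's Secrets Manager entry.
# Assumptions: AWS.Tools.WorkSpaces and AWS.Tools.SecretsManager installed, the directory
# from Part 2 registered with WorkSpaces, and the placeholder values below replaced.
Import-Module AWS.Tools.WorkSpaces
Import-Module AWS.Tools.SecretsManager

$Region       = 'eu-west-2'        # assumption
$GroupName    = 'CourseStudents'   # assumption
$DirectoryId  = 'd-XXXXXXXXXX'     # assumption: replace with the AWS Managed AD directory ID
$OutDir       = Join-Path $env:TEMP 'welcome-sheets'
$StudentCount = 12

function Get-WorkSpacesRegistrationCode {
    param([string]$DirectoryId)
    # The registration code is an attribute of the WorkSpaces directory registration.
    $dir = Get-WKSWorkspaceDirectory -DirectoryId $DirectoryId -Region $Region
    if (-not $dir) { throw "Directory $DirectoryId is not registered with WorkSpaces" }
    return $dir.RegistrationCode
}

function Get-StudentCredential {
    param([string]$UserName)
    $secret = Get-SECSecretValue -SecretId "course/$GroupName/$UserName" -Region $Region
    return ($secret.SecretString | ConvertFrom-Json)
}

function Protect-Html {
    param([string]$Text)
    # Encode before interpolating into markup: passwords contain symbols such as & and <.
    return [System.Net.WebUtility]::HtmlEncode($Text)
}

function New-WelcomeSheet {
    param([string]$UserName, [string]$Password, [string]$RegistrationCode, [string]$Path)
    $html = @"
<html><body style="font-family:sans-serif">
<h1>Welcome to the course</h1>
<p>WorkSpaces registration code: <b>$(Protect-Html $RegistrationCode)</b></p>
<p>Username: <b>$(Protect-Html $UserName)</b></p>
<p>Password (WorkSpaces, AWS console and Azure portal): <b>$(Protect-Html $Password)</b></p>
</body></html>
"@
    Set-Content -Path $Path -Value $html -Encoding UTF8
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$code = Get-WorkSpacesRegistrationCode -DirectoryId $DirectoryId
foreach ($n in 1..$StudentCount) {
    $user = 'student{0:D2}' -f $n
    $cred = Get-StudentCredential -UserName $user
    New-WelcomeSheet -UserName $cred.username -Password $cred.password `
                     -RegistrationCode $code -Path (Join-Path $OutDir "$user.html")
}
Write-Host "Sheets written to $OutDir. Print them, then run: Remove-Item '$OutDir' -Recurse -Force"
```

Because the sheets are the one place all the passwords exist in plaintext outside Secrets Manager, treat the directory the way the post treats the screenshot: short-lived, and gone once the course starts.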

So I've now built the supporting infrastructure using Terraform, and set up users in both AWS and Azure with automated configuration scripts. I can spin up the environment from my laptop, configure users just before the course starts, and destroy it all when I've finished. That's great both for security and also to minimise costs.

The next step is to build the Amazon WorkSpaces virtual desktops for each student using automation – I'll cover that in my next blog post.
    Author

    Paul Schwarzenberger is a Cloud Security Architect and Engineer

Contact us via email at [email protected] 

© 2020 Celidor Limited. All Rights Reserved.

Celidor Limited

Company Number: 08870661

