Building an AWS and Azure security training platform
This is a guest post by one of our trainers, Paul Schwarzenberger. Paul is running the fantastic Cloud Security and DevOps training course this June. He also has a blog where he talks about AWS, Cloud Security and DevOps. This is part of a series on how he’s built a platform to make things easier for those attending his training. If you enjoy this, check out Parts 2, 3 and 4. Thanks, Paul!
Part 1 – Proof of Concept
The Cloud Security and DevSecOps training course I’m delivering for 44CON in June includes AWS, Azure and GitHub accounts which the students use so they don’t need to create their own.
When I’ve delivered similar courses in the past, students brought their own laptops and installed the software they needed for the hands-on AWS and Azure security labs, either in advance or during the course.
For this course, Steve suggested I create a YouTube video showing how to install the various software needed, and that got me thinking – wouldn’t it be great if students could turn up with any laptop, or even an iPad, and do the course? Then the time spent on the labs would be used to learn about cloud security and DevSecOps, not debugging software installation issues.
So I started looking at building a training platform which students can use – and as this is a cloud security course, what better place to do this than in the cloud?
The first step was a proof of concept – so I created some Amazon WorkSpaces instances in the cloud, manually using the AWS console, and started installing software.
Within 30 minutes, I had created two virtual desktops in the cloud – one Windows, the other Linux, and connected to each in turn with the Amazon WorkSpaces client from my laptop. The user experience was really good – even when connecting over mobile data. Then I installed the software I needed for the course, tested it, and created workspace bundles to be used as images for future builds. I created new WorkSpaces from the bundles to make sure that they came up correctly with all the software preinstalled and configured.
So I’ve successfully proved the concept – the next step is to develop a design for a solution which could be used for 10 – 20 students, with full automation for building and tearing down the training environment immediately after the course – to avoid unnecessary bills!
This is the design I came up with, after doing some research on Amazon WorkSpaces and AWS Directory Services:
AWS Directory Services has several options; the one I selected was Microsoft Active Directory Standard Edition, which can be used with both Windows and Linux Amazon WorkSpaces.
As this is a cloud security course, it’s important that the design isn’t just functional, but also demonstrates secure cloud architectures.
The design includes:
• Virtual Private Cloud (VPC) with private address space
• private user subnets, containing the AWS managed Active Directory domain controllers and the WorkSpaces, with no route to the Internet
• public DMZ subnets for outbound access to the Internet using NAT Gateways
• Windows Server 2016 instance for administration and setup of the Active Directory domain, users and groups
• security group on the admin server only allowing inbound remote desktop access from a single IP address
If you’re wondering how the Amazon WorkSpaces client connects via the Internet, that’s not shown on this diagram, as it’s managed by AWS via a second network interface on each WorkSpace virtual desktop.
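To make the design above concrete, here is the same network, directory and admin server expressed as a CloudFormation template. This is an added example written for this post, not Paul’s own build scripts: the address ranges, the placeholder domain name `training.example.internal`, the admin address `203.0.113.10/32` and the instance size are assumptions, and for brevity it builds one DMZ subnet and one NAT gateway rather than a pair. The two points worth checking against the design are that the user subnets’ route table only ever points at the NAT gateway (never at the Internet gateway), and that the admin security group’s only ingress rule is RDP from a single /32, which the `AllowedPattern` on `AdminCidr` enforces at deploy time.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Training platform VPC, managed AD and admin server (added example, assumed layout)
Parameters:
  AdminCidr:
    Type: String
    Description: The single address allowed to RDP to the admin server (placeholder value)
    Default: 203.0.113.10/32
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/32$'   # refuse anything wider than one host
  AdminKeyPair: {Type: AWS::EC2::KeyPair::KeyName}
  DirectoryPassword: {Type: String, NoEcho: true}   # supplied at deploy time, never stored in source
  WindowsAmi:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties: {CidrBlock: 10.0.0.0/16, EnableDnsSupport: true, EnableDnsHostnames: true}
  # Public DMZ subnet: only the NAT gateway and the admin server live here
  DmzSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      MapPublicIpOnLaunch: true
  # Private user subnets (two AZs, as managed AD requires): domain controllers and WorkSpaces
  UserSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.10.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
  UserSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.11.0/24
      AvailabilityZone: !Select [1, !GetAZs '']
  Igw: {Type: AWS::EC2::InternetGateway}
  IgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties: {VpcId: !Ref Vpc, InternetGatewayId: !Ref Igw}
  # DMZ route table: default route to the Internet gateway
  DmzRouteTable: {Type: AWS::EC2::RouteTable, Properties: {VpcId: !Ref Vpc}}
  DmzDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: IgwAttachment
    Properties: {RouteTableId: !Ref DmzRouteTable, DestinationCidrBlock: 0.0.0.0/0, GatewayId: !Ref Igw}
  DmzAssocA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref DmzSubnetA, RouteTableId: !Ref DmzRouteTable}
  # One NAT gateway for brevity; a second one in a second DMZ subnet removes the single-AZ dependency
  NatEip: {Type: AWS::EC2::EIP, DependsOn: IgwAttachment, Properties: {Domain: vpc}}
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties: {AllocationId: !GetAtt NatEip.AllocationId, SubnetId: !Ref DmzSubnetA}
  # User route table: outbound only via NAT; there is deliberately no route to the IGW here
  UserRouteTable: {Type: AWS::EC2::RouteTable, Properties: {VpcId: !Ref Vpc}}
  UserDefaultRoute:
    Type: AWS::EC2::Route
    Properties: {RouteTableId: !Ref UserRouteTable, DestinationCidrBlock: 0.0.0.0/0, NatGatewayId: !Ref NatGateway}
  UserAssocA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref UserSubnetA, RouteTableId: !Ref UserRouteTable}
  UserAssocB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref UserSubnetB, RouteTableId: !Ref UserRouteTable}
  # AWS Managed Microsoft AD, Standard Edition, with its domain controllers in the private subnets
  Directory:
    Type: AWS::DirectoryService::MicrosoftAD
    Properties:
      Name: training.example.internal   # placeholder domain name
      Edition: Standard
      Password: !Ref DirectoryPassword
      VpcSettings: {VpcId: !Ref Vpc, SubnetIds: [!Ref UserSubnetA, !Ref UserSubnetB]}
  # Admin server: the only inbound rule is RDP from the single admin address
  AdminSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDP to the AD admin server from a single address only
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 3389, ToPort: 3389, CidrIp: !Ref AdminCidr}
  AdminServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref WindowsAmi
      InstanceType: t3.medium
      KeyName: !Ref AdminKeyPair
      SubnetId: !Ref DmzSubnetA
      SecurityGroupIds: [!Ref AdminSecurityGroup]
Outputs:
  DirectoryId: {Value: !Ref Directory}
  AdminServerPublicIp: {Value: !GetAtt AdminServer.PublicIp}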
The next step is to set up a new AWS account for the training platform. I’ll cover that in the next blog post.
Paul’s Cloud Security and DevOps Workshop course runs on the 6th and 7th of June.