This is a guest post by one of our trainers, Paul Schwarzenberger. Paul is running the fantastic Cloud Security and DevSecOps training course this June. He also has a blog where he talks about AWS, Cloud Security and DevSecOps. This is part of a series on how he’s built a platform to make things easier for those attending his training. If you enjoy this, don’t forget to check out parts 1, 2, and 4 in this series. Thanks, Paul!
My 44CON Cloud Security and DevSecOps training course this June includes AWS, Azure and GitHub accounts which the students use so they don’t need to create their own. As I described in Part 1, I also decided to build a training platform, so that students can connect to a virtual desktop in the cloud with all the software they need pre-installed.
That way they can come on to the course with any laptop or even tablet which supports the Amazon WorkSpaces client.
I built the supporting infrastructure in AWS using Terraform – a great tool for infrastructure as code – see Part 2 for more details and screenshots.
The platform includes AWS Directory managed Microsoft AD for user credentials, Amazon WorkSpaces virtual desktops, supporting networking components, and a virtual machine for Active Directory administration.
The next step was to automate the user setup, so that, just like the infrastructure, I could deploy everything needed for the course from my laptop in a short space of time, and destroy it all when the course has finished.
I logged on to the AD admin virtual desktop using the Microsoft Remote Desktop client. I had already automated the installation of Windows Administrative tools, so I opened Active Directory Users and Computers, and could see that the domain was correctly set up but there were no users.
I needed to automate creation of users in Active Directory, for logging on to Amazon WorkSpaces, and user setup in AWS and Azure for the labs. As it’s a Windows virtual machine, I decided to use PowerShell, and I included the AWS Tools for Windows PowerShell in the automated software installation.
The PowerShell script I developed starts by creating a user group. The next function creates a random password for each user, so every run of the course has different passwords, which is good from a security perspective. It also avoids including passwords in code, which could accidentally be committed to a repository such as GitHub.
To make life easier for students on the course, each user has a single password for Amazon WorkSpaces, AWS and Azure. The PowerShell script stores the random password in AWS Secrets Manager:
Then, the script creates Active Directory users and adds them as members to the group:
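The sequence described above (group, random password per user, secret stored in AWS Secrets Manager, AD user created and added to the group), written out as an added example script rather than the course's own code. It assumes the ActiveDirectory module and AWS.Tools.SecretsManager are installed on the admin VM; the domain, OU, group name, student naming and secret naming scheme are placeholders.

```powershell
# Added example, not the course's own script. Domain, OU, group name and
# secret naming scheme below are placeholders; adjust them for your environment.
Import-Module ActiveDirectory
Import-Module AWS.Tools.SecretsManager

$Domain    = 'corp.example.com'                       # placeholder domain
$UserOu    = 'OU=Students,DC=corp,DC=example,DC=com'  # placeholder OU
$GroupName = 'CourseStudents'                         # placeholder group
$Students  = 1..3 | ForEach-Object { 'student{0:D2}' -f $_ }

function New-RandomPassword {
    param([int]$Length = 20)
    # Use the cryptographic RNG rather than Get-Random so passwords are unpredictable.
    # Ambiguous characters (0/O, 1/l/I) are left out so the printed sheet is readable.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object System.Collections.Generic.List[char]
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes above this to avoid modulo bias
    $one   = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { $chars.Add($alphabet[$one[0] % $alphabet.Length]) }
    }
    return -join $chars
}

# 1. Create the group once; skip if a previous run already created it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -Path $UserOu
}

foreach ($user in $Students) {
    $password = New-RandomPassword
    # 2. Store the password in Secrets Manager first, so the only persistent
    #    copy lives in the vault and nothing secret is written to this file.
    New-SECSecret -Name "course/$user/password" -SecretString $password | Out-Null
    # 3. Create the enabled AD user with that password.
    $secure = ConvertTo-SecureString $password -AsPlainText -Force
    New-ADUser -Name $user -SamAccountName $user `
        -UserPrincipalName "$user@$Domain" -Path $UserOu `
        -AccountPassword $secure -Enabled $true -ChangePasswordAtLogon $false
    # 4. Add the user to the course group.
    Add-ADGroupMember -Identity $GroupName -Members $user
    Remove-Variable password, secure   # drop the plaintext from the session
}
```

Run it from the AD admin VM with AWS credentials that are allowed only `secretsmanager:CreateSecret` on the `course/*` name prefix, so the script cannot read back or overwrite other secrets.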
Next, I wrote scripts to run from my laptop creating users in AWS and Azure for students to use during the course labs. The password is retrieved from AWS Secrets Manager.
Students will use their AWS credentials for three AWS labs during the course:
- Build a secure serverless web site and content distribution network
- Continuous Compliance lab – assess the security of an AWS account
- DevSecOps lab – build a serverless application using a CI / CD pipeline.
Students will use their Azure credentials in the Azure lab, creating high availability infrastructure, reviewing its security and implementing security improvements.
Finally, I needed a way to pass the information to students when they arrived on the course. I decided to keep it simple and hand out a Welcome sheet to each student with their credentials and other useful information. But I didn’t want to do this manually – that would take too much time!
I wrote another script to run on my laptop – this one in Python – which retrieves the Amazon WorkSpaces registration code, gets the passwords from AWS Secrets Manager and then writes to a pdf file for each student. I’ll print these off before the course.
By the way, don’t worry, the confidential information in the screenshot is now out of date – one of the benefits of automation.
So I’ve now built the supporting infrastructure using Terraform, and set up users in both AWS and Azure with automated configuration scripts. I can spin up the environment from my laptop, configure users just before the course starts, and destroy it all when I’ve finished. That’s great both for security and also to minimise costs.
The next step is to build the Amazon WorkSpaces virtual desktops for each student using automation – I’ll cover that in my next blog post.
If you’ve enjoyed this post, check out Paul’s first and second post in the series. Paul is teaching a cloud security workshop in June. Like Rory McCune’s March Container Security training, seats are limited and likely to sell out. Book now to avoid disappointment.