Building a cloud security training platform – Pt 5: Counting The Cost

My 44CON Cloud Security and DevSecOps training course this June includes AWS, Azure and GitHub accounts which the students use so they don’t need to create their own. As I described in Part 1, I also decided to build a training platform, so that students can connect to a virtual desktop in the cloud with all the software they need pre-installed.

That way they can come on to the course with any laptop or even tablet which supports the Amazon WorkSpaces client.

I built the supporting infrastructure in AWS using Terraform which you can read about in Part 2 of my blog, and then scripted user setup across all environments as described in Part 3. And as you might expect, I incorporated lots of security features, and wrote about them in Part 4.

In this last blog of the series, you’ll hear about a lost USB key, the bill, feedback to Amazon and their response.

A Lost USB Key

The last time I delivered the Cloud Security and DevSecOps course, I copied the course materials on to a USB key, and handed it to one of the students to pass it round the class.

You can guess what happened – I never got it back …

I decided I should come up with a better solution – perhaps something which doesn’t risk spreading viruses, and demonstrates cloud security at the same time. I created some terraform code to deploy S3 buckets in Amazon, enabling security features such as encryption at rest and logging. I found some useful open source code on GitHub for a Javascript index.html file which dynamically creates a folder view of files uploaded to S3. Then I uploaded the course materials via the AWS Console so that students can download to their laptop during the course.

I included a bucket policy in the Terraform code to only allow access from authorised IP addresses – here’s what happens if you’re not allowed:
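As an added illustration (not the Terraform from the original post), this is the shape such a deployment takes: an encrypted, logged S3 bucket whose policy only serves the folder view and downloads to requests from a classroom IP range. Bucket names and the CIDR are placeholders, and the policy uses Allow plus IpAddress so the account owner's own console uploads from other addresses are not locked out.

```hcl
resource "aws_s3_bucket" "materials" {
  bucket = "example-course-materials" # hypothetical bucket name
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-course-materials-logs" # hypothetical bucket name
}

# Encryption at rest: objects are stored with SSE-S3 (AES-256) by default.
resource "aws_s3_bucket_server_side_encryption_configuration" "materials" {
  bucket = aws_s3_bucket.materials.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Server access logging: every download is recorded in the separate log bucket.
resource "aws_s3_bucket_logging" "materials" {
  bucket        = aws_s3_bucket.materials.id
  target_bucket = aws_s3_bucket.logs.id
  target_prefix = "materials/"
}

# Read-only access (list is needed by the index.html folder view) only from
# classroom IPs. Allow + IpAddress, rather than Deny + NotIpAddress, means the
# owner's own console uploads from elsewhere are not locked out.
data "aws_iam_policy_document" "classroom_read" {
  statement {
    sid       = "ClassroomReadOnly"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:ListBucket"]
    resources = [aws_s3_bucket.materials.arn, "${aws_s3_bucket.materials.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = ["203.0.113.0/24"] # placeholder: RFC 5737 documentation range
    }
  }
}

resource "aws_s3_bucket_policy" "materials" {
  bucket = aws_s3_bucket.materials.id
  policy = data.aws_iam_policy_document.classroom_read.json
}
```

A request from outside the listed range receives an AccessDenied response, which is the behaviour the screenshot above illustrates.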

The Bill

All good restaurant meals end with a bill – unless you run off without paying of course – and training courses in cloud environments usually result in a bill at the end of the month. Especially in this case where I provide all the cloud accounts, so students don’t need to spend time and money setting them up.

In this case there are the costs of doing the labs – estimated at around £20 per student, and the costs of the Windows and Linux virtual desktops which for a 3 day course I reckon will be about £30 per student, so all in all £50 per student. That’s only if I remember to run all the delete scripts immediately after the course has finished – note to self, I must not forget!

Amazon Feedback

During my setup and testing of the cloud security training platform, I encountered some issues and current limitations of the Amazon WorkSpaces service:

  • There’s no API to register or deregister AWS Directory Services with Amazon WorkSpaces – resulting in a manual step which right now can’t be automated
  • I can’t copy an Amazon WorkSpaces image from one region to another – so if I want to deliver the training course in another region, this would require considerable rework and the resulting image may well be inconsistent
  • Pricing of the monthly fee element of Amazon WorkSpaces isn’t pro-rata – so I’m charged for a full month even if the course is only 3 days

I did a bit of research and found out the name of the Amazon WorkSpaces General Manager, Nathan, and sent him an email with these comments – along with some compliments on the general maturity of the service.

Amazon’s Response

I was impressed that Nathan got back to me with a considered reply, and broadened the discussion to Kajal of the Amazon WorkSpaces product management team:

“This is all very valuable and thoughtful feedback”

“The asks for APIs for registering directories, and copy AMI across regions are very much on the radar”

I’m providing more information to them on the pricing issue – which has come to light as a consequence of the way I’m using Amazon WorkSpaces, with automation and a short build and destroy cycle.

Anyway, it’s nice to see that AWS listen to their small customers as well as large enterprises.

I hope you found this last blog of the series interesting and informative. I’m looking forward to seeing how students on the 44CON Cloud Security and DevSecOps Workshop use the platform, and to hearing their feedback.

The rest of the blog series is available here: Parts 1, 2, 3 and 4. If you’ve found this blog series interesting or useful, tickets for Paul’s latest available training course are available from the shop.