CloudSLAW Monthly: February, 2024
Catch up on the latest CloudSLAW news!
CloudSLAW is the closest I’ve ever come to building a time machine, despite trying many times.
There are a hair over 1,600 of you now, and everyone is rolling through the lessons at their own pace. Some of you are on lesson 1, others on lesson 12, and as we grow in both content and members, the gap will only widen.
As the author it’s kind of a new experience — some of you will email me questions on the latest and greatest, and others on things I wrote a month or two ago. The advantage of this model is that everyone gets to learn at their own pace, from the start. The disadvantage is that I don’t have a great way to talk to everyone at once and update you on what’s going on. Since I already spam you once a week, I figure once a month might be an acceptable pace for an all-hands email.
I’m still figuring this entire concept out, and can’t tell you how much I appreciate you for coming along for the ride. I hope you consider the content a good trade for the occasional sponsor or other attempt to pay my bills. I don’t take anything for granted, and please let me know if it ever gets to be too much.
Sponsor
Improve your cloud security program with the free IANS/Securosis/CSA Cloud Security Maturity Model
Our sponsor this month also happens to be a partner. I’m insanely excited to finally release version 2.0 of the Cloud Security Maturity Model, and thanks to IANS Research for sponsoring to promote it. This framework now includes:
- Maturity descriptions for the 12 primary cloud security categories organized in 3 domains.
- Extensive Cloud Security Control Objectives mappings as Key Performance Indicators to objectively measure security maturity.
- Sample control specifications aligned with every control objective for AWS, with Azure and GCP in development, for automating maturity assessments.
The entire CSMM 2.0 is available for free download without registration, and IANS has also released a free survey-based diagnostic tool for self assessment.
And I’d be remiss if I didn't also link to our free technical CSMM assessment tool over at FireMon Cloud Defense…
CloudSLAW Plans and News
For those of you at the front of the pack, we are just about to finish up our first big push on core security. I have a couple labs on SSO planned, one more on org structure, and then we’ll bounce around a bit. If I can pull it off I’m working on something I’m calling the “time warp”, which will skip ahead many months and drop you into a more-advanced lab we’ll build up with IaC and automation.
Fundamentals are critical and where we need to start, but they aren’t exactly… action-packed. The time warp will give you an idea of why we are setting everything up the way we are, and let you see a little offense in action! I mean, if I pull it off.
While I can’t totally commit, there is also a really good chance we will launch a CloudSLAW: Azure in April. This would be with a different instructor and learning path, at a slightly slower pace. No promises, but it’s looking good.
From the CloudSLAW Community
When you kick these things out into the wild you never know how people will respond. I’m absolutely thrilled when I get emails with feedback and even corrections. I will absolutely continue to make mistakes as I do this, probably every week. It also really helps to hear from those of you working through the content: what works, what doesn't, and what you would prefer to see. You can always email me directly at [email protected].
This week I have one general feedback/correction and a very cool project someone is building based on the labs. Both have given permission to be mentioned:
Craig asks:
“As a result, my first question is regarding the S3 bucket name. I understand you're changing the suffix (to make the new bucket unique), but I've always followed the practice of having the bucket name include the account it's created in. From the way I'm reading it, you're keeping the account ID of the management account and just changing the suffix, which would confuse me in an enterprise when I'm using something like steampipe to search for buckets and then see a different account ID for one of them. Wouldn't it make more sense to change the bucket account ID and keep the random suffix?”
Yep. He’s more right and I’m more wrong, but I’m a little right. I do think his way is probably better and I hadn’t thought of it from that perspective; likely because the tooling I use shows me the account ID from the central inventory right at the top of the page.
I kept it simple in the lab because I try to reduce as many variables as possible. Having taught a ton at Black Hat and other places, I’ve learned even really simple and obvious copy/paste exercises cause issues. But that isn’t a good excuse. I did contemplate changing that ID, and opted for simplicity. I wasn’t thinking of the search case, because my tooling handles it.
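To make Craig’s point concrete, here is an added example (not from the newsletter, the labs, or either community repository) that audits a bucket inventory for names whose embedded account ID disagrees with the account the bucket actually lives in, which is exactly the copy-and-change-the-suffix case he describes. The `<purpose>-<account id>-<suffix>` naming convention, the account IDs, and the inventory are all constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional

# Assumed naming convention for this example (not prescribed by the newsletter):
# <purpose>-<12-digit owning account id>-<random suffix>
BUCKET_NAME_RE = re.compile(
    r"^(?P<purpose>[a-z0-9-]+?)-(?P<account>\d{12})-(?P<suffix>[a-z0-9]+)$"
)


class Bucket(NamedTuple):
    name: str
    owner_account: str  # account the bucket really lives in, as an inventory tool reports it


def check_bucket_name(bucket: Bucket) -> Optional[str]:
    """Return a finding if the name breaks the convention or embeds the wrong
    account ID; return None when the name is consistent with its owner."""
    m = BUCKET_NAME_RE.match(bucket.name)
    if not m:
        return f"{bucket.name}: does not follow <purpose>-<account>-<suffix> convention"
    embedded = m.group("account")
    if embedded != bucket.owner_account:
        return (
            f"{bucket.name}: name embeds account {embedded} but the bucket lives in "
            f"{bucket.owner_account} (copied name with only the suffix changed?)"
        )
    return None


def audit(buckets: List[Bucket]) -> List[str]:
    """Run the name check over a whole inventory and collect the findings."""
    return [f for f in (check_bucket_name(b) for b in buckets) if f]


# Constructed sample inventory: a CloudTrail bucket in the management account,
# a copy in the logging account made by changing only the suffix (the confusing
# case), a correctly named bucket, and one that ignores the convention entirely.
SAMPLE_INVENTORY = [
    Bucket("cloudtrail-111111111111-a1b2c3", "111111111111"),
    Bucket("cloudtrail-111111111111-z9y8x7", "222222222222"),
    Bucket("cloudtrail-222222222222-q4w5e6", "222222222222"),
    Bucket("my-random-bucket", "222222222222"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```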
Craig also mentioned that he is creating a repository of CloudFormation templates for these labs that he will eventually release, which is not only amazing but brings me to …
Dominic had the same great idea but for Terraform! He has posted his repository at https://github.com/0xdeadbeefJERKY/slaw-terraform
We’ll be using both Terraform and CloudFormation in these labs. I had thought about making them for every lab, but the honest truth is I haven’t had the time. I’m excited and honored that the community has beaten me to the punch.
Corrections
I messed up the billing alerts and issued a correction lab. This only matters if you finished the lab before I issued the fix, since it’s fixed in the posts and email sequence moving forward.
Friend of CloudSLAW Chris Farris caught another one. I named our central logging account SecurityAudit but it should probably be some variation of “Logs”. I’m going to use the fix for that one as an excuse for some other skills around SCPs and OUs we need to learn, so stand by. It’s a small but important distinction.
My Other Work and Upcoming Trainings
I’m not going to link to everything, because I post way too much in way too many places, but I will highlight some bigger things:
We released version 2.0 of the Cloud Security Maturity Model. Yes, this was also our sponsor this week.
Chris Farris and I are speaking at RSAC. This ended up inspiring a much larger project we hope to release soon. We also had too much fun coming up with the title and description. CloudSec Hero to Zero: Self-Obsolescing Through Prolific Efficiency.
Will Bengtson and I are teaching Adversarial Cloud Incident Response at Black Hat. Although we teach cloud IR privately, this is pretty much the only place we teach the adversarial version.
We are very deep into updating the Cloud Security Alliance CCSK training to version 5.0. This is a ground-up rebuild and a ton of work, but initial feedback from reviewers is very positive. Mike Rothman will be teaching the first public class at Black Hat this summer.
Thank you everyone, and please keep the feedback coming!