Welcome to Cloud Security Lab A Week (SLAW)

You want free training? We got free training!

Welcome to Cloud Security Lab a Week (Cloud SLAW, because why not). A new newsletter dedicated to upping your cloud security skills through a weekly series of hands-on labs. Each week I’ll release a short 15-30 minute hands-on lab right into your inbox, with a companion YouTube video and recorded for posterity in a blog post.

There are a lot of security training options out there. Heck, I’ve written a bunch of them. But we still have a massive shortage of cloud security skills and there really aren’t any good free options to help you improve your practical skills. It’s time to free the knowledge and help level up the industry.

Zero to Hero for free.

That’s the TL;DR. Here are the details, and click Learn Stuff in the header to sign up!

What is this and how will it work?

Every week I’ll release a newsletter with a hands-on lab that’s designed to take about 15-30 minutes. Something you can knock out pretty easily on a Friday afternoon. Each lab will build on the labs before, but the labs are also designed to minimize any incremental costs from week to week.

Every lab will release as an email, be posted to the blog, and have a companion YouTube video.

When you sign up the emails will start at the very beginning of the series and run weekly. You are, however, free to skip ahead via the blog posts and run at your own pace. Just keep in mind I’m only writing one a week and eventually you’ll land back on the newsletter pace like everyone else.

Labs will start on AWS and I probably have a year or more of material to work with before we consider adding in Azure or GCP. Although the training is all labs, it’s designed to teach fundamental skills that will often apply to any provider. I’ll also occasionally drop little multi-cloud tidbits to highlight some of the differences between providers.

A key reason I’m doing this is to help create more cloud security professionals, not console monkeys. Although the labs are all short, they will highlight not only the skills to build something, but the security principles behind it. Also, over time I will create learning paths in major topic areas (like incident response) if you just want to up your skills in a particular domain.

Is this really free forever?

Yes. Next question?

What if I already have experience?

Each week will include background information on the lab and why I recommend doing things a certain way. Even if you know your way around AWS the odds are you will pick up new information and techniques. Also, as we progress the labs will get more and more advanced. I’ve been doing this a lot longer than most anyone else and hopefully have picked up some tricks over the years.

Personally I’d subscribe, skim the newsletter, and try the labs in areas I haven’t played with before. Also, personally, I’m really biased and want people to subscribe.

How are the lessons organized?

Poorly? No, I do have a plan. This is going to be cloud security the way I’ve always wanted to teach it. My plan is to go slow and really focus on the fundamentals in the core services. Then I’ll expand to additional services, and start diving in deeper. While I have a rough outline I also don’t expect I’ll want to stick with it since I get great ideas as I write and will get even better ideas through your feedback.

This isn’t how I can structure a 2-5 day class. We have… years? … to get through all the material. We can take our time and really make sure we cover both principles and practicalities. We have breathing room and I intend to use it. I don’t have to run through all of IAM, for example, before moving on to a different topic. I can teach just the right IAM needed at a point in time, then reinforce that with repetition, then add in the next layer.

And then, when I get bored, I can just throw a fastball to keep things interesting. We can always come back to dig in more slowly later.

What if I miss a week or just want to skip a lab?

Go back… this is designed so you can participate at your own pace. Or skip a lab and just do the ones you want. If a lab has prerequisites, they will be specified at the beginning and I’ll include CloudFormation templates to build them (where possible).

Ah ha! Why not Terraform?

Any idiot (narrator: he’s the idiot) can run CloudFormation in their account. Terraform is great but you have to run software someplace instead of just pasting in a URL. We will eventually get to some Terraform labs, but CloudFormation will be the standard.

How much will these labs cost me?

Not much. I’m trying to design the labs so you can tear them down at the end every week. Much of what we will do will be on the AWS Free Tier but I can’t promise that will cover everything. Labs will be set up so you can destroy them at the end, with a list of things to delete. If we still need those resources I’ll include a CloudFormation template at the start of the next lab.

This won’t be perfect. I’m not responsible for your bill. But I have a lot of experience and should be able to keep costs very VERY low on a week to week basis.

Aren’t you cannibalizing your own commercial trainings?

Nope. There are still a lot of reasons to take an in-person or virtual training. First, Cloud SLAW is all about the practical skills and knowledge, but isn’t tied to any certification. There are areas of knowledge we aren’t going to cover here that are important and required for certifications.

Second, sometimes there is no substitute for having an instructor in the room who can answer questions and add color to the material.

Finally, some trainings simply won’t fit this format. While I will have some Incident Response labs down the road, there’s no way to build a 30 minute lab with the level of depth and complexity we include in classroom training.

Besides, I’m not a full time trainer anyway. I don’t need to run many classes outside the day job to make sure the kids get their annual Disney fix.

Is this a Cloud Security Alliance thing?

No, but they are a partner. Although some labs will overlap, these aren’t a replacement for classroom (or virtual) training. At times I’ll be highlighting CSA classes that complement whatever topic we are covering. The CSA will also be providing some discounts and even the occasional free test tokens we can use as a giveaway.

Is it sponsored?

Not yet, but someday :) I do plan on taking sponsorships. As altruistic as I like to be, I’m always hunting for ways to support myself while still releasing free content to the masses. It’s how I founded Securosis and that business model worked really damn well.

The plan is to have a weekly sponsor that gets text and video callouts, plus the occasional “optional lab” sponsor. Optional labs will allow students to get experience with commercial tools for no cost.

Who are you?

My name is Rich Mogull (yes, it’s a funny name). I’m the SVP of Cloud Security at FireMon (check out our free CSPM) and also the CEO of Securosis, which is now more of a side gig. I’ve been working hands-on in cloud security from pretty much the start, back when AWS only had about 7 services and no IAM. My content has been used to train more people in cloud security than probably anyone else on the planet. I am the primary author and maintainer of the CCSK, CCSK+ and CCSK Advanced (formerly Advanced Cloud Security Practitioner) curricula for the Cloud Security Alliance. I’ve also contributed to the CCAK and have taught cloud security at Black Hat for over 10 years. Most recently I’ve been running Adversarial Cloud Incident Response with Will Bengtson. I’ve built smaller classes on everything from cloud governance to DevSecOps.

But training is just my side gig. I spent over 10 years advising large enterprises on their cloud security strategies, running assessments, and building cloud security research. About 7 years ago I spun some of my research out into a startup, snagged some VC funding, and was eventually acquired by FireMon.

My main side hobby is as a disaster response paramedic. My wife liked to call that my “very expensive hobby” until I got my pilot’s license, which is now the “let’s just not talk about it expensive hobby”. I’m a member of the 501st Legion and spend my free time doing family stuff, outside sports, and 3D printing/making.

Please sign up, because avgas isn’t cheap.
