SANS SEC488 Cloud Security Essentials

In the spring of 2023, I signed up for the SANS graduate certificate program for cloud security. I’m no stranger to SANS courses, completing their master’s program from 2018 through 2022. Luckily, my employer has a tuition reimbursement program allows me to take these courses over multiple years to maximize the benefit. It was a lot of work, but I learned a lot in each SANS course. The community I’ve met throughout my time has also been fantastic. If you can afford it, I highly recommend SANS.

Before enrolling in this course, explain why I signed up for four other courses. Living in the Microsoft identity world, I am familiar with Azure. I’ve taken several Azure exams and have a general idea of the correct direction. When it comes to Amazon Web Services (AWS) and Google Cloud Platform (GCP), I have never even touched it. I’m aware of some of the very basics, such as storage in AWS being called S3, GCP having virtual machines, etc. But I needed to familiarize myself with how you set this up and what the best practices are.

I was also starting to spend more time at work with Microsoft Entra Permissions Management (MEPM), a cloud infrastructure entitlement management (CIEM) product. This is integrated with AWS and GCP, as well as Azure. Going deeper on AWS and GCP would be a big help on many of the findings and remediation actions MEPM recommends, which requires some knowledge of these additional cloud providers. Finally, most customers I work with are in at least two of these clouds. There are further courses that I also had weak spots in that I needed to improve on, so I signed up for the program.

The first course in their program is Security 488: Cloud Security Essentials. You can read the site for all the full details of what’s covered, but at a high level, you create your own AWS account and Azure subscription, along with the IAM accounts to go with it. You then spin up a small Linux VM in Azure and set up your lab environment for the week via Terraform. You don’t have to write terraform code, but it spins up this really nice lab environment. The labs showcase the different topics covered and give some nice things to go back to and ensure you are doing in your own environment.

Lab The SEC 488 lab diagram that you use throughout the five day course.

Then, throughout the five days, you’ll cover the fundamentals of each cloud provider as you build out the environment for a fictional rock band CD/CA. When teaching a topic, take networking, for example; it will start with the basics and use AWS as the first example. Then, it will move to Azure and call out where it’s different. Finally, the topic will move to GCP. This style tends to make the course content skew a bit heavier to AWS, then Azure, and finally, GCP is the smallest. This is aligned with what I see at most customers where AWS and Azure are the vast majority, and there is possibly some GCP for specific workloads. If you are a very large GCP shop, consider looking at something more specific to that elsewhere.

For me, this course was a really great introduction to the other additional cloud providers. This is a 400-level fundamental course, so there wasn’t anything too tricky topic-wise. Many of the topics were covered in other security courses, but this had the cloud flavor of it. I’d recommend this course if you are getting started in this cloud space or are really heavy on one cloud provider and beginning to branch out. This would also be great as a second course if you have just taken SEC 401 Security Essentials and then wanted to get started with the cloud. If you’ve been maintaining two or three of these cloud providers for several years, have made a few mistakes along the way, and learned from them, you probably won’t find as much value as I did.

The GIAC Cloud Security Essentials (GCLD) exam is pretty straightforward, like most GIAC exams. I will give you a tip in making your index that I did. Put the topic area first and then add the cloud provider next if you need to. This prevents you from remembering whether you called something Amazon AWS or AWS or a feature like CloudTrail. This will help you locate the area quicker when taking the exam.