SANS SEC540 Cloud Security Simulator Setup Guide (K01)
SEC540 students can follow these instructions to build the labs in their personal AWS and Azure accounts. Doing so allows students to complete the labs after their access to the SANS-provisioned accounts has expired. Cost estimates vary by cloud provider:
- Free-tier-eligible AWS accounts are expected to cost roughly $10 USD per day for the AWS resources (including the DevOps server). Make sure you stop the DevOps server when you are not using it.
- Azure Pay as You Go (PAYG) subscriptions are expected to cost roughly $20 USD per day for the Azure resources.
To limit costs, run the Lab 5.4: Tear Down script in the electronic workbook whenever you are not using the lab environment.
YOUR Financial Responsibility
When running the Cloud Security Flight Simulator and performing the corresponding labs in your personal AWS / Azure environments, YOU are responsible for all costs.
DevOps Server Deployment
Requirements
- Provided by you:
- AWS personal account with administrator credentials
- Terraform 1.9 or later
- AWS CLI
- Provided by the SEC540 instructor or OnDemand SME:
- DevOps server AMI shared to your personal AWS account
- Commands to set the Terraform variables and apply the template
Step by Step Instructions
- Configure your AWS CLI with administrator credentials for your AWS account.
- Create a new working directory for the Terraform deployment (the steps below use ~/sec540).
- Download the sec540-k01.tf launch template (e.g. sec540-k01-ami.tf) into the ~/sec540 directory.
- After sharing the AMI with your personal AWS account, the instructor or OnDemand SME will give you the commands to set the required Terraform variables and apply the template. Run those commands in the ~/sec540 directory.
- The terraform apply command will take a few minutes to complete. Once it is finished, you will see output like the following:

    Apply complete! Resources: 16 added, 0 changed, 0 destroyed.

    Outputs:

    environment_summary = <<EOT
    Latest AMI: ami-06cb88e1e8c394247 - sans-sec540-k01.25.1.0
    Running AMI: ami-06cb88e1e8c394247
    Public IP: 3.15.0.118
    Local IP: 71.34.29.101
    Allow CIDR: 71.34.29.101/32
    Proxy Pass: intensely_luckily_bursting_pelican
    SmartProxy Config: SmartProxy-enjoyed-crawdad.json
    SSH + SOCKS Connect Command
    ssh -i enjoyed-crawdad.pem -D 54640 student@3.15.0.118
    SOCKS5 URI: socks5://student:intensely_luckily_bursting_pelican@3.15.0.118:54640
    EOT

- The environment_summary output contains the information you need to connect to the DevOps server:
  - SmartProxy Config - the name of the SmartProxy configuration file created by Terraform in the ~/sec540 directory.
  - SSH + SOCKS Connect Command - the command to connect to the DevOps server over SSH and open the SOCKS proxy, using the private key (.pem) created by Terraform in the ~/sec540 directory.
  - Allow CIDR - the single address (your Local IP at apply time) that is permitted to reach the server. If your public IP changes, the server will not accept your connection until the allow-list is updated.
- Treat the private key and the Proxy Pass value as credentials for your DevOps server: do not share them, and do not commit the ~/sec540 directory to source control.
Follow the Range Access Instructions to install the DevOps server's CA certificate, configure the SmartProxy extension, and connect to the DevOps server.
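Before installing the CA certificate and connecting, it is worth checking that the environment_summary values are consistent with each other. The following is an added example written for this guide, not part of the SEC540 Terraform template: it parses the summary shown above (embedded as a constructed sample), confirms that Allow CIDR is a single-host /32 containing your Local IP, and confirms that the ssh command and the SOCKS5 URI agree on user, host, port and proxy password. The key: value layout of the summary is assumed to stay as printed above.

```python
"""Pre-connect consistency check for the Terraform environment_summary output.

Added example for this guide (not SANS course code). SAMPLE_SUMMARY is a
constructed copy of the output shown above; the parser assumes the same
'Key: value' layout with the ssh command on its own line.
"""
import ipaddress
import shlex

# Constructed sample: the environment_summary block from the guide.
SAMPLE_SUMMARY = """\
Latest AMI: ami-06cb88e1e8c394247 - sans-sec540-k01.25.1.0
Running AMI: ami-06cb88e1e8c394247
Public IP: 3.15.0.118
Local IP: 71.34.29.101
Allow CIDR: 71.34.29.101/32
Proxy Pass: intensely_luckily_bursting_pelican
SmartProxy Config: SmartProxy-enjoyed-crawdad.json
SSH + SOCKS Connect Command
ssh -i enjoyed-crawdad.pem -D 54640 student@3.15.0.118
SOCKS5 URI: socks5://student:intensely_luckily_bursting_pelican@3.15.0.118:54640
"""


def parse_summary(text):
    """Turn the 'Key: value' lines into a dict; the ssh line is kept whole."""
    fields = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("ssh "):
            fields["SSH Command"] = line
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_summary(fields):
    """Return a list of problems; an empty list means the output is consistent.

    Checks: the inbound allow-list is one host (/32) and it is the address you
    applied from; the ssh target and the SOCKS5 URI agree on user, host, port
    and proxy password; the running AMI is the latest one that was shared.
    """
    problems = []
    allow = ipaddress.ip_network(fields["Allow CIDR"], strict=False)
    local = ipaddress.ip_address(fields["Local IP"])
    if allow.prefixlen != 32:
        problems.append(f"Allow CIDR {allow} is wider than a single host")
    if local not in allow:
        problems.append("Local IP is not inside Allow CIDR; the server will reject you")

    argv = shlex.split(fields["SSH Command"])
    port = argv[argv.index("-D") + 1]          # the -D argument is the SOCKS port
    user, host = argv[-1].split("@", 1)
    expected_uri = f"socks5://{user}:{fields['Proxy Pass']}@{host}:{port}"
    if host != fields["Public IP"]:
        problems.append("ssh target does not match Public IP")
    if fields["SOCKS5 URI"] != expected_uri:
        problems.append("SOCKS5 URI disagrees with the ssh -D port or proxy password")

    if not fields["Latest AMI"].startswith(fields["Running AMI"]):
        problems.append("Running AMI differs from the latest shared AMI")
    return problems


def check_with(overrides):
    """Parse the sample, apply a dict of overrides, and return the problems."""
    fields = parse_summary(SAMPLE_SUMMARY)
    fields.update(overrides)
    return check_summary(fields)


if __name__ == "__main__":
    issues = check_summary(parse_summary(SAMPLE_SUMMARY))
    print("OK to connect" if not issues else "\n".join(issues))
```

Paste your own environment_summary text in place of SAMPLE_SUMMARY (or read it from terraform output -raw environment_summary) and only run the SSH + SOCKS command when the check returns no problems.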
AWS DevSecOps IAM User
To deploy the lab infrastructure to AWS, you need to create a new devsecops IAM user. The easiest way to set permissions is to attach the AdministratorAccess policy. We recommend adding a permissions boundary to this IAM user so that it cannot reach services the AWS labs do not use. Then create a pair of access keys that the DevOps server uses to authenticate to your account. These keys are long-lived credentials: store them only in the DevOps server's AWS CLI configuration and delete them when you are finished with the labs.
Requirements
- Provided by you:
- AWS personal account with administrator credentials
Step by Step Instructions
- Log into the AWS Console using your personal administrator account.
- See the Creating an IAM user in your AWS account documentation to create a new devsecops user.
- See the Adding permissions to a user (console) documentation to attach the AdministratorAccess policy.
- See the Managing access keys for IAM users documentation to create a new pair of access keys for the devsecops user.
- Follow the Lab 1.0 - AWS Cloud Account Setup instructions in the electronic workbook to configure the DevOps server's AWS Command Line Interface (CLI).
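The guide recommends a permissions boundary but does not show one. The following is an added example written for this guide, not SANS course material: it builds a boundary policy document that allows only an assumed list of lab services (LAB_SERVICES is an assumption; replace it with the services your labs actually call), adds an explicit Deny so the devsecops user cannot remove its own boundary, and includes a simplified evaluator that shows why AdministratorAccess plus this boundary still denies anything outside the list.

```python
"""Permissions boundary for the devsecops IAM user (added example).

Illustrative code written for this guide, not SANS course code. The guide
attaches AdministratorAccess to devsecops and recommends a permissions
boundary that limits the user to the services the labs use. LAB_SERVICES
is an ASSUMPTION: substitute the services your labs actually call.
"""
import fnmatch
import json

# ASSUMED service prefixes used by the AWS labs (illustrative only).
LAB_SERVICES = ["ec2", "ecr", "ecs", "iam", "kms", "lambda", "logs",
                "s3", "secretsmanager", "ssm", "sts"]

# The AWS managed AdministratorAccess policy document.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def build_boundary(services):
    """Return a boundary policy document allowing only the given services.

    A boundary grants nothing by itself: the user's effective permissions are
    the intersection of AdministratorAccess and this document. The explicit
    Deny stops the user from lifting its own boundary, which the iam:* allow
    would otherwise permit.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LabServicesOnly",
                "Effect": "Allow",
                "Action": [f"{svc}:*" for svc in sorted(services)],
                "Resource": "*",
            },
            {
                "Sid": "KeepBoundaryInPlace",
                "Effect": "Deny",
                "Action": [
                    "iam:DeleteUserPermissionsBoundary",
                    "iam:PutUserPermissionsBoundary",
                    "iam:DeleteRolePermissionsBoundary",
                    "iam:PutRolePermissionsBoundary",
                ],
                "Resource": "*",
            },
        ],
    }


def boundary_json(services=LAB_SERVICES):
    """The policy document as the JSON string aws iam create-policy expects."""
    return json.dumps(build_boundary(services), indent=2)


def _policy_result(policy, action):
    """Evaluate one policy for an action: 'deny', 'allow' or 'implicit_deny'.

    Simplified IAM logic: a matching Deny always wins. Resource and Condition
    are ignored because both documents here use Resource "*".
    """
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM action matching is case-insensitive; '*' and '?' are wildcards.
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


def is_allowed(action, identity_policy=ADMINISTRATOR_ACCESS, boundary=None):
    """True if a user with identity_policy and boundary may call action.

    With a boundary present, BOTH documents must allow the action and
    neither may deny it.
    """
    if boundary is None:
        boundary = build_boundary(LAB_SERVICES)
    results = (_policy_result(identity_policy, action),
               _policy_result(boundary, action))
    return results == ("allow", "allow")


if __name__ == "__main__":
    print(boundary_json())
    for act in ["ec2:RunInstances", "organizations:CreateAccount",
                "iam:DeleteUserPermissionsBoundary"]:
        print(f"{act}: {'allowed' if is_allowed(act) else 'denied'}")
```

Save the printed document to a file and create it with aws iam create-policy --policy-name sec540-boundary --policy-document file://boundary.json (the policy name is an assumption), then attach it with aws iam put-user-permissions-boundary --user-name devsecops --permissions-boundary <policy ARN>. If a lab fails with an AccessDenied error naming a service that is not in the list, add that service's prefix to the boundary rather than removing the boundary.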
Azure Service Principal
To deploy the lab infrastructure to Azure, you need to create a new Azure Service Principal that the DevOps server uses to authenticate to your Azure subscription. The steps below grant it the Application.ReadWrite.All Microsoft Graph permission and the Owner role on the subscription, so treat its client secret as a highly privileged credential: store it only where Lab 1.0 tells you to, and delete it when you are finished with the labs.
Requirements
- Provided by you:
- Azure Pay as You Go (PAYG) subscription with owner permissions
Step by Step Instructions
- Log into the Azure Portal using your personal administrator account.
- Follow the Create a Microsoft Entra application and service principal that can access resources documentation to create a new devsecops Azure Service Principal. The service principal needs the following API permissions:
  - Use the Microsoft Graph option to add the Application.ReadWrite.All application permission.
  - On the Configured permissions screen, press Grant admin consent for Default Directory.
- Follow the Set up authentication option 3 documentation to create a new client secret for the devsecops Azure Service Principal.
- Follow the Assign a user as an administrator of an Azure subscription documentation to assign the devsecops Azure Service Principal as an Owner of your Azure subscription.
- Follow the Lab 1.0 - Azure Cloud Account Setup instructions in the electronic workbook to populate the ~/.azconfigvars file with the devsecops client id, client secret, tenant id, and subscription id. Then, complete the remaining Azure Command Line Interface (CLI) steps.
Clean Up
- When you are finished with the labs, run the Lab 5.4: Tear Down script in the electronic workbook to remove the lab infrastructure from your AWS and Azure accounts.
- Then use the same Terraform commands you used to create the DevOps server, except change the last command from terraform apply to terraform destroy. This removes the DevOps server from your AWS account and deletes the SmartProxy configuration file Terraform created in the ~/sec540 directory.
- The devsecops IAM user and the devsecops Azure Service Principal were created by hand, so terraform destroy does not touch them. Delete the IAM user's access keys and the service principal's client secret (or remove both principals entirely) once you no longer need the labs.