Skip to content

SANS SEC545 Cloud Security Simulator Setup Guide (K02)

SEC545 students can follow these instructions to build the labs in their personal AWS accounts. Doing so allows students to complete the labs after access to the SANS provisioned accounts is expired.

  • AWS free tier eligible accounts are expected to cost roughly $30 USD per day for the AWS resources (including the DevOps server). Make sure you tear down the environment when you are not using it.

To limit costs, please make sure to run the Tear Down script (~/code/genaiapp/destroy_lab.sh) when you are not using the lab environment.

YOUR Financial Responsibility

When running the Cloud Security Flight Simulator and performing the corresponding labs in your personal AWS / Azure environments, YOU are responsible for all costs.

DevOps Server Deployment

Requirements

Step by Step Instructions

  1. Configure your AWS CLI with administrator credentials for your AWS Account.

    aws configure

  2. Create a new working directory for running the Terraform deployment.

    mkdir ~/sec545
cd ~/sec545

  3. Download the sec545-k02.tf launch template (e.g. sec545-k02-ami.tf) into the ~/sec545 directory.

  4. After sharing the AMI with your personal AWS account, the instructor or OnDemand SME will give you the commands to set the required Terraform variables and apply the template. Run those commands in the ~/sec545 directory.

  5. The terraform apply command will take a few minutes to complete. Once it is finished, you will see the following:

    • The environment_summary output contains the information you need to connect to the DevOps server.

    • SmartProxy Config - The name of the SmartProxy configuration file created by Terraform in the ~/sec545 directory.

    • SSH + SOCKS Connect Command - The command to connect to the DevOps server using SSH and the SOCKS proxy using the private key created by Terraform in the ~/sec545 directory.

    Apply complete! Resources: 16 added, 0 changed, 0 destroyed.

Outputs:

environment_summary = <<EOT
  Latest AMI:  ami-06cb88e1e8c394247 - sans-sec545-k02.25.1.0
  Running AMI: ami-06cb88e1e8c394247
  Public IP:   3.15.0.118

  Local IP:          71.34.29.101
  Allow CIDR:        71.34.29.101/32

  Proxy Pass:        intensely_luckily_bursting_pelican
  SmartProxy Config: SmartProxy-enjoyed-crawdad.json

  SSH + SOCKS Connect Command

      ssh -i enjoyed-crawdad.pem -D 54640 student@3.15.0.118

EOT

  6. Follow the course Lab Setup Instructions guide to install the DevOps server's CA certificate, configure the SmartProxy extension, and connect to the DevOps server.

AWS student IAM User

To deploy the lab infrastructure to AWS, you need to create a new student IAM user. The easiest to to set permissions is by attaching the AdministratorAccess policy. Our recommendation is to use a permission boundary on this IAM user to restrict access to the services not used in the AWS labs. Then, create a new pair of access keys for authenticating the DevOps server to your account.

Requirements

  • Provided by you:
    • AWS personal account with administrator credentials

Step by Step Instructions

  1. Log into the AWS Console using your personal administrator account.

  2. See the Creating an IAM user in your AWS account documentation to create a new student user.

  3. See the Adding permissions to a user (console) documentation to attach the AdministratorAccess policy.

  4. See the Managing access keys for IAM users documentation to create a new pair of access keys for the student user.

  5. Follow the Lab 1.0 - AWS Cloud Account Setup instructions in the electronic workbook to configure the DevOps server's AWS Command Line Interface (CLI).

Clean Up

  • When you are finished with the labs, run the ~/code/genaiapp/destroy_lab.sh script to remove the lab infrastructure from your AWS account.

  • Then use the same Terraform commands you used to create the DevOps server, except change the last command from terraform apply to terraform destroy. This will remove the DevOps server and the SmartProxy configuration file from your AWS account.