Overview

With the rapid adoption of cloud infrastructure and the prevalence of hybrid cloud environments among organisations, the need to address cloud misconfigurations has become paramount. This course offers a holistic approach to understanding and mitigating misconfigurations in AWS, Azure, and GCP. From building and migrating to managing and innovating in the cloud, organisations face increasing pressure to secure their cloud infrastructure effectively. To achieve this, a deep understanding of cloud attack architecture and hands-on experience with relevant tools and techniques are essential.

Updated for 2024, this comprehensive 4-day course immerses participants in the attacker's mindset, providing the opportunity to deploy over 25 novel attacks through state-of-the-art labs. The training is delivered by seasoned penetration testers with extensive experience in cloud hacking, gained through real-world engagements.

By the end of the course, participants will be well-equipped to confidently identify vulnerabilities within cloud deployments. Additionally, the training covers cloud detection and response strategies, empowering participants to proactively address weaknesses and monitor their cloud environment for potential attacks. This course is a crucial step toward enhancing cloud security in an ever-evolving threat landscape.

Approximate Labs: 38

Demo: 10

Read more

Prerequisites

Delegates must have the following to make the most of the course:

  • Basic to intermediate knowledge of cybersecurity (1.5+ years’ experience)
  • Experience with common command line syntax

Who it’s for:

  • Cloud administrators and architects
  • Penetration testers and red teamers
  • Blue teams, CSIRT / SOC analysts, and responders
  • Cloud developers & engineers
  • Security & IT managers and team leads

This course is suitable for anyone with a stake or interest in cloud security, from technical practitioners to decision makers. The syllabus has been designed to cover the latest vulnerabilities and advances in hacking, as well as the skills to penetration test cloud systems and environments and remediate vulnerabilities.

Read more

Learning Outcomes

This course uses a Defense by Offense methodology based on real world offensive research (not theory). That means everything we teach has been tried and tested on live environments and in our labs and can be applied once the course is over. By the end, you’ll know how to:

  • Think and behave like an advanced, real world threat actor
  • Identify and exploit complex vulnerabilities and security misconfigurations in AWS, Microsoft Azure, and Google Cloud Platform (GCP)
  • Design your penetration tests around real-world attacker behaviours and tooling, making it relevant to the threats facing your organisation
  • Identify the attack surface exposure created by cloud-based services such as virtual machines (VMs), buckets, container as a service (CaaS) platforms, and serverless functions
  • Support cloud defense strategies that include patching, asset inventory management, and other security controls

Top 3 takeaways

  • Exploitation techniques to gain cloud entry via exposed services
  • Post-exploitation techniques to enumerate systems and achieve exfiltration
  • Methods for defending different cloud environments

What you’ll be doing

You’ll be learning hands on:

  • Spending most of the session (~60%) on lab-based exercises
  • Using lab-based flows to explore and hack lifelike cloud environments
  • Exploiting, defending, and auditing different cloud environments
  • Competing In a Capture the Flag (CTF) challenge to test your new skills
  • Discussing case studies with your course leader to understand the real-world impact of the hacks covered

Why it’s relevant

The cybersecurity skills shortage is felt perhaps nowhere as deeply as in the cloud. With new rulebooks and standards, practitioners often find themselves playing catch up with the latest developments in technology and in the threat landscape. This course is designed to be a highly informative bootcamp to help you advance your skills in the most important and relevant areas of cloudsec. Across four days, you’ll learn about the high-impact vulnerabilities and flaws that could be open in your organisation right now and how to fix them.

Our syllabuses are revised regularly to reflect the latest in-the-wild hacks, the newest system releases, and whatever proof of concepts we’ve been developing in our own research. Because they remain so up to date with the threat landscape and security industry standard, many delegates return every 1-2 years to update their skills and get a refresh.

Read more

Course Outline

Module 1: Introduction To Cloud Computing

This module introduces the core concepts of cloud computing, emphasising the importance of security. It explores the shared responsibility model, comparing cloud security with traditional models. Additionally, it sheds light on the significance of cloud metadata APIs from an attacker's perspective. This module lays the groundwork for a deeper understanding of cloud security and its unique challenges.

  • Introduction to the Cloud
  • Importance of Cloud Security
  • Shared Responsibility Model in the Cloud
  • Comparison with Conventional Security Model
  • Importance of Cloud Metadata API from an Attacker's Perspective

Module 2: Cloud Asset Enumeration

This module will explore DNS-based Enumeration techniques, gaining insights into identifying cloud assets through DNS records.

The module then delves into 'OSINT Techniques for Cloud Asset Enumeration,' equipping participants with open-source intelligence methods to uncover valuable information. Additionally, it covers 'Username Enumeration using Cloud Provider APIs,' empowering attendees to utilise cloud provider APIs to enumerate usernames effectively.

  • Importance of DNS in the Cloud
  • DNS-based Enumeration
  • OSINT Techniques for Cloud Asset Enumeration
  • Username Enumeration using Cloud Provider APIs

Module 3: Attack Surface of Cloud Services

This module delves into the attack surfaces of key cloud service models: Infrastructure as a Service (IaaS), Function as a Service (FaaS), Platform as a Service (PaaS), and Container as a Service (CaaS). It provides an in-depth understanding of the vulnerabilities and security challenges associated with each model. The module kicks off with an examination of the 'IaaS Attack Surface,' followed by the 'FaaS Attack Surface,' 'PaaS Attack Surface,' and 'CaaS Attack Surface.'

  • Understanding Infrastructure as a Service (IaaS) Attack Surface
  • Understanding Function as a Service (FaaS) Attack Surface
  • Understanding Platform as a Service (PaaS) Attack Surface
  • Understanding Container as a Service (CaaS) Attack Surface

Module 4: Cloud Storages

This module covers cloud storage security in AWS, GCP, and Azure. It starts with an introduction to AWS S3, followed by addressing AWS S3 misconfigurations. The module then explores GCP and Azure storage solutions. It culminates with a focus on securing Azure's Shared Access Signature (SAS) URLs. Attendees will gain the knowledge and skills to secure their cloud storage effectively, avoiding common pitfalls and optimising data protection in these cloud environments.

  • Introduction to AWS S3
  • AWS S3 Misconfigurations
  • Introduction to GCP Storage
  • Introduction to Azure Storage
  • Azure: Shared Access Signature (SAS) URL Misconfiguration

Module 5: Introduction to Azure and Attacking Microsoft Azure AD

This Module commences with an 'Introduction to Azure and Microsoft Entra ID,' setting the foundation for understanding Azure security.

The module extensively covers 'Azure Application Attacks' across critical components such as App Service, Function App, and Storages. Participants will also delve into the intricacies of securing Azure Databases and the significance of the Automation Account, Azure Key Vault, a pivotal component in safeguarding sensitive data, is thoroughly explored.

Additionally, this module introduces 'Microsoft Entra ID' and elaborates on its authentication methods and associated risks. Participants will gain insights into potential attacks on Microsoft Entra ID, particularly concerning Managed User Identities. The training provides advanced techniques for bypassing Multi-Factor Authentication (MFA) security and navigating Conditional Access Policies effectively.

Participants will also learn how to exploit Dynamic Membership Policies and harness Azure Identity Protection to monitor user behaviour, enhancing the overall security posture.

  • Introduction to Azure and Microsoft Entra ID
  • Azure Application Attacks on App Service, Function App, and Storages
  • Azure Database
  • Automation Account
  • Azure Key Vault
  • Introduction to Microsoft Entra ID Authentication Methods and Risks
  • Microsoft Entra ID Attacks (Managed User Identities)
  • Bypassing MFA Security and Conditional Access Policy
  • Abusing Dynamic Membership Policy
  • Azure Identity Protection to Monitor User Behaviour

Module 6: Introduction to AWS

This module offers an in-depth exploration of advanced Amazon Web Services (AWS) security topics. Beginning with an Introduction to AWS Identity and Access Management (IAM) and Policies, the module explores policy evaluation and AWS Cognito Service, with a focus on potential IAM misconfigurations.

The training delves into various aspects of AWS security, including Elastic Beanstalk, AWS Cross-Account misconfigurations, and the enumeration of roles using Pacu. Participants will gain insights into gaining access to EC2 instances by exploiting instance attributes and addressing resource-based policy misconfigurations.

Additionally, the module covers Lambda and API Gateway exploitation, AWS Elastic Container Registry (ECR), and Elastic Container Service (ECS). It educates participants on protecting sensitive data within Docker images and introduces AWS Organisations and IAM Access Analyzer.

Upon completion of this Module, attendees will emerge with a deep understanding of advanced AWS security practices and the practical skills required to secure cloud environments effectively. This module is designed to empower individuals to proactively address security challenges within AWS infrastructures.

  • Introduction to AWS IAM and Policies
  • Understanding AWS Policy Evaluation
  • AWS Cognito Service
  • IAM: Misconfigurations
  • Elastic Beanstalk
  • AWS Cross-Account Misconfigurations
  • Enumerate Roles using Pacu
  • Gaining Access to EC2 Instance by Abusing Instance Attribute
  • Resource Based Policy Misconfiguration
  • Lambda and API Gateway Exploitation
  • AWS ECR and ECS Service
  • Stealing sensitive information from the Docker images
  • Introduction of AWS Organisation
  • IAM Access Analyzer

Module 7: Introduction to GCP

Participants will delve into essential GCP security aspects, including IAM Role and Service Account, Authentication methods using Service Account files and Access tokens. The module introduces Compute Engine, Cloud Storage, App Engine, and Identity-Aware Proxy (IAP). Furthermore, this module covers the GCP services like Cloud Function, Cloud Storage, Pub/Sub, Cloud Run and databases.

Security-related topics include IAM Impersonation and Secret Manager, bolstering access control. The module concludes by introducing Container Registry, a vital component of GCP container management.

  • Introduction to GCP
  • Introduction to IAM Role, Service account
  • Understanding the Authentication in GCP:
    • Service Account file
    • Access token
  • Introduction to Compute Engine and Cloud Storage
  • Understanding App Engine, IAP
  • Database: Firestore/Firebase
  • Cloud Function and Cloud Storage
  • Pub/Sub and Cloud Run
  • IAM Impersonation and Secret Manager
  • Container Registry

Module 7: Revisiting AWS, Azure and GCP Misconfigurations in Hardened Environment

This section revisits the key cloud misconfigurations discussed in the Azure, AWS, and GCP sections, focusing on comprehensive fixes in a hardened environment. The module provides insights into the practical implementation of robust security measures, ensuring that cloud environments are fortified against vulnerabilities and risks. By actively validating these fixes, participants will be better prepared to enhance cloud security and maintain a robust posture across Azure, AWS, and GCP platforms.

  • Validate Fixes for the Following Topics:
    • Microsoft Entra ID
    • Azure MFA Bypass
    • Azure Key Vault
    • Elastic Beanstalk
    • AWS IAM Misconfigurations
    • ECS and ECR
    • AWS Cognito
    • GCP IAM
    • GCP IAP

Module 9: Backdooring and Maintaining Access

Module 10: Difference Between AWS, Azure, & GCP IAM and Pitfalls

This module offers a concise comparison of Identity and Access Management (IAM) in AWS, Azure, and GCP. It illuminates the key differences and potential pitfalls associated with IAM in these cloud platforms. Participants will gain insights into the nuanced IAM features and challenges specific to each provider, equipping them with a solid understanding to navigate and secure access control effectively.

Module 11: Cloud Defense Using Open-Source and Cloud-Native Tools

This module focuses on an all-encompassing approach to cloud defense, encompassing four fundamental pillars: identification, protection, detection, and response. Participants will gain insights into how to proactively identify vulnerabilities and potential threats within their cloud infrastructure. They will also explore strategies for safeguarding cloud assets and data. The module delves into the critical aspect of real-time threat detection, equipping individuals with the skills to recognise and respond to security incidents effectively. By the end of this module, participants will be well-prepared to establish robust cloud defense mechanisms, ensuring the security and resilience of their cloud environments.

  • Identification of Cloud Assets
  • Hybrid Account Asset Inventory
  • AWS Multi-Account Asset Inventory using Open Source Tools
  • Protection of Cloud Assets
  • Principle of Least Privilege (with examples like EC2, IAM, RDS, etc.)
  • Financial Protections by Enabling Budgets
  • Metadata API Protection
  • Demo of Metadata API Protection using Linux Firewall Rules
  • Monitoring Cloud Activities using Cloud Native Tools
  • Hybrid Cloud Account Monitoring Strategy
  • Automated Response in Cloud Against Malicious Activities
  • Response to Attacks Using AWS Config and AWS Step

Module 12: Auditing and Benchmarking of Cloud

This module delves into the comprehensive CIS benchmark, and essential cloud security best practices designed to establish a baseline security posture within cloud infrastructures. Participants will gain profound insights into industry standards and proven methodologies for enhancing cloud security, ultimately fortifying their cloud environments against vulnerabilities and threats.

  • Preparing for the Audit
  • Automated Auditing via Tools
    • Exercise
  • Golden Image / Docker Image Audits
    • Exercise
  • Relevant Benchmarks for Cloud

Read more

QA is proud to be an official partner with NotSoSecure.

NSS Technical Paper - Defending against Client-Side Attacks

Download Technical Paper

Why choose QA

Dates & Locations

Cyber Security learning paths

Want to boost your career in cyber security? Click on the roles below to see QA's learning pathways, specially designed to give you the skills to succeed.

Required Star = Required
Certification = Certification
AI Security & Governance
Application Security
Cyber Blue Team
Cloud Security
DFIR Digital Forensics & Incident Response
Industrial Controls & OT Security
Information Security Management
NIST Pathway
OffSec
Privacy Professional
Reverse Engineer
Secure Coding
Security Architect
Security Auditor
Security Risk
Security Tech Generalist
Vulnerability Assessment & Penetration Testing

Cyber Defensive Operations learning paths

Want to boost your career in Cyber Defensive Operations? View QA's learning pathways below, specially designed to give you the skills to succeed.

Required Star = Required
Certification = Certification
Cyber Blue Team
DFIR Digital Forensics & Incident Response
Security Tech Generalist

Offensive Cyber Operations learning paths

Want to boost your career in the world of Offensive Cyber Operations? View QA's learning pathway below, specially designed to give you the skills to succeed.

Required Star = Required
Certification = Certification
OffSec
Vulnerability Assessment & Penetration Testing
Reverse Engineer

Frequently asked questions

See all of our FAQs

How can I create an account on myQA.com?

There are a number of ways to create an account. If you are a self-funder, simply select the "Create account" option on the login page.

If you have been booked onto a course by your company, you will receive a confirmation email. From this email, select "Sign into myQA" and you will be taken to the "Create account" page. Complete all of the details and select "Create account".

If you have the booking number you can also go here and select the "I have a booking number" option. Enter the booking reference and your surname. If the details match, you will be taken to the "Create account" page from where you can enter your details and confirm your account.

Find more answers to frequently asked questions in our FAQs: Bookings & Cancellations page.

How do QA’s virtual classroom courses work?

Our virtual classroom courses allow you to access award-winning classroom training, without leaving your home or office. Our learning professionals are specially trained on how to interact with remote attendees and our remote labs ensure all participants can take part in hands-on exercises wherever they are.

We use the WebEx video conferencing platform by Cisco. Before you book, check that you meet the WebEx system requirements and run a test meeting (more details in the link below) to ensure the software is compatible with your firewall settings. If it doesn’t work, try adjusting your settings or contact your IT department about permitting the website.

Learn more about our Virtual Classrooms.

How do QA’s online courses work?

QA online courses, also commonly known as distance learning courses or elearning courses, take the form of interactive software designed for individual learning, but you will also have access to full support from our subject-matter experts for the duration of your course. When you book a QA online learning course you will receive immediate access to it through our e-learning platform and you can start to learn straight away, from any compatible device. Access to the online learning platform is valid for one year from the booking date.

All courses are built around case studies and presented in an engaging format, which includes storytelling elements, video, audio and humour. Every case study is supported by sample documents and a collection of Knowledge Nuggets that provide more in-depth detail on the wider processes.

Learn more about QA’s online courses.

When will I receive my joining instructions?

Joining instructions for QA courses are sent two weeks prior to the course start date, or immediately if the booking is confirmed within this timeframe. For course bookings made via QA but delivered by a third-party supplier, joining instructions are sent to attendees prior to the training course, but timescales vary depending on each supplier’s terms. Read more FAQs.

When will I receive my certificate?

Certificates of Achievement are issued at the end the course, either as a hard copy or via email. Read more here.

Contact Us

Please contact us for more information