Tuesday – Jan. 28, 2019
Wednesday – Jan. 29, 2019


8:00am – 5:00pm
8:00am – 5:00pm


13333 Holmes Road
Kansas City, MO 64145



Pre-exam Assessment

NOTE: This is an advanced, hands-on, cloud security class.

Students should be extremely comfortable connecting to and working with remote Linux systems via SSH and in navigating the Amazon Web Services console without step-by-step screenshots. Students will need basic Python skills to complete all of the automation labs but code snippets will be provided. All students should complete the pre-class assessment lab and bring their completion token to class. Students unable to keep up with the rapid pace of this training will be expected to complete the labs on their own time outside of class. 

Pre-exam Assessment

Part of the Cloud Security Alliance CCSK Suite

Learn to embrace cloud and build secure and resilient applications and infrastructure that blow away what you can do in traditional environments. This advanced training program covers cutting-edge techniques for building secure cloud deployments, from networking and identity management through application security and serverless architectures. This two day training is predominantly hands-on labs as we build out a secure cloud environment and cloud-native application architecture, then create a deployment pipeline with integrated security testing. We finish with security automation and a live fire incident response exercise. All labs are in Amazon Web Services but we also discuss the implementation differences for Azure and Google Compute Platform.


Real-world cloud security is most definitely not business as usual. The fundamental abstraction and automation used to build cloud platforms upends much of how we implement security. The same principles may apply, but how they apply is dramatically different, especially at enterprise scale.

This highly technical course expands the basics of our Cloud Security Hands on Training and delves deep into practical cloud security and applied DevSecOps for enterprise-scale cloud deployments. It focuses completely on Infrastructure and Platform as a Service, and will not cover Software as a Service. The training is technical and will not cover policies, risk, or governance issues except as they come up in passing.

We begin on day one with an in-depth discussion of cloud platform technologies; giving you a look into how the services are built and managed, and the security implications. We will then quickly start building out a landing zone in Amazon Web Services and a multi-account sandbox environment and deploying security controls.

Day two shifts gears to focus on designing secure architectures, integrate with DevOps, and build your own DevSecOps toolkit for managing cloud security at scale:

The content includes:

  • Use of multi-account architectures for managing blast radius.
  • Creating a landing zone and building multi-account security architectures in AWS.

  • Principles for expanding security for multi-cloud deployments.

  • Building out advanced cloud virtual networks. Including transit networks.

  • Leveraging inherent cloud capabilities for network security.

  • Security using Infrastructure as Code with CloudFormation.

  • Use of DNS management, auto scale groups, load balancers, and other technologies for immutable infrastructure.

  • Privileged user management, MFA, and other access essentials.

  • Securing PaaS and mixed IaaS/PaaS architectures.

  • Advanced Identity and Access management for cloud, including setting up SAML federation across providers, permission boundaries, multi-account federation, and preventing privilege escalation.

  • Fundamentals of DevSecOps.

  • Building secure deployment pipelines and fundamentals of Git and Jenkins security.

  • Leveraging multi path pipelines for secure production deployments.

  • Integrating automated security testing into deployment pipelines with pre and post build tests in Jenkins.

  • Basics of secrets management for DevOps.

  • Cloud security architectural patterns for major application types and serverless security, including AuthN/Z with API gateways.

  • Cloud data security and encryption.

  • Automating continuous security monitoring and alerting using cloud native capabilities.

  • Security automation through the console.

  • Security automation through code (predominantly Python/lambda).

  • AuthN/Z for security automation and credential management and role chaining.

  • Scaling your security operations to hundreds (or thousands) of accounts through automation.

  • Container security fundamentals (time permitting) and securing mixed container/serverless deployments.

  • Incident response in the cloud.

All labs will be in Amazon Web Services, with some demonstrations and integrations with Microsoft Azure. All labs can be completed outside of class for students unable to keep up with the rapid pace of the training.

Programming labs will use Python. Text snippets will be provided so students don’t need to code from scratch, but students without Python skills may be limited to using only the provided snippets.


Technical security professionals wanting to expand their hands on knowledge of cloud security and DevSecOps at enterprise scale. Non-technical professionals are welcome to attend and absorb the information but need to understand they will not be able to complete the labs and the instructors will not be able to adjust the pace of the training.


Students should have experience with at least one public cloud provider (Ideally AWS) and hands-on experience configuring virtual networks, launching and managing basic instances/services, and navigating cloud management consoles that may not match screenshots due to the rapid rate of cloud provider changes (Amazon has changed entire service interfaces in the middle of training in the past). They should also be comfortable with the command line and basic bash scripting. Python experience is strongly encouraged for the best experience.


A laptop with SSH and wireless connectivity and their pre-class assessment token. Students MUST sign up for Amazon Web Services before training begins, and bring their credentials and keys.


Electronic training materials


Rich Mogull – With twenty years of experience in information security, physical security, and risk management, Rich is one of the foremost experts on cloud security, having driven development of the Cloud Security Alliance’s V4 Guidance and the associated CCSK training curriculum.