SANS SEC549 2021: Cloud Security Architecture – Key Takeaways

Course Overview

SANS SEC549 was designed to bridge the gap between traditional enterprise security architecture and cloud-native environments. Unlike generic cloud certifications (e.g., AWS Certified Security), this course focused on architectural patterns, threat modeling, and strategic control selection across AWS, Azure, and GCP.

Core Modules (as taught in 2021)

1. Cloud Threat Modeling
Shift Left Mentality: Integrating security into CI/CD pipelines before deployment.
STRIDE for Cloud: Adapting Microsoft's STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to serverless, containers, and IaaS.
Tooling: Using open-source tools like Cartography or CloudMapper to visualize attack paths.
2. Identity & Access Management (IAM) Deep Dive
Cross-Cloud IAM: Comparing AWS IAM, Azure AD, and GCP Cloud IAM.
Federation & Zero Trust: Implementing OIDC/OAuth 2.0 for workload identities (e.g., GitHub Actions assuming temporary AWS roles).
Privilege Escalation Paths: Common misconfigurations (e.g., over-permissive resource policies, AssumeRole abuse).
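The federation and AssumeRole points above come together in the trust policy of the role a GitHub Actions workflow assumes: if the policy does not pin the token audience and the subject claim, any repository that can obtain a GitHub OIDC token can assume the role. The following added example (not course material) audits a trust policy for exactly those two conditions; the account ID, organisation and repository names are constructed placeholders.

```python
"""Audit an IAM role trust policy used for GitHub Actions OIDC federation.

A sound AssumeRoleWithWebIdentity trust pins the token audience to STS and
names a single repository (and ideally a branch or environment) in the
subject claim. Both policies below are constructed for this example.
"""
GITHUB_ISSUER = "token.actions.githubusercontent.com"
OIDC_PROVIDER = "arn:aws:iam::111122223333:oidc-provider/" + GITHUB_ISSUER

# Constructed weak policy: any repo in the org, audience never checked.
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{GITHUB_ISSUER}:sub": "repo:example-org/*"}},
    }],
}

# Constructed hardened policy: one repo, one branch, audience pinned to STS.
HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{GITHUB_ISSUER}:aud": "sts.amazonaws.com",
            f"{GITHUB_ISSUER}:sub": "repo:example-org/deploy-service:ref:refs/heads/main",
        }},
    }],
}


def audit_github_oidc_trust(policy: dict) -> list:
    """Return findings for each web-identity Allow statement; [] means clean."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in str(stmt.get("Action", "")):
            continue
        # Merge StringEquals / StringLike / ... into one key -> value view.
        flat = {k: v for op in stmt.get("Condition", {}).values() for k, v in op.items()}
        if flat.get(f"{GITHUB_ISSUER}:aud") != "sts.amazonaws.com":
            findings.append("aud not pinned to sts.amazonaws.com")
        subs = flat.get(f"{GITHUB_ISSUER}:sub")
        if subs is None:
            findings.append("no sub condition: any GitHub repository can assume the role")
            continue
        for sub in ([subs] if isinstance(subs, str) else subs):
            parts = sub.split(":")  # expected form: repo:<org>/<repo>:<ref or env>
            if len(parts) < 2 or "*" in parts[0] or "*" in parts[1]:
                findings.append(f"sub does not name a single repository: {sub}")
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_TRUST), ("hardened", HARDENED_TRUST)):
        print(name, audit_github_oidc_trust(pol) or "OK")
```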
3. Network Security Architecture
Microsegmentation: Using security groups, network policies (Kubernetes), and service meshes (Istio).
Cloud Firewalls: WAF, AWS Network Firewall, Azure Firewall, and GCP Cloud Armor.
Zero Trust Network Access (ZTNA): Replacing VPNs with cloud-native ZTNA solutions.
4. Data Protection
Encryption at Rest & in Transit: KMS (Key Management Service) differences across clouds.
BYOK/HYOK: Bring Your Own Key / Hold Your Own Key.
Data Loss Prevention (DLP): Implementing DLP for S3 buckets, Blob storage, and BigQuery.
5. Compliance & Governance
Automated Compliance: Using AWS Config, Azure Policy, and GCP Organization Policy.
Audit Logging: Centralizing CloudTrail, Azure Monitor, and Cloud Logging into a SIEM.
Framework Mapping: CIS Benchmarks, NIST 800-53, and GDPR/CCPA.
6. Incident Response in the Cloud
IR Playbooks: Detecting compromised IAM keys, cryptomining, and data exfiltration.
Forensics: Acquiring volatile memory from EC2, snapshots from EBS, and container logs.
Containment: Automatically isolating instances, revoking sessions, and blocking malicious IPs via cloud APIs.