If you have been reading my series on Cloud Security certifications then one recurring point I keep mentioning is the importance of getting hands on experience in the Cloud. Certifications will only get you so far and without practical hands-on experience you will face challenges early on in your cloud security career. However even for those who are actively trying to get cloud security experience; one common problem is the ago old dilemma below:
Instead of waiting around waiting for an employer to take a chance with you and give you a cloud security job without experience, I have listed down some simple steps you can use to get hands on experience today.
If you are new to the cloud then follow these steps in sequence and do not skip ahead without completing the previous one. If you get stuck in the technicalities of any of the steps then troubleshoot it yourself with the material present on the internet and do not give up. If you are able to complete these then you can list down some valuable cloud security experience on your CV !
Step 1 : Sign up for a free tier account
A key starting point for getting hands on is to have a home lab / sandbox where you can play around with services in the cloud. Thankfully most of the major providers already provide the same as they want users to try out their services before moving onto paid services. Google Cloud have a free plan which gives you around USD 300 to spend and play around over 90 days. Similarly AWS free tier gives you the ability to try out AWS services free up-to specified limits. Provided you keep an eye on these services you can easily create a cloud sandbox to play around in.
For the purposes of the examples below , I have used AWS but most of the these examples will be applicable to any cloud environment
Step 2 : Start with Infrastructure as Code (IaC)
Now that you have a cloud sandbox, it is time to provision some infrastructure but not via the easy way i.e. the management console. If you are working in the cloud then there is no escape from Infrastructure as Code as it is one of the most basic skills you need. IaC like its name basically means you define Infrastructure in a code template which is then processed by the provider and converted into actual infra in the cloud.
IaC lets you implement proper automation as no one in a proper cloud environment is going to provision hundreds of servers through a management interface and all of them will be using IaC templates like Cloudformation or Terraform. There are also numerous security benefits like full visibility , code review and immutability. Check out my ISACA journal article here if you want to know more about IaC. If you are completely new to IaC then some great free tutorials are present here. Use them to deploy a server (ec2 instance) or create a VPC and make sure to destroy them once they are no longer needed. You will encounter lots of problems the first time but do not give up as it will teach you a lot about how infrastructure gets provisioned in the cloud
Step 3 : Download Jenkins and create a pipeline
Ok now that you have a cloud sandbox and have become comfortable with a few IaC templates, now is the time to download and install Jenkins. In cloud environments, most code is propagated via pipelines and the best way to learn how that happens is building your own pipeline via Jenkins.
In case you are not aware then Jenkins is an open-source tool widely used in the DevOps and CI/CD world. It is completely free and lets you build pipelines for deploying code. Learn how to propagate your IaC templates via Jenkins instead of doing it manually. In case you do not know how to do the same there are some great tutorials available with my favorite one being here.
It is finally time to dive into some security stuff !
Step 4 : Scan your IaC templates for security issues
Ok if you have reached this far then you now have a pipeline which create infrastructure in the cloud via a pipeline which is pretty amazing !
DevOps and the Cloud go hand in hand and security is one of the major concerns when it comes to pipelines. We now need to introduce some security checks into the pipeline which stops insecure code from being propagated such as a template which has hard-coded access keys and secret keys !
There are numerous commercial and free tools available and the one I would recommend is Checkov which is a static code analysis tool for IaC which detects insecure templates and also lets you know if any insecure packages or images are being used.
Checkov can be installed from its github repo above and you can simply point it towards an Iac template and let it work its magic below.
Once you get the hang of Checkov, it is time to integrate Checkov scanning with the Jenkins pipelines you made earlier. Basically we want insecure code to stop the pipeline and show up as an failure. Cloud runs on code and completing this step will go a long way in building up your cloud security knowledge. Checkov has an easy tutorial for how to do this here
Step 5: Conduct a cloud security assessment of your AWS account
One of the biggest steps to complete your cloud security experience would be to conduct a complete review of your cloud environment. This is not something you can ( or would ) do manually but the good news is that there are numerous free tools present on the market. If you are using AWS like me then the best option would be Prowler. As per the official documentation :
Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains more than 200 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custome security framework
Prowler can be downloaded easily and run after you have configured the required credentials. Run it on your free AWS account and see the results
Step 6: Volunteer for Cloud Security experience
Congratulations for reaching this far ! If you have reached this far then you know how to deploy infrastructure as code, have it checked for vulnerabilities and do a complete security assessment for the most popular cloud provider in the world !
If you want to get more hands on experience while waiting for your dream job in cloud security then I would recommend creating a profile on Fiverr or Upwork and volunteering to do cloud security reviews for low cost. Most companies like non-profit organizations or small companies cannot afford full time security teams and will happily work with you to have a cloud security review done. They will get the benefit of a full security review while you can add this valuable experience on your profile.
I hope the above was beneficial to you all and I wish you all the best in your cloud security journey. If you feel there is more stuff I could have added then do let me know !