AWS Academy Cloud Security Foundations helps us gain the foundational knowledge of cybersecurity principles and services for cloud computing that we need to be successful in the industry. Using a guided hands-on approach, this course includes demonstrations, instructional guides, and real-life scenarios that help us understand how to secure user accounts, virtual network infrastructure, computing resources, and data storage. We learn how to apply the important security principles of confidentiality, integrity, and availability (CIA triad) in a cloud environment using AWS services including AWS IAM, AWS Organizations, and AWS STS (authentication & authorization), AWS KMS and AWS Certificate Manager (encryption), AWS CloudTrail (auditing), AWS CloudWatch (logging), and AWS VPC (identity & availability). It also introduces many AWS services that support the discovery and recognition phase of incident response, including AWS Config, Security Hub, Amazon Inspector, GuardDuty, and AWS Shield. See the Topic Schedule below for more details.
This is an eight-week, synchronous online course which meets once per week on Zoom, and has weekly modules and assignments. We typically cover one module per week. Every week in our live sessions and demos, video lessons, labs, and knowledge checks, we will gain repeated practice and increasing depth in the course objectives. Plan to do something several times a week to allow the concepts and procedures to take root and deepen. Similar to learning any skill, like playing a musical instrument or learning a new language, the more times you practice, the faster your skills will grow.
To be successful in this course, it is strongly advised to first complete one or both of the following:
This course builds on the concepts and activities covered in the Cloud Foundations course and/or the AWS Certified Cloud Practitioner exam, including familiarity with the AWS Well Architected Framework and several AWS services including Amazon EC2, Amazon Virtual Private Cloud (VPC), AWS Lambda, and AWS Identity and Access Management (IAM).
It is also recommended that we have prior experience with the following courses or topics:
Working knowledge of the AWS Management console
Working knowledge of distributed systems
Working knowledge of general networking concepts
Working knowledge of multi-tier architectures
Familiarity with cloud computing concepts
Working knowledge implies that we are able to work with a subject successfully, though we might not have an in-depth understanding of how it works. Familiarity implies that we have been exposed to and have a basic understanding of concepts.
• Be fully present
• Check in regularly
• Listen to each other
• Maintain honesty, integrity, and respect
• Ask for help when needed
• Own our actions and choices
The goal of this course is to introduce fundamental cloud security concepts and services. Upon successfully completing this course, you will be able to:
Identify security benefits and responsibilities of using the Amazon Web Services (AWS) Cloud.
Use the identity and access management features of AWS.
Describe how to secure network access to AWS resources.
Explain the available methods for encrypting data at rest and data in transit.
Determine which AWS services can be used for monitoring and incident response.
Upon meeting the course completion requirements, you are eligible to receive a digital course badge, sponsored by Credly. Instructions for receiving the course badge may be found in the AWS Academy on Canvas modules page.
While this course will introduce you to many aspects of security in AWS, the course will not fully prepare you for the AWS Certified Security – Specialty certification exam. This specialty certification is intended for experienced individuals who have five years of IT security experience in designing and implementing security solutions and two or more years of hands-on experience in securing AWS workloads. To learn more about this exam, visit AWS Certification.
This course will be delivered using several learning environments, including SDCCD Canvas, AWS Academy on Canvas, Vocareum, and Zoom. The AWS Academy is providing the training materials in their Canvas LMS, including course grades. All communication and Live Sessions will be available in the SDCCD Canvas LMS. THE TWO SYSTEMS ARE NOT LINKED. Therefore, you will be provided with separate access to the AWS Academy LMS by your instructor.
SDCCD Canvas LMS: This is our communication hub, where we will find weekly announcements, links to the weekly virtual Live Sessions on SDCCD Zoom, and the session recordings. We use our SDCCD student CSID and password to log in.
AWS Academy Canvas LMS: This is where we will find our e-learning resources, including pre-recorded video lessons and demonstrations, as well as our hands-on labs and knowledge checks (short quizzes). All course grades will be posted here. We will access this from a web browser (Chrome or Firefox) on a standard PC or laptop (Windows, Mac, or Linux - no tablets or smartphones). To log in, we use our existing AWS Academy Canvas student account.
AWS Management Console on Vocareum: We access this console within the AWS Academy on Canvas, leveraging the integrated Vocareum hands-on lab environment. The AWS Management Console is a web application that provides access through a single web interface to the AWS service consoles for managing such AWS resources as Amazon EC2 and VPC, Amazon S3, AWS Lambda, AWS Systems Manager, and more.
Achieve a "C" grade or higher by earning at least 840 points in AWS Academy Grades
Complete the course assessment and all six knowledge checks with a minimum passing score of 70 points each
A = 100 to 95.00% = 1,200 to 1,140 points
B = 94.99 to 85.00% = 1,139 to 1,020 points
C = 84.99 to 70.00% = 1,019 to 840 points
D = 69.99 to 60.00% = 839 to 720 points
F = 59.99 to 0.00% = 719 to 0 points
All assignments are submitted directly within the assignment page in AWS Academy on Canvas.
Upon completing an assignment, you can submit your work for automated grading
Your score will be immediately displayed in the course gradebook
Upon ending an HOL session, all resources launched or deployed (either by Vocareum at the start of the lab or by you in the course of the lab) will be terminated and removed.
Assignments may be attempted and submitted multiple times, with the most recent score displayed in the course gradebook
I want to help you achieve your goals in this course - if you are struggling to meet the schedule, contact me as soon as possible so we can discuss this and create a plan that will help you succeed!
Knowledge Checks (KC) - 100 points each, 6 total for up to 600 points
Completed in the AWS Academy, each AWS module includes this required ten-question (multiple choice and T/F) formative assessment. This assignment is autograded and may be attempted multiple times, which allows us to gain greater confidence with the material and achieve the minimum passing score of 70 points.
Hands-on Labs (HOL) - 100 points each, five total for up to 500 points
These are hands-on labs using the AWS console, available only within AWS Academy, and accessed and submitted using the Vocareum lab environment. The labs provide guided, step-by-step instructions and, in some cases, an ending challenge to help us gain experience with and an understanding of the concepts presented in the course.
Course Assessment - 100 points
The final course assessment includes 25 randomized questions drawn from the course videos and student guide notes. This assignment is autograded and may be attempted multiple times to achieve a minimum passing score of 70 points.
Zoom Live Sessions (LS)
Each week during Live Session, we review the prior week's materials, introduce the current week's lesson and activities, and work in small groups. If you miss a Live Session, be sure to notify the instructor.
I value your success and I know your ability to communicate with me is an important ingredient in that recipe.
Contact me Monday through Friday by Canvas Inbox, and I will respond within 24 to 48 Hours.
Meet with me in Zoom before or after the weekly Live Session.
Meet with me in Zoom during Student Virtual Office Hours.
If you are seeking help with a lab, consider scheduling time in Zoom to work on it together!
Canvas Inbox: It is important to stay in contact, and this is one of the best ways to do so. I will respond to your message within 48 hours (but usually sooner), Monday – Friday before 5:30 PM. You can either check your messages in the CANVAS system or set your notifications to your preferred method of contact. If you send me a message over the weekend or during a holiday, expect a response by Monday or Tuesday afternoon.
Canvas Announcements: You will receive one each week on Sunday when the weekly module opens. These appear at the top of the class homepage when you log in and will be sent to you directly through your preferred method of notification from CANVAS. Check them regularly, as they contain important information about upcoming assignments or class concerns.
If I do not hear from you, and your course participation drops, I will reach out through Canvas Inbox to make sure everything is alright. It is important that you respond as soon as you receive the message. Remaining in communication with me (and your classmates) is one of the best ways to ensure success in the course.
Help with Lab Assignments: If you are seeking help with an assignment, include the assignment name and number, the specific step number, and any error messages and relevant information, including the expected outcome. The more accurate and specific, the better. Sometimes a screen shot or two can explain things that words cannot, especially when properly annotated. You might also consider dropping by the weekly office hours in Zoom or during the Live Session, or we can schedule a one-to-one Zoom session.
I want and know that you can succeed in this course, and I have found that regular weekly participation is one of the most effective ways to learn and grow your cloud skills. To help make that happen, this course is offered online and synchronous, which means that we will have regular weekly online meetings and weekly assignments.
Regular participation means checking into the course at minimum 3 times a week:
Completing graded assignments each week
Attending Weekly Live Sessions
Viewing module videos and reading
Practicing demos with the sandbox
Responding to messages from the instructor within 48 hours, or sooner if urgent
Note: If I do not hear from you and you do not participate in the course for over a week, I will send you a Canvas message. If I do not hear back from you within 24 to 48 hours, and you still have not accessed the course, I may assume you have dropped, and will remove your name from the course roster.
In general, do your best to stay current with the weekly material. If you cannot participate regularly or know that you may have to miss a week in Canvas for an unavoidable circumstance, let me know right away. Stay in contact and respond to any messages within 48 hours.
Each weekly Live Session is an opportunity for you to interact directly with others in the course. I urge you to make every effort to attend and participate. The meetings are held in Zoom and provide us with time to both review the prior week’s material and highlight important points about the current week’s module. You also have an opportunity to meet with fellow classmates to discuss thought-provoking scenarios and exchange ideas in small groups. Most students enjoy the opportunity to share ideas and learn from each other. The registration link is available on the course home page.
The Student Virtual Office Hours provide time for one-to-one assistance with labs and concepts, as well as sharing ideas with classmates or going deeper into a topic. The link is available on the course home page.
Student Services: If you need help with a personal problem or advice about your studies, you can make an appointment with a counselor. For example, a counselor can help you make a plan to reach your goals: improving your English, getting your GED, enrolling in a job training class, or attending college. If you need help finding a job, you can contact the Career Development Services Counselor.
Course Counselor: Joyce Almario-Greno, jalmario@sdccd.edu
Job Developer: Jennifer Kennedy, 619-800-3093, jkennedy@sdccd.edu
Contact Career Services
If you have a disability or think you might have a disability, you can contact the counselor in the Disability Support Programs and Services (DSPS) at your campus. DSPS can provide services and special equipment that will make it easier for you to study in our classes. An example of special equipment is a machine that enlarges the print for people who have a vision disability. Since it takes time to provide services, we recommend that you contact the counselor at least two weeks in advance. DSPS services are confidential and voluntary.
For assistance with your SDCCD student password or student records: Use the secure mySDCCD Support Desk. Complete the top portion, and at the bottom of the web page, select from the Help Topic "I forgot my password". You will then be required to submit a digital copy of your government issued ID for proof of identity.
To Speak with Live Staff: Sign up for our Virtual Student Support Center
For all other matters: email the campus at sdcenorthcity@sdccd.edu or sdcemesa@sdccd.edu. All of the staff are waiting to help students.
Regular attendance is expected in all courses. For online courses the expectation is that you will check into the course at minimum 3 times a week. Any student frequently absent from the course may, at the discretion of the instructor, be dropped from the course. Those students receiving Veteran’s Benefits or CalWORKS must comply with the attendance requirements specific to these programs.
Students should actively participate in course activities.
Our college has rules about academic dishonesty:
Students are not permitted to cheat on course assignments or tests.
Students are not permitted to use false information.
Students may not copy the language or ideas of another person and use them as their own ideas.
An instructor will take the following steps if he/she thinks a student has been dishonest in completing a course assignment or test:
Discuss the situation with the student. Make sure that the student understands why his/her action is dishonest.
If the student did not understand that his action was dishonest, the instructor can give the student a warning.
If the student knew that his action was dishonest, the instructor can give him/her a failing grade.
Note that live sessions fall on the day of the week and at the times provided to you before the term start and proceed in a weekly manner. All assignments for a particular live session are due at 11:59 PM PST on the last day of the week for that module. Live sessions will not be held on SDCCE holidays. If a live session for this course falls on an SDCCE holiday, the live session will be rescheduled, and your instructor will inform you as to when the Live Session will be rescheduled or how the content will be covered.
The purpose of this module is to introduce us to the AWS Academy Cloud Security Foundations (ACSF) course prerequisites and objectives, and provide an overview of what the course will cover. We are introduced to the content of each module along with any activities, demonstrations, and labs that are contained in each module. We then are introduced to the course scenario, a fictional bank, which provides a way to explore topics of cloud-computing security in the context of relatable business needs.
Minimum Content Time: 3.75 hours
Live Session in Zoom (3.0 hours)
Activity: AWS Documentation Scavenger Hunt
Welcome and Pre-Course Survey (10 minutes)
AWS Module 1 video lessons (10 minutes)
Activity: AWS Documentation Scavenger Hunt (25 minutes)
The purpose of this module is to introduce us to how to provide security in the AWS Cloud. We are introduced to important security concepts, including the triad of confidentiality, integrity, and availability, or CIA, and the security models used in the cloud. Our focus will center on the security design principles based on the AWS Well-Architected Security Pillar, which provides guidance and best practices on how to strengthen the security posture of the customer’s cloud environment. We also cover the AWS shared responsibility model to identify customer and AWS responsibilities.
Identify security features and benefits of cloud computing.
Identify the security principles that the AWS Cloud is structured around.
Identify which part of an application the user is responsible to secure in the cloud.
Minimum Content Time: 3.75 hours
Live Session in Zoom (3.0 hours)
Activity: Shared Responsibility Model
AWS Module 2 video lessons (25 min)
AWS Knowledge Check 2 (20 minutes)
The purpose of this module is to introduce the AWS Identity and Access Management (IAM) service, and to present some of the key terms and elements of the service. The module explains how IAM provides authentication and authorization and examines how IAM integrates with other AWS services. It provides an overview of additional authentication and access management services including AWS Single Sign-On (AWS SSO), AWS Directory Service, and Amazon Cognito. This module also covers how to use AWS Organizations to manage identities in a hierarchical and effective manner.
Authorize access to AWS services by using IAM users, groups, and roles.
Differentiate between different types of security credentials in IAM.
Authorize access to AWS services by using identity-based and resource-based policies.
Identify other AWS services that provide authentication and access management services.
Centrally manage and enforce policies for multiple AWS accounts.
Minimum Content Time: 5.25 hours
Live Session (3 hours)
AWS Module 3 video lessons (36 min)
AWS Video Demonstration: Amazon S3 Cross-Account Resource-Based Policy
Hands-on Lab 3.1 (1 hr)
Knowledge Check 5 (20 min)
Lab 3.1: Using Resource-Based Policies to Secure an S3 Bucket
Analyze how AWS IAM policies define access permissions by configuring and applying identity-based policies and roles to IAM users, and resource-based policies to Amazon S3 buckets.
After completing this lab, you should be able to do the following:
Recognize how to use IAM identity-based policies and resource-based policies to define fine-grained access control to AWS services and resources.
Describe how an IAM user can assume an IAM role to gain different access permissions to an AWS account.
Explain how Amazon S3 bucket policies and IAM identity-based policies that are assigned to IAM users and roles affect what users can see or modify across different AWS services in the AWS Management Console.
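To make the lab's outcome concrete, here is an added toy evaluator (not AWS's policy engine and not lab code) for the same-account rule Lab 3.1 exercises: a request succeeds when the caller's identity-based policy or the bucket policy allows it and no statement explicitly denies it. The account id, ARNs and policies are constructed; Condition, NotAction, permission boundaries and SCPs are ignored, and an assumed role is represented by its role ARN.

```python
"""Toy same-account policy evaluator for the Lab 3.1 scenario.  Added
illustration, not AWS's evaluator: it ignores Condition, NotAction/NotResource,
permission boundaries and SCPs, and models an assumed role by its role ARN."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows a string or a list in Action, Resource and Principal.AWS."""
    return value if isinstance(value, list) else [value]


def statement_applies(stmt, principal_arn, action, resource, is_resource_policy):
    """Does this statement cover the (principal, action, resource) triple?
    Action names match case-insensitively with '*' wildcards; ARNs are exact
    apart from wildcards.  Resource (bucket) policies also name a Principal."""
    if is_resource_policy:
        princ = stmt.get("Principal", {})
        arns = ["*"] if princ == "*" else _as_list(princ.get("AWS", []))
        if not any(a == "*" or a == principal_arn for a in arns):
            return False
    if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
        return False
    return any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))


def is_allowed(identity_policies, bucket_policy, principal_arn, action, resource):
    """Same-account decision: an explicit Deny anywhere wins; otherwise an Allow
    in either the identity-based policies OR the bucket policy grants access;
    otherwise the request is implicitly denied."""
    effects = []
    for policy in identity_policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, principal_arn, action, resource, False):
                effects.append(stmt["Effect"])
    for stmt in (bucket_policy or {}).get("Statement", []):
        if statement_applies(stmt, principal_arn, action, resource, True):
            effects.append(stmt["Effect"])
    return "Deny" not in effects and "Allow" in effects


# Constructed sample: a lab user, a role it may assume, and one bucket.
ACCOUNT = "123456789012"                                   # placeholder account id
BUCKET_ARN = "arn:aws:s3:::example-lab-bucket"
USER_ARN = "arn:aws:iam::%s:user/lab-user" % ACCOUNT
ROLE_ARN = "arn:aws:iam::%s:role/s3-object-reader" % ACCOUNT

# Identity-based policy attached to the user: list buckets and assume the role,
# but no object-level permissions.
USER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
]}

# Resource-based policy on the bucket: the role may read objects, and deletion
# is explicitly denied to every principal.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
    {"Effect": "Deny", "Principal": "*",
     "Action": "s3:DeleteObject", "Resource": BUCKET_ARN + "/*"},
]}

if __name__ == "__main__":
    obj = BUCKET_ARN + "/report.csv"
    print("user GetObject:", is_allowed([USER_POLICY], BUCKET_POLICY, USER_ARN, "s3:GetObject", obj))
    print("role GetObject:", is_allowed([], BUCKET_POLICY, ROLE_ARN, "s3:GetObject", obj))
    admin = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print("admin DeleteObject:", is_allowed([admin], BUCKET_POLICY, USER_ARN, "s3:DeleteObject", obj))
```

The user alone cannot read objects, the assumed role can (granted by the bucket policy only), and even an administrator-style identity policy cannot delete objects because the bucket policy's explicit Deny wins.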
The purpose of this module is to introduce how to secure your infrastructure. This module explains how to use an Amazon VPC (virtual private cloud), and describes VPC components and security features for multi-tiered applications. We examine how to use Amazon VPC security groups, network access control lists (NACLs), and subnets to make networks more secure and efficient. The module also describes how VPC internet gateways, NAT gateways, and route tables control where network traffic is directed. It then describes how Amazon EC2 Elastic Load Balancers help to ensure availability by distributing incoming application traffic and scaling resources, including Amazon EC2 instances, to meet traffic demands. Finally, we learn about best practices to protect compute resources using Amazon Inspector and AWS Systems Manager.
Define the components of a VPC (virtual private cloud).
Recognize account boundaries.
Describe AWS services that are available to protect networks and resources.
Minimum Content Time: 6.25 hours
Live Session (3.0 hours)
AWS Module 4 video lessons (30 min)
Hands-on Lab 4.1 (1.5 hours)
Knowledge Check 4 (20 min)
Lab 4.1: Securing VPC Resources by Using Security Groups
Configure secure access to EC2 instances (virtual machines) using SSH and AWS Systems Manager Session Manager, by configuring and applying security groups (virtual firewalls) and network access control lists (ACL).
After completing this lab, you should be able to do the following:
Examine security groups to determine what traffic is allowed.
Change which security groups are applied to EC2 instances.
Create new security groups.
Update the inbound rules on security groups to follow the principle of least privilege.
Understand how security groups can reference other security groups.
Configure a network access control list (ACL) to block traffic on a specific TCP port.
Connect to an instance in a private subnet by using SSH.
Connect to an instance in a private subnet by using AWS Systems Manager Session Manager.
The purpose of this module is to introduce how to protect data at rest and data in transit. The module begins with an overview of why it’s important to protect data at rest. Then, the module introduces protection features in Amazon Simple Storage Service (Amazon S3), including AWS IAM policies to implement least privilege, the Block Public Access feature for confidentiality, object locks for data integrity, and S3 versioning for data availability. Next, we see an overview of client-side and server-side encryption, and the types of encryption that Amazon S3 supports. We then learn how to use AWS Key Management Service (KMS) to encrypt objects in Amazon S3 and Amazon EBS volumes. After that, the module discusses how to protect data in transit with an introduction to the AWS Certificate Manager (ACM) service and best practices for protecting data in Amazon S3. We wrap up by examining additional data protection services: AWS Secrets Manager to manage secrets used by resources, including database credentials, passwords, and third-party API keys; and Amazon Macie for data classification in S3, including PII, financial data, encryption keys, and credentials.
Describe how to protect data at rest and in transit.
Identify Amazon S3 protection features.
Encrypt data in Amazon S3.
Differentiate between client-side encryption (CSE) and server-side encryption (SSE).
Identify Amazon Web Services (AWS) services that help protect your data.
Minimum Content Time: 5.25 hours
Live Session (3 hours)
AWS Module 5 video lessons (40 min)
Hands-on Lab 5.1 (1.25 hours)
AWS Knowledge Check 7 (20 min)
Lab 5.1: Encrypting Data at Rest by Using AWS KMS
Use AWS Key Management Service (AWS KMS) to encrypt objects stored in Amazon S3 and in Amazon EBS volumes, and audit key usage in AWS CloudTrail event history.
After completing this lab, you should be able to do the following:
Create an AWS KMS customer managed key to encrypt and decrypt data at rest.
Store an encrypted object in an S3 bucket by using an encryption key.
Attempt public access and signed access to an encrypted S3 object.
Monitor encryption key usage by using the CloudTrail event history.
Encrypt the root volume of an existing Amazon Elastic Compute Cloud (Amazon EC2) instance.
Disable and re-enable an AWS KMS key and observe the effects on data access.
The purpose of this module is to introduce logging and monitoring in the AWS environment. This module explains the concepts of logging and monitoring, and we learn how to gain insight into the information that is contained within Amazon CloudTrail log files. The module examines how that information is used in a monitoring environment to enhance security throughout the AWS environment, including Amazon S3 server access logging, Amazon VPC flow logs, and Elastic Load Balancing (ELB) access logs. This module also covers best practices for logging and monitoring using Amazon CloudWatch, and introduces additional AWS services that can be used to improve the overall security posture of an AWS environment: AWS Trusted Advisor, Amazon EventBridge, AWS Security Hub, and AWS Config.
Log and monitor access and control to help identify security threats.
Read and interpret log reports to identify security threats.
Monitor and report on your AWS resources and applications.
Recognize when to use Amazon CloudWatch and when to use AWS CloudTrail.
Minimum Content Time: 5 hours
Live Session (3 hours)
Activity: Reading a CloudTrail Log File
AWS Module 6 video lessons (25 minutes)
AWS Video Demonstration: AWS Security Hub
Hands-on Lab 6.1 (1.25 hours)
AWS Knowledge Check 8 (20 minutes)
Lab 6.1: Monitoring and Alerting with CloudTrail and CloudWatch
Use AWS CloudTrail, CloudWatch, and Amazon SNS to monitor and audit API calls made in an AWS account, and Amazon EventBridge to provide alerts when a security incident occurs.
After completing this lab, you should be able to do the following:
Analyze event details in the CloudTrail event history.
Create a CloudTrail trail with CloudWatch logging enabled.
Create an SNS topic and an email subscription to it.
Configure an EventBridge rule to monitor changes to resources in an AWS account.
Create CloudWatch metric filters and CloudWatch alarms.
Query CloudTrail logs by using CloudWatch Logs Insights.
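The following Python scan, added here as an illustration rather than part of the lab, reads a CloudTrail log file and applies the kinds of patterns you would otherwise express as CloudWatch metric filters (console login failures, root activity, security group changes, CloudTrail tampering, access-denied calls). The sample records and the detection list are constructed for the example.

```python
"""Scan a CloudTrail log file (the JSON "Records" document delivered to S3)
for events worth alerting on, the way a CloudWatch metric filter would.
Constructed example; the record set and the detection list are assumptions."""
import gzip
import json

# Each detection: (name, predicate on one CloudTrail record).  They mirror the
# kind of pattern used in a CloudWatch Logs metric filter, for example
#   { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
DETECTIONS = [
    ("ConsoleLoginFailure",
     lambda r: r.get("eventName") == "ConsoleLogin"
     and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"),
    ("RootAccountActivity",
     lambda r: r.get("userIdentity", {}).get("type") == "Root"
     and r.get("eventType") != "AwsServiceEvent"),
    ("SecurityGroupChange",
     lambda r: r.get("eventSource") == "ec2.amazonaws.com"
     and r.get("eventName") in {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                                "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}),
    ("CloudTrailTampering",
     lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
     and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}),
    ("UnauthorizedCall",
     lambda r: r.get("errorCode") in {"AccessDenied", "UnauthorizedOperation"}),
]


def load_records(path):
    """Read a CloudTrail log file; files delivered to S3 are gzipped JSON."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return json.load(fh)["Records"]


def who(record):
    """Short actor label: the IAM identity plus the source IP of the call."""
    ident = record.get("userIdentity", {})
    name = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
    return "%s@%s" % (name, record.get("sourceIPAddress", "?"))


def scan(records):
    """Return {detection_name: [summary lines]} for every record that matches."""
    hits = {}
    for rec in records:
        for name, matches in DETECTIONS:
            if matches(rec):
                line = "%s %s %s by %s" % (rec.get("eventTime"), rec.get("eventSource"),
                                          rec.get("eventName"), who(rec))
                hits.setdefault(name, []).append(line)
    return hits


# Constructed sample records (trimmed to the fields the detections read).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

if __name__ == "__main__":
    for name, lines in scan(SAMPLE_RECORDS).items():
        print(name)
        for line in lines:
            print("  " + line)
```

Replace SAMPLE_RECORDS with load_records("<path-to-CloudTrail-file>.json.gz") to run it over a real file downloaded from the trail's S3 bucket.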
The purpose of this module is to help us understand how to respond to and manage an incident. The module describes the phases of incident response and the AWS services that support each phase, including the following services that support discovery & recognition: AWS Trusted Advisor, Amazon CloudWatch, Amazon Inspector, Amazon GuardDuty, AWS Shield, and AWS Config. It then describes services that support the resolution and recovery phase: AWS Systems Manager, AWS CloudFormation, Amazon SNS, AWS Step Functions, and AWS Lambda. The module also provides best practices for handling an incident.
Identify a security incident.
Describe AWS services that are used for incident recognition and remediation.
Identify best practices for incident response.
Minimum Content Time: 6.0 hours
Live Session (3 hours)
AWS Module 7 video lessons (80 minutes)
Hands-on Lab 7.1 (1.25 hours)
AWS Knowledge Check 9 (20 minutes)
Lab 7.1: Remediating an Incident by Using AWS Config and Lambda
Use the AWS Config service, AWS Lambda, and Amazon CloudWatch to monitor, identify, and report security incidents arising from changes to specific resources.
After completing this lab, you should be able to do the following:
Explain how to use AWS Identity and Access Management (IAM) roles to grant AWS services access to other AWS services.
Enable AWS Config to monitor resources in an AWS account.
Configure an AWS VPC security group to emulate a security incident.
Create an AWS Lambda function and import function code.
Create and enable a custom AWS Config rule that uses a Lambda function.
Test the behavior of an AWS Config rule to ensure it's working as intended.
Analyze Amazon CloudWatch logs to audit when AWS Config rules are invoked.
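As an added example (not the function code the lab has you import), here is a Lambda handler for a custom AWS Config rule that judges a security group against the lab's emulated incident: an inbound rule open to 0.0.0.0/0 or ::/0 on a port not listed in an assumed AllowedPorts rule parameter. The event shape follows what Config passes to a custom-rule Lambda (invokingEvent, ruleParameters, resultToken); the security group id, its rules, and the AllowedPorts value are constructed.

```python
"""Custom AWS Config rule handler: NON_COMPLIANT when a security group admits
the whole internet on a port outside the AllowedPorts rule parameter (assumed)."""
import json
import ipaddress

try:
    import boto3            # present in the Lambda runtime; optional when run locally
except ImportError:
    boto3 = None

WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def _is_world(cidr):
    """True when a CIDR admits every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False) in WORLD
    except ValueError:
        return False


def open_ports(configuration, allowed_ports=()):
    """List violations in a security group's ingress rules: any rule reachable
    from the internet on a protocol/port that is not in allowed_ports.  Handles
    both the older ipRanges and newer ipv4Ranges keys of the Config item."""
    violations = []
    for perm in configuration.get("ipPermissions", []):
        ranges = perm.get("ipRanges", []) + perm.get("ipv4Ranges", []) + perm.get("ipv6Ranges", [])
        world = [c for c in (r.get("cidrIp") or r.get("cidrIpv6") for r in ranges) if c and _is_world(c)]
        if not world:
            continue
        proto = perm.get("ipProtocol", "-1")
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if proto == "-1" or lo is None or hi is None:      # all traffic, or portless protocol
            violations.append("%s from %s" % ("all traffic" if proto == "-1" else proto, ", ".join(world)))
        elif any(p not in allowed_ports for p in range(lo, hi + 1)):
            violations.append("%s/%d-%d from %s" % (proto, lo, hi, ", ".join(world)))
    return violations


def evaluate(event):
    """Build the Config evaluation for one invocation (pure, no AWS calls)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = {int(p) for p in params.get("AllowedPorts", "").split(",") if p.strip()}
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    elif item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        bad = open_ports(item["configuration"], allowed)
        compliance = "NON_COMPLIANT" if bad else "COMPLIANT"
        note = "; ".join(bad) or "no internet-exposed ingress outside AllowedPorts"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],                           # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate the change, then report the result to Config."""
    evaluation = evaluate(event)
    if boto3 is not None and "resultToken" in event:
        boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample: the lab's emulated incident, SSH opened to the world
# alongside a legitimately public HTTPS rule.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification", "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",   # placeholder id
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}}),
    "ruleParameters": json.dumps({"AllowedPorts": "80,443"}),
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

When deployed, the function's execution role needs config:PutEvaluations, and the rule's trigger type is "configuration changes" scoped to AWS::EC2::SecurityGroup so it fires on the same change that Lab 7.1 has you make.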
The purpose of this module is to familiarize you with resources that can help you prepare for the AWS Certified Security – Specialty exam.
Identify the next steps to prepare for the AWS Certified Security – Specialty certification.
Identify where to find resources.
Minimum Content Time: 3.75 hours
Live Session (3 hours)
Course Assessment (45 minutes)