Lab Challenges
AWS Lambda Privilege Escalation
CloudGoat scenario exploring security risks in serverless computing by exploiting a vulnerable AWS Lambda function
Problem Statement
A vulnerable Lambda function that applies policies to users could be exploited to escalate privileges due to insufficient input validation
Approach
1. Assumed a role with Lambda invocation privileges 2. Discovered the policy-applier Lambda function 3. Analyzed the function's source code to find SQL injection vulnerability 4. Crafted a payload to inject AdministratorAccess policy 5. Verified privilege escalation by accessing secrets
Key Lessons Learned
- →Importance of input validation in serverless functions
- →Need for least privilege in Lambda execution roles
- →Dangers of mixing data and control planes in serverless
- →Value of regular code reviews for Lambda functions
AWS KMS Implementation for Data Protection
Hands-on implementation of AWS Key Management Service to secure cloud storage and compute resources
Problem Statement
Need to protect sensitive data across multiple AWS services using centralized encryption key management
Approach
1. Created a symmetric KMS key with proper permissions 2. Integrated KMS with S3 for server-side encryption 3. Configured EC2 volume encryption using KMS 4. Set up Amazon Redshift encryption with KMS 5. Implemented bucket keys for cost optimization
Key Lessons Learned
- →KMS simplifies encryption while maintaining security
- →Centralized key management improves security posture
- →Bucket keys can reduce KMS API costs significantly
- →Consistent encryption across services prevents data leaks
IAM Privilege Escalation via Policy Rollback
CloudGoat scenario demonstrating how IAM policy versioning can lead to privilege escalation
Problem Statement
A user with iam:SetDefaultPolicyVersion permission could revert to an older, more permissive policy version
Approach
1. Identified available IAM policy versions 2. Analyzed historical versions for excessive permissions 3. Discovered v4 policy granted full admin access 4. Used SetDefaultPolicyVersion to activate v4 5. Verified escalated privileges
Key Lessons Learned
- →Policy versioning introduces hidden attack surfaces
- →Historical policy versions should be audited regularly
- →The iam:SetDefaultPolicyVersion permission is highly sensitive
- →Implement MFA for sensitive IAM actions
- →Consider policy version deletion when downgrading permissions
Azure Security Monitoring & Sentinel Implementation
Comprehensive security monitoring implementation including Azure Monitor, Defender for Cloud, JIT VM access, and Microsoft Sentinel
Problem Statement
Need to establish enterprise-grade security monitoring, threat protection, and incident response capabilities across Azure infrastructure
Approach
1. Deployed Azure Monitor with Log Analytics and Data Collection Rules 2. Enabled Microsoft Defender for Cloud with enhanced security features 3. Implemented Just-in-Time VM access to reduce attack surface 4. Configured Microsoft Sentinel for SIEM/SOAR capabilities 5. Created custom alerts and playbooks for automated incident response
Key Lessons Learned
- →Centralized monitoring is essential for cloud security visibility
- →JIT access significantly reduces VM vulnerability to brute force attacks
- →Sentinel playbooks enable automated response to security incidents
- →Data collection rules must be carefully designed for relevant security events
- →Threat detection requires correlation across multiple data sources
Azure SQL Database Always Encrypted with Key Vault
Implementation of Always Encrypted for sensitive data protection in Azure SQL Database using Azure Key Vault
Problem Statement
Need to protect sensitive patient data in SQL database while maintaining application functionality
Approach
1. Deployed Azure Key Vault with proper access policies 2. Configured SQL Database with Always Encrypted 3. Created column master keys in Key Vault 4. Implemented data classification for GDPR compliance 5. Developed application with proper key access integration
Key Lessons Learned
- →Always Encrypted protects data at rest, in transit, and in use
- →Key management is critical for encryption implementations
- →Proper application integration is required for seamless encryption
- →Data classification helps meet compliance requirements
- →Access policies must balance security and functionality
Azure Storage Security with Service Endpoints
Securing Azure file shares using service endpoints and network security groups
Problem Statement
Need to restrict storage access to specific subnets while preventing internet exposure
Approach
1. Created virtual network with public/private subnets 2. Configured storage service endpoints on private subnet 3. Implemented NSGs to restrict storage access 4. Tested connectivity from different subnets 5. Validated security controls through penetration testing
Key Lessons Learned
- →Service endpoints keep storage traffic within Azure backbone
- →NSGs provide granular network access control
- →Security controls must be tested from all access paths
- →Private subnets can isolate sensitive resources
- →Storage accounts should have minimal public exposure
Azure SQL Database Security Hardening
Comprehensive security configuration for Azure SQL Database including threat protection and auditing
Problem Statement
Need to protect SQL database from injection attacks while meeting compliance requirements
Approach
1. Enabled Microsoft Defender for SQL 2. Configured data discovery and classification 3. Implemented server and database level auditing 4. Set up vulnerability assessment 5. Tested security controls with simulated attacks
Key Lessons Learned
- →Defender for SQL provides essential threat protection
- →Data classification supports compliance efforts
- →Auditing is critical for forensic investigations
- →Vulnerability assessments identify misconfigurations
- →Security controls should be tested regularly
Securing ACR and AKS Infrastructure
End-to-end security configuration for containerized workloads in Azure
Problem Statement
Need to securely deploy and manage containerized applications in Azure
Approach
1. Created secured Azure Container Registry 2. Built Docker images with security best practices 3. Deployed AKS cluster with proper network controls 4. Configured RBAC and pod security policies 5. Implemented internal/external service segmentation
Key Lessons Learned
- →Container registries require proper access controls
- →AKS networking must be carefully planned
- →Least privilege applies to container workloads
- →Images should be scanned for vulnerabilities
- →Internal services need additional protection
Azure Firewall Implementation & Traffic Control
Deployment and configuration of Azure Firewall to enforce network security policies and control traffic flow
Problem Statement
Need to implement granular network access controls for Azure workloads while allowing specific required outbound traffic
Approach
1. Deployed virtual network with workload and jump host subnets 2. Provisioned Azure Firewall with proper routing 3. Created application rules to restrict web access to bing.com only 4. Configured network rules for DNS resolution 5. Validated firewall rules through comprehensive testing
Key Lessons Learned
- →Firewall rules must be carefully designed to balance security and functionality
- →Route tables are essential for forcing traffic through the firewall
- →Application rules provide granular control over FQDN access
- →Network rules are needed for protocol-specific requirements like DNS
- →Testing from multiple access paths validates security controls
- →Jump hosts provide secure management access to restricted subnets