CCSE Commands
Module 02: Platform and Infrastructure Security in Cloud
Exercise 3: Creating Secure EC2 Instances in AWS Virtual Private Cloud (VPC)
Step 100
ping <"Public IP address of the public instance">
Exercise 8: Securing GCP Instances using Firewall Rules
Step 30
ping 34.138.103.94
Step 36
ping 34.138.103.94 -t
Exercise 9: Implementing Secure Deployments in GKE with Binary Authorization
Step 11
gcloud projects list
Step 12
gcloud config set project nifty-province-322704
Step 13
export PROJECT_ID=$(gcloud config get-value project)
Step 14
gcloud services enable \
container.googleapis.com \
containeranalysis.googleapis.com
Step 17
gcloud beta container clusters create \
--enable-binauthz \
--zone us-central1-a \
ecc-binauthz-lab
Step 18
gcloud container clusters get-credentials \
--zone us-central1-a \
ecc-binauthz-lab
Step 19
cat << EOF > Dockerfile
FROM alpine
CMD tail -f /dev/null
EOF
Step 20
export CONTAINER_PATH=us.gcr.io/$PROJECT_ID/hello-eccuser
docker build -t $CONTAINER_PATH ./
Step 21
gcloud auth configure-docker --quiet
docker push $CONTAINER_PATH
Step 24
kubectl create deployment hello-eccuser --image=$CONTAINER_PATH
Step 25
kubectl get pods
Step 26
cat > ./policy.yaml << EOM
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
evaluationMode: ALWAYS_DENY
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
EOM
Step 27
gcloud container binauthz policy import policy.yaml
Step 28
kubectl delete deployment --all
kubectl delete event --all
Step 29
kubectl create deployment hello-eccuser --image=$CONTAINER_PATH
Step 30
kubectl get pods
Step 32
cat > ./create_note_request.json << EOM
{
"attestation": {
"hint": {
"human_readable_name": "This note represents an attestation authority"
}
}
}
EOM
Step 33
export NOTE_ID=my-attestor-note
curl -vvv -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
--data-binary @./create_note_request.json \
"https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/notes/?noteId=${NOTE_ID}"
Step 35
export ATTESTOR_ID=my-binauthz-attestor
gcloud container binauthz attestors create $ATTESTOR_ID \
--attestation-authority-note=$NOTE_ID \
--attestation-authority-note-project=${PROJECT_ID}
Step 36
gcloud container binauthz attestors list
Step 37
export KEY_LOCATION=global
export KEYRING=binauthz-keys
export KEY_NAME=lab-key
export KEY_VERSION=1
Step 38
gcloud kms keyrings create "${KEYRING}" --location="${KEY_LOCATION}"
Step 39
gcloud kms keys create "${KEY_NAME}" \
--keyring="${KEYRING}" --location="${KEY_LOCATION}" \
--purpose asymmetric-signing --default-algorithm="ec-sign-p256-sha256"
Step 40
gcloud beta container binauthz attestors public-keys add \
--attestor="${ATTESTOR_ID}" \
--keyversion-project="${PROJECT_ID}" \
--keyversion-location="${KEY_LOCATION}" \
--keyversion-keyring="${KEYRING}" \
--keyversion-key="${KEY_NAME}" \
--keyversion="${KEY_VERSION}"
Step 41
gcloud beta container binauthz attestors list
Step 42
export DIGEST=$(gcloud container images describe ${CONTAINER_PATH}:latest \
--format='get(image_summary.digest)')
Step 43
gcloud beta container binauthz attestations sign-and-create \
--artifact-url="${CONTAINER_PATH}@${DIGEST}" \
--attestor="${ATTESTOR_ID}" \
--attestor-project="${PROJECT_ID}" \
--keyversion-project="${PROJECT_ID}" \
--keyversion-location="${KEY_LOCATION}" \
--keyversion-keyring="${KEYRING}" \
--keyversion-key="${KEY_NAME}" \
--keyversion="${KEY_VERSION}"
Step 44
gcloud container binauthz attestations list \
--attestor=$ATTESTOR_ID --attestor-project=${PROJECT_ID}
Step 45
cat << EOF > updated_policy.yaml
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
evaluationMode: REQUIRE_ATTESTATION
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
requireAttestationsBy:
- projects/${PROJECT_ID}/attestors/${ATTESTOR_ID}
EOF
Step 46
gcloud container binauthz policy import updated_policy.yaml
Step 47
kubectl create deployment hello-eccuser-signed --image="${CONTAINER_PATH}@${DIGEST}"
Step 48
kubectl get pods
Exercise 10: Implementing a Private Secure Connection Between Instances with VPC Network Peering
Step 56
ping <internal IP address>
Step 70
ping <internal IP address>
Module 03: Application Security in Cloud
Exercise 4: Restricting Access to App Engine Applications in GCP with Cloud IAP
Step 20
gcloud projects list
Step 21
gcloud config set project [project_ID]
Step 22
git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
Step 23
cd python-docs-samples/appengine/standard/users/
Step 24
gcloud app deploy
Step 59
rm -rf python-docs-samples
Module 04: Data Security in Cloud
Exercise 3: Restricting Non-SSL Access for S3 Objects using Bucket Policies
Step 36
{ "Statement":[ { "Action": "s3:*", "Effect":"Deny", "Principal": "*", "Resource":"arn:aws:s3:::training-group002/*", "Condition":{ "Bool": { "aws:SecureTransport": false } } } ] }
Exercise 5: Preventing Deletion of Backups Using an Amazon Backup Vault Resource-based Access Policy
Step 33
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "arn:aws:iam::000281434571:user/John" }, "Action": [ "backup:DeleteBackupVault" ], "Resource": "arn:aws:backup:us-east-2:000281434571:backup-vault:AwsBackup2_imp" } ] }
Exercise 9: Preventing Accidental Deletion of Resources Using Azure Resource Locking
Step 12
New-AzResourceGroup -Name "myResourceGroup2556" -Location "EastUS"
Step 13
New-AzVm `
-ResourceGroupName "myResourceGroup2556" `
-Name "myVM2556" `
-Location "East US" `
-VirtualNetworkName "myVnet" `
-SubnetName "mySubnet" `
-SecurityGroupName "myNetworkSecurityGroup" `
-PublicIpAddressName "myPublicIpAddress" `
-OpenPorts 80,3389
Step 16
Get-AzResource
Step 18
New-AzResourceLock -LockLevel CanNotDelete -LockName LockSite -ResourceName myVM2556 -ResourceType Microsoft.Compute/virtualMachines -ResourceGroupName myResourceGroup2556
Step 20
New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName myResourceGroup2556
Step 22
Get-AzResourceLock
Step 23
Remove-AzVM -ResourceGroupName "myResourceGroup2556" -Name "myVM2556"
Step 26
$rgName = "myResourceGroup2556"
Get-AzResourceLock | Where-Object ResourceGroupName -eq $rgName | Remove-AzResourceLock -Force
Step 27
Remove-AzVM -ResourceGroupName "myResourceGroup2556" -Name "myVM2556"
Exercise 10: Restricting Network Access to Azure Storage Account Using Virtual Network Service Endpoints
Step 109
$acctKey = ConvertTo-SecureString -String "<storage-account-key>" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\<storage-account-name>", $acctKey
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<storage-account-name>.file.core.windows.net\my-file-share" -Credential $credential
Step 110
ping bing.com
Step 124
$acctKey = ConvertTo-SecureString -String "<storage-account-key>" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\<storage-account-name>", $acctKey
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<storage-account-name>.file.core.windows.net\my-file-share" -Credential $credential
Exercise 11: Protecting Secrets in Azure with Key Vault
Step 40
az keyvault secret show --name userpassword --vault-name ecc-keyvault-321 --query value --output tsv
Exercise 12: Implementing Encryption and Decryption of Data with Google Cloud KMS
Step 24
gcloud projects list
Step 25
gcloud config set project nifty-province-322704
Step 26
echo "hackers-are-here-where-are-you" > ./eccdata.txt
Step 27
gcloud kms encrypt \
--key eccsecuritykey-1 \
--keyring ecckey-1 \
--location global \
--plaintext-file ./eccdata.txt \
--ciphertext-file ./eccdata.txt.enc
Step 28
cloudshell open eccdata.txt.enc
Step 30
gcloud kms decrypt \
--location global \
--keyring ecckey-1 \
--key eccsecuritykey-1 \
--plaintext-file - \
--ciphertext-file ./eccdata.txt.enc
Step 33
gcloud kms keys versions create \
--location "global" \
--keyring "ecckey-1" \
--key "eccsecuritykey-1" \
--primary
Step 34
gcloud kms keys versions disable "1" \
--location "global" \
--keyring "ecckey-1" \
--key "eccsecuritykey-1"
Step 36
rm eccdata.txt
Exercise 13: Inspecting Sensitive Information in GCP with Cloud DLP
Step 23
gcloud projects list
Step 24
gcloud config set project nifty-province-322704
Step 28
export GOOGLE_APPLICATION_CREDENTIALS=~/<name of JSON file>
Step 29
git clone https://github.com/googleapis/nodejs-dlp.git
Step 30
cd nodejs-dlp/samples
Step 31
npm install
Step 32
GCLOUD_PROJECT=<PROJECT_ID>
Step 33
node inspectString.js <Project_ID> "My phone number is +9999999999."
Step 35
node inspectString.js <Project_ID> "My email id is [email protected]."
Step 38
rm -rf nodejs-dlp
Module 05: Security Operations in Cloud
Exercise 4: Restricting Remote Desktop Access to Virtual Machines Using Network Security Group (NSG) in Azure
Step 14
New-AzResourceGroup -Name "myResourceGroup" -Location "EastUS"
Step 15
New-AzVm `
-ResourceGroupName "myResourceGroup" `
-Name "myVM1" `
-Location "East US"
Step 19
New-AzVm `
-ResourceGroupName "myResourceGroup" `
-Name "myVM2" `
-Location "East US"
Step 31
Test-NetConnection 52.188.12.68 -port 3389
Step 52
Test-NetConnection 52.188.12.68 -port 3389
Step 62
Test-NetConnection 52.188.12.68 -port 3389
Step 69
Test-NetConnection 52.188.14.48 -port 3389
Step 87
Test-NetConnection 52.188.14.48 -port 3389
Step 91
Test-NetConnection 52.188.12.68 -port 3389
Exercise 6: Scanning for Vulnerabilities in App Engine Applications with Google Cloud Web Security Scanner
Step 16
gcloud projects list
Step 17
gcloud config set project [project_ID]
Step 18
git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
Step 19
cd python-docs-samples/appengine/standard/hello_world
Step 20
ls
Step 21
nano main.py
Step 24
dev_appserver.py app.yaml
Step 29
gcloud app deploy
Module 06: Penetration Testing in Cloud
AWS Command Line Interface (amazon.com)
Exercise 1: Identifying Misconfigured S3 Buckets in AWS by Penetration Testing
Step 40
aws s3api put-bucket-acl --bucket ccse-demobucket-2 --grant-write-acp uri=http://acs.amazonaws.com/groups/global/AllUsers
Step 41
aws s3api put-bucket-acl --bucket ccse-demobucket-2 --grant-full-control uri=http://acs.amazonaws.com/groups/global/AllUsers
Step 55
aws --version
Step 56
where aws
Step 64
aws --no-sign-request s3 ls s3://ccse-demobucket-1
Step 66
aws s3api get-bucket-acl --bucket ccse-demobucket-1 --no-sign-request
Step 68
aws --no-sign-request s3 ls s3://ccse-demobucket-2
Step 70
aws s3api get-bucket-acl --bucket ccse-demobucket-2 --no-sign-request
Step 74
aws s3api get-bucket-acl --bucket ccse-demobucket-2 --no-sign-request
Exercise 2: Identifying Publicly Accessible Data with Compromised AWS API Keys
Step 40
aws --version
Step 41
aws configure --profile ccsetest
Step 43
aws sts get-caller-identity --profile ccsetest
Step 45
aws ec2 describe-security-groups --region us-east-2 --profile ccsetest
Step 47
aws ec2 describe-instances --region us-east-1 --profile ccsetest
Step 48
aws ec2 describe-security-groups --region us-east-2 --profile ccsetest
Module 07: Incident Response in Cloud
Exercise 3: Monitoring Suspicious Network Traffic with VPC Flow Logs in GCP
Step 40
sudo apt-get update
Step 41
sudo apt-get install apache2 -y
Step 42
echo '<!doctype html><html><body><h1>Hello ECCUSER!</h1></body></html>' | sudo tee /var/www/html/index.html
Step 43
exit
Step 64
gcloud projects list
Step 66
export MY_SERVER=<EXTERNAL_IP>
Step 67
for ((i=1;i<=50;i++)); do curl $MY_SERVER; done
Step 73
SELECT
jsonPayload.src_vpc.vpc_name,
SUM(CAST(jsonPayload.bytes_sent AS INT64)) AS bytes,
jsonPayload.src_vpc.subnetwork_name,
jsonPayload.connection.src_ip,
jsonPayload.connection.src_port,
jsonPayload.connection.dest_ip,
jsonPayload.connection.dest_port,
jsonPayload.connection.protocol
FROM
`type_your_table_id`
GROUP BY
jsonPayload.src_vpc.vpc_name,
jsonPayload.src_vpc.subnetwork_name,
jsonPayload.connection.src_ip,
jsonPayload.connection.src_port,
jsonPayload.connection.dest_ip,
jsonPayload.connection.dest_port,
jsonPayload.connection.protocol
ORDER BY
bytes DESC
LIMIT
15
Step 76
SELECT
jsonPayload.connection.src_ip,
jsonPayload.connection.dest_ip,
SUM(CAST(jsonPayload.bytes_sent AS INT64)) AS bytes,
jsonPayload.connection.dest_port,
jsonPayload.connection.protocol
FROM
`type_your_table_id`
WHERE jsonPayload.reporter = 'DEST'
GROUP BY
jsonPayload.connection.src_ip,
jsonPayload.connection.dest_ip,
jsonPayload.connection.dest_port,
jsonPayload.connection.protocol
ORDER BY
bytes DESC
LIMIT
15
Exercise 4: Detecting Incidents in GCP with Cloud Monitoring
Step 14
sudo apt-get update
Step 15
sudo apt-get install apache2 php7.0
Step 16
Y
Step 25
curl -sSO https://dl.google.com/cloudagents/add-monitoring-agent-repo.sh
Step 26
sudo bash add-monitoring-agent-repo.sh
Step 27
sudo apt-get update
Step 28
sudo apt-get install stackdriver-agent
Step 29
Y
Step 30
curl -sSO https://dl.google.com/cloudagents/add-logging-agent-repo.sh
Step 31
sudo bash add-logging-agent-repo.sh
Step 32
sudo apt-get update
Step 33
sudo apt-get install google-fluentd
Step 34
exit
Module 08: Forensic Investigation in Cloud
Exercise 1: Examining Logs on Amazon CloudWatch Console
Step 71
wget https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
Step 72
dpkg -i amazon-cloudwatch-agent.deb
Step 73
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
Step 83
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json
Exercise 2: Forensically Acquiring and Examining VM in Microsoft Azure
Step 60
az login --tenant <paste the copied tenant ID here>
Step 61
az vm show --resource-group Production --name production-ubuntu --query "storageProfile.osDisk.name"
Step 62
az snapshot create --resource-group Production --name evidencesnapshot --location eastus --source <os-disk-name from Step 61>
Step 64
az snapshot grant-access --resource-group Production --name evidencesnapshot --duration-in-seconds 3600 --access-level read
Step 67
az storage account create --resource-group Forensics --location eastus --name ccsestorage --kind storageV2 --sku Standard_LRS
Step 69
az storage account keys list --resource-group Forensics --account-name ccsestorage --query "[0].value" --output json
Step 71
az storage share create --account-name ccsestorage --account-key "< paste the output for storage key here >" --name ccsefileshare --quota 39
Step 74
az storage file copy start --source-uri '"<copy and paste the output for SAS URI here>"' --destination-share ccsefileshare --destination-path azureevidencefile.dd --account-name ccsestorage --account-key "<copy and paste the output for storage account key here>"
Step 75
az storage file show --path azureevidencefile.dd --share-name ccsefileshare --account-name ccsestorage --account-key "<copy and paste the output for storage account key here>" --query "properties.copy.status"
Step 77
az snapshot delete --resource-group Production --name evidencesnapshot
Module 09: Business Continuity and Disaster Recovery in Cloud
Exercise 4: Implementing Disaster Recovery in Azure using Storage Data Replication and Failover
Step 12
export RESOURCEGROUP=learn-storage-replication-rg
Step 13
export AZURE_STORAGE_ACCOUNT=csg100320013ea52967
Step 14
export LOCATION=westus2
Step 17
az group create --location westus2 --resource-group MyResourceGroup
Step 18
az storage account create --name eccstorageaccount --resource-group MyResourceGroup --location westus --sku Standard_GRS --encryption-services blob --kind StorageV2
Step 19
az storage account keys list --account-name eccstorageaccount --resource-group MyResourceGroup --output table
Step 23
export AZURE_STORAGE_KEY="account-key"
Step 24
export BLOB_CONTAINER_NAME=demoblobcontainer
Step 27
az storage container create --account-key storagekey --account-name storageaccountname --name blobcontainername
Step 30
touch video.mp4
Step 31
cat > video.mp4
Step 32
cat video.mp4
Step 35
az storage blob upload --container-name demoblobcontainer --name video --file video.mp4 --account-name eccstorageaccount --account-key storageaccountkey
Step 36
az storage blob list --container-name demoblobcontainer --account-name eccstorageaccount --output table
Exercise 6: Creating Snapshot of a VM instance and Restoring the instance using the Snapshot in GCP
Step 18
ls
Step 38
ls
Exercise 7: Ensuring Service Availability using HTTP Load Balancing in GCP
Step 89
sudo apt-get -y install siege
Step 90
export LB_IP=<IP_v4_LB>
Step 91
siege -c 250 http://$LB_IP
Module 10: Governance, Risk Management, and Compliance in Cloud
Exercise 1: Restricting Deployment of S3 Buckets to a Specific Region using IAM Policy in AWS
Step 25
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "*",
"Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-2"}}
}
]
}
Module 11: Standards, Policies, and Legal Issues in Cloud
Exercise 1: Conducting Security Audit in AWS with AWS Trusted Advisor
Step 29
aws s3api put-bucket-acl --bucket vulns3bucket --grant-write-acp uri=http://acs.amazonaws.com/groups/global/AllUsers
Step 30
aws s3api put-bucket-acl --bucket vulns3bucket --grant-full-control uri=http://acs.amazonaws.com/groups/global/AllUsers
Exercise 3: Creating Secure EC2 Instances in AWS Virtual Private Cloud (VPC)
Step 100
ping <"Public IP address of the public instance">
Exercise 8: Securing GCP Instances using Firewall Rules
Step 30
ping 34.138.103.94
Step 36
ping 34.138.103.94 -t
Exercise 9: Implementing Secure Deployments in GKE with Binary Authorization
Step 11
gcloud projects list
Step 12
gcloud config set project nifty-province-322704
Step 13
export PROJECT_ID=$(gcloud config get-value project)
Step 14
gcloud services enable \
container.googleapis.com \
containeranalysis.googleapis.com
Step 17
gcloud beta container clusters create \
--enable-binauthz \
--zone us-central1-a \
ecc-binauthz-lab
Step 18
gcloud container clusters get-credentials \
--zone us-central1-a \
ecc-binauthz-lab
Step 19
cat << EOF > Dockerfile
FROM alpine
CMD tail -f /dev/null
EOF
Step 20
export CONTAINER_PATH=us.gcr.io/$PROJECT_ID/hello-eccuser
docker build -t $CONTAINER_PATH ./
Step 21
gcloud auth configure-docker --quiet
docker push $CONTAINER_PATH
Step 24
kubectl create deployment hello-eccuser --image=$CONTAINER_PATH
Step 25
kubectl get pods
Step 26
cat > ./policy.yaml << EOM
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
evaluationMode: ALWAYS_DENY
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
EOM
Step 27
gcloud container binauthz policy import policy.yaml
Step 28
kubectl delete deployment --all
kubectl delete event --all
Step 29
kubectl create deployment hello-eccuser --image=$CONTAINER_PATH
Step 30
kubectl get pods
Step 32
cat > ./create_note_request.json << EOM
{
"attestation": {
"hint": {
"human_readable_name": "This note represents an attestation authority"
}
}
}
EOM
Step 33
export NOTE_ID=my-attestor-note
curl -vvv -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
--data-binary @./create_note_request.json \
"https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/notes/?noteId=${NOTE_ID}"
Step 35
export ATTESTOR_ID=my-binauthz-attestor
gcloud container binauthz attestors create $ATTESTOR_ID \
--attestation-authority-note=$NOTE_ID \
--attestation-authority-note-project=${PROJECT_ID}
Step 36
gcloud container binauthz attestors list
Step 37
export KEY_LOCATION=global
export KEYRING=binauthz-keys
export KEY_NAME=lab-key
export KEY_VERSION=1
Step 38
gcloud kms keyrings create "${KEYRING}" --location="${KEY_LOCATION}"
Step 39
gcloud kms keys create "${KEY_NAME}" \
--keyring="${KEYRING}" --location="${KEY_LOCATION}" \
--purpose asymmetric-signing --default-algorithm="ec-sign-p256-sha256"
Step 40
gcloud beta container binauthz attestors public-keys add \
--attestor="${ATTESTOR_ID}" \
--keyversion-project="${PROJECT_ID}" \
--keyversion-location="${KEY_LOCATION}" \
--keyversion-keyring="${KEYRING}" \
--keyversion-key="${KEY_NAME}" \
--keyversion="${KEY_VERSION}"
Step 41
gcloud beta container binauthz attestors list
Step 42
export DIGEST=$(gcloud container images describe ${CONTAINER_PATH}:latest \
--format='get(image_summary.digest)')
Step 43
gcloud beta container binauthz attestations sign-and-create \
--artifact-url="${CONTAINER_PATH}@${DIGEST}" \
--attestor="${ATTESTOR_ID}" \
--attestor-project="${PROJECT_ID}" \
--keyversion-project="${PROJECT_ID}" \
--keyversion-location="${KEY_LOCATION}" \
--keyversion-keyring="${KEYRING}" \
--keyversion-key="${KEY_NAME}" \
--keyversion="${KEY_VERSION}"
Step 44
gcloud container binauthz attestations list \
--attestor=$ATTESTOR_ID --attestor-project=${PROJECT_ID}
Step 45
cat << EOF > updated_policy.yaml
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
evaluationMode: REQUIRE_ATTESTATION
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
requireAttestationsBy:
- projects/${PROJECT_ID}/attestors/${ATTESTOR_ID}
EOF
Step 46
gcloud container binauthz policy import updated_policy.yaml
Step 47
kubectl create deployment hello-eccuser-signed --image="${CONTAINER_PATH}@${DIGEST}"
Step 48
kubectl get pods
Exercise 10: Implementing a Private Secure Connection Between Instances with VPC Network Peering
Step 56
ping <internal IP address>
Step 70
ping <internal IP address>
Module 03: Application Security in Cloud
Exercise 4: Restricting Access to App Engine Applications in GCP with Cloud IAP
Step 20
gcloud projects list
Step 21
gcloud config set project [project_ID]
Step 22
git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
Step 23
cd python-docs-samples/appengine/standard/users/
Step 24
gcloud app deploy
Step 59
rm -rf python-docs-samples
Module 04: Data Security in Cloud
Exercise 3: Restricting Non-SSL Access for S3 Objects using Bucket Policies
Step 36
{ "Statement":[ { "Action": "s3:*", "Effect":"Deny", "Principal": "*", "Resource":"arn:aws:s3:::training-group002/*", "Condition":{ "Bool": { "aws:SecureTransport": false } } } ] }
Exercise 5: Preventing Deletion of Backups Using an Amazon Backup Vault Resource-based Access Policy
Step 33
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "arn:aws:iam::000281434571:user/John" }, "Action": [ "backup:DeleteBackupVault" ], "Resource": "arn:aws:backup:us-east-2:000281434571:backup-vault:AwsBackup2_imp" } ] }
Exercise 9: Preventing Accidental Deletion of Resources Using Azure Resource Locking
Step 12
New-AzResourceGroup -Name "myResourceGroup2556" -Location "EastUS"
Step 13
New-AzVm `
-ResourceGroupName "myResourceGroup2556" `
-Name "myVM2556" `
-Location "East US" `
-VirtualNetworkName "myVnet" `
-SubnetName "mySubnet" `
-SecurityGroupName "myNetworkSecurityGroup" `
-PublicIpAddressName "myPublicIpAddress" `
-OpenPorts 80,3389
Step 16
Get-AzResource
Step 18
New-AzResourceLock -LockLevel CanNotDelete -LockName LockSite -ResourceName myVM2556 -ResourceType Microsoft.Compute/virtualMachines -ResourceGroupName myResourceGroup2556
Step 20
New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName myResourceGroup2556
Step 22
Get-AzResourceLock
Step 23
Remove-AzVM -ResourceGroupName "myResourceGroup2556" -Name "myVM2556"
Step 26
$rgName = "myResourceGroup2556"
Get-AzResourceLock | Where-Object ResourceGroupName -eq $rgName | Remove-AzResourceLock -Force
Step 27
Remove-AzVM -ResourceGroupName "myResourceGroup2556" -Name "myVM2556"
Exercise 10: Restricting Network Access to Azure Storage Account Using Virtual Network Service Endpoints
Step 109
$acctKey = ConvertTo-SecureString -String "<storage-account-key>" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\<storage-account-name>", $acctKey
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<storage-account-name>.file.core.windows.net\my-file-share" -Credential $credential
Step 110
ping bing.com
Step 124
$acctKey = ConvertTo-SecureString -String "<storage-account-key>" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\<storage-account-name>", $acctKey
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<storage-account-name>.file.core.windows.net\my-file-share" -Credential $credential
Exercise 11: Protecting Secrets in Azure with Key Vault
Step 40
az keyvault secret show --name userpassword --vault-name ecc-keyvault-321 --query value --output tsv
Exercise 12: Implementing Encryption and Decryption of Data with Google Cloud KMS
Step 24
gcloud projects list
Step 25
gcloud config set project nifty-province-322704
Step 26
echo "hackers-are-here-where-are-you" > ./eccdata.txt
Step 27
gcloud kms encrypt \
--key eccsecuritykey-1 \
--keyring ecckey-1 \
--location global \
--plaintext-file ./eccdata.txt \
--ciphertext-file ./eccdata.txt.enc
Step 28
cloudshell open eccdata.txt.enc
Step 30
gcloud kms decrypt \
--location global \
--keyring ecckey-1 \
--key eccsecuritykey-1 \
--plaintext-file - \
--ciphertext-file ./eccdata.txt.enc
Step 33
gcloud kms keys versions create \
--location "global" \
--keyring "ecckey-1" \
--key "eccsecuritykey-1" \
--primary
Step 34
gcloud kms keys versions disable "1" \
--location "global" \
--keyring "ecckey-1" \
--key "eccsecuritykey-1"
Step 36
rm eccdata.txt
Exercise 13: Inspecting Sensitive Information in GCP with Cloud DLP
Step 23
gcloud projects list
Step 24
gcloud config set project nifty-province-322704
Step 28
export GOOGLE_APPLICATION_CREDENTIALS=~/<name of JSON file>
Step 29
git clone https://github.com/googleapis/nodejs-dlp.git
Step 30
cd nodejs-dlp/samples
Step 31
npm install
Step 32
GCLOUD_PROJECT=<PROJECT_ID>
Step 33
node inspectString.js <Project_ID> "My phone number is +9999999999."
Step 35
node inspectString.js <Project_ID> "My email id is [email protected]."
Step 38
rm -rf nodejs-dlp
Module 05: Security Operations in Cloud
Exercise 4: Restricting Remote Desktop Access to Virtual Machines Using Network Security Group (NSG) in Azure
Step 14
New-AzResourceGroup -Name "myResourceGroup" -Location "EastUS"
Step 15
New-AzVm `
-ResourceGroupName "myResourceGroup" `
-Name "myVM1" `
-Location "East US"
Step 19
New-AzVm `
-ResourceGroupName "myResourceGroup" `
-Name "myVM2" `
-Location "East US"
Step 31
Test-NetConnection 52.188.12.68 -port 3389
Step 52
Test-NetConnection 52.188.12.68 -port 3389
Step 62
Test-NetConnection 52.188.12.68 -port 3389
Step 69
Test-NetConnection 52.188.14.48 -port 3389
Step 87
Test-NetConnection 52.188.14.48 -port 3389
Step 91
Test-NetConnection 52.188.12.68 -port 3389
Exercise 6: Scanning for Vulnerabilities in App Engine Applications with Google Cloud Web Security Scanner
Step 16
gcloud projects list
Step 17
gcloud config set project [project_ID]
Step 18
git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
Step 19
cd python-docs-samples/appengine/standard/hello_world
Step 20
ls
Step 21
nano main.py
Step 24
dev_appserver.py app.yaml
Step 29
gcloud app deploy
Module 06: Penetration Testing in Cloud
AWS Command Line Interface (amazon.com)
Exercise 1: Identifying Misconfigured S3 Buckets in AWS by Penetration Testing
Step 40
aws s3api put-bucket-acl --bucket ccse-demobucket-2 --grant-write-acp uri=http://acs.amazonaws.com/groups/global/AllUsers
Step 41
aws s3api put-bucket-acl --bucket ccse-demobucket-2 --grant-full-control uri=http://acs.amazonaws.com/groups/global/AllUsers
Step 55
aws --version
Step 56
where aws
Step 64
aws --no-sign-request s3 ls s3://ccse-demobucket-1
Step 66
aws s3api get-bucket-acl --bucket ccse-demobucket-1 --no-sign-request
Step 68
aws --no-sign-request s3 ls s3://ccse-demobucket-2
Step 70
aws s3api get-bucket-acl --bucket ccse-demobucket-2 --no-sign-request
Step 74
aws s3api get-bucket-acl --bucket ccse-demobucket-2 --no-sign-request
Exercise 2: Identifying Publicly Accessible Data with Compromised AWS API Keys
Step 40
aws --version
Step 41
aws configure --profile ccsetest
Step 43
aws sts get-caller-identity --profile ccsetest
Step 45
aws ec2 describe-security-groups --region us-east-2 --profile ccsetest
Step 47
aws ec2 describe-instances --region us-east-1 --profile ccsetest
Step 48
aws ec2 describe-security-groups --region us-east-2 --profile ccsetest
Module 07: Incident Response in Cloud
Exercise 3: Monitoring Suspicious Network Traffic with VPC Flow Logs in GCP
Step 40
sudo apt-get update
Step 41
sudo apt-get install apache2 -y
Step 42
echo '<!doctype html><html><body><h1>Hello ECCUSER!</h1></body></html>' | sudo tee /var/www/html/index.html
Step 43
exit
Step 64
gcloud projects list
Step 66
export MY_SERVER=<EXTERNAL_IP>
Step 67
for ((i=1;i<=50;i++)); do curl $MY_SERVER; done
Step 73
SELECT
jsonPayload.src_vpc.vpc_name,
SUM(CAST(jsonPayload.bytes_sent AS INT64)) AS bytes,
jsonPayload.src_vpc.subnetwork_name,
jsonPayload.connection.src_ip,
jsonPayload.connection.src_port,
jsonPayload.connection.dest_ip,
jsonPayload.connection.dest_port,
jsonPayload.connection.protocol
FROM
`type_your_table_id`
GROUP BY
jsonPayload.src_vpc.vpc_name,
jsonPayload.src_vpc.subnetwork_name,
jsonPayload.connection.src_ip,
jsonPayload.connection.src_port,
jsonPayload.connection.dest_ip,
jsonPayload.connection.dest_port,
jsonPayload.connection.protocol
ORDER BY
bytes DESC
LIMIT
15
Step 76
SELECT
jsonPayload.connection.src_ip,
jsonPayload.connection.dest_ip,
SUM(CAST(jsonPayload.bytes_sent AS INT64)) AS bytes,
jsonPayload.connection.dest_port,
jsonPayload.connection.protocol
FROM
`type_your_table_id`
WHERE jsonPayload.reporter = 'DEST'
GROUP BY
jsonPayload.connection.src_ip,
jsonPayload.connection.dest_ip,
jsonPayload.connection.dest_port,
jsonPayload.connection.protocol
ORDER BY
bytes DESC
LIMIT
15
Exercise 4: Detecting Incidents in GCP with Cloud Monitoring
Step 14
sudo apt-get update
Step 15
sudo apt-get install apache2 php7.0
Step 16
Y
Step 25
curl -sSO https://dl.google.com/cloudagents/add-monitoring-agent-repo.sh
Step 26
sudo bash add-monitoring-agent-repo.sh
Step 27
sudo apt-get update
Step 28
sudo apt-get install stackdriver-agent
Step 29
Y
Step 30
curl -sSO https://dl.google.com/cloudagents/add-logging-agent-repo.sh
Step 31
sudo bash add-logging-agent-repo.sh
Step 32
sudo apt-get update
Step 33
sudo apt-get install google-fluentd
Step 34
exit
Module 08: Forensic Investigation in Cloud
Exercise 1: Examining Logs on Amazon CloudWatch Console
Step 71
wget https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
Step 72
dpkg -i amazon-cloudwatch-agent.deb
Step 73
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
Step 83
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json
Exercise 2: Forensically Acquiring and Examining VM in Microsoft Azure
Step 60
az login --tenant <paste the copied tenant ID here>
Step 61
az vm show --resource-group Production --name production-ubuntu --query "storageProfile.osDisk.name"
Step 62
az snapshot create --resource-group Production --name evidencesnapshot --location eastus --source <os-disk-name from Step 61>
Step 64
az snapshot grant-access --resource-group Production --name evidencesnapshot --duration-in-seconds 3600 --access-level read
Step 67
az storage account create --resource-group Forensics --location eastus --name ccsestorage --kind storageV2 --sku Standard_LRS
Step 69
az storage account keys list --resource-group Forensics --account-name ccsestorage --query "[0].value" --output json
Step 71
az storage share create --account-name ccsestorage --account-key "< paste the output for storage key here >" --name ccsefileshare --quota 39
Step 74
az storage file copy start --source-uri '"<copy and paste the output for SAS URI here>"' --destination-share ccsefileshare --destination-path azureevidencefile.dd --account-name ccsestorage --account-key "<copy and paste the output for storage account key here>"
Step 75
az storage file show --path azureevidencefile.dd --share-name ccsefileshare --account-name ccsestorage --account-key "<copy and paste the output for storage account key here>" --query "properties.copy.status"
Step 77
az snapshot delete --resource-group Production --name evidencesnapshot
Module 09: Business Continuity and Disaster Recovery in Cloud
Exercise 4: Implementing Disaster Recovery in Azure using Storage Data Replication and Failover
Step 12
export RESOURCEGROUP=learn-storage-replication-rg
Step 13
export AZURE_STORAGE_ACCOUNT=csg100320013ea52967
Step 14
export LOCATION=westus2
Step 17
az group create --location westus2 --resource-group MyResourceGroup
Step 18
az storage account create --name eccstorageaccount --resource-group MyResourceGroup --location westus --sku Standard_GRS --encryption-services blob --kind StorageV2
Step 19
az storage account keys list --account-name eccstorageaccount --resource-group MyResourceGroup --output table
Step 23
export AZURE_STORAGE_KEY="account-key"
Step 24
export BLOB_CONTAINER_NAME=demoblobcontainer
Step 27
az storage container create --account-key storagekey --account-name storageaccountname --name blobcontainername
Step 30
touch video.mp4
Step 31
cat > video.mp4
Step 32
cat video.mp4
Step 35
az storage blob upload --container-name demoblobcontainer --name video --file video.mp4 --account-name eccstorageaccount --account-key storageaccountkey
Step 36
az storage blob list --container-name demoblobcontainer --account-name eccstorageaccount --output table
Exercise 6: Creating Snapshot of a VM instance and Restoring the instance using the Snapshot in GCP
Step 18
ls
Step 38
ls
Exercise 7: Ensuring Service Availability using HTTP Load Balancing in GCP
Step 89
sudo apt-get -y install siege
Step 90
export LB_IP=<IP_v4_LB>
Step 91
siege -c 250 http://$LB_IP
Module 10: Governance, Risk Management, and Compliance in Cloud
Exercise 1: Restricting Deployment of S3 Buckets to a Specific Region using IAM Policy in AWS
Step 25
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "*",
"Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-2"}}
}
]
}
Module 11: Standards, Policies, and Legal Issues in Cloud
Exercise 1: Conducting Security Audit in AWS with AWS Trusted Advisor
Step 29
aws s3api put-bucket-acl --bucket vulns3bucket --grant-write-acp uri=http://acs.amazonaws.com/groups/global/AllUsers
Step 30
aws s3api put-bucket-acl --bucket vulns3bucket --grant-full-control uri=http://acs.amazonaws.com/groups/global/AllUsers