Daily Blog #787: Things not to do when creating test clouds part 1

As a seasoned IT professional and instructor for SANS classes, I've learned the importance of maintaining a reliable and secure test environment. One crucial step in this process is generating test datasets that mimic real-world scenarios without compromising security or confidentiality. In my experience, creating a fictional company to host these tests has proven to be an effective way to achieve this goal.

This time around, I decided to simplify the process by setting up all cloud infrastructure within an AWS Virtual Private Server (VPS). The idea was to have a centralized hub for storing and saving snapshots of my test environments, making it easier to manage and reuse them in the future. However, what started as a convenient shortcut quickly turned into a costly lesson learned.

As I attempted to create new accounts from within an AWS EC2 instance, I inadvertently triggered a detection rule shared by some of the biggest cloud providers – Amazon Web Services (AWS), Microsoft, and Google. The warning was clear: "Never allow account sign-ups originating from an AWS EC2 IP—EVER." In other words, attempting to create new accounts from an AWS EC2 instance is not recommended due to the high risk of fraud originating from these IP ranges.

This may seem like a minor infraction, but the consequences can be severe. With the increasing sophistication of cyber threats and the rise of cloud-based attacks, it's essential to take precautions when creating test environments that mimic real-world scenarios. The takeaway is clear: Due to extensive fraud originating from cloud IP ranges, you must use either a VPS or your personal IP for account sign-ups and verification processes.

In our next installment, we'll dive into strategies for reliably receiving SMS verification codes in your test environment. Stay tuned for more insights and tips on maintaining a secure and reliable test environment that won't compromise your security or confidentiality.