
This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
Cloud Security Fundamentals
The Cloud Security Fundamentals course teaches how cloud-native security differs from traditional perimeter security — the shared responsibility model, identity-centric access, encryption services, network controls in cloud, posture management, and the cross-cutting patterns that apply across AWS, Azure, and GCP.
Who Should Take This
Engineers and IT staff who deploy or operate workloads on AWS, Azure, or GCP and want to build secure-by-default cloud foundations. Assumes basic familiarity with at least one cloud provider's core services. Learners finish able to apply shared-responsibility-aware architectures, configure least-privilege IAM, encrypt data with cloud KMS, and recognize common cloud misconfigurations.
Course Outline
1. Shared Responsibility and Cloud Models (3 topics)
Shared Responsibility Model
- Define the shared responsibility model and identify the responsibility split for IaaS, PaaS, and SaaS at conceptual depth.
- Apply the shared responsibility model to a sample workload (EC2-based web app vs RDS managed DB vs SaaS CRM) and identify the customer's security responsibilities.
Cloud Service Categories
- Distinguish IaaS (raw VMs/storage), PaaS (managed runtimes), SaaS (full applications), and FaaS (serverless) and identify a representative service for each.
- Compare a self-managed EC2 + MySQL deployment with an Aurora Serverless deployment and analyze the security trade-offs.
Multi-Cloud and Hybrid Concepts
- Identify the security challenges of multi-cloud (consistent IAM, fragmented logging, divergent baseline configs) and describe how abstraction tools (Terraform, OPA) help.
2. Cloud Identity and Access (3 topics)
Cloud IAM Primitives
- Identify the core IAM constructs across providers: AWS IAM users/roles/policies, Azure AD/RBAC scopes, GCP IAM members/roles/bindings.
- Apply role-based access at appropriate scope (account/subscription/project, not individual resources where avoidable) and explain the blast-radius implications.
- Analyze a permissive IAM policy (e.g., AWS '*:*' on '*') and propose a scoped replacement grounded in observed access patterns.
Workload Identity
- Define workload identity and identify AWS IAM roles for EC2/ECS/EKS, GCP service accounts with Workload Identity, and Azure managed identities.
- Apply workload identity to eliminate long-lived access keys in CI/CD by federating GitHub/GitLab to short-lived cloud credentials via OIDC.
Privileged Access in Cloud
- Identify cloud-native PAM patterns: AWS IAM Identity Center with permission sets, Azure PIM, GCP just-in-time access via IAM conditions.
- Apply break-glass account design: separate emergency identity, hardware-key MFA, alerting on use, distinct from daily-use identities.
3. Encryption and Key Management (3 topics)
Cloud KMS Services
- Identify AWS KMS, Azure Key Vault, and GCP KMS as cloud-native key management services and describe what each provides.
- Apply customer-managed key (CMK) selection: when to use cloud-managed default keys vs customer-managed keys vs HSM-backed keys.
Envelope Encryption and Data Protection
- Define envelope encryption and describe the DEK/KEK pattern with cloud KMS performing wrap/unwrap.
- Apply at-rest encryption to S3/Blob/GCS, RDS/SQL/Cloud SQL, and EBS/Disk/PD using customer-managed keys with proper key policies.
Secrets Management
- Identify AWS Secrets Manager, Azure Key Vault secrets, GCP Secret Manager, and HashiCorp Vault as cloud-secrets options.
- Apply secret rotation, scoped IAM access to secrets, and integration with workload identity (no hard-coded fetch credentials).
4. Network Security in Cloud (3 topics)
VPCs and Subnets
- Identify the core network constructs: AWS VPC + subnets + route tables, Azure VNet + subnets + UDRs, GCP VPC + subnets + routes.
- Apply a baseline VPC design with public + private subnets, a NAT for egress, and route tables that prevent unintended internet exposure.
Security Groups and NSGs
- Identify the stateful behavior of security groups (AWS), firewall rules (GCP), and NSGs (Azure), and recognize the implicit-deny default in each.
- Apply least-privilege ingress rules: source-restricted (CIDR or security-group reference), specific ports, no 0.0.0.0/0 SSH or RDP.
- Analyze a security group ruleset that exposes a database port to the internet and trace the resulting attack surface.
Private Connectivity and Egress
- Identify private endpoints (AWS PrivateLink, Azure Private Endpoint, GCP Private Service Connect) and explain how they avoid traversing the public internet.
- Apply egress controls: VPC endpoints/NAT for managed services, egress proxies for outbound HTTPS, and blocking direct open-internet access from private subnets.
5. Logging, Detection, and Posture (3 topics)
Audit Logging
- Identify AWS CloudTrail, Azure Activity Log, and GCP Cloud Audit Logs and describe what each captures (control-plane vs data-plane events).
- Apply audit-log centralization: organization-wide log aggregation to a dedicated security/log archive account/subscription/project with restricted write access.
Cloud-Native Threat Detection
- Identify AWS GuardDuty, Azure Defender for Cloud, and GCP Security Command Center as cloud-native threat detection services.
- Apply baseline detection coverage: enable provider-native detection org-wide, integrate findings into a SIEM, and tune the highest-noise rules.
Posture Management (CSPM)
- Define CSPM and identify cloud-native (Security Hub, Defender for Cloud, SCC) and third-party (Wiz, Prowler, ScoutSuite) options.
- Apply CIS Foundations Benchmark scanning across an organization and triage findings by exploitability and exposure rather than total count.
- Analyze a 'public S3 bucket' or 'overly permissive IAM' finding and trace the chain of misconfigurations that produced it.
6. Compliance, Containers, and Common Failures (3 topics)
Compliance and Benchmarks
- Identify CIS Benchmarks, Well-Architected security pillar, and provider compliance frameworks (FedRAMP, PCI-DSS in cloud, HIPAA-eligible services) and describe their roles.
- Apply a baseline compliance assessment using a CIS benchmark scanner and produce a prioritized remediation list grounded in business context.
Container and Kubernetes Security
- Identify the cloud-Kubernetes shared responsibility split (control plane managed by provider, worker nodes and workloads by customer in EKS/AKS/GKE).
- Apply baseline Kubernetes security: image scanning, signed images, network policies, pod security admission, restricted service accounts.
Common Cloud Misconfigurations
- Identify the canonical cloud misconfiguration list: public storage buckets, exposed databases, overly permissive IAM, unencrypted volumes, exposed metadata service.
- Apply IMDSv2 (AWS), instance metadata hardening, and service-account token projection patterns to mitigate metadata-service abuse.
- Analyze the Capital One 2019 breach (or a comparable SSRF-to-metadata-to-S3 chain) and identify each control that should have prevented or detected each step.
7. DevOps, IaC, and Pipeline Security (8 topics)
Infrastructure as Code Security
- Identify Terraform, CloudFormation, Bicep, and Pulumi as the dominant cloud IaC tools and describe the security benefits of declarative, reviewable, version-controlled infrastructure.
- Apply IaC security scanning: tfsec, Checkov, KICS, or cfn-nag in CI to catch insecure configurations before deploy.
- Analyze a Terraform module that creates an S3 bucket with default ACLs and identify the specific changes needed for a secure baseline (block public access, encryption, logging, versioning).
Cloud-Native Secret Management
- Identify common patterns for delivering secrets to cloud workloads: KMS-encrypted env vars, secret managers + IAM, and OIDC-federated short-lived credentials.
- Apply secret-zero patterns: avoid the chicken-and-egg of 'how do I authenticate to the secret store?' by using workload identity / instance metadata.
CI/CD to Cloud Authentication
- Identify GitHub OIDC, GitLab OIDC, and CircleCI OIDC federation as the modern alternatives to long-lived access keys for CI/CD-to-cloud authentication.
- Apply OIDC federation: configure cloud trust to a specific repo/branch/workflow with scoped role permissions, and remove static access keys.
- Analyze a CI pipeline that uses a long-lived access key stored in repository secrets and propose the OIDC migration steps.
Cloud Account Structure
- Identify cloud organization patterns: AWS Organizations + OUs, Azure management groups, GCP folders/projects, and the security benefit of multi-account/subscription/project boundaries.
- Apply landing-zone patterns: separate accounts for production / non-production / log-archive / security / shared-services, with SCPs / Azure Policy / org policies limiting cross-boundary blast radius.
- Analyze a 'one big AWS account with everything in it' scenario and propose a multi-account migration sequence with quantified blast-radius reduction.
Cost-Aware Security and Backups
- Identify the security relevance of backups (ransomware recovery), versioning, MFA-Delete on object storage, and immutable / object-lock storage.
- Apply 3-2-1 backup principles in a cloud context: production data + cross-region copy + cross-account/immutable copy with restoration tested at least annually.
Tenant Isolation in Multi-Tenant Cloud
- Identify tenant-isolation patterns: silo (separate account per tenant), pool (shared infrastructure with policy-enforced separation), and bridge (mixed) — and compare their trade-offs.
- Apply ABAC tags + IAM conditions to enforce tenant isolation in pool-model multi-tenant deployments.
- Analyze a leaked-bucket-policy scenario in a multi-tenant SaaS where bucket policies omit a tenant condition and propose detection and prevention controls.
Cloud Incident Response
- Identify cloud-native IR primitives: snapshot-and-quarantine for compromised VMs, IAM credential rotation, role-trust review, and forensic copy via cloud APIs.
- Apply a cloud IR playbook for 'compromised IAM access key' that includes immediate revocation, scope-of-impact analysis from CloudTrail, and key-creator review.
- Analyze a credential-leak scenario where developer credentials were accidentally pushed to GitHub and trace each remediation step in time-sensitive order.
Cloud Cryptographic Boundaries
- Identify Cloud HSM offerings (AWS CloudHSM, Azure Dedicated HSM, GCP Cloud HSM) and determine when single-tenant HSMs are required (FIPS 140-2/3 high-assurance, regulatory mandates).
- Apply Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) patterns and analyze their operational-cost vs. control trade-off relative to provider-managed keys.
Scope
Included Topics
- Shared responsibility model across IaaS, PaaS, SaaS and the three major cloud providers.
- Cloud IAM: roles, policies, service principals, workload identity, and least-privilege design.
- Encryption: KMS-managed keys, customer-managed keys (CMK), envelope encryption, at-rest and in-transit defaults.
- Cloud network security: VPCs/VNets, security groups, NSGs, private endpoints, NAT/egress controls.
- Cloud-native logging and monitoring: CloudTrail, Activity Logs, Audit Logs, GuardDuty, Defender, SCC.
- Posture management (CSPM): Security Hub, Defender for Cloud, SCC, Prowler, ScoutSuite.
- Common cloud misconfigurations: public S3 buckets, overly permissive roles, exposed metadata, default secrets.
- Compliance and benchmarks: CIS benchmarks, Well-Architected security pillar, FedRAMP/PCI-DSS in cloud context.
- Container and Kubernetes security at conceptual depth: workload identity, network policies, image scanning.
Not Covered
- Vendor-specific certification depth (covered in CSP-specific specs).
- Detailed Kubernetes security (covered in CKS).
- Deep packet inspection and traditional perimeter NGFW configuration.
Cloud Security Fundamentals is coming soon