GCSA

The GCSA training equips security engineers and DevOps practitioners with advanced techniques to automate cloud security controls, covering DevSecOps, IaC, CI/CD, container hardening, and secrets management.

  • 120 minutes
  • 60 questions
  • Passing score: 61/100
  • Exam cost: $979

Who Should Take This

The GCSA training is designed for mid-level to senior security engineers, cloud architects, and DevOps engineers who already manage cloud environments and want to embed automated security policies into their workflows. These professionals aim to reduce manual risk, accelerate compliance, and scale protection across multi-cloud infrastructures.

What's Covered

  • Domain 1: DevSecOps Fundamentals
  • Domain 2: Infrastructure as Code Security
  • Domain 3: CI/CD Pipeline Security
  • Domain 4: Container Security Automation
  • Domain 5: Secrets Management
  • Domain 6: Compliance as Code
  • Domain 7: Automated Vulnerability Management

What's Included in AccelaStudy® AI

  • Adaptive Knowledge Graph
  • Practice Questions
  • Lesson Modules
  • Console Simulator Labs
  • Exam Tips & Strategy
  • 20 Activity Formats

Course Outline

62 learning goals

Domain 1: DevSecOps Fundamentals (3 topics)

DevSecOps Culture and Principles

  • Describe the DevSecOps philosophy including shift-left security, shared responsibility between development and security teams, and continuous security feedback loops.
  • Identify the stages of a secure software delivery lifecycle from code commit through production deployment including security gates at each phase.
  • Describe threat modeling methodologies applicable to cloud-native applications including STRIDE, PASTA, and attack tree analysis for automated pipeline integration.
  • Evaluate organizational readiness for DevSecOps adoption by assessing team skill gaps, tooling maturity, and cultural barriers to security automation.

Security Automation Architecture

  • Describe event-driven security automation patterns using cloud-native services such as AWS Lambda, Azure Functions, and EventBridge for real-time response.
  • Implement webhook-based security integrations connecting source control events to automated scanning, notification, and remediation workflows.
  • Compare synchronous versus asynchronous security gate patterns in deployment pipelines evaluating impact on developer velocity and security coverage.

Security Metrics and Reporting

  • Identify key DevSecOps metrics including mean time to detect, mean time to remediate, vulnerability escape rate, and security gate pass rate for pipeline effectiveness measurement.
  • Implement security dashboards aggregating findings from SAST, DAST, SCA, and infrastructure scanning tools to provide unified visibility across the delivery pipeline.

Domain 2: Infrastructure as Code Security (3 topics)

Terraform Security

  • Describe Terraform state file security risks including credential exposure, state tampering, and remote backend configuration requirements for encrypted storage.
  • Implement Terraform static analysis using tfsec, Checkov, and Terrascan to detect security misconfigurations in HCL before infrastructure provisioning.
  • Configure Terraform Sentinel or OPA policies to enforce organizational security guardrails preventing deployment of non-compliant resource configurations.
  • Implement secure Terraform module patterns including input validation, default secure configurations, and provider version constraints to prevent supply chain attacks.
  • Evaluate Terraform plan output to identify security-impacting changes including public exposure, encryption removal, and IAM policy modifications before apply.

CloudFormation and ARM Template Security

  • Describe AWS CloudFormation security features including stack policies, drift detection, termination protection, and IAM role scoping for stack operations.
  • Implement cfn-lint and cfn-nag scanning in CI pipelines to validate CloudFormation templates against security best practices before stack creation.
  • Configure CloudFormation Guard rules to enforce resource property constraints and prevent deployment of insecure configurations at the template validation stage.
  • Compare infrastructure as code security tooling across Terraform, CloudFormation, and ARM evaluating rule coverage, false positive rates, and integration complexity.

IaC Drift and State Management

  • Implement infrastructure drift detection using CloudFormation drift detection and Terraform plan to identify unauthorized manual changes to provisioned resources.
  • Configure automated drift remediation workflows that reconcile detected configuration deviations back to the declared infrastructure state.
  • Assess the security implications of infrastructure state file compromise including lateral movement risks and remediation steps for exposed Terraform state.

Domain 3: CI/CD Pipeline Security (2 topics)

Pipeline Architecture Security

  • Describe CI/CD pipeline threat vectors including poisoned pipeline execution, dependency confusion, artifact tampering, and build environment compromise.
  • Implement pipeline-as-code with branch protection rules, required reviewers, and signed commits to prevent unauthorized modifications to build definitions.
  • Configure isolated build environments using ephemeral runners, rootless containers, and network-restricted build agents to minimize blast radius of compromised pipelines.
  • Analyze CI/CD pipeline audit logs to detect unauthorized workflow modifications, anomalous build patterns, and potential supply chain compromise indicators.

Software Supply Chain Security

  • Describe software supply chain security frameworks including SLSA levels, in-toto attestations, and SBOM generation for artifact provenance tracking.
  • Implement dependency scanning using tools such as Snyk, Dependabot, and OWASP Dependency-Check to identify vulnerable third-party libraries in application builds.
  • Configure artifact signing and verification using Sigstore, cosign, or AWS Signer to establish cryptographic provenance for build artifacts.
  • Evaluate SBOM completeness and accuracy for containerized applications assessing coverage of OS packages, language dependencies, and transitive dependencies.

Domain 4: Container Security Automation (2 topics)

Docker Security

  • Describe Docker security primitives including namespaces, cgroups, capabilities, seccomp profiles, and AppArmor policies for container isolation.
  • Implement Docker image hardening using multi-stage builds, distroless base images, and Dockerfile best practices to minimize attack surface.
  • Configure automated container image scanning in CI pipelines using Trivy, Grype, or Snyk Container to gate deployments on vulnerability thresholds.
  • Assess Docker daemon security configurations including rootless mode, user namespaces, and content trust to determine appropriate hardening for production environments.

Kubernetes Security Automation

  • Describe Kubernetes admission controller architecture including mutating and validating webhooks and their role in enforcing security policies at deploy time.
  • Implement Kubernetes admission policies using OPA Gatekeeper or Kyverno to enforce pod security standards, image allow lists, and resource quotas.
  • Configure Kubernetes network policies to restrict pod-to-pod communication and implement namespace-level microsegmentation in production clusters.
  • Implement automated Kubernetes security benchmarking using kube-bench against CIS Kubernetes Benchmarks with integration into CI/CD reporting.
  • Evaluate Kubernetes RBAC configurations to identify overly permissive roles, unused bindings, and privilege escalation paths within cluster namespaces.

Domain 5: Secrets Management (3 topics)

Vault and Secret Stores

  • Describe HashiCorp Vault architecture including storage backends, seal mechanisms, auth methods, secret engines, and audit logging for centralized secrets management.
  • Identify cloud-native secrets management services including AWS Secrets Manager, AWS Systems Manager Parameter Store, and Azure Key Vault with their respective use cases.
  • Implement dynamic secret generation using Vault database secret engines to provide time-limited, unique credentials for each application instance.
  • Configure automatic secret rotation for AWS RDS credentials using Secrets Manager rotation Lambda functions with zero-downtime deployment strategies.

Secret Detection and Prevention

  • Implement pre-commit secret scanning using tools such as git-secrets, TruffleHog, and detect-secrets to prevent credential leakage in source control.
  • Configure GitHub Advanced Security secret scanning and push protection to detect and block commits containing API keys, tokens, and credentials.
  • Evaluate secret management maturity by assessing rotation frequency, access audit completeness, blast radius controls, and emergency revocation procedures.

Secrets in Container Orchestration

  • Describe Kubernetes native secret types including Opaque, TLS, and docker-registry secrets and their base64 encoding limitations for sensitive data storage.
  • Implement external secrets operators to synchronize secrets from Vault, AWS Secrets Manager, or Azure Key Vault into Kubernetes secrets with automatic rotation.
  • Configure sealed secrets or SOPS encryption to enable encrypted secret definitions in Git repositories while maintaining GitOps workflows for Kubernetes deployments.

Domain 6: Compliance as Code (2 topics)

Policy Frameworks

  • Describe Open Policy Agent architecture including Rego policy language, bundle distribution, and decision logging for centralized policy enforcement.
  • Implement OPA policies for Kubernetes admission control, Terraform plan validation, and API authorization decisions using Rego rule definitions.
  • Configure AWS Config custom rules and conformance packs to codify organizational compliance requirements as continuously evaluated policy checks.
  • Compare policy-as-code engines including OPA, Sentinel, AWS Config, and Azure Policy evaluating expressiveness, integration points, and enforcement models.

Automated Audit and Evidence

  • Describe automated compliance evidence collection patterns including continuous control monitoring, audit trail aggregation, and machine-readable compliance reports.
  • Implement automated compliance reporting using AWS Audit Manager and Azure Compliance Manager to generate evidence for SOC 2, PCI DSS, and HIPAA audits.
  • Assess compliance-as-code program effectiveness by evaluating control coverage percentage, audit finding remediation velocity, and exception management processes.

Domain 7: Automated Vulnerability Management (2 topics)

Vulnerability Scanning Automation

  • Describe cloud-native vulnerability scanning services including Amazon Inspector, Azure Defender vulnerability assessment, and their integration with security aggregation platforms.
  • Implement automated vulnerability scanning pipelines that trigger on infrastructure changes, new deployments, and scheduled intervals with threshold-based alerting.
  • Configure vulnerability finding aggregation and deduplication across multiple scanning tools to create a unified view of organizational vulnerability posture.
  • Analyze vulnerability scan findings to prioritize remediation based on exploitability, asset criticality, network exposure, and available compensating controls.

Remediation Automation

  • Implement automated patching workflows using AWS Systems Manager Patch Manager and Azure Update Management with rollback capabilities and compliance verification.
  • Configure auto-remediation for infrastructure misconfigurations using AWS Config remediation actions triggered by non-compliant resource evaluations.
  • Evaluate vulnerability management program metrics including mean time to remediation, SLA compliance rates, risk-based prioritization accuracy, and exception approval processes.

Scope

Included Topics

  • All domains in the GIAC Cloud Security Automation (GCSA) certification aligned to SANS SEC540: DevSecOps fundamentals, infrastructure as code security, CI/CD pipeline security, container security, secrets management, compliance as code, and automated vulnerability management.
  • Infrastructure as Code security for Terraform and CloudFormation including static analysis, policy enforcement, drift detection, and secure module patterns.
  • CI/CD pipeline hardening for GitHub Actions, GitLab CI, Jenkins, and AWS CodePipeline including artifact integrity, dependency scanning, and pipeline-as-code security.
  • Container security lifecycle from build through runtime including Docker image hardening, Kubernetes admission control, and container orchestration security automation.
  • Secrets management using HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and parameter stores with rotation, access policies, and dynamic secrets.
  • Compliance as code frameworks including Open Policy Agent, Sentinel, AWS Config Rules, and automated audit evidence collection.

Not Covered

  • Manual security review processes and compliance auditing without automation components.
  • Application-level secure coding practices such as input validation, output encoding, and session management.
  • Cloud provider pricing, billing, and cost optimization strategies.
  • Physical security controls and data center operations.
  • Offensive security techniques, exploit development, and penetration testing methodologies.

Official Exam Page

Learn more at GIAC Certifications

Trademark Notice

GIAC® is a registered trademark of Global Information Assurance Certification (a subsidiary of the SANS Institute). GIAC does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.