HikeCatalyst

Cloud Security Fundamentals

Harden AWS or GCP environments by mastering IAM, network security, secrets, and threat detection from day one.

Created by: Meera P. (rating 5.0)
Team Lead, Data Science at AdMetrics | 9+ years of experience

About this Path

For cloud engineers, DevOps practitioners, and developers who build on AWS or GCP and need to go beyond checkbox compliance to genuine security ownership. You will master least-privilege IAM, VPC segmentation, encryption in transit and at rest, secrets lifecycle management, and continuous threat detection with native cloud tooling. Outcome: pass a security review and confidently own the security posture of a cloud workload.

Path Overview

  • Intermediate level
  • Certificate of completion
  • About 38 hours to complete
  • English language
  • 16+ curated videos
  • Learn online at your own pace
  • 5 modules with resources
  • Gamified and interactive

Path Curriculum

Least-Privilege IAM: policies, roles, and condition keys
Write scoped policies with aws:RequestedRegion and aws:ResourceTag conditions.
AWS Organizations, SCPs, and Permission Boundaries
Enforce guardrails across accounts without micromanaging individual policies.
Federated Identity: OIDC, SAML, and IAM Identity Center
Replace long-lived access keys with SSO and OIDC role assumption.
Service Accounts and Workload Identity on GCP
Bind Kubernetes service accounts to GCP service accounts with Workload Identity.
VPC Design: public vs private subnets, NAT, and Transit Gateway
Architect multi-account networks so workloads never have unnecessary internet routes.
Security Groups vs NACLs: stateful and stateless filtering
Apply the right control layer for instance-level and subnet-level traffic rules.
VPC Endpoints and PrivateLink: eliminating internet exposure
Route S3, Secrets Manager, and ECR traffic inside the AWS network.
WAF, Shield, and DDoS Mitigation Patterns
Attach WAF managed rule groups to CloudFront and ALB to block common OWASP Top 10 attack patterns.
KMS Key Policies, Grants, and Envelope Encryption
Control who can use CMKs and audit every decrypt call via CloudTrail.
S3 Bucket Policies: Block Public Access, SSE-KMS, and CORS
Prevent accidental public exposure and enforce server-side encryption by policy.
TLS Everywhere: ACM, certificate pinning, and HSTS
Automate certificate renewal and enforce modern TLS versions on ALBs and APIs.
AWS Secrets Manager: storing, rotating, and auditing secrets
Enable automatic rotation for RDS passwords and audit access via CloudTrail.
HashiCorp Vault: dynamic secrets and lease management
Issue short-lived database credentials and revoke them automatically on expiry.
Parameter Store vs Secrets Manager: choosing the right tool
Use Parameter Store for non-sensitive config and Secrets Manager for credentials.
Detecting Secret Sprawl in Code and CI Pipelines
Run Gitleaks pre-commit and in GitHub Actions to catch leaked credentials early.
GuardDuty and Security Hub: continuous threat detection
Enable findings aggregation across accounts and triage high-severity alerts.
CloudTrail and EventBridge: automated remediation rules
Trigger Lambda to revoke overly permissive security group rules on creation.
Checkov and tfsec: scanning Terraform before apply
Fail CI on critical misconfigurations like public S3 buckets or open port 22.
CIS Benchmark Assessment and Remediation Workflow
Use AWS Security Hub CIS checks to build a prioritized remediation backlog.

What you'll learn

  • Design IAM policies following least-privilege using condition keys, permission boundaries, and SCPs in AWS Organizations.
  • Segment cloud networks with VPCs, subnets, security groups, NACLs, and private endpoints to eliminate unintended exposure.
  • Enforce encryption at rest and in transit using KMS key policies, S3 bucket policies, and TLS certificate automation with ACM.
  • Manage secrets lifecycle with AWS Secrets Manager and HashiCorp Vault including automatic rotation and audit logging.
  • Detect threats in real time using GuardDuty, Security Hub, and CloudTrail with automated EventBridge remediation rules.
  • Run infrastructure security scans with Checkov and tfsec inside CI pipelines to catch misconfigurations before deployment.