Domain 3 of 6 | 19% of Exam | CV0-004
Eight essential security and compliance areas for Cloud+ CV0-004 Domain 3.
Mnemonics and mental models to lock in key concepts fast.
10 scenario-based questions covering Domain 3 Security & Compliance.
Map out exactly where provider security ends and customer security begins for IaaS, PaaS, and SaaS. Draw the dividing line for each service type.
Memorize the Preventive / Detective / Corrective categories. For each cloud service (AWS GuardDuty, CloudTrail, and Shield, and their Azure counterparts such as Microsoft Defender for Cloud, Activity Log, and Azure DDoS Protection), classify which type of control it represents.
Understand CVSS scoring tiers (Critical/High/Medium/Low), CVE lifecycle, and the workflow from scan to patch. Practice with AWS Inspector and Nessus conceptually.
Contrast traditional perimeter security with Zero Trust. Map ZTNA, microsegmentation, and mTLS to real cloud services. Understand why VPNs alone are insufficient.
Drill SSE-S3 vs SSE-KMS vs SSE-C distinctions. Understand when to use CloudHSM vs KMS. Know FIPS 140-2 Level 3 requirements and what satisfies them.
For each standard (PCI DSS, SOC 2, ISO 27001, HIPAA, GDPR, FedRAMP), identify the specific technical controls required and the cloud services that satisfy them.
Focus on questions that present a security incident or compliance gap and ask you to identify the correct control or response. Use the quiz to test applied knowledge.
Understand Users, Groups, Roles, Policies in AWS (and equivalents in Azure/GCP). Practice writing least-privilege policy statements. Know RBAC vs ABAC differences.
Know when MFA is mandatory (root account, admin users, console access). Understand PAM concepts: just-in-time access, session recording, and approval workflows.
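Worked example for the two items above (least-privilege policy statements and MFA gating). This is an added illustration, not content from the study guide or from AWS: the two policy documents are constructed, the bucket name example-reports, the account ID 123456789012 and the Sids are assumptions, and the linter and evaluator are a simplified model of IAM evaluation (Deny statements and Conditions are ignored when checking what a statement grants).

```python
"""Least-privilege IAM policy review (added example; constructed policies,
not from any real account). OVERBROAD_POLICY is the kind of statement that
"just works"; LEAST_PRIVILEGE_POLICY scopes the same workload to one prefix
and gates IAM access-key rotation on MFA. lint_policy() flags what a reviewer
looks for; statement_allows() shows how much each policy actually grants."""
import fnmatch
import json

OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}

# Assumed names: bucket example-reports, account 123456789012.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadCurrentYearReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-reports/2024/*",
        },
        {
            "Sid": "ListOnlyThatPrefix",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-reports",
            "Condition": {"StringLike": {"s3:prefix": ["2024/*"]}},
        },
        {
            "Sid": "RotateOwnAccessKeysWithMfa",
            "Effect": "Allow",
            "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
            "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
}

# Service prefixes whose Allow statements should be gated on MFA.
MFA_REQUIRED_PREFIXES = ("iam:", "organizations:", "kms:")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True if the statement carries an aws:MultiFactorAuthPresent = true condition."""
    cond = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() == "true":
            return True
    return False


def lint_policy(policy):
    """Return (Sid or index, finding) pairs for every Allow statement."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((label, "wildcard Action grants a whole service"))
        if "*" in resources and "Condition" not in stmt:
            findings.append((label, "Resource '*' with no Condition"))
        privileged = any(a == "*" or a.startswith(MFA_REQUIRED_PREFIXES) for a in actions)
        if privileged and not _requires_mfa(stmt):
            findings.append((label, "privileged Action without aws:MultiFactorAuthPresent"))
    return findings


def statement_allows(policy, action, resource):
    """Simplified evaluation: does some Allow statement match action and resource?
    Deny statements and Conditions are ignored; IAM's '*' and '?' wildcards
    behave like fnmatch's, which is enough to show how scope shrinks."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, json.dumps(lint_policy(policy), indent=1))
```

The scoped policy produces no findings, while the over-broad one trips every check; the evaluator makes the difference concrete (s3:DeleteBucket is granted by the first policy and refused by the second). In a real review the Condition on the MFA statement also matters for the exam point on L15: console sessions carry aws:MultiFactorAuthPresent only after an MFA challenge, so the key-rotation statement is unusable from an access-key-only session.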
Learn AWS Systems Manager Patch Manager and Azure Update Manager. Understand the scan-assess-approve-deploy cycle and how to handle critical patches vs. scheduled windows.
Study AWS Config Rules and Azure Policy for compliance-as-code. Know how to set up continuous compliance monitoring and automatic remediation for common misconfigurations.
Master CloudTrail (AWS) and Azure Activity Log. Know what events are logged, how long logs are retained (CloudTrail's event history keeps 90 days of management events, while a trail delivering to S3 keeps them for as long as the bucket lifecycle allows; Azure Activity Log keeps 90 days unless exported to a Log Analytics workspace or storage account), and how to use logs for compliance reporting and forensic investigation.
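Worked example for the CloudTrail item above: a triage pass over log records of the kind a forensic investigation starts from. This is an added illustration, not from the study guide or from AWS. The log file is constructed: the field names follow CloudTrail's documented record format (userIdentity, eventSource, eventName, responseElements, additionalEventData.MFAUsed), but every value (account ID, user names, IP addresses, times, trail name) is made up, and the severity labels and thresholds are the author's own choices.

```python
"""Triage pass over CloudTrail records (added example). SAMPLE_LOG is a
constructed, trimmed log file: field names follow CloudTrail's record
format, every value (account, principals, IPs, times) is made up."""
import json
from collections import Counter

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-02T08:14:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-02T08:21:47Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-02T08:22:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "requestParameters": {"name": "org-trail"}},
] + [
    # Three failed logins for the same user from the same address.
    {"eventTime": f"2024-05-02T09:0{i}:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"}}
    for i in range(3)
]})

# API calls that blind the audit trail; any one of them warrants a page.
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _actor(record):
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def triage(log_text, failure_threshold=3):
    """Return (severity, eventTime, message) findings in log order."""
    records = json.loads(log_text)["Records"]
    findings = []
    failures = Counter()
    for r in records:
        who, src, when = _actor(r), r.get("sourceIPAddress"), r["eventTime"]
        if r["eventName"] == "ConsoleLogin":
            outcome = r.get("responseElements", {}).get("ConsoleLogin")
            mfa = r.get("additionalEventData", {}).get("MFAUsed")
            if outcome == "Success" and r["userIdentity"].get("type") == "Root":
                findings.append(("CRITICAL", when, f"root console login from {src}"))
            if outcome == "Success" and mfa != "Yes":
                findings.append(("HIGH", when, f"console login without MFA: {who} from {src}"))
            if outcome == "Failure":
                failures[(who, src)] += 1
                if failures[(who, src)] == failure_threshold:
                    findings.append(("MEDIUM", when,
                                     f"{failure_threshold} failed logins for {who} from {src}"))
        elif r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in AUDIT_TAMPERING:
            trail = r.get("requestParameters", {}).get("name", "?")
            findings.append(("CRITICAL", when, f"{r['eventName']} on trail {trail} by {who} from {src}"))
    return findings


def pivot_on_ip(log_text, ip):
    """Forensic pivot: everything a source IP did, in time order."""
    records = json.loads(log_text)["Records"]
    hits = [(r["eventTime"], r["eventName"], _actor(r)) for r in records
            if r.get("sourceIPAddress") == ip]
    return sorted(hits)


if __name__ == "__main__":
    for sev, when, msg in triage(SAMPLE_LOG):
        print(f"{sev:8} {when} {msg}")
    print(pivot_on_ip(SAMPLE_LOG, "198.51.100.7"))
```

Run stand-alone it prints four findings: the root login without MFA (two findings on one record), the StopLogging call a minute later from the same address, and the burst of failures for bob. Pivoting on the root login's source address ties the login and the trail tampering together, which is the kind of chain the exam's forensic scenarios ask you to reconstruct. Note that a StopLogging event is itself only visible because it was recorded before logging stopped; that is the argument for an organization trail that a member account cannot disable.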
For your cloud platform (AWS/Azure/GCP), document what you are responsible for vs. the provider. Focus on the controls you own: IAM, OS patching, network security groups, data encryption.
Take the 10-question quiz. Focus on questions about which service to use for a specific requirement and what your customer responsibility is in a given scenario.
Study the SNRN framework: Scan images (Trivy/Snyk), Non-root user, Read-only filesystem, Network policies. Understand why each matters with a concrete attack scenario.
Never store secrets in code, environment variables, or container images. Learn AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, and Kubernetes Secrets — and when to use each. Remember that a Kubernetes Secret is only base64-encoded: it is not encrypted in etcd unless encryption at rest is configured, and anyone with read access to Secrets in the namespace can recover it.
Understand managed identities (Azure) and EC2 instance profiles (AWS) for application authentication. Learn why you should never hard-code credentials and how IMDS provides temporary credentials. Prefer IMDSv2, which requires a session token obtained with a PUT request and enforces a hop limit, so an SSRF bug in the application cannot simply GET the credentials from the metadata endpoint.
Review the 10 categories of the 2017 list: injection, broken authentication, sensitive data exposure, XXE, broken access control, security misconfiguration, XSS, insecure deserialization, components with known vulnerabilities, and insufficient logging and monitoring. The current 2021 edition reorganizes them: XXE is folded into Security Misconfiguration, XSS into Injection, sensitive data exposure becomes Cryptographic Failures, and Insecure Design, Software and Data Integrity Failures, and SSRF are new entries.
Know when your application must handle encryption vs. delegating to the platform. Understand TLS enforcement, certificate handling via ACM/Key Vault, and why you should not roll your own crypto.
Study Pod Security Standards (Privileged / Baseline / Restricted). Know how to configure runAsNonRoot, readOnlyRootFilesystem, and Network Policies in deployment manifests.
Understand shifting security left: image scanning in pipelines, dependency scanning, SAST/DAST tools, and blocking deployments that fail security gates — then practice the quiz questions.
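Worked example tying together the SNRN item, the Pod Security Standards item, and the security-gate item above: a check that evaluates a workload manifest against the Restricted profile the way a pipeline gate or admission controller would, and a remediation step that makes it pass. This is an added illustration, not code from the study guide or from the Kubernetes project. Both manifests are constructed; the image name registry.example.com/api, the namespace prod and the UID 10001 are assumptions. The checks follow the published Restricted profile (host namespaces, volume types, privileged, allowPrivilegeEscalation, capabilities, runAsNonRoot, seccomp); the read-only root filesystem rule is the page's own SNRN requirement and is not part of PSS, so it is a separate flag.

```python
"""Pod Security Standards "Restricted" check for a manifest (added example,
not part of the page or any real project). BAD_DEPLOYMENT and
GOOD_DEPLOYMENT are constructed; image name, namespace and UID are assumed.
check_restricted() lists violations the way an admission controller would,
plus the page's read-only root filesystem rule (not a PSS requirement);
harden() applies the fixes so the result passes."""
import copy

BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "api", "image": "registry.example.com/api:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "docker", "mountPath": "/var/run/docker.sock"}],
        }],
    }}},
}

GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "api", "image": "registry.example.com/api:1.4.2",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    }}},
}

# Volume types the Restricted profile permits (hostPath is notably absent).
ALLOWED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                   "persistentVolumeClaim", "projected", "secret"}
# Container securityContext that satisfies Restricted plus the page's read-only rule.
HARDENED_CONTAINER_SC = {"allowPrivilegeEscalation": False, "privileged": False,
                         "runAsNonRoot": True, "readOnlyRootFilesystem": True,
                         "seccompProfile": {"type": "RuntimeDefault"},
                         "capabilities": {"drop": ["ALL"]}}


def pod_spec(manifest):
    """Pod spec for a bare Pod or for any workload with a pod template."""
    return manifest["spec"] if manifest["kind"] == "Pod" else manifest["spec"]["template"]["spec"]


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def check_restricted(manifest, require_readonly_root=True):
    spec, v = pod_spec(manifest), []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            v.append(f"{flag} must be false")
    for vol in spec.get("volumes", []):
        for kind in set(vol) - {"name"} - ALLOWED_VOLUMES:
            v.append(f"volume {vol['name']}: type {kind} not allowed")
    pod_sc = spec.get("securityContext", {})
    for c in _containers(spec):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged"):
            v.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            v.append(f"{name}: capabilities.drop must include ALL")
        if set(sc.get("capabilities", {}).get("add", [])) - {"NET_BIND_SERVICE"}:
            v.append(f"{name}: only NET_BIND_SERVICE may be added")
        # Container-level settings override pod-level ones, so resolve both.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            v.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        if require_readonly_root and not sc.get("readOnlyRootFilesystem"):
            v.append(f"{name}: readOnlyRootFilesystem should be true")
    return v


def harden(manifest):
    """Copy of the manifest with Restricted settings applied; disallowed
    volumes and the mounts that referenced them are removed."""
    fixed = copy.deepcopy(manifest)
    spec = pod_spec(fixed)
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        spec.pop(flag, None)
    spec["volumes"] = [vol for vol in spec.get("volumes", [])
                       if not (set(vol) - {"name"} - ALLOWED_VOLUMES)]
    kept = {vol["name"] for vol in spec["volumes"]}
    spec.setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}})
    for c in _containers(spec):
        c["securityContext"] = {**c.get("securityContext", {}), **copy.deepcopy(HARDENED_CONTAINER_SC)}
        c["volumeMounts"] = [m for m in c.get("volumeMounts", []) if m["name"] in kept]
    return fixed


if __name__ == "__main__":
    for line in check_restricted(BAD_DEPLOYMENT):
        print("FAIL", line)
    print("hardened violations:", check_restricted(harden(BAD_DEPLOYMENT)))
```

The bad manifest fails eight checks, each of which maps to a concrete attack: hostNetwork and the docker.sock hostPath give a compromised container the node; privileged plus a missing drop ALL and allowPrivilegeEscalation leave it every capability; a root user, no seccomp profile and a writable root filesystem make persistence and kernel-surface attacks easy. Wiring check_restricted() into CI as a blocking gate is the "shift left" step the last item describes; the harden() output is what the corrected manifest should look like before it is committed.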
Official and community resources for Cloud+ CV0-004 Domain 3 study.
CompTIA: Official CompTIA Cloud+ CV0-004 certification page with exam objectives, study materials, and preparation resources.
AWS Security Hub: AWS centralized security dashboard for aggregating findings from GuardDuty, Inspector, Macie, and third-party tools. Useful for learning security posture management.
OWASP Top 10: The authoritative list of the 10 most critical web application security risks. Essential reading for understanding the application-layer threats tested in Cloud+.