What is the cloud shared responsibility model?

The shared responsibility model defines which security tasks the cloud provider owns vs the customer. IaaS: provider secures physical, hypervisor, and network; customer secures OS, applications, and data. PaaS: provider adds OS and runtime; customer secures application code and data. SaaS: provider secures everything except customer data and access management. Misunderstanding this model is the leading cause of cloud security breaches.

What is a VPC and how should it be segmented for security?

A Virtual Private Cloud (VPC) is an isolated virtual network in the cloud. Security best practice divides it into tiers: public subnets (internet-facing load balancers only), private subnets (application servers with no direct internet), and isolated subnets (databases with no outbound internet). Traffic between tiers is controlled by Security Groups (stateful, per-instance) and NACLs (stateless, per-subnet).

What are the security risks of running containers as root?

Running containers as root means that if a container is compromised via a vulnerability, the attacker has root-level access within the container. If a container escape vulnerability exists, root in the container can lead to root on the host system. Best practice: specify a non-root user in the Dockerfile, use read-only root filesystems, and apply Linux security modules (seccomp, AppArmor) to restrict syscalls.

What is Cloud Security Posture Management (CSPM)?

CSPM tools continuously monitor cloud environments for misconfigurations against security benchmarks (CIS, NIST). They detect issues like public S3 buckets, overly permissive IAM policies, unencrypted storage, security groups open to 0.0.0.0/0, and disabled logging. Examples: AWS Security Hub, Microsoft Defender for Cloud, GCP Security Command Center, Prisma Cloud. CSPM addresses the misconfiguration problem that accounts for the majority of cloud breaches.

What is the security risk of hypervisor vulnerabilities?

A hypervisor vulnerability could allow a VM to escape its isolation and access other VMs or the host OS — called a VM escape or hyperjacking attack. This is extremely rare but catastrophic when it occurs. Mitigations include keeping hypervisor software patched, isolating hypervisor management traffic to a dedicated management VLAN, disabling unused hypervisor features (clipboard sharing, 3D acceleration), and limiting hypervisor management access to authorized admins only.

GIAC GDSA Certification: Cloud Security Architecture Study Guide (Domain 5 of 6)

Domain 5 Overview — Cloud Security Architecture

Cloud security requires understanding which security responsibilities are shared between provider and customer, how to design secure cloud networks, protect container workloads, implement least-privilege IAM, and continuously monitor for misconfigurations.

Shared Responsibility Model — Quick View

Security Layer	IaaS (e.g., EC2)	PaaS (e.g., App Service)	SaaS (e.g., Office 365)
Physical / Facilities	Provider	Provider	Provider
Hypervisor / Host OS	Provider	Provider	Provider
Network Infrastructure	Provider	Provider	Provider
Guest OS / Patching	Customer	Provider	Provider
Runtime / Middleware	Customer	Provider	Provider
Application Code	Customer	Customer	Provider
Data Classification	Customer	Customer	Customer
Identity / IAM	Customer	Customer	Customer
Network Config (VPC/SG)	Customer	Shared	Provider

Red = Customer responsibility. Green = Provider. Yellow = Shared.

VPC Three-Tier Architecture

Public Subnet — Internet-Facing Only

Internet Gateway → Load Balancers (ALB/NLB), NAT Gateway, Bastion Host. Direct internet access. No application servers here.

Private Subnet — Application Tier

EC2/ECS application servers. No direct internet. Outbound via NAT Gateway. Inbound only from load balancers via Security Groups.

Isolated Subnet — Database Tier

RDS, ElastiCache, Elasticsearch. No internet route (no route to NAT Gateway or IGW). Inbound only from app subnet Security Groups.

Domain 5 Exam Focus Areas

Shared Responsibility

IaaS/PaaS/SaaS customer vs provider boundaries — exam tests who patches what

Security Groups vs NACLs

Stateful vs stateless, per-instance vs per-subnet — frequent exam topic

Container Security

Root containers, NetworkPolicy, image scanning, secrets management

IAM and CSPM

Roles vs access keys, CloudTrail, SCP/Azure Policy, CSPM for misconfiguration

Hypervisor Security

Type 1 vs Type 2, VM escape, management isolation, hyperjacking

Key Concepts — Cloud Security Architecture

Expand each topic for comprehensive coverage of Domain 5 exam objectives.

1. Cloud Delivery Models and Shared Responsibility +

Service Model Definitions:

IaaS (Infrastructure as a Service): Provider: physical hardware, hypervisor, networking, storage infrastructure. Customer: OS, middleware, runtime, applications, data, IAM configuration. Examples: AWS EC2, Azure VMs, GCP Compute Engine.
PaaS (Platform as a Service): Provider adds: OS patching, runtime, middleware. Customer: application code, data, IAM, some network config. Examples: AWS Elastic Beanstalk, Azure App Service, GCP App Engine.
SaaS (Software as a Service): Provider: everything except customer data and IAM configuration. Customer: data classification/protection, user access management, configuration of the SaaS application's security features. Examples: Microsoft 365, Salesforce, Google Workspace.

Customer Always Responsible For:

Data classification and protection — regardless of service model
Identity and access management — who can access your cloud resources
Compliance obligations — GDPR, HIPAA, PCI DSS compliance is customer responsibility even in cloud
Security configuration of cloud services — provider provides tools, customer must use them correctly

Common Misconceptions:

"Cloud is secure by default" — false. Provider secures infrastructure; customer secures their configuration. Public S3 buckets, open security groups, disabled MFA are all customer failures.
"Provider handles compliance" — false. Provider can be certified (SOC2, ISO27001), but customer's use of the platform must also comply.
"Migration to cloud improves security automatically" — false. Lifting-and-shifting poor on-premises security practices to cloud doesn't improve security.

Provider Certification Review: Review cloud provider SOC2 Type II reports, ISO27001 certificates, and FedRAMP authorization (for US government) during due diligence. These confirm provider's security controls — not customer's configuration quality.

2. Hypervisor Security — Hardening and VM Isolation +

Hypervisor Types:

Type 1 (Bare Metal): Runs directly on hardware — no host OS. VMware vSphere/ESXi, Microsoft Hyper-V Server, KVM. Better performance and security isolation. Production data centers use Type 1.
Type 2 (Hosted): Runs on top of a host OS. VMware Workstation, VirtualBox. Host OS vulnerabilities can affect all VMs. Development/test use only.

Hypervisor Hardening:

VMware vSphere Security Hardening Guide — disable unnecessary services, enable lockdown mode, use dedicated vCenter NIC
Hyper-V Server Core — minimal attack surface (no GUI, minimal components)
Management network isolation: dedicated physical NIC and VLAN for hypervisor management (vCenter, IPMI/iDRAC). Never share with VM traffic.
Disable unused features: USB passthrough, clipboard sharing between host/VM, 3D graphics acceleration, serial/parallel port passthrough
VM sprawl: unmanaged VMs = forgotten systems with unpatched OS. Implement VM lifecycle management — regular inventory and decommission of unused VMs.
Snapshot management: snapshots reference old disk state. Stale snapshots may contain vulnerable OS versions. Limit snapshot count; delete old ones.

Hyperjacking Attack: Attacker installs a thin malicious hypervisor below the legitimate OS, making the OS a VM running on the attacker's hypervisor. Extremely sophisticated, rare in practice. Detection: TPM attestation — hardware root of trust verifies boot chain integrity. Secure Boot, UEFI password for BIOS protection.

VM Escape: Exploit in hypervisor software allows VM to break out of isolation and access host OS or other VMs. Historically rare (VMware VM escape CVEs). Mitigations: keep hypervisor patched, disable guest VM communication features (clipboard), restrict VM privileges.

3. Cloud Network Segmentation — VPC Design, Security Groups, and NACLs +

Security Groups (AWS) / NSGs (Azure) — Stateful, Per-Instance:

Attached to elastic network interfaces (ENIs/NICs), not subnets
Stateful: return traffic is automatically allowed — only need to define inbound rules for inbound-initiated connections
Default deny — no inbound traffic unless explicitly allowed
Reference other Security Groups as source — e.g., "allow inbound 3306 from sg-app-servers" (not IP ranges)
Multiple SGs can be applied to one instance — rules are unioned (all applies)

NACLs — Stateless, Per-Subnet:

Applied at the subnet level — affects all resources in the subnet
Stateless: must define both inbound AND outbound rules. Inbound allow port 80 + outbound allow ephemeral ports 1024-65535 for responses.
Numbered rules — evaluated in order (lowest number first). First match wins.
Explicit deny rules available (unlike Security Groups which are allow-only)
Useful for subnet-level blocking (blacklisting bad IPs) as a second layer

VPC Flow Logs: Capture metadata for all network traffic (src/dst IP, ports, bytes, accept/reject). Equivalent to NetFlow. Stored in S3 or CloudWatch Logs. Essential for incident forensics, traffic pattern analysis, security group validation. Enable on all production VPCs.

Egress Filtering: Prevent C2 callbacks and data exfiltration. NAT Gateway with outbound Security Group restrictions. Web proxy for HTTP/HTTPS inspection. AWS Network Firewall for stateful Suricata rules on egress.

VPC Endpoints (PrivateLink): Access AWS services (S3, DynamoDB, SQS) from private subnets without internet routing — traffic stays within AWS network. Gateway endpoints (S3, DynamoDB — free). Interface endpoints (most services — ENI with private IP). Prevents data exfiltration via public internet path to AWS services.

Transit Gateway: Hub-and-spoke connectivity between multiple VPCs and on-premises. Avoids full VPC peering mesh (n*(n-1)/2 peering connections). Centralize security inspection (firewall in inspection VPC).

4. Container Security — Images, Runtime, Kubernetes +

Container Image Security:

Image scanning: Trivy, Clair, Snyk — scan layers for CVEs before deployment. Integrate into CI/CD pipeline (fail build if critical CVE). AWS ECR, Azure ACR have built-in scanning.
Minimal base images: Alpine Linux (~5MB) vs Ubuntu (~188MB). Smaller base = fewer packages = less attack surface. Distroless images (Google) have no package manager or shell.
Never use :latest tag: Non-deterministic — :latest changes with new pushes, breaks reproducibility, and can silently introduce vulnerabilities. Pin to specific digest: image@sha256:abc123...
Multi-stage builds: Build stage (full compiler, dev tools) → copy only artifact to minimal runtime image. Dev tools not in production image. Compile-only dependencies removed.
Non-root user: Dockerfile: USER appuser (create with useradd). Running as root = container escape → root on host (with write access to host filesystem). Critical security requirement.
Read-only root filesystem: Dockerfile: --read-only flag. Attacker cannot write malware to container filesystem. Writable volumes only for known paths.

Kubernetes Security:

NetworkPolicy: Default Kubernetes allows all pod-to-pod communication within cluster. NetworkPolicy implements firewall rules between pods. Best practice: default-deny all ingress and egress, then explicitly allow required paths. Requires compatible CNI (Calico, Cilium, Weave).
Pod Security Admission (PSA): Replaces deprecated PodSecurityPolicy. Enforce/warn/audit modes. Baseline profile: no privileged containers. Restricted profile: no root, no host namespace, read-only root FS.
Secrets management: Never bake secrets into Docker images (accessible via docker inspect) or environment variables (visible in pod spec). Use Kubernetes Secrets (base64, not encrypted by default — enable etcd encryption at rest), or HashiCorp Vault with Vault Agent injector, or AWS Secrets Manager via External Secrets Operator.
RBAC: Principle of least privilege for service accounts. Avoid binding ClusterAdmin to application service accounts. Create specific roles per application namespace.

Runtime Security: Falco (CNCF) monitors Linux syscalls and generates alerts when container behavior deviates from expected patterns — detect unexpected network connections, file writes in read-only paths, shell spawns in containers. Supply chain: sign images with cosign/Notary, verify signatures before deployment (admission controller policy).

5. Cloud IAM, Surface Reduction, and CSPM +

IAM Roles vs Long-Term Access Keys:

IAM Roles (preferred): Use AWS STS to generate temporary credentials (15 min to 12 hours). Automatically rotate. No credential management required. Assigned to EC2 instance profile, Lambda execution role, ECS task role.
Long-term access keys (avoid): Never expire unless manually rotated. Commonly committed to source code repositories (truffleHog, git-secrets detect this). Use ONLY for local development; use roles in production. Require MFA for sensitive API calls.
Detect exposed access keys: GuardDuty, AWS Config rules, git-secrets pre-commit hook

Principle of Least Privilege for Cloud IAM:

Avoid wildcard permissions: "s3:*" on "*" resource. Specify exactly: "s3:GetObject" on "arn:aws:s3:::specific-bucket/*"
Never use AdministratorAccess/Owner roles for applications — only for break-glass scenarios with MFA
Cross-account roles: define explicit trust policies. Confused deputy problem — validate ExternalId parameter
AWS SCPs / Azure Policy: guardrails applied at the organization/management group level. Prevent any account from disabling CloudTrail, creating IAM users without MFA, deploying to unapproved regions.

CloudTrail / Activity Logs:

AWS CloudTrail logs all API calls: who, what resource, from which IP, at what time. Stored in S3 — immutable audit trail.
High-priority CloudTrail alerts: root account login (should never happen), access key deletion, IAM user creation, CloudTrail disabled, security group opened to 0.0.0.0/0, S3 bucket policy changed to public
Forward to SIEM (Splunk, Sentinel) via CloudWatch Events and Kinesis

CSPM (Cloud Security Posture Management):

Continuously checks cloud configuration against CIS Benchmarks, NIST 800-53, PCI DSS, HIPAA controls
AWS Security Hub: aggregates findings from GuardDuty, Inspector, Macie, Config. Dashboard with severity. CIS Benchmark compliance score.
Microsoft Defender for Cloud: multi-cloud support (AWS, GCP, Azure). Secure Score. Regulatory compliance dashboard.
Prisma Cloud (Palo Alto): multi-cloud CSPM + CWPP (workload protection). Most comprehensive.
Top detections: public S3 buckets, open security groups (0.0.0.0/0 on port 22/3389), root account without MFA, CloudTrail disabled, unencrypted RDS, unrestricted IAM policies

6. Cloud Security Controls — WAF, DDoS, Monitoring Services +

Cloud WAF:

AWS WAF: attach to CloudFront, ALB, API Gateway, AppSync. Managed rule groups (AWS, partners). Custom rules with rate limiting and geo-blocking. Logs to S3/CloudWatch.
Azure WAF: on Application Gateway or Front Door. OWASP CRS managed rules. Bot protection.
OWASP Core Rule Set protects against: SQLi, XSS, local/remote file inclusion, command injection, PHP attacks, Java exploits.

Cloud DDoS Protection:

AWS Shield Standard: free, automatic protection on all AWS accounts. Protects against common L3/L4 attacks (SYN floods, UDP reflection). No configuration required.
AWS Shield Advanced: $3,000/month base. DDoS Response Team (DRT) access, cost protection for scaling during attacks, network flow monitoring, advanced detection. Required for L7 protection with WAF integration.
Azure DDoS Protection Standard: per-VNet protection, adaptive tuning, attack analytics, SLA guarantee.

Cloud Monitoring Services:

AWS GuardDuty: threat detection from VPC Flow Logs, CloudTrail, DNS logs. ML-based. Detects: crypto mining, C2 beaconing, port scanning, compromised instance behavior, credential exfiltration.
Amazon Macie: ML-based PII detection in S3. Discovers: SSNs, credit card numbers, AWS credentials, personal information.
AWS Config: compliance rules for resource configurations. SNS alerts when rule violated. Required for CIS Benchmark compliance monitoring.
Azure Sentinel: cloud-native SIEM/SOAR. Connects to Microsoft 365, Azure, AWS, GCP logs.

Object Storage Security (S3):

S3 Block Public Access: account-level setting. Enable on all accounts. Overrides bucket policies that attempt to grant public access.
Bucket policies: JSON resource-based policies. Deny: "Principal": "*" unless condition met. Use aws:SourceVpc condition to restrict to VPC endpoints only.
Server-Side Encryption: SSE-S3 (AWS manages keys, free), SSE-KMS (customer controls CMK, additional cost, audit in CloudTrail), SSE-C (customer manages keys outside AWS).
Versioning + MFA Delete: protect against ransomware attacks on S3 objects.

Exam Readiness Checklist

Track your Domain 5 preparation progress.

Progress 0 / 16

✓

ExamKnow the shared responsibility model for IaaS, PaaS, SaaS — who patches the OS in each model

✓

ConceptUnderstand hypervisor Type 1 vs Type 2 — security implications, management isolation, VM escape risks

✓

ExamKnow VPC subnet design: public (load balancers), private (apps), isolated (databases) tiers

✓

ExamDistinguish Security Groups (stateful, per-instance) vs NACLs (stateless, per-subnet, numbered rules)

✓

ConceptUnderstand container attack surface: base image CVEs, running as root, secrets in images

✓

ExamKnow Kubernetes NetworkPolicy — default deny all traffic, explicitly allow required pod-to-pod paths

✓

ConceptUnderstand CSPM tools — what misconfigurations they detect, CIS Benchmark compliance scoring

✓

ExamKnow IAM roles vs long-term access keys — why roles (STS temporary creds) are preferred

✓

ConceptUnderstand cloud egress filtering — prevent C2 callbacks and data exfiltration via outbound restrictions

✓

ExamKnow VPC Flow Logs — cloud equivalent of NetFlow, enables forensics and anomaly detection

✓

ConceptUnderstand multi-stage Docker builds — compile in full image, run in minimal image

✓

ExamKnow CloudTrail — logs all API calls; high-priority alerts (root login, CloudTrail disabled, IAM changes)

✓

PracticeLab: Deploy VPC with three-tier subnets, configure Security Groups, enable VPC Flow Logs

✓

PracticeLab: Scan a Docker image with Trivy, identify and remediate high-severity CVEs

✓

ExamKnow Service Control Policies (AWS) / Azure Policy — enforce guardrails across all accounts

✓

ConceptUnderstand VPC endpoints (PrivateLink) — service access without internet routing, prevents exfiltration path

Quick Reference

Tables and code snippets for rapid Domain 5 review.

Security Groups vs NACLs — Full Comparison

Attribute	Security Groups	Network ACLs (NACLs)
Scope	Per instance (ENI)	Per subnet
Statefulness	Stateful — return traffic auto-allowed	Stateless — must define inbound AND outbound
Rule type	Allow only (no explicit deny)	Allow and Deny rules available
Rule evaluation	All rules evaluated, most permissive applies	Rules evaluated in number order, first match wins
Default behavior	Default: deny all inbound, allow all outbound	Default: allow all (number 100 allow * / 32766 allow *)
Use case	Primary instance-level firewall	Subnet-level secondary control, IP blacklisting
Multiple allowed	Yes — up to 5 SGs per ENI	One NACL per subnet

Container Security Layers

Phase	Security Control	Tool / Implementation
Build	Base image scanning for CVEs	Trivy, Clair, Snyk in CI/CD pipeline
Build	Minimal base image	Alpine, distroless, multi-stage Dockerfile
Build	Non-root user	USER instruction in Dockerfile
Build	No secrets in image	Build args not in final layer; use secrets management
Deploy	Image signature verification	cosign, Notary, Kubernetes admission webhook
Deploy	NetworkPolicy default-deny	Kubernetes NetworkPolicy + Calico/Cilium CNI
Deploy	Pod Security Admission	Restricted profile: no root, no privileged, read-only FS
Runtime	Behavioral detection	Falco — syscall-based anomaly detection
Runtime	Syscall restrictions	seccomp profiles, AppArmor profiles

Top Cloud Misconfigurations (CSPM High-Priority)

#	Misconfiguration	Risk	Fix
1	Public S3 bucket with PII	Data breach — direct public access	Block Public Access, bucket policy, Macie scanning
2	SG: port 22/3389 open to 0.0.0.0/0	Exposed admin interfaces to internet	Restrict to known IPs or use Systems Manager Session Manager
3	Root account without MFA	Root compromise = full account takeover	Enable MFA, create IAM users for all operations
4	CloudTrail disabled	No audit log — blind to API-level attacks	Enable multi-region CloudTrail, S3 log validation
5	Unencrypted RDS/EBS volumes	Data exposure if storage is accessed	Enable encryption at rest; new volumes default to encrypted
6	IAM user with AdministratorAccess	Credential theft = full account compromise	Use roles with least privilege, enforce MFA
7	Access keys in source code	Public repo = instant credential theft	Use IAM roles; git-secrets pre-commit hooks
8	No VPC Flow Logs	No forensic network data for incidents	Enable on all production VPCs

AWS / Azure / GCP Security Service Equivalents

Function	AWS	Azure	GCP
Threat Detection	GuardDuty	Defender for Cloud	Security Command Center
CSPM / Compliance	Security Hub + Config	Defender for Cloud	Security Command Center
Audit Logging	CloudTrail	Activity Log + Diagnostics	Cloud Audit Logs
WAF	AWS WAF	Azure WAF (App GW / Front Door)	Cloud Armor
DDoS Protection	Shield Standard / Advanced	DDoS Protection Standard	Cloud Armor
Secrets Management	Secrets Manager	Key Vault	Secret Manager
Key Management	KMS	Key Vault (keys)	Cloud KMS
PII Detection	Macie	Purview	Cloud DLP
Network Firewall	Network Firewall	Azure Firewall	Cloud Firewall / FW Policies

Kubernetes NetworkPolicy and Dockerfile Security

# Kubernetes NetworkPolicy — Default Deny All
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}     # Matches all pods in namespace
  policyTypes:
  - Ingress
  - Egress
---
# Allow app pods to receive traffic from load balancer only
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-lb-to-app
spec:
  podSelector:
    matchLabels:
      role: app
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: loadbalancer
    ports:
    - port: 8080

# Secure Dockerfile Best Practices
FROM golang:1.21 AS builder          # Full build image
COPY . .
RUN go build -o /app .

FROM gcr.io/distroless/static:nonroot  # Minimal runtime
COPY --from=builder /app /app
USER nonroot:nonroot                  # Non-root user
EXPOSE 8080
ENTRYPOINT ["/app"]

Practice Quiz — Cloud Security Architecture

Test your knowledge with scenario-based questions.

Q1. A customer deploys an application on AWS EC2 (IaaS). Which patching responsibility lies with the customer?

IaaS: AWS owns physical hardware, firmware, hypervisor, and the underlying host OS. The customer is fully responsible for the guest OS running inside the EC2 instance, all applications deployed on it, and the data stored. This is the most-tested shared responsibility concept — the OS in EC2 is always the customer's to patch.

Q2. An S3 bucket containing customer PII is publicly accessible. Which control should have prevented this misconfiguration?

CSPM continuously monitors cloud configurations against security benchmarks. Public S3 buckets are one of the top CSPM detection use cases. AWS Security Hub with AWS Config CIS Benchmark rule "S3.2: S3 buckets should prohibit public read access" would have flagged this immediately. CloudTrail logs the access after the fact but doesn't prevent misconfiguration. The IAM policy controls bucket creation but not the public ACL setting applied after creation.

Q3. A container runs as root and has read-write access to the host filesystem. What is the primary security risk?

Root in the container + write access to host filesystem = catastrophic container escape risk. If a vulnerability in the container runtime, kernel, or application allows container escape, the attacker already has root privileges on the container and filesystem access to the host — giving them full host compromise. Non-root containers limit blast radius: a container escape still requires privilege escalation on the host.

Q4. An application in a private subnet needs to access an S3 bucket without traffic traversing the public internet. What is the correct architecture?

VPC Gateway Endpoints for S3 route traffic between your VPC and S3 entirely within the AWS network — no internet gateway, no NAT gateway, no public IP required. The route table in the private subnet points S3 traffic to the VPC endpoint. This prevents S3 traffic from traversing the public internet, reduces data transfer costs, and improves security by keeping all data flow private. Attaching an internet gateway to a private subnet makes it public — not a private subnet anymore.

Q5. A DevOps engineer accidentally commits an AWS access key to a public GitHub repository. What is the immediate highest-priority action?

Deactivation (not just rotation) is first priority — stops any ongoing unauthorized access immediately. Rotation creates a new key but the old one may remain active during the transition window. After deactivating, review CloudTrail logs to determine if unauthorized API calls were made during the exposure window. Deleting the repo doesn't help — the key was already public and may have been scraped (attackers scan GitHub for exposed keys continuously, often within minutes). Root password change is irrelevant if an access key was exposed.

Q6. Kubernetes pods in the same namespace can communicate freely by default. Which control restricts pod-to-pod traffic to only explicitly allowed paths?

Kubernetes NetworkPolicy is the network firewall for pods. By default, all pods in a cluster can communicate with each other — NetworkPolicy changes this. A default-deny-all NetworkPolicy (podSelector: {} with no ingress/egress rules) blocks all pod-to-pod traffic. Then explicit allow policies permit only required communication paths. Requires a CNI that supports NetworkPolicy (Calico, Cilium, Weave). RBAC controls API server access (who can deploy/delete pods), not pod-to-pod network traffic.

10-Day Study Plan — Domain 5

Focused plan covering all cloud security architecture topics with hands-on labs.

Phase 1 — Cloud Fundamentals and Network Design

Days 1–3

Cloud fundamentals — review shared responsibility model documentation for AWS/Azure/GCP, build VPC with three-tier subnet design in AWS free tier, configure Security Groups with least-privilege rules, enable VPC Flow Logs, compare Security Groups vs NACLs with test traffic

Days 4–5

Container security — build a purposely insecure Docker image, scan with Trivy (trivy image name:tag), identify high-severity CVEs, remediate by switching to Alpine base and upgrading packages, configure non-root user, deploy to local Kubernetes (minikube) with NetworkPolicy default-deny

Phase 2 — IAM, CSPM, and Advanced Cloud Controls

Days 6–7

Cloud IAM — explore AWS IAM policy simulator, create least-privilege policies for a sample application, configure IAM role for EC2 (vs access keys), review AWS CloudTrail in console, set up SNS alert for root account login

Days 8–10

Advanced cloud security — enable AWS Security Hub, review CIS Benchmark compliance score and top findings, configure AWS Config rules for common misconfigurations, review GuardDuty findings, study cloud WAF rule configuration, complete 40+ practice questions from GDSA resources

Common Exam Mistakes

Cloud security misconceptions that frequently appear on GDSA exam questions.

1

Assuming cloud provider secures the OS in IaaS. AWS, Azure, and GCP own the physical hardware, hypervisor, and their own host OS. The guest OS running inside your VM/instance is 100% your responsibility to patch. Many real-world breaches occur because customers assume the cloud provider patches their EC2 instances. They do not.

2

Using stateless NACLs without allowing return traffic. NACLs are stateless — you must allow BOTH inbound and outbound directions. Common mistake: create inbound allow rule for port 443 but forget the outbound allow for ephemeral ports (1024-65535). Result: requests reach your server but responses are blocked. Security Groups are stateful and don't have this problem.

3

Storing container secrets in environment variables or Docker image layers. Docker image layers are immutable and inspectable (docker inspect, docker history). Secrets in ENV instructions are visible in the image manifest. Environment variables are visible in pod specs and may be logged. Always use dedicated secrets management: Kubernetes Secrets with etcd encryption, Vault, or cloud secrets manager.

4

Treating all cloud accounts as equal without organizational guardrails. AWS Organizations with Service Control Policies, Azure Management Groups with Azure Policy — these are the governance layer that prevents any individual account from doing dangerous things (disabling CloudTrail, bypassing MFA requirements, deploying to unapproved regions). Without SCPs, a single compromised account can create backdoors that affect your entire cloud estate.

5

Ignoring cloud egress filtering. Most cloud security focus is on inbound. But data exfiltration and C2 callbacks are outbound. Without egress controls (Network Firewall, NAT proxy, security group outbound restrictions), a compromised workload can beacon to C2 servers and exfiltrate data over any port. VPC Network Firewall with egress inspection should be standard architecture.

Frequently Asked Questions — Domain 5

Common questions about cloud security architecture concepts.

What is the difference between a Security Group and a Network ACL in AWS?+

Security Groups are instance-level, stateful firewalls attached to ENIs. They only support allow rules. Return traffic is automatically allowed (stateful). Multiple SGs can be applied to one instance (rules are unioned). Default: deny all inbound, allow all outbound. Network ACLs are subnet-level, stateless filters. They support both allow and deny rules. Both inbound and outbound rules must be configured for bidirectional communication (stateless). Rules are evaluated in numbered order — first match wins. One NACL per subnet. NACLs are useful as a second layer for subnet-level IP blacklisting. For most security requirements, Security Groups provide sufficient control. NACLs add defense-in-depth at the subnet boundary.

How does the shared responsibility model change between PaaS and IaaS?+

In IaaS: customer manages everything from OS upward — OS patching, runtime, application code, data, IAM, network configuration (Security Groups, NACLs, routing). In PaaS: provider additionally manages the OS patching and runtime environment. Customer focuses on application code, data, and application-level security configuration. Customer still manages IAM (who can deploy to the platform), network integration (VNet integration, service endpoints), and application secrets. In SaaS: provider manages everything except customer data and the access management configuration (who can log into the SaaS app, what data they can see). Customer responsibility narrows to data governance and identity/access management. The pattern: moving from IaaS → SaaS shifts more security responsibility to the provider, but always retains customer responsibility for data and IAM.

What is a multi-stage Docker build and why does it improve security?+

Multi-stage builds use multiple FROM instructions in a single Dockerfile. Stage 1 (build stage): uses a full image with compiler, build tools, dev dependencies. Stage 2 (runtime stage): starts fresh from a minimal base image (Alpine, distroless). COPY --from=builder copies only the compiled artifact — not the build tools, compiler, dev libraries, or source code. Security benefits: (1) Final image contains only what is needed to run the application — dramatically smaller attack surface. (2) Dev tools (gcc, make, npm) not in production = cannot be used in post-exploitation. (3) Source code not in production image = cannot be read if container is compromised. (4) Smaller images = fewer packages = fewer CVEs for scanners to find. Example: Go application. Build stage: 800MB Go base image, outputs 8MB binary. Runtime stage: 2MB distroless image + 8MB binary = 10MB final image vs 800MB if no multi-stage.

What is CloudTrail and what events should generate security alerts?+

AWS CloudTrail records every API call made in your AWS account: who made the call (IAM user/role ARN), what action (service:Action), what resource, from which IP, at what time, and the result (success/failure). All API calls — console, CLI, SDK, automated services. Stored in S3 (optional encryption with KMS). High-priority security alerts: (1) Root account login — root should never be used for routine operations. (2) CloudTrail disabled or stopped — attacker covering tracks. (3) New IAM user or access key created — potential backdoor. (4) IAM policy allowing AdministratorAccess — privilege escalation. (5) Security group opened to 0.0.0.0/0 — exposed management ports. (6) S3 bucket made public — imminent data exposure. (7) Failed console authentication attempts from unusual IPs — credential stuffing. (8) GuardDuty or AWS Config disabled — attacker removing detection. Implement via EventBridge rules → SNS → email/Slack/SIEM.

What is a VM escape vulnerability in the context of hypervisors?+

A VM escape (or VM breakout) is when code running inside a VM exploits a vulnerability in the hypervisor to gain access to the hypervisor layer, host OS, or other VMs on the same host. The hypervisor is supposed to provide strong isolation between VMs — a VM escape breaks this isolation. Historical examples: VENOM (2015) — floppy drive controller vulnerability in QEMU/KVM/Xen allowed VM escape. CVE-2018-3646 (L1TF/Foreshadow) — microarchitectural vulnerability affecting Intel CPUs and VMware. Why it's catastrophic: all VMs on the same physical host could be accessed; multi-tenant cloud environments could expose customer data to other tenants. Mitigations: keep hypervisor software patched immediately when vulnerabilities are disclosed; disable unused hypervisor virtual devices (floppy drives, clipboard sharing, USB); use hardware-based isolation (IOMMU/VT-d for device isolation); limit hypervisor management access. In practice, VM escapes are rare but when they occur are treated as critical incidents.

Why should long-term AWS access keys be avoided in production?+

Long-term access keys (AKID + Secret Access Key) have several security problems: (1) They never expire unless manually rotated — stolen keys can be used indefinitely. (2) Rotation is a manual operational task — often not done regularly, especially for older service accounts. (3) Commonly stored in insecure locations: .aws/credentials files, environment variables, application config files, Docker images, Kubernetes pod specs, S3 objects, source code (accidentally committed to git). (4) Automated scanners find exposed keys on GitHub within minutes. IAM Roles with STS (Secure Token Service) are better: temporary credentials (15 minutes to 12 hours), automatically rotated, no long-term secret to store, associated with the resource (EC2/Lambda/ECS) — no credential to manage. For humans: use AWS SSO/Identity Center for temporary console/CLI access instead of long-term access keys. For CI/CD: use OIDC federation to generate short-lived tokens for GitHub Actions, GitLab CI, Jenkins.

What is the CIS Benchmark for cloud environments and how is it used?+

CIS (Center for Internet Security) Benchmarks provide specific, prescriptive security configuration recommendations. The CIS AWS Foundations Benchmark (currently v2.0) covers: IAM (MFA requirements, access key rotation, password policy), logging (CloudTrail multi-region, S3 bucket logging), monitoring (CloudWatch alarms for critical API events), networking (VPC default SG restrictions, open port detection). Two levels: Level 1 = basic security, minimal operational impact. Level 2 = defense-in-depth for high-security environments. CSPM tools (AWS Security Hub, Defender for Cloud, Prisma Cloud) have built-in CIS Benchmark compliance checks — they automatically assess your environment and generate a compliance score. AWS Security Hub: enable the "CIS AWS Foundations Benchmark" standard to get automated findings with remediation guidance. Use the benchmark score to: measure improvement over time, demonstrate compliance to auditors, prioritize remediation efforts, establish a security baseline.

GIAC GDSA — Cloud Security Architecture