🎯 Goal
Learn to secure cloud-native environments by understanding shared responsibility, identity and access management, data protection, container orchestration, and cloud-specific attack vectors. This applies to both defending cloud workloads and testing them as a penetration tester.
🔑 Key Skills to Learn
- Cloud Fundamentals: AWS, Azure, GCP core concepts (compute, storage, networking, IAM).
- Shared Responsibility Model: What the provider secures vs. what the customer must secure.
- Cloud IAM & Entitlements: Users, roles, policies, service accounts, privilege escalation paths (e.g., iam:PassRole, iam:CreatePolicyVersion).
- Data Security: Encryption at rest and in transit, key management (KMS, HSM), S3 bucket hardening, data classification.
- Network Security in Cloud: Virtual Private Clouds (VPCs), security groups, NACLs, web application firewalls (WAF), DDoS protection.
- Logging & Monitoring: CloudTrail/CloudWatch (AWS), Monitor/Log Analytics (Azure), Cloud Audit Logs/Cloud Monitoring (GCP).
- Container & Kubernetes Security: Docker basics, Kubernetes architecture, pod security, RBAC, network policies, runtime security (Falco).
- Serverless Security: Lambda/Function security, event injection, cold start risks.
- DevSecOps Basics: Infrastructure as Code scanning (tfsec, Checkov), CI/CD pipeline security, secrets management.
- Cloud Pentesting: Enumerate cloud resources (Scout Suite, Prowler), exploit IAM misconfigurations, storage brute-forcing, serverless exploitation, attacking metadata services.
🛠️ Essential Tools & Technologies
| Tool | Purpose |
|---|---|
| Scout Suite | Multi-cloud security auditing tool for configuration assessment. |
| Prowler | AWS-specific security best practices assessment and auditing. |
| CloudSploit | Open-source cloud security scanner (now part of Aqua). |
| Trivy | Vulnerability scanner for containers, filesystems, and IaC (supports AWS/Azure/GCP configurations). |
| kube-bench | Checks Kubernetes deployments against CIS benchmarks. |
| Falco | Cloud-native runtime security for detecting unexpected behavior in containers. |
| Pacu | AWS exploitation framework for testing cloud environments. |
| awscli / gcloud / azure-cli | Native command-line tools for interacting with cloud services. |
| Checkov / tfsec | Static analysis of Infrastructure as Code (Terraform, CloudFormation) for security misconfigurations. |
| Vault (HashiCorp) | Secrets management and encryption as a service. |
📖 Free Learning Resources
- AWS Security Learning – Free AWS “Security Learning Plan” and documentation on the Well-Architected Framework Security Pillar.
- Microsoft Learn: Azure Security Fundamentals – Free, interactive modules.
- Google Cloud Skills Boost: Security & Identity Fundamentals – Free introductory quests.
- HackTricks Cloud Security – Collaborative wiki of cloud pentesting techniques.
- TryHackMe – Cloud Rooms – “Introduction to Cloud Security”, “AWS Cloud Security”, “Cloud Attacks”.
- Pwned Labs (formerly Flaws.cloud) – Free AWS security challenges created by Scott Piper; see also Flaws2.cloud.
- Kubernetes Security Fundamentals (Linux Foundation) – Free introductory course.
- CSA (Cloud Security Alliance) Guidance v4 – Comprehensive, vendor-neutral security framework (free download).
🔗 Roadmap Placement
- Prerequisites: Networking, Linux, and an understanding of security fundamentals. If you already know on-premises security, cloud security extends those same concepts into virtualized, API-driven environments.
- Directly Enables: Cloud Security Engineer, Cloud Penetration Tester, DevSecOps Engineer, or roles focused on securing hybrid/multi-cloud architectures.
- Next Steps: Pair with Container & Kubernetes Security specialization or Cloud DFIR for incident response in cloud-native environments.