Secure the cloud you run on, hands-on with AWS (concepts map to Azure and GCP): the shared responsibility model and cloud posture, least-privilege IAM, protecting data with KMS encryption, securing the network perimeter, finding misconfigurations with CSPM tooling, and detecting risky changes with audit logging and org-wide guardrails.
Before you start
Basic cloud familiarity helps — the AWS course covers the services (IAM, VPC, S3, KMS) this course then secures. Examples use the AWS CLI; the concepts are identical on Azure and GCP.
Shared Responsibility & Posture
The cloud provider secures the cloud; you secure what you put in it — and almost every cloud breach is a customer-side misconfiguration. Learn where your responsibility starts and what "cloud posture" means.
Least-Privilege Cloud IAM
Identity is the real perimeter in the cloud. Write least-privilege IAM policies, prefer short-lived roles over long-lived keys, and hunt down the wildcard permissions that turn one leak into a full compromise.
Protect Data with Encryption & KMS
Encrypt everything at rest and in transit, manage the keys properly with a KMS, and make sure no data store is ever public. Understand envelope encryption and why key access is the real control.
Secure the Cloud Network
Segment your network, expose the minimum, and defend the metadata endpoint. Private subnets, least-privilege security groups, no 0.0.0.0/0 on admin ports, and the SSRF-to-credentials attack you must block.
Find Misconfigurations at Scale
You cannot click through every account and region. Scan your whole cloud against CIS Benchmarks with Prowler, shift the same checks into CI against your Terraform, and prioritize what to fix first.
Logging, Detection & Guardrails
Turn on the audit trail everywhere, detect risky changes and threats, and set organization-wide guardrails that make whole classes of mistake impossible. The last line: know what happened and prevent the worst by policy.