Advanced cloud security
01Multi-account & org identity architectureLanding-zone identity, cross-account roles, and blast radius by design.35 min02Workload identity federation without static keysOIDC to AWS/GCP/Azure and killing long-lived cloud keys.35 min03Policy evaluation, boundaries & escalation pathsDeny/allow order, permission boundaries, and access analyzers.35 min
01Segmentation & private connectivityVPC design, PrivateLink/Private Service Connect, no public paths.30 min02Egress control, DNS & firewallsNAT, egress proxies, DNS filtering, and exfiltration defense.35 min03Encryption in transit & service-mesh mTLSTLS everywhere, mesh identity, and short-lived cert rotation.30 min
01Centralized audit logging & immutable trailsOrg trails, a separate logging account, and tamper-evidence.30 min02Threat detection: GuardDuty, SCC & DefenderManaged detection, findings pipelines, and alert quality.35 min03Cloud incident response & forensicsIsolation, snapshots, credential compromise, and runbooks.35 min
01CSPM & continuous complianceConfig rules, CIS benchmarks, and drift as a security signal.30 min02Container & serverless workload securityLeast-privilege roles, runtime controls, and image provenance.35 min03Guardrails as code & landing zonesSCPs/Org Policy, Control Tower, and secure-by-default accounts.30 min
Final exam
Test yourself on everything
60 questions drawn from all 5 sections — every answer explained as you pick.