Roadmap

Cloud Security Engineer

The specialist who secures cloud infrastructure. Designs IAM policies, remediates misconfigurations, embeds security into IaC pipelines, protects containerized workloads, and ensures cloud environments stay compliant at scale.

OPTIMISTIC 18-24 monthsREALISTIC 2-3 years

Stage 00

Computer & IT Fundamentals

Cloud infrastructure is virtualized hardware. You cannot secure what you do not understand at the physical and OS level.

Computer Hardware

CPU, RAM, storage — roles in a system, virtualization overhead
NIC — network interfaces, how cloud VMs get network connectivity
Physical vs virtual machines — hypervisors abstract hardware in cloud data centers

Number Systems

Binary, hex, decimal — IP addressing, CIDR notation, memory addresses
Data sizes — storage capacity planning in cloud contexts

How Operating Systems Work

Kernel vs user space, processes, memory management
File systems — block storage, object storage, how they differ
Boot process — cloud instance startup, user data scripts, cloud-init
Services and daemons — what runs on a cloud instance at startup

Virtualization & Cloud Fundamentals

Type 1 hypervisors — KVM (AWS Nitro, GCP KVM), Hyper-V (Azure) underpin cloud compute
Containers vs VMs — isolation levels, performance trade-offs
Serverless — functions as a service, no OS to manage but still a security surface
Cloud regions, availability zones, edge locations — architecture for resilience

Resources

CS50 (Harvard, free)
Professor Messer CompTIA A+ (free YouTube)
AWS Cloud Practitioner Essentials (free on AWS Skill Builder)

Stage 01

Linux & Systems Administration

Most cloud workloads run Linux. Cloud security engineers harden, audit, and investigate Linux systems constantly.

Linux Proficiency

Filesystem hierarchy — /etc, /var, /proc, /sys, /tmp, /home, /root
Terminal navigation and file operations — full command fluency
File permissions — rwx, octal, ACLs, setuid/setgid — hardening implications
User and group management — /etc/passwd, /etc/shadow, /etc/sudoers
Process management — ps, systemctl, kill, cron — persistence and privilege audit
Package management — apt, yum/dnf — patch management relevance
Network tools — ss, ip, curl, wget, dig, nmap — cloud instance investigation
Log locations — /var/log/auth.log, /var/log/syslog, /var/log/cloud-init.log
SSH — key-based auth, authorized_keys, config hardening (no root login, key-only auth)
Bash scripting — automation scripts for security checks and remediation

Linux Security Hardening

CIS Benchmarks for Linux — the standard for OS hardening
Disabling unnecessary services — attack surface reduction
SSH hardening — PermitRootLogin no, PasswordAuthentication no, AllowUsers
Firewall — iptables, ufw, firewalld — host-based filtering on cloud instances
auditd — syscall auditing, key-based rules, log forwarding
AppArmor / SELinux — mandatory access control frameworks
Fail2ban — brute force protection
SUID/SGID binary audit — find /usr/bin -perm /4000
World-writable directory audit — find / -perm -0002 -type d
Unattended upgrades / automatic patching configuration

Windows in Cloud

Windows Server on AWS/Azure — EC2, Azure VMs
RDP hardening — non-standard port, NLA enforcement, MFA requirement
Windows Server hardening — CIS Benchmarks for Windows Server
Event Log forwarding to cloud SIEM

Resources

TryHackMe Linux Fundamentals 1/2/3 (free)
OverTheWire Bandit (free)
CIS Benchmarks (free download, registration required)
Linux Foundation Introduction to Linux (free)

Stage 02

Networking Fundamentals

Cloud networking is the same as on-premises networking with different vocabulary. VPCs are subnets. Security groups are firewalls. Understanding the underlying protocols is required to secure them correctly.

OSI Model and TCP/IP

All 7 layers and attack surface at each
TCP/IP — handshake, flags, UDP, ICMP
IP addressing — subnetting, CIDR, private ranges, IPv6
DNS — resolution, record types, DNS over HTTPS — cloud DNS (Route 53, Azure DNS, Cloud DNS)

Protocols Relevant to Cloud Security

HTTP/HTTPS/TLS — web traffic, certificate management in cloud (ACM, Key Vault, Certificate Manager)
SSH — bastion hosts, jump servers, AWS Systems Manager Session Manager alternative
SMB — legacy protocol, should not traverse cloud boundaries
LDAP/LDAPS — Active Directory integration with cloud, Azure AD Connect
OAuth 2.0 / OIDC — the authentication protocols underlying cloud IAM federation
SAML 2.0 — enterprise SSO integration with cloud providers
gRPC — microservice communication, relevant for API security

Cloud Networking Constructs

VPC (Virtual Private Cloud) / VNet (Azure) — isolated network environment
Security groups — stateful virtual firewalls at the instance/ENI level
Network Access Control Lists (NACLs) — stateless subnet-level filtering
DNS in cloud — Route 53, Azure Private DNS, GCP Cloud DNS
WAF (Web Application Firewall) — AWS WAF, Azure WAF, GCP Cloud Armor
DDoS protection — AWS Shield, Azure DDoS Protection, GCP Cloud Armor
Load balancers — ALB (Application), NLB (Network), GLB (Gateway)
CDN — CloudFront, Azure CDN, Cloud CDN — caching and edge security

Resources

Professor Messer Network+ (free YouTube)
AWS VPC documentation (free)
Azure Virtual Network documentation (free)
TryHackMe Cloud networking rooms (free)

Stage 03

Security Fundamentals

The full security fundamentals base. Everything cloud-specific builds on these concepts.

Security Fundamentals

CIA Triad, AAA, threat/vulnerability/risk, defense in depth, least privilege, zero trust
Authentication — MFA, certificates, tokens, OAuth, SAML, OIDC
Cryptography — symmetric/asymmetric, hashing, PKI, TLS, key management
Malware types and attack patterns — cloud-relevant: cryptomining, data exfiltration, persistence via lambda/functions
OWASP Top 10 — web vulnerabilities relevant to cloud-hosted applications
Shared responsibility model — foundational cloud security concept
Compliance frameworks with cloud relevance — SOC 2, PCI-DSS, HIPAA, GDPR, FedRAMP, ISO 27001, CIS Benchmarks
CVE and CVSS — vulnerability management in cloud context

Resources

Professor Messer Security+ SY0-701 (free YouTube)
AWS Shared Responsibility Model documentation (free)
OWASP Top 10 (free)

Stage 04

Cloud Platform Fundamentals

You cannot secure cloud infrastructure you do not understand. Cloud security engineers must be cloud engineers first.

AWS — Core Services (Priority #1 — 33% market share)

Global infrastructure — regions, availability zones, edge locations
Compute: EC2, Lambda, ECS/EKS, Auto Scaling
Storage: S3, EBS, EFS, Glacier
Networking: VPC, Route 53, CloudFront, API Gateway
Database: RDS, DynamoDB, ElastiCache
Identity & Access Management (IAM) — deep dive in Stage 5
Security Services: GuardDuty, Security Hub, Config, CloudTrail, CloudWatch, Inspector, Macie, KMS, Secrets Manager, WAF, Shield, ACM

Azure — Core Services (Priority #2 — 22% market share)

Entra ID (formerly Azure AD) — cloud identity platform, the foundation of Azure security
Compute — Virtual Machines, Azure Functions, App Service, AKS, Container Instances
Storage — Blob, Files, Queues, Tables — access tiers, lifecycle policies
Networking — VNet, NSG, Azure Firewall, Application Gateway, Azure Front Door
Database — Azure SQL, Cosmos DB, Azure Database for PostgreSQL
Security Services: Microsoft Defender for Cloud, Microsoft Sentinel, Azure Key Vault, Azure Monitor, Microsoft Entra ID Protection, Azure Policy, Microsoft Purview

GCP — Core Services (Awareness Level)

Organization hierarchy — organization, folders, projects
Compute Engine, Cloud Functions, GKE, Cloud Run
Cloud Storage, Cloud SQL, BigQuery
VPC — shared VPC, VPC Service Controls
Security Command Center — findings, assets, compliance
Cloud Audit Logs — Admin Activity, Data Access, System Event
Cloud KMS — key management
Secret Manager — secrets management
Identity-Aware Proxy (IAP) — zero trust access control

Resources

AWS Cloud Practitioner Essentials (free, AWS Skill Builder)
AWS Solutions Architect Associate study guide (A Cloud Guru, Stephane Maarek on Udemy)
Microsoft Azure Fundamentals AZ-900 (free Microsoft Learn)
Google Cloud Fundamentals (free Coursera)

Stage 05

Identity & Access Management (IAM)

Most cloud breaches trace back to IAM misconfigurations. IAM is the most important security domain in cloud.

IAM Fundamentals

Authentication vs authorization — who are you vs what can you do
Principle of least privilege — grant only what is required, nothing more
Zero trust in IAM — verify every request, assume breach
Identity types in cloud — human users, service accounts, machine identities, federated identities
Credential types — passwords, API keys, access tokens, temporary credentials, certificates

AWS IAM — Deep

IAM principals — users, groups, roles, service principals
IAM policies — JSON structure: Version, Statement, Effect (Allow/Deny), Principal, Action, Resource, Condition
Policy types: identity-based, resource-based, permission boundaries, SCPs, session policies
IAM roles — AssumeRole, trust policies, cross-account roles
Instance profiles — EC2 roles, how applications get credentials automatically
IAM conditions — aws:SourceIp, aws:RequestedRegion, aws:MultiFactorAuthPresent, s3:prefix
IAM Access Analyzer — identifying publicly accessible resources, external access findings
AWS Organizations — management account, SCPs, preventive controls
AWS Control Tower — landing zone, guardrails, account factory
Credential types — long-term (access keys), short-term (STS AssumeRole, instance metadata)
IMDSv2 — token-based metadata service, why IMDSv1 is a SSRF risk
Common IAM misconfigurations: wildcard actions/resources, overpermissive trust policies, unused access keys, no MFA on root, root account usage

Azure IAM

Microsoft Entra ID — tenants, directories, users, groups, service principals, managed identities
Role-Based Access Control (RBAC) — built-in roles (Owner, Contributor, Reader), custom roles
Management groups — hierarchy above subscriptions for policy inheritance
Conditional Access — policies evaluating sign-in risk, device compliance, MFA requirements
Managed Identities — system-assigned vs user-assigned, eliminating credential storage
Service Principals — app registrations, client credentials, federated credentials
Privileged Identity Management (PIM) — just-in-time privileged access, approval workflows
Azure AD Identity Protection — risk-based conditional access, risky sign-ins

GCP IAM

Resource hierarchy — organization → folder → project → resource
IAM roles — primitive (Owner/Editor/Viewer), predefined, custom
Service accounts — key-based vs workload identity federation
Workload Identity Federation — binding Kubernetes service accounts to GCP service accounts
Organization policies — constraints on what resources can be created

OAuth 2.0 and OIDC in Cloud

OAuth 2.0 flows — authorization code, client credentials, device flow
OIDC — identity layer on OAuth, ID tokens, claims
JWT structure — header.payload.signature, claim inspection
Federation — connecting on-premises Active Directory to cloud IAM (Azure AD Connect, AWS IAM Identity Center)
SAML 2.0 — enterprise SSO integration, SP-initiated vs IdP-initiated flows

IAM Attack Patterns

Privilege escalation via IAM — attaching policies to roles, creating users, passing roles
Role chaining — assuming a role that can assume another role with more permissions
SSRF to IMDS — stealing instance role credentials via SSRF to 169.254.169.254
Token theft — stealing short-lived credentials from CI/CD pipelines, logs, or environment variables
Shadow admin — users/roles with indirect paths to admin through resource-based policies
Confused deputy — legitimate service tricked into acting on behalf of attacker

Tools

IAM Access Analyzer — built-in AWS tool, identifies external access paths
Cloudsplaining — generates least-privilege IAM policy reports
PMapper — IAM privilege escalation path analysis
Cartography — infrastructure relationship mapping including IAM
ScoutSuite — multi-cloud security audit including IAM findings
Prowler — AWS security assessment with IAM-specific checks

Resources

AWS IAM documentation (free)
AWS IAM Access Analyzer (free within AWS)
AWS Security Specialty exam guide
Microsoft Entra documentation (free)
AWS re:Inforce IAM talks (YouTube, free)

Stage 06

Infrastructure as Code Security

IaC security is where the field is headed. Catching misconfigurations before deployment is orders of magnitude cheaper than finding them in production.

Terraform — Core

HCL (HashiCorp Configuration Language) — blocks, attributes, expressions, functions
Providers — AWS, Azure, Google, Kubernetes providers
Resources — defining cloud infrastructure as code
Data sources — referencing existing infrastructure
Variables and outputs — parameterization and module interfaces
State — terraform.tfstate, remote state (S3 + DynamoDB, Azure Storage)
Modules — reusable infrastructure components
Workspaces — environment separation
Terraform workflow — init → plan → apply → destroy
Security relevant Terraform patterns: S3 public access block, restrictive security groups, encrypted EBS, RDS no public access, least-privilege IAM, KMS key policies

AWS CloudFormation

Template structure — AWSTemplateFormatVersion, Description, Parameters, Resources, Outputs
Resource types — AWS::S3::Bucket, AWS::IAM::Role, AWS::EC2::Instance
Parameters and conditions — dynamic template behavior
Stack policies — protecting critical resources from updates
CloudFormation StackSets — deploying across multiple accounts/regions

IaC Security Scanning Tools

Checkov — static analysis for Terraform, CloudFormation, Kubernetes manifests, ARM templates
tfsec — Terraform-specific static analysis
Terrascan — multi-IaC scanner, Rego-based policies
KICS (Keeping Infrastructure as Code Secure) — Checkmarx, broad IaC coverage
Snyk IaC — developer-friendly, IDE integration, CI/CD plugin
Semgrep — custom rules for IaC patterns

Integrating IaC Scanning into CI/CD

Pre-commit hooks — catching issues before code is committed
Pull request checks — scanning changed files on PR, blocking merge on critical findings
Pipeline gates — required checks in GitHub Actions, GitLab CI, Jenkins
Drift detection — comparing deployed infrastructure against IaC state
Policy as Code with Open Policy Agent (OPA) — Rego language, Conftest, enforcement policies

Secrets in IaC — What Not to Do and What to Do Instead

Never commit secrets to version control — the most common IaC security failure
git-secrets — pre-commit hook blocking AWS credential patterns
GitGuardian — secrets detection in git history and real-time commits
TruffleHog — git repository secrets scanning
Using AWS Secrets Manager / Azure Key Vault references in Terraform instead of hardcoded values
Environment variable injection for sensitive values in CI/CD

Resources

HashiCorp Learn Terraform (learn.hashicorp.com, free)
Checkov documentation (free)
tfsec documentation (free)
Bridgecrew community (free Checkov platform)
A Cloud Guru Terraform courses

Stage 07

Container & Kubernetes Security

Docker and Kubernetes are standard in modern cloud environments. Container security is listed in the majority of cloud security engineer postings.

Docker Security

Container vs VM — isolation model, shared kernel risk
Docker image structure — layers, base images, Dockerfile instructions
Dockerfile security best practices: minimal base images, run as non-root, multi-stage builds, pin versions, avoid ADD, no secrets in ENV, read-only filesystem
Docker daemon security — TLS for remote access, socket permissions
Docker Bench Security — CIS Docker Benchmark automated check
Image scanning: Trivy, Grype, Snyk Container, AWS ECR image scanning, Harbor
Supply chain security: SBOM (syft/grype), image signing (Cosign/Sigstore), content trust (Docker Notary)

Kubernetes Security — Deep

Architecture security — control plane (API server, etcd, scheduler, controller manager) vs worker nodes (kubelet, kube-proxy, container runtime)
etcd — stores all cluster state including secrets; must be encrypted at rest and access-controlled
API server — authentication and authorization entry point, audit logging

Authentication and Authorization

Authentication mechanisms — X.509 certificates, bearer tokens, OIDC, service account tokens
RBAC (Role-Based Access Control): Roles, ClusterRoles, RoleBindings, ServiceAccounts, least privilege, rbac-police audit

Pod Security

SecurityContext — pod and container level: runAsNonRoot, runAsUser, readOnlyRootFilesystem, allowPrivilegeEscalation, capabilities drop, seccompProfile
Pod Security Admission (PSA) — replaces PSP: Privileged, Baseline, Restricted profiles; Namespace-level enforcement
Network Policies — isolating pod communication: default deny, explicit allow, CNI requirement (Calico, Cilium, Weave)

Admission Controllers

What admission controllers do — intercepting API server requests before persistence
OPA Gatekeeper — policy enforcement via Rego, ConstraintTemplates
Kyverno — Kubernetes-native policy engine, YAML-based policies
ImagePolicyWebhook — validating image signatures before admission

Runtime Security

Falco — cloud-native runtime security: rule syntax, built-in rules, output targets (syslog, JSON, gRPC, Falcosidekick)
eBPF-based security — Cilium, Tetragon — kernel-level visibility without agent overhead
Seccomp profiles — restricting system calls available to containers
AppArmor profiles — mandatory access control for containers

Managed Kubernetes Security

EKS (AWS): IRSA, cluster endpoint access, control plane logging, GuardDuty EKS protection
AKS (Azure): Azure AD workload identity, private cluster, Microsoft Defender for Containers
GKE (GCP): Workload Identity, Binary Authorization, GKE Autopilot

Resources

Kubernetes documentation (kubernetes.io, free)
TryHackMe Kubernetes rooms (free)
KodeKloud Kubernetes security course
Falco documentation (free)
Aqua Security Kubernetes Security Guide (free whitepaper)
CIS Kubernetes Benchmark (free download)

Stage 08

Cloud Security Posture Management (CSPM)

CSPM tools are the daily workbench of cloud security engineers. Proficiency with at least one is listed in most job postings.

CSPM Concepts

What CSPM does — continuous scanning of cloud configuration against security best practices
Coverage areas — IAM, storage exposure, network exposure, encryption, logging, compliance
Finding severity — critical (public exposure), high (encryption missing), medium (logging disabled)
Remediation workflow — triage → ticket → fix → verify → close
False positive management — accepted risks, suppressions, exceptions with justification

AWS Native Tools

AWS Security Hub: Security standards, aggregating findings, cross-region/cross-account aggregation, custom actions
AWS Config: Configuration recorder, Config rules, conformance packs, remediation actions

Prowler — Open Source

Multi-cloud AWS/Azure/GCP security assessment tool
Running — prowler aws, prowler azure, prowler gcp
Checks — organized by compliance framework (CIS, SOC2, HIPAA, PCI, ISO27001)
Output formats — HTML, JSON, CSV for integration
CI/CD integration — automated scanning on schedule or on IaC changes

Commercial CSPM Platforms

Wiz — agentless CSPM, attack path analysis, cloud security graph, toxic combinations
Prisma Cloud (Palo Alto) — CSPM + CWPP + CNAPP combined platform
Orca Security — agentless cloud security, SideScanning technology
Lacework — behavioral analytics, anomaly detection, compliance
Microsoft Defender for Cloud — Azure-native CSPM with multi-cloud (AWS, GCP) support

ScoutSuite — Multi-Cloud Audit

Open source, supports AWS, Azure, GCP, Alibaba, Oracle
scout suite --provider aws
HTML report — organized by service with findings
Good for point-in-time assessments and compliance audits

CloudMapper — AWS Visualization

Network diagram of AWS environment
Identifying publicly exposed resources visually
Account auditing

Remediation Automation

Lambda-based auto-remediation — triggered by Config rules or Security Hub findings
AWS Systems Manager Automation — runbooks for common remediations
Terraform drift correction — detecting and correcting configuration drift
Example automatic remediations: S3 public access block reapply, SSH 0.0.0.0/0 revoke, IAM MFA enforcement

Resources

AWS Security Hub documentation (free)
Prowler GitHub (free)
ScoutSuite GitHub (free)
Wiz free tier assessment
Prisma Cloud free trial
CSPM vendor documentation

Stage 09

Cloud Incident Response & Threat Detection

Cloud incidents require different investigation skills than on-premises IR. The evidence is in logs, not on a hard drive.

Cloud Threat Detection Services

AWS GuardDuty: data sources, finding types, severity levels, suppression rules, integrations
Microsoft Defender for Cloud: security alerts, Defender plans (Servers, Containers, Storage, Key Vault, DNS, Resource Manager)
GCP Security Command Center: Event Threat Detection, Container Threat Detection, findings

Cloud Log Investigation

AWS CloudTrail: management events, data events, CloudTrail Insights, key attacker actions to detect, CloudTrail Lake, Athena queries
Azure Activity Log and Entra ID Sign-in Logs: key events, risky sign-ins, Sentinel KQL queries
VPC Flow Logs (AWS) / NSG Flow Logs (Azure): record structure, lateral movement, data exfiltration, port scanning detection

Cloud Incident Response Process

Evidence collection — AWS: preserve CloudTrail logs, VPC Flow Logs, CloudWatch Logs, GuardDuty findings, EC2 instance memory (if needed)
EC2 isolation — security group to deny all traffic while preserving for investigation
IAM containment — attach deny-all policy to compromised user/role, rotate credentials
S3 bucket isolation — block public access, remove bucket policy, enable versioning
Lambda function isolation — throttle to zero concurrency
Snapshot compromised EBS volumes for forensic analysis
Cloud forensics tools: CloudTrail Lake, Athena, CloudWatch Logs Insights, AWS CLI/Console

Common Cloud Incident Types

Exposed S3 bucket — public access, check bucket policy and ACL, identify accessed objects
Compromised EC2 instance — GuardDuty finding, isolate, acquire memory/snapshot, investigate CloudTrail for API calls from instance role
IAM credential theft — access key used from unusual IP/region, rotate immediately, check what was accessed
Cryptomining — compute spike, GuardDuty CryptoCurrency finding, identify affected instances
Data exfiltration — large S3 GetObject volume, Lambda pulling data, unusual outbound traffic
Privilege escalation — IAM privilege escalation path exploited, review all actions taken by escalated identity

Resources

AWS incident response documentation (free)
AWS Security Blog (free)
Intezer cloud IR guide (free)
SANS cloud forensics resources (free)
Mandiant cloud IR resources (free)
CloudTrail Lake documentation (free)

Stage 10

Scripting & Automation for Cloud Security

Cloud security at scale requires automation. Manual CSPM triage does not scale past a few accounts.

Python for Cloud Security

boto3 — AWS SDK for Python: session management, IAM, S3, CloudTrail, GuardDuty, EC2 operations
azure-mgmt-* libraries — Azure SDK for Python
google-cloud-* libraries — GCP SDK for Python
Practical scripts: IAM audit, public S3 audit, security group audit, CloudTrail gap detector, unused credential reporter, CSPM finding exporter

Bash / CLI Automation

AWS CLI — aws iam, aws s3, aws ec2, aws cloudtrail, aws guardduty, aws securityhub
Azure CLI — az ad, az storage, az network, az monitor
gcloud CLI — gcloud iam, gcloud compute, gcloud storage
jq — JSON processing for CLI output parsing
Practical one-liners: public S3 buckets, IAM users without MFA, EC2 with public IPs, public RDS

Policy as Code

Open Policy Agent (OPA) + Rego: package and rule structure, allow/deny decisions, opa test, Conftest, OPA Gatekeeper
Kyverno policies — Kubernetes-native, YAML-based
AWS Config custom rules — Lambda-based compliance checks
Azure Policy — built-in and custom policy definitions, initiative assignments

Security Automation Frameworks

Cloud Custodian — rules engine for cloud resource governance and automated remediation
Steampipe — SQL-based cloud infrastructure querying and compliance
Prowler — automated assessment with extensive check library

Resources

boto3 documentation (free)
AWS CLI documentation (free)
HashiCorp Terraform documentation (free)
OPA documentation (openpolicyagent.org, free)
Steampipe Hub (free)

Stage 11

Compliance & Governance

Cloud security engineers own compliance in cloud environments through automated checks, evidence collection, and control mapping.

Compliance Frameworks in Cloud Context

CIS Benchmarks — CIS AWS Foundations, CIS Azure Foundations, CIS GCP Foundations: Level 1 and Level 2, automated checking
SOC 2 — trust service criteria, common controls, cloud-native evidence (CloudTrail, Config)
PCI-DSS — cardholder data environment: firewall rules, least privilege, audit logging, vulnerability management
HIPAA — protected health information in cloud: AWS HIPAA Eligible Services, BAA, encryption requirements
FedRAMP — US government cloud: authorization baselines, NIST SP 800-53 mapping, GovCloud/Government regions
GDPR — data residency, right to erasure, data processing records in cloud

Governance Tools

AWS Organizations + SCPs — preventive controls at scale
AWS Control Tower — pre-configured landing zone, guardrails
Azure Management Groups + Azure Policy — subscription-level governance
Google Cloud Organization Policy — resource-level constraints
Terraform Sentinel — policy as code for Terraform Enterprise/Cloud

Resources

CIS Benchmarks website (free download)
AWS Compliance Center (free)
Azure Compliance documentation (free)
NIST SP 800-53 (free)

Stage 12

Hands-On Practice & Portfolio

Practice Platforms

A Cloud Guru / Linux Academy — cloud security labs in live AWS/Azure/GCP environments
CloudGoat (Rhino Security Labs) — intentionally vulnerable AWS environment for cloud pen testing and security practice
flaws.cloud — AWS security challenges (free)
flaws2.cloud — attacker and defender perspective challenges (free)
HackTheBox cloud challenges — AWS/Azure/GCP attack scenarios
TryHackMe cloud security rooms (free/paid)
KodeKloud — Kubernetes and DevOps labs

Personal Cloud Account Labs

AWS Free Tier — 12 months free, 750 hours EC2, 5GB S3, core services
Azure Free Account — $200 credit, 12 months free services
GCP Free Tier — $300 credit, always-free tier services
Build and deliberately misconfigure — practice finding your own misconfigs with Prowler and ScoutSuite
Deploy vulnerable applications — DVWA on EC2, WebGoat in EKS
Practice IaC scanning — write Terraform, run Checkov, fix findings
Build a CSPM pipeline — CloudTrail → CloudWatch → Lambda remediation

What to Document on LabList

Cloud security audit projects — documenting a Prowler scan of personal account with findings and remediation
IaC security pipeline — Terraform module with Checkov integration, GitHub Actions workflow
CloudGoat challenge writeups — methodology and key lessons
flaws.cloud challenge solutions — documented investigation process
Custom automation scripts — Python boto3 security checks on GitHub
Cert progression — Security+ → AWS SAA-C03 → AWS Security Specialty or AZ-500

FAQ

Common questions

How long does it take to become a Cloud Security Engineer?

18–24 months optimistic at 20–25 hours/week, 2–3 years realistic part-time. The fastest path is from a cloud engineering background (DevOps, SRE) into security; you already have the platform fluency and just need the security overlay. Coming from generic security without cloud platform depth takes longer because cloud-native security thinking is genuinely different from traditional perimeter security. Multi-cloud is now baseline; AWS-only candidates have narrowing options.

Which cloud security certifications actually matter?

AWS Security Specialty if you're AWS-focused. AZ-500 for Azure. Google Professional Cloud Security Engineer for GCP. CCSP for vendor-neutral cloud security governance. Practical Wiz, Prowler, or Checkov experience matters more than any cert in 2026. Many hiring managers prefer a Terraform-secured infrastructure on GitHub plus a CSPM remediation writeup over a stack of cloud certs. Cloud security is the fastest-growing skill area by job postings.

Do I need a CS degree to get into cloud security?

No. Bootcamps + structured self-study + a Terraform portfolio on GitHub work fine. What you need: working comfort with at least one cloud platform's IAM model (this is where most candidates fail interviews), Infrastructure as Code fluency, container security basics, and CSPM/CNAPP tooling exposure. The role is at the intersection of cloud engineering and security — candidates who only know one half are screened out.

What separates a cloud security engineer who gets hired?

Production-relevant Terraform and IaC remediation work, not toy projects. CSPM tool fluency (Prowler, Wiz, Checkov) with documented remediation patterns. Multi-cloud awareness even if you specialize in one. The strongest portfolio signal: a public IaC repo with intentional vulnerabilities, then commits showing the remediation pattern with explanations. 77% of security leaders express concern about the cloud skills gap — meaning candidates who can demonstrate hands-on cloud security depth get pulled forward in interview pipelines.

Cloud Security Engineer

Common questions

Related roles