OBJECTIVE 04 — CLOUD SECURITY CONTROLS AND COUNTERMEASURES
CLOUD SECURITY RESPONSIBILITY MODEL (ABSOLUTELY CRITICAL)
SHARED RESPONSIBILITY MODEL
| Cloud Provider Responsible For | Customer Responsible For |
|---|---|
| Physical data centers | Data |
| Hardware | IAM configuration |
| Network infrastructure | OS and applications |
| Hypervisor | Encryption |
| Physical security | Patch management |
MEMORY HOOK:
Provider secures the cloud, customer secures what’s in the cloud
EXAM TRAP:
Customers ARE responsible for data breaches caused by misconfiguration.
IDENTITY AND ACCESS MANAGEMENT (IAM) CONTROLS
IAM SECURITY CONTROLS
| Control | Purpose |
|---|---|
| Least privilege | Restrict permissions |
| Role-based access | Eliminate shared credentials |
| MFA | Prevent credential abuse |
| Key rotation | Reduce credential lifetime |
| Conditional access | Context-based restrictions |
MEMORY HOOK:
IAM is the first line of defense
IAM BEST PRACTICES
| Practice |
|---|
| Avoid root account usage |
| Enforce MFA |
| Use roles instead of keys |
| Regular permission audits |
CLOUD NETWORK SECURITY CONTROLS
VIRTUAL NETWORK SECURITY
| Control | Explanation |
|---|---|
| Security Groups | Stateful firewall |
| Network ACLs | Stateless filtering |
| Private subnets | Reduce exposure |
| Bastion hosts | Secure admin access |
MEMORY HOOK:
Security Groups = instance firewall
EXAM TRAP:
Security groups are STATEFUL; NACLs are STATELESS.
CLOUD DATA SECURITY CONTROLS
DATA PROTECTION MECHANISMS
| Mechanism | Purpose |
|---|---|
| Encryption at rest | Protect stored data |
| Encryption in transit | Secure data transfer |
| Key management services | Centralized key control |
| Tokenization | Reduce sensitive data exposure |
KEY MANAGEMENT
| Control |
|---|
| Customer-managed keys |
| Automatic key rotation |
| Hardware Security Modules (HSMs) |
MEMORY HOOK:
Keys protect encrypted data; encrypted data is only as secure as its keys
CLOUD STORAGE SECURITY CONTROLS
STORAGE HARDENING
| Control |
|---|
| Disable public access |
| Bucket policies |
| Access logging |
| Object versioning |
EXAM TRAP:
Public storage exposure is the most common cloud breach cause.
CLOUD COMPUTE SECURITY CONTROLS
VM HARDENING
| Control |
|---|
| OS patching |
| Minimal services |
| Host-based firewall |
| Endpoint protection |
CONTAINER SECURITY
| Control |
|---|
| Trusted images |
| Image scanning |
| Runtime monitoring |
| Least privilege containers |
MEMORY HOOK:
Containers share the host kernel
CLOUD MONITORING AND LOGGING
LOGGING SERVICES
| Service | Purpose |
|---|---|
| CloudTrail | API activity |
| CloudWatch | Resource monitoring |
| Azure Monitor | Logs and metrics |
| GCP Cloud Logging | Central logging |
LOGGING BEST PRACTICES
| Practice |
|---|
| Enable logs by default |
| Centralize logs |
| Protect log integrity |
| Monitor anomalies |
EXAM TRAP:
Attackers delete logs to cover tracks.
CLOUD INCIDENT RESPONSE
INCIDENT RESPONSE STEPS
- Detect incident
- Contain affected resources
- Analyze root cause
- Eradicate threat
- Recover services
- Perform post-incident review
MEMORY HOOK:
Detect → Contain → Recover
CLOUD BACKUP AND DISASTER RECOVERY
BACKUP CONTROLS
| Control |
|---|
| Automated backups |
| Snapshot integrity |
| Cross-region replication |
| Immutable backups |
DISASTER RECOVERY MODELS
| Model |
|---|
| Backup and restore |
| Pilot light |
| Warm standby |
| Multi-site |
MEMORY HOOK:
Higher availability = higher cost
CLOUD COMPLIANCE AND GOVERNANCE
GOVERNANCE CONTROLS
| Control |
|---|
| Security policies |
| Compliance monitoring |
| Resource tagging |
| Configuration baselines |
COMPLIANCE STANDARDS (EXAM LIST)
| Standard |
|---|
| ISO 27001 |
| GDPR |
| HIPAA |
| PCI DSS |
CLOUD SECURITY TOOLS (DEFENSIVE)
CLOUD NATIVE SECURITY TOOLS
| Platform | Tool |
|---|---|
| AWS | GuardDuty |
| Azure | Defender for Cloud |
| GCP | Security Command Center |
THIRD-PARTY TOOLS
| Tool | Purpose |
|---|---|
| Prisma Cloud | CSPM |
| Wiz | Cloud risk analysis |
| Lacework | Behavior monitoring |
CLOUD COUNTERMEASURE SUMMARY FLOW
- Harden IAM
- Secure network
- Encrypt data
- Monitor continuously
- Respond quickly
MEMORY HOOK:
IAM → Network → Data → Monitor
OBJECTIVE 04 — EXAM MEMORY BLOCK
Cloud security relies on shared responsibility.
IAM misconfiguration causes most breaches.
Logging and monitoring detect attacks.
Encryption protects data, but keys must be secured.
EXAM TRAPS (FINAL)
| Trap | Reality |
|---|---|
| Provider handles all security | False |
| Encryption prevents breaches | False |
| Logs are optional | False |
| Cloud is inherently secure | False |
MODULE 19 STATUS
| Section | Status |
|---|---|
| Attacks | COMPLETE |
| Tools | COMPLETE |
| Countermeasures | COMPLETE |
| Exam readiness | VERY HIGH |