Module 09 · Somebody else's computer

Cloud Security

The cloud is not a new technology — it is a new contract. Compute, storage, identity, and network are rented from a provider, and the security model splits along the rental line. Most cloud breaches are not exotic exploits; they are misread contracts: someone assumed the provider was protecting a layer they were actually responsible for.

5 Phases · 11 Reference Pages · 3 Hands-On Labs · 4 Providers

This module is built in two halves. The first half is knowledge that applies to every cloud provider: shared responsibility, service models, the cloud-native threat landscape, and identity. These ideas are the same whether you are running on AWS, Azure, GCP, or OCI; only the vocabulary changes. The second half is provider-specific: how each of the four major clouds expresses those ideas, where they diverge, and what the recurring misconfigurations look like in each.

Order matters. The foundations chapters explain why a misconfigured S3 bucket is a category of failure rather than a specific bug. The provider chapters then show you what that category looks like in S3, Blob Storage, Cloud Storage, and Object Storage — and why the fix is the same shape every time.

09.A

Foundations

Tool-agnostic principles that apply to every cloud. Read these first — the provider chapters assume you have.

09.01
The Shared Responsibility Model
The contract that defines every cloud relationship. Where the provider's responsibility ends and yours begins — and how that line slides as you move from IaaS to PaaS to SaaS. Interactive responsibility-line slider with side-by-side comparison.
Live
09.02
Service Models
IaaS, PaaS, SaaS, FaaS — what each actually means and what you give up moving from one to the next. Interactive comparator with cost-model and lock-in trade-offs.
Live
09.03
Deployment Models
Public, private, hybrid, and community deployment models per NIST SP 800-145. Trade-off matrix and scenario picker.
Live
09.04
Cloud-Native Threat Landscape
The recurring failure modes: misconfiguration, IAM sprawl, public storage buckets, SSRF into the instance metadata service, software supply chain. Why these dominate cloud breach reports year after year.
Live
09.05
IAM & Zero Trust in the Cloud
Role-based, attribute-based, and policy-based access control. Least privilege as a discipline, not a slogan. NIST SP 800-207 zero trust principles applied to cloud identity. Role assumption visualizer.
Live
09.MOD
Modern Practices (warm-up)
How cyber-forward teams actually run cloud in 2026 — IaC, CSPM, JIT elevation, SCIM-driven IAM, container-native security. Read this before the provider labs.
Live
09.B

Amazon Web Services

The largest provider and the one most students encounter first. Identity, network, data, then a lab on the breach that keeps happening.

09.06
AWS IAM & Organizational Structure
Users, groups, roles, policies. The IAM policy evaluation algorithm step by step. Service Control Policies, permission boundaries, and AWS Organizations — the layers above per-account IAM.
Live
09.07
AWS Network & Data Security
VPC architecture, security groups vs. network ACLs, S3 Block Public Access, KMS-managed encryption. The defaults that catch most teams the first time.
Live
LAB
S3 Misconfiguration Hunt
Ten simulated bucket policies. Which ones leak, which ones don't, and why. Practice reading IAM policy JSON the way an auditor reads it.
Lab
09.C

Microsoft Azure

Dominant in higher education and enterprise. Different vocabulary for the same underlying ideas — especially around identity.

09.08
Azure Identity (Entra ID)
Tenants, conditional access, Privileged Identity Management (PIM), managed identities. How Microsoft 365 federation works and where it fits into the cloud identity story.
Live
09.09
Azure Network & Storage
Network Security Groups, private endpoints, SAS tokens, and Microsoft Defender for Cloud. The Azure-specific way of expressing the same containment patterns AWS uses.
Live
09.D

Google Cloud Platform

The hierarchy-first cloud. Organizations, folders, and projects make GCP's identity model feel different even though the primitives are familiar.

09.10
GCP IAM & Organization Hierarchy
Org → folder → project → resource inheritance. Primitive, predefined, and custom roles. Service accounts as first-class principals and the misuse patterns that follow.
Live
09.11
GCP Network & Workload Identity
VPC Service Controls, workload identity federation, Security Command Center. How Google's approach to perimeter-around-data differs from AWS and Azure.
Live
09.E

Oracle Cloud & Cross-Cloud Patterns

A shorter survey of OCI, then two capstone labs that force you to translate concepts across all four providers.

09.12
Oracle Cloud Infrastructure Essentials
Compartments, IAM policy syntax (the one that reads like English), security zones. What OCI got right and what its users still trip over.
Live
LAB
Cross-Cloud IAM Translator
Take an AWS IAM policy. Express the same intent in Azure RBAC. Then again in GCP IAM bindings. See where the providers diverge and where they map cleanly.
Lab
LAB
Cloud Attack Path Walker
SSRF in a web app reaches the instance metadata service, steals a role token, assumes a more powerful role, walks the blast radius. Same attack pattern across AWS, Azure, and GCP — with the provider-specific defenses that block it.
Lab
Module complete. All twelve reference pages and three labs are live. Read the Foundations chapters before any provider chapter; the provider sections can be read in any order.