Track 05 — Cloud & Container Security
Attack and defend cloud-native environments, and express security as code — because in the cloud the infrastructure is code. AWS/GCP/Azure plus containers and Kubernetes.
What you'll be able to do
- Reason about shared responsibility, cloud identity, network controls, and trust.
- Find and explain privilege-escalation paths through IAM and serverless execution roles.
- Audit posture and infrastructure-as-code for misconfigurations, gated in CI.
- Secure containers and Kubernetes, and detect and respond to cloud attacks using both open tools and native cloud services (GuardDuty, Defender for Cloud, GCP SCC).
Modules
| # | Module | What you'll learn | OSS / free tools |
|---|---|---|---|
| 01 | Cloud Fundamentals & Shared Responsibility | The model, accounts, and CLIs | cloud CLIs |
| 02 | Cloud Identity & IAM | Policies, roles, trust, and federation | cloudfox |
| 03 | IAM Attack Paths | Finding privilege-escalation chains | pmapper, cloudfox |
| 04 | Cloud Network Security | VPCs, Security Groups, PrivateLink, WAF, and flow logs | cloudmapper, cloud CLIs |
| 05 | Posture & Misconfiguration Auditing | Benchmarking accounts against known issues | prowler, scoutsuite |
| 06 | Infrastructure-as-Code Security | Scanning Terraform before it deploys | checkov, tfsec, trivy |
| 07 | Secrets Management & Detection | Storing and finding leaked credentials | vault, trufflehog |
| 08 | CI/CD Pipeline Security | Securing the path from commit to deploy | trivy, gitleaks |
| 09 | Serverless Security | Function execution roles, event-injection, and confused deputy | cloudfox, pacu, aws-sam-cli |
| 10 | Container & Image Security | Image hygiene and supply-chain scanning | trivy, grype |
| 11 | Container Escape & Runtime | Breakouts and runtime visibility | falco |
| 12 | Kubernetes — RBAC & Network Policy | Least privilege and segmentation as code | kube-bench |
| 13 | Kubernetes — Admission & Runtime | Policy enforcement and runtime detection | kyverno, falco |
| 14 | Cloud Attack Techniques | Exploiting misconfig; simulating safely | pacu, stratus-red-team |
| 15 | Cloud Logging & Detection | Native detectors vs. open tools; tuning signal | falco, sigma; GuardDuty / Defender for Cloud / GCP SCC |
| 16 | Cloud Incident Response | Investigating and containing in the cloud | cloudtrail, hayabusa |
| 17 | Data Protection & KMS | Envelope encryption; key policies & separation of duties | aws-kms, openssl |
Phases & projects
The sixteen modules run in three phases; each ends in a project that integrates its modules (a phase is the substantial, standalone unit — a single module is a few hours).
- Phase 1 · Identity, posture & the pipeline (01–08) — Project: audit a deliberately vulnerable account (CloudGoat/flaws.cloud) with prowler/pmapper to map an IAM privilege-escalation path, then close it as Terraform gated by checkov/trivy in CI, with secrets pulled out of code and into a broker.
- Phase 2 · Containers & Kubernetes (09–13) — Project: harden a workload end to end — scan the image, lock down a serverless execution role, demonstrate a container breakout caught by Falco, and enforce RBAC, NetworkPolicy, and an admission policy as code on a kind cluster.
- Phase 3 · Attack, detect & respond (14–16) — Project: the track capstone — simulate a cloud attack with stratus-red-team/pacu, detect it from cloud logs (native detector and a Sigma rule), and investigate-and-contain it — delivering the attack path, the fix-as-code, and the detection.
Prerequisites
Complete Track 00 — Foundations first.
Labs use your own free-tier accounts or intentionally vulnerable environments (CloudGoat, flaws.cloud). Never test accounts or tenants you don't own, and tear down billable resources when done.
Capstone
The capstone is the Phase 3 project — it integrates all three phases. Run the full cloud-attack loop
against a deliberately vulnerable account: simulate a real attack (stratus-red-team / Pacu),
detect it from cloud logs (a native detection and a Sigma rule), then investigate and
contain it — and close the underlying path as Terraform gated by a scanner in CI (the IAM-and-posture
work from Phases 1–2). Deliverable: the attack path, the fix-as-code, and the detection.
The starter scaffold and acceptance checks live in
plaintext-labs/cloud/capstone/.
Capstone rubric
The loop is attack → fix-as-code → detect, and the fix must be gated, not just written. Proficient is the bar to ship.
| Dimension | Developing | Proficient | Exemplary |
|---|---|---|---|
| Attack path | A single misconfig noted, no chain | An IAM/serverless privesc path walked end to end and explained | Multi-step chain mapped to ATT&CK for Cloud, with the trust relationship that enabled each hop |
| Fix as code | Fixed in the console (click-ops) | The fix expressed as Terraform/IaC that closes the path | Least-privilege fix, parameterised and reusable, with the diff that proves the path is gone |
| CI gate | No scanner, or scanner not enforced | A scanner (Checkov/tfsec/Trivy) runs in CI and fails the bad config | The gate is tuned (no noise), blocks merge on the specific finding, and passes on the fix |
| Detection | No detection, or fires on nothing | A detection from cloud logs (CloudTrail/equivalent) that catches the attack | Detection validated against benign activity for false positives, mapped to the technique |
| Cost & teardown | Left billable resources running | Resources torn down; no secrets in code | Whole thing rebuilds from terraform apply and tears down cleanly; budget-safe by design |
AI & automation
In the cloud the infrastructure is code, and increasingly that code is AI-written —
exactly where misconfigurations hide (over-broad IAM, 0.0.0.0/0, privileged containers).
The posture this track drills: AI authors → you review → scanners gate → you own it.
Standards & further reading
- CIS Benchmarks for AWS/GCP/Azure and Kubernetes
- MITRE ATT&CK for Cloud and Containers
- Cloud provider Well-Architected / security best-practice guidance
- OWASP Kubernetes and Cloud-Native security guidance