Cloud Platforms
Cloud platforms are where the majority of modern infrastructure runs. DevSecOps engineers need to understand not just how to deploy services, but how to secure them, observe them, and keep costs predictable.
Platforms covered
This section covers AWS and GCP — the two platforms most commonly encountered in enterprise environments.
| Topic | AWS | GCP |
|---|---|---|
| Compute | EC2, ECS, EKS, Lambda | Compute Engine, GKE, Cloud Run |
| Storage | S3, EBS, EFS | Cloud Storage, Persistent Disk |
| Networking | VPC, Security Groups, ALB | VPC, Firewall Rules, Cloud Load Balancing |
| IAM | IAM Roles, Policies, STS | IAM, Service Accounts, Workload Identity |
| Secrets | Secrets Manager, Parameter Store | Secret Manager |
| Observability | CloudWatch, X-Ray | Cloud Logging, Cloud Monitoring, Cloud Trace |
| Security | GuardDuty, Security Hub, Config | Security Command Center, Chronicle |
IAM fundamentals
Shared across both platforms: least privilege is everything.
AWS IAM
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-app-bucket/*"
    }
  ]
}
```

Key practices:
- Never use root account credentials
- Rotate access keys on a 90-day schedule (or eliminate keys, use roles instead)
- Enable MFA on all IAM users
- Use IAM roles for EC2/Lambda — no credentials in code
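As an added example (not code from the original page), the following Python function applies the least-privilege rule above to an IAM policy document: it flags wildcard actions, `"Resource": "*"`, grants by exclusion (`NotAction`/`NotResource`), and a small constructed watch-list of sensitive actions. The scoped S3 policy shown above passes clean; `BROAD_POLICY` is a deliberately over-broad policy constructed here, with a placeholder account ID.

```python
import fnmatch

# Constructed watch-list for this example: actions that warrant review even
# when scoped to a resource (privilege escalation, credential or secret access).
SENSITIVE_ACTIONS = ("iam:*", "sts:AssumeRole", "secretsmanager:GetSecretValue")


def _as_list(value):
    """IAM allows a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for Allow statements that violate least privilege."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: grants by exclusion (NotAction/NotResource)")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in SENSITIVE_ACTIONS):
                findings.append(f"statement {idx}: sensitive action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: applies to every resource")
    return findings


# The scoped S3 policy from the section above.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::my-app-bucket/*"}],
}

# Constructed over-broad policy; 111122223333 is a placeholder account ID.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::111122223333:role/app"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(lint_policy(SCOPED_POLICY), lint_policy(BROAD_POLICY))
```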
GCP IAM
GCP uses predefined roles and custom roles. Prefer predefined roles where possible:
```bash
# Grant Storage Object Viewer to a service account
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:app@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storage.objectViewer"
```

Workload Identity Federation eliminates service account key files — the preferred approach for GKE workloads.
Security posture baselines
| Control | AWS | GCP |
|---|---|---|
| Enable root MFA | ✅ IAM → Security credentials | ✅ Organisation policy |
| Block public S3/GCS | ✅ S3 Block Public Access | ✅ Public access prevention |
| Enable cloud trail/audit logs | ✅ CloudTrail | ✅ Cloud Audit Logs |
| Enable threat detection | ✅ GuardDuty | ✅ Security Command Center |
| Centralise logging | ✅ CloudWatch Logs + S3 | ✅ Log sink → Cloud Storage |
Content status
Detailed pages per service and certification prep guides are actively being written. Subscribe to updates to be notified.