Cloud security
Track: STEM
Prerequisite: Teaching special needs
#Security
1. Compare provider-specific shared-responsibility matrices for IaaS, PaaS, and SaaS, delineating customer versus provider control ownership for at least three control families.
2. Perform threat modeling on a given cloud workload using STRIDE, identifying assets, trust boundaries, threats, and mitigations with explicit assumptions.
3. Map identified threats to relevant MITRE ATT&CK for Cloud techniques and propose specific detections and preventive controls for each technique.
4. Prioritize risk treatments using a quantitative or semi-quantitative scoring method and align proposed controls to NIST SP 800-53 and CIS Benchmarks.
5. Document risk acceptance, transfer, and mitigation decisions with rationale, residual risk, and required monitoring artifacts.
1. Create role- and attribute-based access policies in IAM services enforcing least privilege; validate with AWS IAM Access Analyzer/Policy Simulator, Azure PIM/Access Reviews, or GCP Policy Analyzer.
2. Configure SSO federation between an identity provider (e.g., Entra ID) and AWS/GCP using OIDC/SAML; verify role assumption and scoped session duration with audit logs.
3. Enforce MFA and conditional access for privileged roles; test break-glass accounts and document recovery procedures.
4. Rotate and manage credentials and secrets using AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault; implement audit trails and alert on anomalous secret access.
5. Implement workload identity for services (e.g., GCP Workload Identity Federation, Kubernetes service accounts, AWS IAM roles for service accounts) to eliminate long-lived keys.
1. Segment networks with subnets and route tables; implement egress controls (NAT, egress gateways, firewall rules) and verify flow with VPC flow logs/NSG flow logs.
2. Implement least-privilege network ACLs/security groups/NSGs and validate external exposure using CSP-native scanners and network probing (e.g., nmap).
3. Deploy and tune WAF and DDoS protections (AWS WAF/Shield, Azure WAF, or Cloud Armor); author rules to mitigate OWASP Top 10 and validate with attack simulations.
4. Configure private connectivity (PrivateLink/Private Endpoints, VPC/VNet peering, or Service Endpoints) and enforce no-public-bucket/service policies; test access paths.
5. Apply Kubernetes NetworkPolicies and enable service mesh mTLS (e.g., Istio/Linkerd); confirm pod-to-pod isolation and encrypted east-west traffic.
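Items 1 and 2 ask for a validation of external exposure. As an added example that is not part of the course material, the block below performs the review that precedes an nmap probe: it walks a set of security-group ingress rules and reports administrative ports reachable from anything other than an allow-listed range. The rules, the admin-port table and the 203.0.113.0/24 "corporate" range are constructed; the rule fields follow AWS security-group naming but are not an API response.

```python
"""Internet-exposure check for security-group style ingress rules (added example).

Finds ingress rules that let untrusted sources reach administrative or
database ports. Rules use AWS security-group field names (from_port,
to_port, cidr) but are constructed for the example, as is the trusted
source range.
"""
import ipaddress

ADMIN_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp", 5432: "postgres", 6379: "redis"}
# Assumed corporate range allowed to reach admin ports (TEST-NET-3, constructed).
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def _exposed_ports(rule):
    lo, hi = rule["from_port"], rule["to_port"]
    if lo == -1:                       # AWS convention for "all traffic"
        return set(ADMIN_PORTS)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def _is_trusted(net):
    # Compare versions first: subnet_of raises on a v4/v6 mismatch.
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)


def check_ingress(rules):
    """Return (severity, message) tuples for rules that expose admin ports."""
    findings = []
    for r in rules:
        hit = _exposed_ports(r)
        if not hit:
            continue
        net = ipaddress.ip_network(r["cidr"], strict=False)
        if _is_trusted(net):
            continue
        names = ",".join(ADMIN_PORTS[p] for p in sorted(hit))
        if net.prefixlen == 0:         # 0.0.0.0/0 or ::/0
            findings.append(("critical", f"{r['sg']}: {names} open to the whole internet ({r['cidr']})"))
        else:
            findings.append(("high", f"{r['sg']}: {names} reachable from untrusted {r['cidr']}"))
    return findings


# Constructed rule set. sg-bastion is the least-privilege form: one port,
# one allow-listed source range.
CONSTRUCTED_RULES = [
    {"sg": "sg-web", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"sg": "sg-bastion", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
    {"sg": "sg-db", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
    {"sg": "sg-cache", "from_port": 6379, "to_port": 6379, "cidr": "198.51.100.7/32"},
    {"sg": "sg-legacy", "from_port": -1, "to_port": -1, "cidr": "::/0"},
]

if __name__ == "__main__":
    for severity, msg in check_ingress(CONSTRUCTED_RULES):
        print(severity.upper(), msg)
```

The IPv6 rule is the case teams most often miss: a group that looks closed for IPv4 can still be wide open on ::/0, which is why the check keys on prefix length rather than on the string "0.0.0.0/0".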
1. Enable server-side encryption for object and block storage (e.g., SSE-KMS/SSE-S3, Azure Storage encryption, GCS with CMEK) and enforce via organization policies.
2. Configure key management (AWS KMS, Azure Key Vault, or GCP Cloud KMS) with rotation, key policies, and separation of duties; test key lifecycle operations and access logs.
3. Implement TLS with modern ciphers and HSTS for application endpoints; validate with SSL Labs/OpenSSL and remediate weak configurations.
4. Classify data and apply DLP rules to detect PII/PCI/PHI; implement tokenization or field-level encryption for sensitive attributes and verify via test datasets.
5. Define and test backup/DR strategies (RPO/RTO) including cross-region replication and encrypted backups; conduct periodic restore drills and document results.
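Item 4 combines detection (DLP) with a tokenization control. The block below is an added example, not course or vendor code: it detects primary account numbers with a regex plus a Luhn check (so random 16-digit strings are not flagged), then swaps each one for a random vault token. An HMAC index lets a repeated PAN map to the same token without the index itself storing card numbers. The records, the index key and the token format are constructed for the example; the vault is an in-memory stand-in for a real tokenization service.

```python
"""PAN detection and tokenization for a record pipeline (added example).

Detects card numbers (13-19 digits, optional space/hyphen separators)
and validates them with the Luhn checksum before tokenizing, which keeps
order numbers and other digit runs out of the vault. Sample records and the
index key are constructed for this example.
"""
import hashlib
import hmac
import re
import secrets

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed stand-in for a tokenization service.

    _by_token is the protected store (PAN behind a random token);
    _by_index keys on HMAC(PAN) so lookups never store the PAN itself.
    """

    def __init__(self, index_key: bytes):
        self._key = index_key
        self._by_index = {}
        self._by_token = {}

    def _index(self, pan):
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        idx = self._index(pan)
        if idx not in self._by_index:
            token = "tok_" + secrets.token_hex(8)     # random: reveals nothing about the PAN
            self._by_index[idx] = token
            self._by_token[token] = pan
        return self._by_index[idx]

    def detokenize(self, token):
        return self._by_token[token]


def redact_record(record, vault):
    """Return (redacted_record, count) with every Luhn-valid PAN tokenized."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            return m.group(0)          # digit run, but not a card number
        count += 1
        return vault.tokenize(digits)

    return PAN_RE.sub(repl, record), count


# Constructed sample: one real test PAN (4111...1111 is a standard test number)
# and one 16-digit string that fails Luhn.
CONSTRUCTED_RECORD = "card 4111 1111 1111 1111 shipped, ref 4111111111111112"

if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")
    out, n = redact_record(CONSTRUCTED_RECORD, vault)
    print(n, "PAN(s) tokenized:", out)
```

In production the index key and the token store live in the KMS/vault tier from item 2, not in application memory; the point of the split is that the search index and the application never hold a PAN in the clear.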
1. Harden VM images with CIS Benchmarks using configuration management (e.g., Ansible) and validate compliance with CIS-CAT or OpenSCAP scans.
2. Build minimal container images; enable image signing (Cosign) and scan with Trivy/Clair; fail builds on critical vulnerabilities and document exceptions.
3. Enforce Kubernetes Pod Security Standards and RBAC; block privileged containers with admission policies (OPA/Gatekeeper or Kyverno) and verify via policy tests.
4. Secure serverless functions with least-privilege IAM, environment variable protection, and VPC integration; monitor with provider-native tooling and alerts.
5. Enable CSPM and workload protection (AWS Config/GuardDuty/Security Hub, Microsoft Defender for Cloud, GCP Security Command Center) and remediate prioritized findings.
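Item 3 asks for admission policies that are verified by policy tests. The block below is an added example and not a Gatekeeper or Kyverno policy: it expresses the Pod Security Standards "restricted" checks (plus the baseline host-namespace and hostPath rules) as plain functions over a Pod manifest, so they can be unit-tested against a privileged pod and a hardened one. Both manifests are constructed; field names follow the core/v1 Pod schema, and the image names are placeholders.

```python
"""Admission-style check of a Pod against the Pod Security Standards
"restricted" profile (added example).

The checks mirror what an OPA/Gatekeeper or Kyverno policy enforces:
no host namespaces or hostPath, no privileged containers, privilege
escalation disabled, all capabilities dropped (NET_BIND_SERVICE may be
re-added), runAsNonRoot, and a RuntimeDefault/Localhost seccomp profile.
"""


def _containers(pod):
    spec = pod.get("spec", {})
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def check_restricted(pod):
    """Return a list of violation strings; an empty list means admit."""
    v = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            v.append(f"{name}: spec.{field} must not be set")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"{name}: hostPath volume {vol.get('name')} is not allowed")
    pod_sc = spec.get("securityContext", {})
    for c in _containers(pod):
        cn = c.get("name")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"{name}/{cn}: privileged container")
        # The field defaults to true, so it must be set to false explicitly.
        if sc.get("allowPrivilegeEscalation", True):
            v.append(f"{name}/{cn}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            v.append(f"{name}/{cn}: capabilities.drop must include ALL")
        added = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if added:
            v.append(f"{name}/{cn}: added capabilities {sorted(added)}")
        # Pod-level settings apply unless the container overrides them.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            v.append(f"{name}/{cn}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f"{name}/{cn}: seccompProfile must be RuntimeDefault or Localhost")
    return v


# Constructed manifests: a "debug" pod of the kind that must be rejected,
# and a hardened pod that satisfies the profile.
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "api", "image": "example/api:1.4.2",
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                            "readOnlyRootFilesystem": True}}],
    },
}

if __name__ == "__main__":
    for pod in (PRIVILEGED_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_restricted(pod) or "admit")
```

Writing the rules this way first makes the later Rego or Kyverno policy easy to validate: the same two manifests become the positive and negative cases in `gator test` or `kyverno test`.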
1. Provision infrastructure with Terraform and enforce policy-as-code (OPA/Conftest or Sentinel); run Checkov/tfsec in CI and block noncompliant changes.
2. Integrate SAST/DAST and dependency scanning in CI/CD (GitHub Actions/GitLab CI) using Semgrep, OWASP ZAP, and Dependency-Check; enforce quality gates with issue tracking.
3. Prevent secret leakage with pre-commit hooks and scanners (git-secrets or truffleHog); rotate exposed credentials and add detection to pipelines.
4. Generate SBOMs (Syft) and sign container images (Cosign); verify signatures in admission controllers and block unsigned or tampered artifacts.
5. Implement progressive delivery (canary/blue-green) with automated rollback on failed security checks; capture release evidence for audits.
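Item 3 names git-secrets and truffleHog; the block below, an added example that is not either tool's code, shows the two detection strategies they combine, run over the added lines of a constructed unified diff: fixed-format detectors (an AWS access key ID, a PEM private-key header) and a Shannon-entropy check on string literals assigned to secret-looking names, which catches random API tokens that carry no recognisable prefix. The key ID is AWS's documented AKIAIOSFODNN7EXAMPLE placeholder; the entropy threshold and variable-name pattern are assumptions.

```python
"""Pre-commit style secret scanner over the added lines of a diff (added example).

Two strategies: regexes for secrets with a fixed shape, and Shannon
entropy for values assigned to names such as *token*, *secret*,
*password*, *api_key*. The diff is constructed; the 3.5 bits/char
threshold is an assumption to tune against the repository's baseline.
"""
import math
import re

AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
ASSIGN_RE = re.compile(
    r"""(?i)\b\w*(?:secret|token|password|api_?key)\w*\s*[=:]\s*["']([^"']{16,})["']""")
ENTROPY_THRESHOLD = 3.5   # bits per character (assumption)


def shannon_entropy(s):
    """Bits of entropy per character of s, estimated from its character frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<stdin>"):
    """Return (path, line_number, detector) for each hit on an added diff line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue                      # only lines this commit adds
        if AWS_KEY_RE.search(line):
            findings.append((path, lineno, "aws-access-key-id"))
        if PEM_RE.search(line):
            findings.append((path, lineno, "private-key"))
        m = ASSIGN_RE.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((path, lineno, "high-entropy-secret"))
    return findings


# Constructed diff: one documented placeholder key ID, one random-looking
# token, one low-entropy placeholder that should not fire, and a correct
# environment-variable lookup.
CONSTRUCTED_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "q7Zp3xV9bL2mN8kR4tW6yH1cJ5fG0dS"
+PLACEHOLDER_PASSWORD = "changeme_changeme_changeme"
+GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
"""

if __name__ == "__main__":
    hits = scan_text(CONSTRUCTED_DIFF, "config.py")
    for path, lineno, detector in hits:
        print(f"{path}:{lineno}: {detector}")
    raise SystemExit(1 if hits else 0)     # non-zero exit blocks the commit
```

Wire it up as the hook body (`git diff --cached -U0 | python scan.py`) and treat any hit on a real credential as already leaked: rotate first, then clean the history.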
1. Enable organization-wide audit and service logs (AWS CloudTrail/Config, Azure Activity/Monitor, GCP Audit Logs) with retention, integrity controls, and least-privilege access.
2. Create and tune detections using GuardDuty/Security Hub, Microsoft Sentinel, or Google Chronicle mapped to ATT&CK; validate with attack simulations (Atomic Red Team or Stratus Red Team).
3. Configure alert routing and SOAR playbooks to automate containment (isolate instances, revoke keys, rotate credentials); measure and report MTTA/MTTR.
4. Develop and run incident response runbooks and tabletop exercises for key scenarios (public bucket exposure, credential compromise, ransomware); record timelines and lessons learned.
5. Map implemented controls to ISO 27001, SOC 2, or PCI DSS requirements; generate automated evidence and dashboards demonstrating continuous control monitoring.
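Item 2 asks for detections mapped to ATT&CK and validated against simulated attacks. The block below is an added example, not a Sentinel or Chronicle rule and not course material: three detection functions over CloudTrail management-event records, each tagged with the technique it covers (T1562.008 Disable or Modify Cloud Logs, T1098.001 Additional Cloud Credentials, T1110.001 Password Guessing). The records mimic the CloudTrail record shape (eventName, userIdentity, errorCode, requestParameters, responseElements) but are constructed, not exported from an account; the five-failures-in-ten-minutes threshold is an assumption.

```python
"""Detection logic over CloudTrail records, mapped to ATT&CK (added example).

Each rule returns (technique_id, message) alerts. Records are constructed
to include the benign twin of each pattern (own-key rotation, a denied
StopLogging call, a failure outside the window) so the rules can be
checked for false positives as well as hits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_FAILURES = 5                      # assumption: tune to the environment
LOGIN_WINDOW = timedelta(minutes=10)


def _actor(rec):
    ui = rec.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn") or ui.get("type", "unknown")


def rule_logging_tampered(records):
    """T1562.008: a trail was stopped, deleted or rewritten (and not denied)."""
    return [("T1562.008", f"{_actor(r)} called {r['eventName']} on {r['requestParameters'].get('name')}")
            for r in records
            if r["eventSource"] == "cloudtrail.amazonaws.com"
            and r["eventName"] in ("StopLogging", "DeleteTrail", "UpdateTrail")
            and not r.get("errorCode")]


def rule_foreign_access_key(records):
    """T1098.001: an access key minted for a user other than the caller."""
    out = []
    for r in records:
        if r["eventName"] != "CreateAccessKey" or r.get("errorCode"):
            continue
        target = r["requestParameters"].get("userName", _actor(r))
        if target != _actor(r):
            out.append(("T1098.001", f"{_actor(r)} created an access key for {target}"))
    return out


def rule_console_brute_force(records):
    """T1110.001: LOGIN_FAILURES ConsoleLogin failures from one IP inside LOGIN_WINDOW."""
    buckets = defaultdict(list)
    for r in records:
        if r["eventName"] == "ConsoleLogin" and (r.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
            ts = datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00"))
            buckets[r["sourceIPAddress"]].append(ts)
    out = []
    for ip, times in buckets.items():
        times.sort()
        for i in range(len(times) - LOGIN_FAILURES + 1):
            if times[i + LOGIN_FAILURES - 1] - times[i] <= LOGIN_WINDOW:
                out.append(("T1110.001", f"{LOGIN_FAILURES}+ console login failures from {ip} within {LOGIN_WINDOW}"))
                break                   # one alert per source IP
    return out


RULES = (rule_logging_tampered, rule_foreign_access_key, rule_console_brute_force)


def run_detections(records):
    return [alert for rule in RULES for alert in rule(records)]


def _rec(time, source, name, user, ip, **extra):
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"type": "IAMUser", "userName": user},
           "sourceIPAddress": ip, "requestParameters": {}}
    rec.update(extra)
    return rec


# Constructed batch; IPs are from the TEST-NET documentation ranges.
CONSTRUCTED_RECORDS = [
    _rec("2024-05-01T10:00:00Z", "iam.amazonaws.com", "CreateAccessKey", "alice", "203.0.113.10",
         requestParameters={"userName": "alice"}),                 # rotating own key: benign
    _rec("2024-05-01T10:02:00Z", "iam.amazonaws.com", "CreateAccessKey", "alice", "203.0.113.10",
         requestParameters={"userName": "svc-backup"}),            # key for another principal
    _rec("2024-05-01T10:05:00Z", "cloudtrail.amazonaws.com", "StopLogging", "alice", "203.0.113.10",
         requestParameters={"name": "org-trail"}),
    _rec("2024-05-01T10:06:00Z", "cloudtrail.amazonaws.com", "StopLogging", "bob", "203.0.113.11",
         requestParameters={"name": "org-trail"}, errorCode="AccessDenied"),   # blocked: no alert
] + [
    _rec(f"2024-05-01T11:{m:02d}:00Z", "signin.amazonaws.com", "ConsoleLogin", "carol", "198.51.100.7",
         responseElements={"ConsoleLogin": "Failure"}, errorMessage="Failed authentication")
    for m in (0, 1, 2, 3, 4, 30)
]

if __name__ == "__main__":
    for technique, msg in run_detections(CONSTRUCTED_RECORDS):
        print(technique, msg)
```

Stratus Red Team's `aws.defense-evasion.cloudtrail-stop` and `aws.persistence.iam-create-user-access-key` techniques produce the real-account equivalents of the first two constructed records, which is how the rules get validated against live telemetry rather than fixtures.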