COMPREHENSIVE CLOUD SECURITY ENGINEER ROADMAP
1. FOUNDATIONS
1.1 Networking Fundamentals
- TCP/IP model deep dive
- OSI model
- IP addressing (IPv4, IPv6)
- Subnetting and CIDR
- DNS deep dive
- DHCP
- NAT/PAT
- VPN (Site-to-Site, Remote Access)
- Load balancing concepts
- CDN (Content Delivery Network)
- Routing protocols basics
- Network security fundamentals
- Firewalls and ACLs
- VLANs
- Software-defined networking (SDN)
1.2 Linux Fundamentals
- Linux distributions (Ubuntu, CentOS, Amazon Linux, RHEL)
- Command line mastery
- File system hierarchy
- User and permission management
- Process management
- Package management (apt, yum, dnf)
- Systemd and service management
- Log management and analysis
- Bash scripting
- SSH và remote access
- Cron jobs
- Text processing (grep, sed, awk)
- Networking commands (netstat, ss, ip, tcpdump)
1.3 Security Fundamentals
- CIA Triad
- Authentication vs Authorization
- Encryption (symmetric, asymmetric)
- Hashing
- Digital signatures
- PKI (Public Key Infrastructure)
- SSL/TLS
- Security frameworks (NIST, ISO 27001, CIS)
- Risk management
- Compliance basics (GDPR, HIPAA, PCI DSS, SOC 2)
- Least privilege principle
- Defense in depth
- Zero trust principles
- Security controls (preventive, detective, corrective)
1.4 Programming & Scripting
Python (CRITICAL)
- Boto3 (AWS SDK)
- Azure SDK
- Google Cloud Client Library
- Requests library
- JSON/YAML parsing
- API interaction
- Automation scripts
- Security tools development
Bash/Shell Scripting
- System automation
- Security checks automation
- Log parsing
- Deployment scripts
PowerShell
- Azure automation
- Windows server management
- Active Directory
Go (Optional but valuable)
- Cloud-native tools
- Performance-critical applications
- Kubernetes operators
JavaScript/TypeScript
- Infrastructure as Code (CDK)
- Serverless functions
- Cloud automation
1.5 Version Control
- Git fundamentals
- GitHub/GitLab/Bitbucket
- Branching strategies
- Pull requests
- Code review
- Git workflows
- GitOps principles
2. CLOUD PLATFORMS DEEP DIVE
2.1 Amazon Web Services (AWS) - CRITICAL
Core Services
Compute:
- EC2 (instances, AMIs, security groups)
- Lambda (serverless functions)
- ECS/EKS (containers)
- Elastic Beanstalk
- Lightsail
- Fargate
Storage:
- S3 (buckets, policies, encryption, versioning)
- EBS (volumes, snapshots, encryption)
- EFS (file storage)
- FSx
- Glacier (archival)
- Storage Gateway
Database:
- RDS (relational databases)
- DynamoDB (NoSQL)
- Aurora
- ElastiCache
- Neptune
- DocumentDB
- Redshift
Networking:
- VPC (Virtual Private Cloud)
- Subnets (public, private)
- Internet Gateway
- NAT Gateway
- Route Tables
- Security Groups
- NACLs (Network ACLs)
- VPC Peering
- Transit Gateway
- Direct Connect
- Route 53 (DNS)
- CloudFront (CDN)
- Global Accelerator
- VPN
- PrivateLink
Security Services:
- IAM (Identity and Access Management)
- Organizations
- IAM Identity Center (formerly AWS SSO)
- Secrets Manager
- KMS (Key Management Service)
- CloudHSM
- Certificate Manager
- WAF (Web Application Firewall)
- Shield (DDoS protection)
- GuardDuty (threat detection)
- Security Hub
- Inspector (vulnerability scanning)
- Macie (data discovery)
- Detective
- Access Analyzer
- Firewall Manager
- Network Firewall
- Artifact (compliance reports)
Monitoring & Logging:
- CloudWatch (metrics, logs, alarms)
- CloudTrail (API logging)
- Config (configuration tracking)
- EventBridge
- X-Ray (tracing)
- Systems Manager
Other Important Services:
- SNS (notifications)
- SQS (queuing)
- Step Functions
- API Gateway
- Cognito (user authentication)
- STS (Security Token Service)
AWS Security Best Practices
IAM best practices
- MFA enforcement
- Least privilege
- Role-based access
- Service Control Policies (SCPs)
- Permission boundaries
- Access key rotation
- No routine root account use (root reserved for the few tasks that require it, protected by hardware MFA and alerted on)
Network security
- VPC design patterns
- Security group strategies
- NACL configurations
- VPC Flow Logs
- Private subnets
- Bastion hosts
- VPN/Direct Connect
Data protection
- Encryption at rest (S3, EBS, RDS)
- Encryption in transit (SSL/TLS)
- KMS key management
- Secrets rotation
- S3 bucket policies
- S3 Block Public Access
- Versioning and MFA delete
Logging and monitoring
- CloudTrail organization trail
- Config rules
- GuardDuty findings
- Security Hub standards
- CloudWatch alarms
- Log centralization
Compliance
- AWS Artifact
- Compliance frameworks
- Config conformance packs
- Audit Manager
AWS Security Tools
- Prowler (security assessment)
- ScoutSuite (multi-cloud security audit)
- CloudMapper (visualization)
- PMapper (IAM analysis)
- Parliament (IAM policy linting)
- Pacu (penetration testing)
- CloudSploit (security scanning)
- Steampipe (SQL for cloud)
2.2 Microsoft Azure - CRITICAL
Core Services
Compute:
- Virtual Machines
- App Service
- Functions (serverless)
- Container Instances
- AKS (Kubernetes)
- Batch
Storage:
- Blob Storage
- File Storage
- Queue Storage
- Table Storage
- Disk Storage
- Data Lake Storage
Database:
- SQL Database
- Cosmos DB
- Database for MySQL/PostgreSQL
- Synapse Analytics
- Cache for Redis
Networking:
- Virtual Network (VNet)
- Subnets
- Network Security Groups (NSGs)
- Application Security Groups
- Azure Firewall
- VPN Gateway
- ExpressRoute
- Load Balancer
- Application Gateway
- Front Door
- Traffic Manager
- Private Link
- Bastion
Security Services:
- Azure AD (Active Directory; renamed Microsoft Entra ID)
- Azure AD B2C
- Azure AD B2B
- Conditional Access
- Identity Protection
- Privileged Identity Management (PIM)
- Key Vault
- Managed HSM
- Defender for Cloud (formerly Security Center)
- Sentinel (SIEM)
- DDoS Protection
- Web Application Firewall
- Information Protection
- Purview (compliance)
- Policy
- Blueprints (being retired; Template Specs and Deployment Stacks replace it)
Monitoring & Logging:
- Monitor
- Log Analytics
- Application Insights
- Activity Log
- Diagnostics settings
- Network Watcher
Other Services:
- Logic Apps
- Event Grid
- Service Bus
- API Management
- Cognitive Services
Azure Security Best Practices
Azure AD security
- Conditional Access policies
- MFA enforcement
- PIM (Privileged Identity Management)
- Identity Protection
- RBAC (Role-Based Access Control)
- Managed identities
- Service principals security
Network security
- VNet design
- NSG best practices
- Azure Firewall deployment
- Private endpoints
- Service endpoints
- DDoS protection
- Network segmentation
Data protection
- Storage encryption
- TDE (Transparent Data Encryption)
- Key Vault integration
- Customer-managed keys
- Backup strategies
Security monitoring
- Defender for Cloud
- Secure Score
- Microsoft Sentinel (formerly Azure Sentinel)
- Activity log monitoring
- Diagnostic settings
- Alerts và automation
Compliance
- Azure Policy
- Regulatory Compliance dashboard
- Blueprints (being retired)
- Purview
Azure Security Tools
- Azucar (security auditing)
- ScoutSuite
- Monkey365 (security assessment)
- Stormspotter (visualization)
- ROADtools (Azure AD enumeration)
- PowerZure (PowerShell for Azure)
- MicroBurst (security testing)
2.3 Google Cloud Platform (GCP) - IMPORTANT
Core Services
Compute:
- Compute Engine (VMs)
- Cloud Functions
- Cloud Run
- GKE (Kubernetes Engine)
- App Engine
Storage:
- Cloud Storage (buckets)
- Persistent Disk
- Filestore
Database:
- Cloud SQL
- Cloud Spanner
- Firestore
- Bigtable
- Memorystore
Networking:
- VPC
- Subnets
- Firewall Rules
- Cloud NAT
- Cloud VPN
- Cloud Interconnect
- Cloud Load Balancing
- Cloud CDN
- Cloud Armor (DDoS)
- Private Google Access
Security Services:
- IAM (Identity and Access Management)
- Identity Platform
- Cloud Identity
- Secret Manager
- KMS (Key Management)
- Cloud HSM
- Security Command Center
- Web Security Scanner
- Binary Authorization
- VPC Service Controls
- Access Context Manager
- Certificate Authority Service
- Policy Intelligence
Monitoring & Logging:
- Cloud Monitoring (formerly Stackdriver)
- Cloud Logging
- Cloud Trace
- Cloud Profiler
- Error Reporting
- Cloud Audit Logs
Other Services:
- Pub/Sub
- Cloud Tasks
- Cloud Scheduler
- API Gateway
- Apigee
GCP Security Best Practices
IAM best practices
- Least privilege
- Service accounts
- Workload Identity
- Organization policies
- Resource hierarchy
Network security
- VPC design
- Firewall rules
- Cloud Armor
- Private Google Access
- Shared VPC
Data protection
- Encryption at rest
- Customer-managed encryption keys
- Secret Manager
- DLP API
Security monitoring
- Security Command Center
- Cloud Audit Logs
- Access Transparency logs
- Anomaly detection
GCP Security Tools
- Forseti Security (deprecated but historical knowledge)
- ScoutSuite
- GCP-IAM-Privilege-Escalation
- GCPBucketBrute
- Web Security Scanner (the Security Command Center service formerly called Cloud Security Scanner)
2.4 Multi-Cloud & Hybrid Cloud
- Multi-cloud strategies
- Cloud bursting
- Disaster recovery across clouds
- Unified security posture
- Cross-cloud networking
- Cloud interconnects
- Hybrid identity management
- Consistent security policies
- Multi-cloud SIEM
3. INFRASTRUCTURE AS CODE (IaC)
3.1 Terraform - CRITICAL
HCL (HashiCorp Configuration Language)
Terraform basics
- Providers
- Resources
- Data sources
- Variables
- Outputs
- Modules
- State management
- Remote state (S3, Azure Blob, GCS)
- State locking
- Workspaces
Terraform best practices
- Module design
- Version control
- CI/CD integration
- Testing (Terratest)
- Security scanning (Checkov, tfsec, Terrascan)
- Secrets management
- Drift detection
Terraform security
- Secure state storage
- Sensitive data handling
- Policy as Code (Sentinel, OPA)
- Pre-commit hooks
- Module security
- Provider authentication
3.2 CloudFormation (AWS)
- Template anatomy
- Intrinsic functions
- Parameters and outputs
- Stack management
- StackSets
- Change sets
- Drift detection
- Nested stacks
- Custom resources
- cfn-lint
- CloudFormation Guard (policy validation)
3.3 ARM Templates & Bicep (Azure)
- ARM template structure
- Bicep language
- Template deployment
- Linked templates
- Parameter files
- Azure Policy integration
- Template validation
- Security best practices
3.4 Deployment Manager (GCP)
- Configuration files
- Templates
- Deployment creation
- Updates and rollbacks
3.5 Pulumi (Multi-cloud)
- Infrastructure as real code
- Programming language support
- State management
- Testing infrastructure code
- Security policies
3.6 Ansible (Configuration Management)
- Playbooks
- Roles
- Inventory management
- Cloud modules (AWS, Azure, GCP)
- Ansible Vault (secrets)
- Security hardening playbooks
- Compliance automation
3.7 IaC Security Best Practices
- Static code analysis
- Security scanning tools (Checkov, tfsec, Terrascan, KICS)
- Policy as Code (OPA, Sentinel)
- Secret detection (git-secrets, truffleHog)
- Automated testing
- Peer reviews
- Version pinning
- Module security
- State file security
- CI/CD pipeline security
4. CONTAINER & KUBERNETES SECURITY
4.1 Docker Security
Docker architecture
Container runtime security
Image security
- Base image selection
- Image scanning (Trivy, Clair, Anchore)
- Multi-stage builds
- Minimal images (distroless, Alpine)
- Image signing (Docker Content Trust)
- Private registries
- Vulnerability management
Container runtime security
- Least privilege containers
- Read-only filesystems
- No root containers
- Resource limits
- Seccomp profiles
- AppArmor/SELinux
- Capabilities dropping
- Network policies
Docker daemon security
- TLS authentication
- Socket protection
- Daemon configuration
- Registry security
Docker Compose security
Docker Bench Security
4.2 Kubernetes Security - CRITICAL
Kubernetes Architecture
- Control plane components
- Worker nodes
- etcd security
- API server security
- Network architecture
- Service mesh (Istio, Linkerd)
Kubernetes Security Domains
Authentication & Authorization:
- Service accounts
- RBAC (Role-Based Access Control)
- Cluster roles and role bindings
- Admission controllers
- OIDC integration
- Certificate management
- kubeconfig security
Pod Security:
- Pod Security Standards (Restricted, Baseline, Privileged)
- Pod Security Admission
- Security Contexts
- RunAsNonRoot
- Read-only root filesystem
- Privilege escalation prevention
- Capabilities management
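The Pod Security fields above (and the Docker runtime items under 4.1: no root, dropped capabilities, no privilege escalation, seccomp) can be checked mechanically before a manifest reaches the cluster. The following is an added example written for this roadmap, not Kubernetes' Pod Security Admission code; it evaluates the main rules of the Restricted profile over a manifest already parsed into a dict, and the two sample manifests are constructed.

```python
"""Check a Pod manifest against the Kubernetes Pod Security Standards
"Restricted" profile (added example; not Kubernetes' own Pod Security
Admission code, and it covers the main fields rather than every rule).
The manifest is passed as a dict, i.e. already parsed from YAML/JSON."""

# Volume types allowed by the Restricted profile
ALLOWED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                        "persistentVolumeClaim", "projected", "secret"}


def _all_containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", []) + spec.get("ephemeralContainers", [])


def check_restricted(pod):
    """Return a list of violation strings; an empty list means the checked rules pass."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    violations = []

    # Baseline rules that Restricted inherits: no host namespaces, no hostPath and friends
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"{name}: spec.{field} must be false")
    for vol in spec.get("volumes", []):
        vol_types = set(vol) - {"name"}
        if not vol_types <= ALLOWED_VOLUME_TYPES:
            violations.append(f"{name}: volume {vol.get('name')} uses disallowed type "
                              f"{sorted(vol_types - ALLOWED_VOLUME_TYPES)}")

    # Pod-level settings are inherited by containers unless a container overrides them
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    for c in _all_containers(spec):
        sc = c.get("securityContext") or {}
        cname = f"{name}/{c.get('name')}"
        if sc.get("privileged"):
            violations.append(f"{cname}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{cname}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{cname}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            violations.append(f"{cname}: only NET_BIND_SERVICE may be added back")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{cname}: runAsNonRoot must be true at pod or container level")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f"{cname}: runAsUser must not be 0")
        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{cname}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


# Constructed manifests: a typical "debug" pod and a hardened application pod
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"}, "spec": {
    "hostNetwork": True,
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox", "securityContext": {"privileged": True}}]}}

GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "app", "image": "registry.example/app:1.2.3", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,   # read-only rootfs is not a PSS rule, but recommended
        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for v in check_restricted(BAD_POD):
        print(v)
```

In a real cluster the same profile is enforced by labelling the namespace (pod-security.kubernetes.io/enforce=restricted) or by a Kyverno/Gatekeeper policy; a pre-commit check like this one gives developers the same feedback before the admission webhook rejects the deployment.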
Network Security:
- Network Policies (Calico, Cilium, Weave)
- Ingress security
- Egress filtering
- Service mesh security
- mTLS (mutual TLS)
- Network segmentation
Secrets Management:
- Kubernetes Secrets
- External secrets (Vault, AWS Secrets Manager)
- Sealed Secrets
- SOPS
- Secret encryption at rest
Image Security:
- Image pull policies
- Private registries
- Image scanning in CI/CD
- Admission webhooks (OPA Gatekeeper, Kyverno)
- Image signing and verification
Runtime Security:
- Falco (runtime threat detection)
- Sysdig
- Aqua Security
- Twistlock/Prisma Cloud
- StackRox (now Red Hat ACS)
Monitoring & Logging:
- Audit logging
- Audit policy (API server audit levels: None, Metadata, Request, RequestResponse)
- Prometheus monitoring
- Grafana dashboards
- Log aggregation
- SIEM integration
Compliance & Hardening:
- CIS Kubernetes Benchmark
- kube-bench
- kube-hunter
- Polaris
- Kubescape
- NSA/CISA Kubernetes Hardening Guide
Managed Kubernetes Security
EKS Security (AWS):
- IAM roles for service accounts (IRSA)
- EKS security groups
- Private clusters
- Secrets encryption
- Pod Security Standards via Pod Security Admission (PodSecurityPolicy was removed in Kubernetes 1.25)
- GuardDuty for EKS
AKS Security (Azure):
- Azure AD integration
- Azure Policy for Kubernetes
- Private clusters
- Azure Network Policies
- Defender for Containers
GKE Security (GCP):
- Workload Identity
- Binary Authorization
- GKE Autopilot security
- Private clusters
- Shielded GKE nodes
- Security Command Center integration
4.3 Container Security Tools
- Trivy (vulnerability scanning)
- Clair
- Anchore
- Snyk Container
- Aqua Security
- Twistlock/Prisma Cloud
- Falco (runtime security)
- Sysdig
- OPA Gatekeeper (policy enforcement)
- Kyverno (Kubernetes native policy)
- Notary (image signing)
- Cosign (container signing)
5. CI/CD SECURITY (DevSecOps)
5.1 CI/CD Platforms
- Jenkins
- GitLab CI/CD
- GitHub Actions
- Azure DevOps
- CircleCI
- Travis CI
- AWS CodePipeline
- Google Cloud Build
- Tekton
- Argo CD
- Spinnaker
5.2 Pipeline Security
Source Code Security
- Git security
- Branch protection
- Code signing
- Commit verification
- Secret scanning (git-secrets, truffleHog, GitGuardian)
- Dependency scanning
- License compliance
Build Security
- Build environment security
- Build artifact signing
- Supply chain security
- SBOM (Software Bill of Materials)
- Build provenance
- Reproducible builds
- Isolated build environments
Testing Security
SAST (Static Application Security Testing)
- SonarQube
- Checkmarx
- Veracode
- Semgrep
- Bandit (Python)
- Brakeman (Ruby)
- ESLint (JavaScript)
DAST (Dynamic Application Security Testing)
- OWASP ZAP
- Burp Suite
- Acunetix
- Netsparker
SCA (Software Composition Analysis)
- Snyk
- WhiteSource/Mend
- Black Duck
- Dependabot
- Renovate
Container scanning
IaC scanning (Checkov, tfsec, Terrascan)
Secret detection
License scanning
Deployment Security
- Deployment approvals
- Environment separation
- Blue/green deployments
- Canary deployments
- Rollback mechanisms
- Immutable infrastructure
- Configuration management
- Secrets injection
- Runtime security
5.3 CI/CD Security Best Practices
- Least privilege for CI/CD
- Credential management
- Pipeline as Code
- Audit logging
- Access control
- Artifact signing
- Supply chain security
- Zero trust pipelines
- Security gates
- Compliance checks
- Automated rollback
- Incident response integration
5.4 Supply Chain Security
- SBOM generation and management
- Dependency verification
- Package signature verification
- Private package repositories
- Mirror management
- Vulnerability tracking
- Update policies
- Third-party risk management
- SLSA (Supply-chain Levels for Software Artifacts)
- Sigstore (signing, verification, transparency)
- In-toto (supply chain security framework)
6. IDENTITY & ACCESS MANAGEMENT (IAM)
6.1 Cloud IAM Mastery
AWS IAM Deep Dive
- Users, Groups, Roles
- Policies (managed, inline, customer-managed)
- Policy evaluation logic
- Policy conditions
- Resource-based policies vs Identity-based policies
- Permission boundaries
- Service Control Policies (SCPs)
- Organizations and account strategy
- IAM Access Analyzer
- Credential reports
- Access Advisor
- Cross-account access
- Assume role patterns
- External ID
- Session policies
- IAM best practices
- Least privilege
- MFA everywhere
- Roles over users
- Temporary credentials
- Regular audits
- Password policies
- Access key rotation
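The policy evaluation logic, permission boundaries and SCPs listed above (and under "IAM best practices" in 2.1) are easiest to internalise by running requests through a model of the decision order. The following is an added example for this roadmap, not AWS code: a simplified evaluator that applies the documented rule (an explicit Deny anywhere wins; otherwise every applicable layer needs a matching Allow). It deliberately does not model resource-based policies, session policies, NotAction/NotResource or Condition blocks, and the three sample policies are constructed.

```python
"""Simplified AWS IAM policy evaluation (added example, not AWS code).

Models the documented decision order: an explicit Deny in any layer wins;
otherwise the request is allowed only if every layer that exists (SCPs,
permission boundary, identity policies) contains a matching Allow.
Not modeled: resource-based policies, session policies, NotAction/NotResource
and Condition blocks (a statement with a Condition needs the real request context).
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_effects(policy, action, resource):
    """Yield the Effect of every statement in `policy` that matches the request."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if "NotAction" in stmt or "NotResource" in stmt or "Condition" in stmt:
            raise NotImplementedError("NotAction/NotResource/Condition are not modeled")
        # Action names match case-insensitively, ARNs case-sensitively; '*' and '?' are wildcards
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        yield stmt["Effect"]


def _layer_decision(policies, action, resource):
    """'Deny' (explicit), 'Allow', or None (no matching statement: implicit deny)."""
    effects = [e for p in policies for e in _statement_effects(p, action, resource)]
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return None


def evaluate(action, resource, identity_policies, boundary=None, scps=None):
    """Return (decision, reason) for one request.

    scps=None means no Organizations SCP beyond the default FullAWSAccess;
    boundary=None means no permission boundary is attached. Both then impose
    no restriction.
    """
    layers = [
        ("SCP", scps),
        ("permission boundary", None if boundary is None else [boundary]),
        ("identity policy", identity_policies),
    ]
    decisions = [(name, _layer_decision(pols, action, resource))
                 for name, pols in layers if pols is not None]
    for name, decision in decisions:            # explicit Deny in any layer is final
        if decision == "Deny":
            return "Deny", f"explicit Deny in {name}"
    for name, decision in decisions:            # every layer must contribute an Allow
        if decision is None:
            return "Deny", f"no matching Allow in {name} (implicit deny)"
    return "Allow", "Allow present in every applicable layer"


# Constructed sample policies for a hypothetical developer role
DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": ["arn:aws:s3:::app-*", "arn:aws:s3:::app-*/*"]},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
]}
# Stand-in for a condition-based SCP (a real region lock would use aws:RequestedRegion)
ORG_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"},
]}

if __name__ == "__main__":
    for req in [("s3:GetObject", "arn:aws:s3:::app-logs/2024/x.gz"),
                ("s3:GetObject", "arn:aws:s3:::other-bucket/x"),
                ("s3:DeleteBucket", "arn:aws:s3:::app-logs"),
                ("ec2:RunInstances", "*")]:
        print(req, evaluate(*req, [DEV_POLICY], boundary=BOUNDARY, scps=[ORG_SCP]))
```

The second request is the case people most often get wrong: the identity policy allows s3:* everywhere, yet the call is denied because the permission boundary (the intersection) has no Allow for that bucket. For real policies use the IAM policy simulator or Access Analyzer; this model exists to make the order of precedence visible.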
Azure AD & IAM
- Users and groups
- Service principals
- Managed identities (system-assigned, user-assigned)
- RBAC (built-in roles, custom roles)
- Azure AD roles vs Azure roles
- Privileged Identity Management (PIM)
- Conditional Access
- Identity Protection
- Access reviews
- Entitlement management
- Azure AD B2B
- Azure AD B2C
- Application registration
- API permissions
- Consent framework
- Hybrid identity (AD Connect)
GCP IAM
- Members và principals
- Roles (primitive, predefined, custom)
- Policy hierarchy
- Resource hierarchy (org, folders, projects)
- Service accounts
- Workload Identity Federation
- Organization policies
- IAM recommender
- Policy Intelligence
- Policy Analyzer
- VPC Service Controls
- Access Context Manager
6.2 Identity Federation
- SAML 2.0
- OAuth 2.0
- OpenID Connect (OIDC)
- Identity providers (Okta, Auth0, Ping Identity)
- Federation patterns
- Single Sign-On (SSO)
- Identity synchronization
- Multi-cloud identity
- Workforce identity vs Workload identity
6.3 Privileged Access Management
- Just-In-Time (JIT) access
- Temporary elevated access
- Break-glass procedures
- Session recording
- Privilege escalation detection
- Admin account monitoring
- Bastion hosts/Jump boxes
- Privileged Access Workstations (PAWs)
- CyberArk, BeyondTrust (PAM solutions)
6.4 Secrets Management
HashiCorp Vault:
- Dynamic secrets
- Secret engines
- Authentication methods
- Policies
- Audit logging
- High availability
- Auto-unseal
- Transit secrets engine (encryption as a service)
Cloud-native secrets:
- AWS Secrets Manager
- Azure Key Vault
- GCP Secret Manager
- Parameter Store (AWS)
Kubernetes secrets:
- External Secrets Operator
- Sealed Secrets
- SOPS
- CSI Secret Store Driver
Secret rotation:
- Automated rotation
- Zero-downtime rotation
- Rotation validation
Secret security:
- Encryption at rest
- Access logging
- Least privilege
- Secret scanning
- No hardcoded secrets
- Environment variable injection
- Gitignore patterns
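"Secret scanning" and "no hardcoded secrets" (also listed under 3.7 and 5.2) come down to pattern plus entropy checks run before code is committed. The following is an added example for this roadmap; its patterns are mine and simpler than those shipped with git-secrets or truffleHog. The sample file is constructed and uses the AWS documentation example credentials, which are not live keys.

```python
"""Line-oriented secret scanner for files about to be committed (added
example; the patterns are mine, simpler than those in git-secrets or
truffleHog). The sample uses the AWS documentation example credentials
(AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY), which are not live keys."""
import math
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "line rule redacted")

# (rule name, compiled regex, minimum Shannon entropy of group 1, or None to skip the entropy check)
RULES = [
    ("aws_access_key_id", re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"), None),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws.{0,20}?secret.{0,20}?['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"), None),
    ("github_token", re.compile(r"(ghp_[A-Za-z0-9]{36})(?![A-Za-z0-9])"), None),
    ("private_key", re.compile(r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----)"), None),
    # generic `password = "..."`-style assignment; only high-entropy values count
    ("high_entropy_assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"\s]{20,})['\"]"), 3.5),
]


def shannon_entropy(s):
    """Bits per character: about 4 for random hex, 5 or more for random base64, low for words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Never echo the full secret into CI logs."""
    return value[:4] + "***" if len(value) > 8 else "***"


def scan_text(text):
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern, min_entropy in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if min_entropy is not None and shannon_entropy(m.group(1)) < min_entropy:
                continue
            findings.append(Finding(line_no, name, redact(m.group(1))))
    return findings


SAMPLE_FILE = "\n".join([
    "# constructed .env file; the AWS values are the documentation examples",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    'db_password = "changeme"',
    'api_token = "xK9vQ2mL7pR4sT8wY1zA3bC5dE6fG0hJ"',
    "-----BEGIN RSA PRIVATE KEY-----",
    'ghp_placeholder = "not a real token"',
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f.line}: {f.rule} ({f.redacted})")
```

Wire this into a pre-commit hook and fail the commit on any finding; the entropy threshold is what keeps "changeme" quiet while a random 32-character token is reported. A scanner is a safety net, not the control: the secret belongs in Secrets Manager, Key Vault or Vault and is injected at runtime.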
6.5 Authentication & Authorization Patterns
- Certificate-based authentication
- Token-based authentication
- API keys management
- OAuth flows
- JWT (JSON Web Tokens)
- mTLS (mutual TLS)
- Attribute-Based Access Control (ABAC)
- Policy-Based Access Control (PBAC)
- Zero Trust authentication
- Continuous verification
7. NETWORK SECURITY IN CLOUD
7.1 Cloud Network Architecture
VPC/VNet Design:
- CIDR planning
- Subnet strategies (public, private, data)
- Multi-tier architecture
- Hub-and-spoke topology
- Transit VPC/VNet
- Network segmentation
- Microsegmentation
Hybrid connectivity:
- VPN (Site-to-Site)
- Direct Connect (AWS)
- ExpressRoute (Azure)
- Cloud Interconnect (GCP)
- SD-WAN integration
Inter-cloud connectivity:
- VPC Peering
- VNet Peering
- Transit Gateway (AWS)
- Virtual WAN (Azure)
- Network Connectivity Center (GCP)
7.2 Network Security Controls
Firewall solutions:
- Security Groups (AWS)
- Network Security Groups (Azure)
- Firewall Rules (GCP)
- Network ACLs
- AWS Network Firewall
- Azure Firewall
- Cloud Armor (GCP)
- Third-party firewalls (Palo Alto, Fortinet, Check Point)
Web Application Firewalls:
- AWS WAF
- Azure WAF
- Cloud Armor
- Imperva
- Cloudflare WAF
- WAF rules and rulesets
- OWASP Core Rule Set
- Rate limiting
- Bot management
- Geo-blocking
DDoS Protection:
- AWS Shield (Standard, Advanced)
- Azure DDoS Protection
- Cloud Armor
- Cloudflare
- Akamai
- DDoS mitigation strategies
Intrusion Detection/Prevention:
- IDS/IPS in cloud
- GuardDuty (AWS)
- Defender for Cloud network-layer alerts (Azure)
- Network-based threat detection
- Anomaly detection
7.3 Network Monitoring & Visibility
Flow logs:
- VPC Flow Logs (AWS)
- NSG Flow Logs (Azure)
- VPC Flow Logs (GCP)
- Flow log analysis
- Traffic analytics
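Flow log analysis is where the list above turns into detections. The following is an added example for this roadmap, not an AWS tool: it parses records in the default version-2 VPC Flow Log format and flags two things, accepted TCP flows from outside the VPC to administrative ports (a security group let them in) and a single external source whose rejected flows hit many distinct ports. The records are constructed, and documentation ranges (203.0.113.0/24, 198.51.100.0/24) stand in for internet hosts; "inside" is assumed to mean RFC 1918, CGNAT, link-local and loopback.

```python
"""Parse AWS VPC Flow Log records (default version-2 format) and flag
two patterns: accepted inbound traffic from outside the VPC to admin
ports, and one external source probing many ports. Added example with
constructed records; not an AWS tool. Documentation ranges (203.0.113.0/24,
198.51.100.0/24) stand in for internet hosts."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}
# Ranges treated as "inside" (assumption: VPC CIDRs come from RFC 1918)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                         "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]


def parse_flow_log(text):
    """Return a list of dicts, one per usable record."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                     # header line or malformed record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                     # NODATA / SKIPDATA rows carry '-' instead of values
        for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def is_external(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_admin_exposure(records):
    """ACCEPTed TCP flows from external sources to admin ports: a security group let them in."""
    return sorted({(r["srcaddr"], r["dstaddr"], ADMIN_PORTS[r["dstport"]])
                   for r in records
                   if r["action"] == "ACCEPT" and r["protocol"] == 6
                   and r["dstport"] in ADMIN_PORTS and is_external(r["srcaddr"])})


def find_port_scans(records, min_ports=10):
    """External sources whose REJECTed flows touched at least `min_ports` distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and is_external(r["srcaddr"]):
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample: one SSH session allowed in from the internet, its return
# flow, internal HTTPS, a NODATA row, and a 12-port sweep that was rejected.
SAMPLE_LOG = "\n".join([
    "2 123456789012 eni-0a1b2c3d4e5f 203.0.113.7 10.0.1.15 51234 22 6 12 2400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f 10.0.1.15 203.0.113.7 22 51234 6 10 3000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f 10.0.2.9 10.0.1.15 44444 443 6 5 800 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1700000000 1700000060 - NODATA",
] + [f"2 123456789012 eni-0a1b2c3d4e5f 198.51.100.23 10.0.1.15 40000 {p} 6 1 60 1700000000 1700000060 REJECT OK"
     for p in range(20, 32)])

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("admin ports reachable from the internet:", find_admin_exposure(recs))
    print("probable port scans:", find_port_scans(recs))
```

Two caveats a practitioner should keep in mind: custom flow log formats change the field order (adjust FIELDS), and an ACCEPT means both the security group and the NACL allowed the packet, so an exposure hit should be traced back to the specific rule that permitted it.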
Packet capture:
- Traffic mirroring
- VPC Traffic Mirroring (AWS)
- Network Watcher (Azure)
- Packet Mirroring (GCP)
Network monitoring tools:
- CloudWatch (AWS)
- Azure Monitor
- Cloud Monitoring (GCP)
- Third-party (Datadog, New Relic, Splunk)
- NetFlow/sFlow analysis
DNS security:
- Route 53 Resolver DNS Firewall (AWS)
- Azure DNS
- Cloud DNS (GCP)
- DNS logging
- DNS over HTTPS (DoH)
- DNS over TLS (DoT)
- DNSSEC
7.4 Service Mesh Security
- Istio security
- mTLS
- Authorization policies
- Request authentication
- Peer authentication
- Linkerd security
- Consul Connect
- Service-to-service authentication
- Traffic encryption
- Policy enforcement
7.5 Zero Trust Networking
- Zero Trust principles
- Identity-based access
- Microsegmentation
- BeyondCorp (Google’s Zero Trust model)
- AWS Zero Trust
- Azure Zero Trust
- Continuous verification
- Least privilege network access
- Software-defined perimeter (SDP)
8. DATA SECURITY & ENCRYPTION
8.1 Encryption at Rest
Block storage encryption:
- EBS encryption (AWS)
- Managed Disk encryption (Azure)
- Persistent Disk encryption (GCP)
- Volume encryption keys
Object storage encryption:
- S3 encryption (SSE-S3, SSE-KMS, SSE-C)
- Azure Blob encryption
- GCS encryption
- Client-side encryption
Database encryption:
- RDS encryption (AWS)
- TDE (Transparent Data Encryption)
- SQL Database encryption (Azure)
- Cloud SQL encryption (GCP)
- Application-level encryption
- Column-level encryption
- Field-level encryption
File system encryption:
- EFS encryption (AWS)
- Azure Files encryption
- Filestore encryption (GCP)
8.2 Encryption in Transit
TLS/SSL everywhere
Certificate management
- AWS Certificate Manager
- Azure Key Vault Certificates
- Google-managed certificates
- Let’s Encrypt automation
- Certificate rotation
- Certificate pinning
VPN encryption
Private connectivity (PrivateLink, Private Endpoint)
End-to-end encryption
Application-level encryption
8.3 Key Management
KMS (Key Management Service):
AWS KMS
- KMS keys (formerly called Customer Master Keys, CMKs)
- Key policies
- Grants
- Key rotation
- Multi-region keys
- CloudHSM integration
Azure Key Vault
- Keys, secrets, certificates
- Soft delete and purge protection
- RBAC vs access policies
- Managed HSM
- Key rotation
Cloud KMS (GCP)
- Key rings
- Keys and versions
- IAM integration
- Key rotation
- Cloud HSM
Key management best practices:
- Key hierarchy
- Separation of duties
- Key rotation policies
- Key lifecycle management
- Auditing key usage
- Envelope encryption
- Bring Your Own Key (BYOK)
- Hold Your Own Key (HYOK)
- Customer-managed keys vs Platform-managed keys
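Envelope encryption is the pattern behind S3 SSE-KMS, EBS encryption and every cloud KMS: a fresh data key encrypts the object, the KMS wraps the data key under a master key that never leaves the service, and the wrapped key travels with the ciphertext. The following is an added example for this roadmap, not SDK code from any provider. Two assumptions are labelled in the code: FakeKms stands in for the real key service, and because the standard library has no AES-GCM, an HMAC-SHA256 keystream with an encrypt-then-MAC tag plays the role of the authenticated cipher (real code would use AES-GCM from the SDK or the `cryptography` package). The encryption context is bound as additional authenticated data, which is why a wrapped key cannot be replayed under a different context.

```python
"""Envelope encryption with a simulated KMS (added example; not AWS/Azure/GCP
SDK code). A per-object data key encrypts the payload; the KMS wraps that
data key under a master key that never leaves the KMS. Stand-in cipher:
the stdlib has no AES-GCM, so an HMAC-SHA256 keystream with an
encrypt-then-MAC tag plays that role here; real code would use AES-GCM."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import struct


def _keystream_xor(key, nonce, data):
    out = bytearray()
    for block_no, i in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + struct.pack(">I", block_no), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def aead_encrypt(key, plaintext, aad=b""):
    """nonce || ciphertext || tag; `aad` is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext, AAD or key is wrong")
    return _keystream_xor(enc_key, nonce, ct)


def _context_bytes(context):
    # Canonical encoding of the encryption context so it can serve as AAD
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


class FakeKms:
    """Stand-in for a KMS: master keys live only here; callers get key IDs, never key bytes."""

    def __init__(self):
        self._keys = {}

    def create_key(self):
        key_id = "key-" + secrets.token_hex(8)
        self._keys[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id, context):
        """Return (plaintext data key, data key wrapped under the master key)."""
        data_key = os.urandom(32)
        wrapped = aead_encrypt(self._keys[key_id], data_key, aad=_context_bytes(context))
        return data_key, wrapped

    def decrypt(self, key_id, wrapped, context):
        """Unwrap a data key; fails if the context differs from the one used when wrapping."""
        return aead_decrypt(self._keys[key_id], wrapped, aad=_context_bytes(context))


def envelope_encrypt(kms, key_id, plaintext, context):
    data_key, wrapped = kms.generate_data_key(key_id, context)
    body = aead_encrypt(data_key, plaintext, aad=_context_bytes(context))
    del data_key                      # the plaintext data key is needed only for this call
    return {"key_id": key_id, "context": context,
            "wrapped_key": base64.b64encode(wrapped).decode(),
            "ciphertext": base64.b64encode(body).decode()}


def envelope_decrypt(kms, envelope):
    data_key = kms.decrypt(envelope["key_id"], base64.b64decode(envelope["wrapped_key"]), envelope["context"])
    return aead_decrypt(data_key, base64.b64decode(envelope["ciphertext"]), aad=_context_bytes(envelope["context"]))


if __name__ == "__main__":
    kms = FakeKms()
    key_id = kms.create_key()
    env = envelope_encrypt(kms, key_id, b"4111 1111 1111 1111", {"tenant": "acme", "purpose": "cardholder-data"})
    print(envelope_decrypt(kms, env))
```

Note what the structure buys you: bulk data never goes to the KMS (only 32-byte data keys do), every decrypt is a KMS call that can be logged and denied by key policy, and rotating the master key does not require re-encrypting stored objects because the old key material stays available for unwrapping.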
8.4 Data Loss Prevention (DLP)
Cloud DLP services:
- Amazon Macie
- Azure Information Protection
- Cloud DLP API (GCP)
Data classification:
- Sensitive data identification
- PII detection
- PHI/PCI data
- Intellectual property
- Data tagging
DLP policies:
- Data discovery
- Data monitoring
- Policy enforcement
- Incident response
- User education
Data governance:
- Data catalog
- Data lineage
- Metadata management
- Access controls
- Retention policies
- Data sovereignty
8.5 Backup & Disaster Recovery
Backup strategies:
- Automated backups
- Backup retention
- Point-in-time recovery
- Cross-region backups
- Backup encryption
- Backup testing
- Immutable backups (ransomware protection)
Disaster Recovery:
- RTO/RPO planning
- DR strategies (Backup & Restore, Pilot Light, Warm Standby, Multi-Site)
- Multi-region architecture
- Failover testing
- DR runbooks
- Business continuity planning
Cloud backup services:
- AWS Backup
- Azure Backup
- Backup and DR Service (GCP); Storage Transfer Service moves data between buckets but is not a backup product
- Third-party (Veeam, Commvault, Rubrik)
9. CLOUD SECURITY POSTURE MANAGEMENT (CSPM)
9.1 CSPM Concepts
- Configuration management
- Compliance monitoring
- Misconfiguration detection
- Drift detection
- Security benchmarks (CIS, NIST)
- Risk scoring
- Remediation workflows
- Continuous monitoring
9.2 Native CSPM Tools
AWS:
- Security Hub
- Config
- Trusted Advisor
- Well-Architected Tool
- GuardDuty (threat detection)
Azure:
- Defender for Cloud (formerly Security Center)
- Secure Score
- Azure Policy
- Compliance Manager
GCP:
- Security Command Center
- Security Health Analytics
- Policy Intelligence
- Recommender
9.3 Third-Party CSPM Tools
- Prisma Cloud (Palo Alto)
- Dome9/CloudGuard (Check Point)
- Aqua CSPM
- Orca Security
- Wiz
- Lacework
- Datadog Cloud Security
- Fugue (acquired by Snyk)
- CloudHealth (VMware)
- Spot Security (NetApp)
9.4 CSPM Implementation
- Multi-cloud visibility
- Policy enforcement
- Automated remediation
- Alert management
- Reporting and dashboards
- Integration with SIEM
- Compliance reporting
- Asset inventory
- Security baseline
9.5 Cloud Workload Protection (CWPP)
- Runtime protection
- Vulnerability management
- Anti-malware
- File integrity monitoring
- Behavioral monitoring
- Container security
- Serverless security
- VM security
- Tools: Aqua, Prisma Cloud, Trend Micro Cloud One
10. SERVERLESS SECURITY
10.1 Serverless Architecture Security
AWS Lambda Security:
- Execution role (IAM)
- Resource policies
- VPC integration
- Environment variables encryption
- Layers security
- Runtime security
- Cold start security
- Lambda@Edge security
Azure Functions Security:
- Managed identity
- App Service authentication
- Key Vault integration
- Virtual network integration
- Durable Functions security
Google Cloud Functions Security:
- Service account
- VPC connector
- Secret Manager integration
- Identity Platform
10.2 API Gateway Security
AWS API Gateway:
- IAM authorization
- Lambda authorizers
- Cognito authorizers
- API keys
- Usage plans
- WAF integration
- Request/response validation
- Throttling
Azure API Management:
- OAuth 2.0
- JWT validation
- Certificate authentication
- IP filtering
- Rate limiting
- Policies
Google Cloud API Gateway:
- API key validation
- Service account authentication
- JWT authentication
10.3 Serverless Security Best Practices
- Least privilege functions
- Function isolation
- Input validation
- Dependency management
- Secrets management
- Logging and monitoring
- Cold start mitigation
- Resource limits
- Timeout configuration
- Dead letter queues
- Error handling
- Version control
- Deployment automation
10.4 Serverless Security Tools
- PureSec (acquired by Palo Alto)
- Snyk for serverless
- Serverless Framework security plugins
- OWASP Serverless Top 10
- Lambda security scanner
- Function Shield
- Protego (acquired by Check Point)
11. COMPLIANCE & GOVERNANCE
11.1 Compliance Frameworks
Regulatory:
- GDPR (General Data Protection Regulation)
- HIPAA (Health Insurance Portability and Accountability Act)
- PCI DSS (Payment Card Industry Data Security Standard)
- SOX (Sarbanes-Oxley Act)
- FISMA (Federal Information Security Management Act)
- FedRAMP (Federal Risk and Authorization Management Program)
- ISO 27001/27017/27018
- SOC 2 Type I/II
- CCPA (California Consumer Privacy Act)
- NIST frameworks
Industry-specific:
- FINRA (Financial)
- GLBA (Financial)
- FERPA (Education)
- COPPA (Children’s privacy)
- ITAR (Defense)
11.2 Cloud Compliance Tools
AWS:
- Artifact (compliance reports)
- Audit Manager
- Config Conformance Packs
- Security Hub compliance standards
Azure:
- Compliance Manager
- Blueprints (being retired)
- Policy initiatives
- Compliance offerings
GCP:
- Compliance resource center
- Assured Workloads
- Compliance Reports Manager
Third-party:
- Vanta
- Drata
- Secureframe
- TrustCloud
- Tugboat Logic (acquired by OneTrust)
11.3 Policy as Code
OPA (Open Policy Agent):
- Rego language
- Policy bundles
- Policy testing
- OPA Gatekeeper (Kubernetes)
- Conftest (IaC testing)
HashiCorp Sentinel:
- Terraform integration
- Policy enforcement
- Compliance automation
Cloud-native:
- AWS Config Rules
- Azure Policy
- GCP Organization Policies
- Service Control Policies (AWS)
IaC policy tools:
- Checkov
- Terrascan
- tfsec
- KICS
11.4 Governance Framework
Cloud governance:
- Landing zones
- Account/subscription strategy
- Tagging strategy
- Naming conventions
- Resource organization
- Cost governance
- Multi-account/subscription management
Governance tools:
- AWS Control Tower
- AWS Organizations
- Azure Management Groups
- GCP Resource Manager
- Cloud custodian
Compliance automation:
- Continuous compliance
- Automated remediation
- Compliance reporting
- Audit trails
- Evidence collection
11.5 Data Residency & Sovereignty
- Regional compliance
- Data localization
- Cross-border data transfer
- Privacy Shield (invalidated by the CJEU's Schrems II ruling in 2020; the EU-US Data Privacy Framework replaced it in 2023)
- Standard Contractual Clauses
- Binding Corporate Rules
- Encryption for sovereignty
- Regional service deployment
12. THREAT DETECTION & INCIDENT RESPONSE
12.1 Cloud-Native Threat Detection
AWS:
- GuardDuty (threat detection)
- Macie (sensitive data)
- Detective (investigation)
- Inspector (vulnerability assessment)
- Security Hub (aggregation)
Azure:
- Defender for Cloud
- Sentinel (SIEM/SOAR)
- Defender for Endpoint
- Defender for Identity
- Defender for Office 365
GCP:
- Security Command Center
- Event Threat Detection
- Container Threat Detection
- Google Security Operations (formerly Chronicle; SIEM)
12.2 SIEM in Cloud
Cloud SIEM solutions:
- Microsoft Sentinel
- Google Security Operations (Chronicle)
- Splunk Cloud
- Sumo Logic
- Datadog Security Monitoring
- Elastic Security
SIEM integration:
- Log aggregation (CloudTrail, Activity Log, Audit Logs)
- Normalized logging
- Correlation rules
- Alerting
- Dashboards
- Threat intelligence feeds
- Automated response
12.3 Security Monitoring
Logging strategy:
- Centralized logging
- Log retention
- Log encryption
- Log integrity
- Immutable logs
What to monitor:
- API calls (CloudTrail, Activity Log)
- Configuration changes (Config, Policy)
- Network traffic (Flow Logs)
- Authentication events
- Resource access
- Anomalies
- Threats
- Compliance drift
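The "what to monitor" list above becomes concrete when written as rules over CloudTrail events. The following is an added example for this roadmap; the rule logic is mine, not GuardDuty's or Security Hub's, and the six events are constructed using the real CloudTrail field names (userIdentity, eventSource, requestParameters, additionalEventData). It covers root usage, console login without MFA, trail tampering, an access key created for another user, and a security group opened to 0.0.0.0/0.

```python
"""Detection rules run over CloudTrail events (added example; the rule logic
is mine, not GuardDuty's or Security Hub's, and the events are constructed
with the real CloudTrail field names)."""

TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(event):
    """Human-readable principal: the IAM user, or the role a session was assumed from."""
    ui = event.get("userIdentity", {})
    if ui.get("type") == "AssumedRole":
        issuer = ui.get("sessionContext", {}).get("sessionIssuer", {})
        return f"role/{issuer.get('userName', '?')}"
    return ui.get("userName") or ui.get("arn", "?")


def rule_root_usage(e):
    if e.get("userIdentity", {}).get("type") == "Root":
        return "HIGH", f"root credentials used for {e.get('eventName')}"


def rule_console_login_without_mfa(e):
    if (e.get("eventName") == "ConsoleLogin"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and e.get("additionalEventData", {}).get("MFAUsed") == "No"):
        return "HIGH", f"console login without MFA by {actor(e)} from {e.get('sourceIPAddress')}"


def rule_trail_tampering(e):
    if e.get("eventSource") == "cloudtrail.amazonaws.com" and e.get("eventName") in TRAIL_TAMPER_EVENTS:
        trail = e.get("requestParameters", {}).get("name")
        return "CRITICAL", f"{e['eventName']} on {trail} by {actor(e)}"


def rule_access_key_for_other_user(e):
    if e.get("eventName") == "CreateAccessKey":
        target = e.get("requestParameters", {}).get("userName")
        if target and target != actor(e):
            return "MEDIUM", f"{actor(e)} created an access key for user {target}"


def rule_open_ingress(e):
    if e.get("eventName") == "AuthorizeSecurityGroupIngress":
        params = e.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    return "MEDIUM", (f"{actor(e)} opened {perm.get('ipProtocol')}/{perm.get('fromPort')} "
                                      f"to 0.0.0.0/0 on {params.get('groupId')}")


RULES = [rule_root_usage, rule_console_login_without_mfa, rule_trail_tampering,
         rule_access_key_for_other_user, rule_open_ingress]


def detect(events):
    """Return (severity, eventTime, message) for every rule that fires."""
    findings = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                findings.append((hit[0], e.get("eventTime"), hit[1]))
    return findings


# Constructed events, trimmed to the fields the rules read
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.9",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"}},
    {"eventTime": "2024-05-01T08:06:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": {"userName": "svc-deploy"}},
    {"eventTime": "2024-05-01T08:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "AdminRole"}}},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T08:15:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-05-01T08:20:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

if __name__ == "__main__":
    for severity, when, msg in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {when} {msg}")
```

In production the same rules run as CloudWatch metric filters, EventBridge rules or SIEM correlation searches; the point of writing them out is to see which fields each detection depends on, which is also what an attacker sees when deciding what to avoid (for example, StopLogging is loud, so a careful adversary edits event selectors instead, which is why PutEventSelectors is in the tamper set).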
Monitoring tools:
- CloudWatch (AWS)
- Azure Monitor
- Cloud Monitoring (GCP)
- Prometheus
- Grafana
- ELK Stack
- Third-party APM tools
12.4 Incident Response in Cloud
IR framework:
- Preparation
- Detection
- Analysis
- Containment
- Eradication
- Recovery
- Post-incident review
Cloud IR considerations:
- Shared responsibility model
- Evidence collection
- Forensics in cloud
- Snapshot preservation
- Log analysis
- Memory forensics
- Legal hold
- Chain of custody
IR automation:
- AWS Systems Manager (automation)
- Azure Automation
- Lambda/Functions for response
- SOAR platforms (Splunk SOAR, Palo Alto Cortex XSOAR)
- Playbook automation
Forensics tools:
- Cloud forensics frameworks
- Disk imaging
- Memory analysis
- Log analysis tools
- Timeline analysis
- Artifact collection
12.5 Threat Intelligence
- Threat feeds integration
- IOC (Indicators of Compromise)
- STIX/TAXII
- Threat hunting
- Attack attribution
- TTPs (Tactics, Techniques, Procedures)
- MITRE ATT&CK for Cloud
13. PENETRATION TESTING & RED TEAMING
13.1 Cloud Penetration Testing
Permission requirements:
- AWS: Customer Support Policy for Penetration Testing (the listed services may be tested without prior approval; DoS/DDoS simulation and other listed activities need approval)
- Azure: Microsoft Cloud Penetration Testing Rules of Engagement (prior notification has not been required since 2017, but the rules bind you)
- GCP: no approval process, but the Acceptable Use Policy and Terms of Service apply and testing is limited to your own projects
- Third-party authorization
Scope definition:
- In-scope services
- Out-of-scope resources
- Testing windows
- Impact assessment
- Rules of engagement
13.2 Cloud Attack Vectors
IAM attacks:
- Credential compromise
- Privilege escalation
- Role assumption abuse
- Permission enumeration
- Policy exploitation
Storage attacks:
- Public bucket enumeration
- Misconfigured permissions
- Data exfiltration
- Bucket takeover
Network attacks:
- SSRF (Server-Side Request Forgery)
- Metadata service abuse
- VPC pivoting
- Security group bypass
Compute attacks:
- Instance metadata access
- IMDSv1 vs IMDSv2 (IMDSv2 requires a session token obtained with a PUT; enforce it with HttpTokens=required and a PUT response hop limit of 1)
- User data secrets
- Snapshot hijacking
- VM escape (rare)
Serverless attacks:
- Function invocation abuse
- Environment variable exposure
- Dependency confusion
- Cold start attacks
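SSRF to the metadata service is the attack vector that most often turns a web bug into cloud credentials, so outbound fetches in application code need a guard. The following is an added example for this roadmap; the addresses and hostnames are the documented IMDS and GCP metadata endpoints, the policy is mine. It rejects the IMDS IPv4/IPv6 addresses, GCP's metadata hostname, loopback/link-local/private literal IPs, decimal-encoded IPv4 and IPv4-mapped IPv6. The caveat is in the code: a public hostname that resolves to one of these ranges (DNS rebinding) or a redirect to them is not caught by a string check, so the instance-side control (IMDSv2 required, hop limit 1, and least-privilege instance roles) still matters.

```python
"""Outbound-URL guard against SSRF reaching cloud metadata services (added
example; the hostnames and addresses are the documented IMDS endpoints,
the policy is mine). Caveat: a public hostname that resolves to one of
these ranges (DNS rebinding) or a redirect to them is NOT caught by a
string check; resolve and re-check at connect time and do not follow
redirects blindly."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# AWS IMDS (IPv4 and IPv6), GCP metadata server and its short alias
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal", "metadata"}


def _to_ip(host):
    """Parse a literal IP in dotted/IPv6 or bare-decimal form; None if `host` is a name."""
    try:
        return ip_address(host)
    except ValueError:
        pass
    if host.isdigit() and int(host) < 2 ** 32:       # e.g. 2852039166 == 169.254.169.254
        return ip_address(int(host))
    return None


def is_safe_outbound_url(url):
    """Return (allowed, reason) for a URL the application is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"
    if host in METADATA_HOSTS:
        return False, f"{host} is a cloud metadata endpoint"
    ip = _to_ip(host)
    if ip is not None:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped                       # ::ffff:a.b.c.d is really IPv4 a.b.c.d
        if (ip.is_link_local or ip.is_loopback or ip.is_private
                or ip.is_unspecified or ip.is_multicast or ip.is_reserved):
            return False, f"{ip} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://[fd00:ec2::254]/latest/api/token",
              "http://metadata.google.internal/computeMetadata/v1/",
              "http://2852039166/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "https://api.example.com/v1/items"):
        print(is_safe_outbound_url(u), u)
```

The decimal and IPv4-mapped forms are the bypasses that naive "does the string contain 169.254.169.254" filters miss; the rebinding case is the one no string filter can handle, which is why egress for such fetches is best routed through a proxy that applies the same check after resolution.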
13.3 Cloud Pentesting Tools
Multi-cloud:
- ScoutSuite
- Prowler
- CloudSploit
- CS Suite (Cloud Security Suite)
- CloudFox
AWS-specific:
- Pacu
- WeirdAAL
- CloudMapper
- PMapper (Principal Mapper)
- Endgame
Azure-specific:
- MicroBurst
- PowerZure
- ROADtools
- Stormspotter
- AzureHound
GCP-specific:
- GCP-IAM-Privilege-Escalation
- GCPBucketBrute
- Hayat
13.4 Red Team Operations
- Cloud red team methodology
- Assumed breach scenarios
- Lateral movement in cloud
- Persistence mechanisms
- Data exfiltration
- Detection evasion
- C2 in cloud
- Living off the land (cloud edition)
13.5 Bug Bounty & Responsible Disclosure
- Cloud-specific bug bounties
- Responsible disclosure to cloud providers
- Common cloud vulnerabilities
- SSRF to metadata
- IAM misconfigurations
- Public resource exposure
14. SECURITY AUTOMATION & ORCHESTRATION
14.1 Security Automation Frameworks
Infrastructure automation:
- Terraform automation
- CloudFormation automation
- Ansible automation
- CI/CD security gates
Security orchestration:
- AWS Step Functions
- Azure Logic Apps
- Cloud Workflows (GCP)
- Apache Airflow
Event-driven automation:
- EventBridge (AWS)
- Event Grid (Azure)
- Pub/Sub (GCP)
- Webhooks
14.2 Automated Response
Auto-remediation:
- Config Remediation (AWS)
- Azure Policy remediation
- Security Command Center auto-actions
- Lambda functions for remediation
- Runbooks
Quarantine automation:
- Automated isolation
- Network segmentation
- Access revocation
- Snapshot creation
Notification automation:
- SNS/SQS (AWS)
- Service Bus (Azure)
- Pub/Sub (GCP)
- Slack/Teams integration
- PagerDuty integration
14.3 Security Testing Automation
- Automated vulnerability scanning
- Continuous compliance checking
- Infrastructure testing (kitchen-terraform, terratest)
- Security regression testing
- Chaos engineering for security
- Automated penetration testing
14.4 Orchestration Tools
SOAR platforms:
- Splunk SOAR (Phantom)
- Palo Alto Cortex XSOAR
- IBM Resilient
- Swimlane
Workflow automation:
- n8n
- Apache NiFi
- StackStorm
- Rundeck
15. ADVANCED TOPICS
15.1 Cloud-Native Application Protection (CNAPP)
- Unified security platform
- CSPM + CWPP + KSPM
- Vulnerability management
- Compliance management
- Runtime protection
- Identity security
- Data security
- Examples: Wiz, Orca, Prisma Cloud
15.2 Service Mesh Security
- Istio security features
- mTLS implementation
- Authorization policies
- Certificate management
- Traffic encryption
- Observability
- Policy enforcement
- Multi-cluster mesh
15.3 eBPF for Cloud Security
- eBPF basics
- Runtime security with eBPF
- Network monitoring
- Falco with eBPF
- Cilium security features
- Tetragon (runtime enforcement)
15.4 Confidential Computing
- Trusted Execution Environments (TEE)
- AWS Nitro Enclaves
- Azure Confidential Computing
- Google Confidential VMs
- Intel SGX
- AMD SEV
- Use cases (sensitive data processing)
- Attestation
15.5 Quantum-Safe Cryptography
- Post-quantum cryptography
- Migration planning
- Quantum-resistant algorithms
- Crypto agility
- Future-proofing cloud security
15.6 AI/ML Security in Cloud
- Model security
- Training data security
- Inference security
- Model theft prevention
- Adversarial ML
- ML pipeline security
- SageMaker security (AWS)
- Azure ML security
- Vertex AI security (GCP)
15.7 Edge Computing Security
- CloudFront security (AWS)
- Azure Front Door
- Cloud CDN (GCP)
- Lambda@Edge security
- Edge workload protection
- IoT edge security
16. SOFT SKILLS & CAREER
16.1 Communication Skills
- Technical writing
- Documentation
- Presenting to executives
- Stakeholder management
- Cross-team collaboration
- Explaining risk
- Security awareness training
- Incident communication
16.2 Business Skills
- Cloud cost optimization
- ROI calculation
- Risk assessment
- Business impact analysis
- Vendor management
- Budget planning
- Security roadmap creation
16.3 Team Collaboration
- Working with DevOps
- Working with developers
- Security champions program
- Cross-functional projects
- Remote collaboration
- Code reviews
- Architecture reviews
17. CERTIFICATIONS - CAREER BOOSTERS
17.1 Cloud Platform Certifications
AWS
Associate:
- AWS Certified Solutions Architect – Associate
- AWS Certified SysOps Administrator – Associate
Professional:
- AWS Certified Solutions Architect – Professional
- AWS Certified DevOps Engineer – Professional
Specialty:
- AWS Certified Security – Specialty (MUST HAVE)
- AWS Certified Advanced Networking – Specialty
Azure
Associate:
- Azure Administrator Associate
- Azure Security Engineer Associate (MUST HAVE)
Expert:
- Azure Solutions Architect Expert
- DevOps Engineer Expert
GCP
Associate:
- Associate Cloud Engineer
Professional:
- Professional Cloud Architect
- Professional Cloud Security Engineer (MUST HAVE)
- Professional Cloud DevOps Engineer
17.2 Security Certifications
Entry/Mid:
- CompTIA Security+
- (ISC)² SSCP
- CompTIA Cloud+
Advanced:
- CISSP (Certified Information Systems Security Professional)
- CCSP (Certified Cloud Security Professional) - HIGHLY RECOMMENDED
- CISM (Certified Information Security Manager)
- CISA (Certified Information Systems Auditor)
Technical:
- CEH (Certified Ethical Hacker)
- OSCP (Offensive Security Certified Professional)
- GIAC GCSA (Cloud Security Automation)
- GIAC GPCS (Public Cloud Security)
- GIAC GCPN (Cloud Penetration Tester)
17.3 DevOps/DevSecOps Certifications
- Certified Kubernetes Administrator (CKA)
- Certified Kubernetes Security Specialist (CKS)
- Docker Certified Associate
- HashiCorp Certified: Terraform Associate
- Jenkins Engineer Certification
17.4 Compliance Certifications
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Privacy Professional (CIPP)
- ISO 27001 Lead Auditor
18. HANDS-ON LABS & PRACTICE
18.1 Lab Environments
Free tiers:
- AWS Free Tier
- Azure Free Account
- GCP Free Tier
Cloud playgrounds:
- A Cloud Guru
- Linux Academy
- Qwiklabs
- Cloud Academy
- Pluralsight
Capture the Flag:
- flAWS (AWS security)
- flAWS2
- CloudGoat (vulnerable by design AWS)
- AWSGoat
- AzureGoat
- GCPGoat
- TerraGoat
- Kubernetes Goat
- OWASP ServerlessGoat
18.2 Practice Scenarios
- Build secure multi-tier architecture
- Implement Zero Trust network
- Set up SIEM and alerting
- Create security automation
- Conduct cloud security assessment
- Migrate on-prem to cloud securely
- Design disaster recovery
- Implement compliance controls
- Secure CI/CD pipeline
- Container security hardening
18.3 Resources
Books:
- “Practical Cloud Security” by Chris Dotson
- “Cloud Security and Privacy” by Tim Mather
- “Kubernetes Security” by Liz Rice & Michael Hausenblas
- “Security in AWS” by Dylan Shields
Online courses:
- A Cloud Guru Security Paths
- Linux Academy
- Udemy cloud security courses
- Coursera specializations
- SANS SEC540, SEC541, SEC549
Blogs & News:
- AWS Security Blog
- Azure Security Blog
- Google Cloud Security Blog
- tl;dr sec
- CloudSecList
- Hacking the Cloud
Communities:
- Reddit (r/aws, r/AZURE, r/googlecloud, r/netsec)
- Cloud Security Alliance
- OWASP Cloud Security
- Cloud Native Computing Foundation
- Twitter #cloudsecurity
19. CAREER PATH & SALARY
19.1 Entry Level
Cloud Security Analyst
- Security monitoring
- Compliance checks
- Vulnerability scanning
- Incident triage
- Salary: $70k-$90k
Junior Cloud Engineer (Security focus)
- Infrastructure security
- IAM management
- Security automation
- Salary: $75k-$95k
19.2 Mid Level
Cloud Security Engineer
- Security architecture
- Compliance implementation
- Security automation
- Incident response
- Salary: $110k-$150k
DevSecOps Engineer
- CI/CD security
- Container security
- IaC security
- Pipeline automation
- Salary: $120k-$160k
19.3 Senior Level
Senior Cloud Security Engineer
- Security strategy
- Architecture design
- Team mentoring
- Complex implementations
- Salary: $150k-$200k
Cloud Security Architect
- Enterprise architecture
- Multi-cloud strategy
- Zero Trust design
- Security roadmap
- Salary: $160k-$220k
19.4 Expert/Leadership
Principal Cloud Security Engineer
- Technical leadership
- Innovation
- Industry thought leader
- Complex problem solving
- Salary: $180k-$250k+
Cloud Security Manager/Lead
- Team management
- Budget ownership
- Strategy execution
- Stakeholder management
- Salary: $170k-$230k
CISO (Cloud-focused)
- Executive leadership
- Board reporting
- Enterprise strategy
- Risk management
- Salary: $200k-$400k+
19.5 Industries
- Cloud service providers (AWS, Azure, GCP, Oracle)
- Big Tech (Google, Microsoft, Amazon, Meta, Apple)
- Financial services (banks, fintech)
- Healthcare
- Government/Defense
- Consulting (Deloitte, PwC, Accenture, Big 4)
- Security vendors (Palo Alto, Check Point, CrowdStrike)
- Startups (high equity potential)
19.6 Remote Opportunities
- Extremely remote-friendly role
- Global opportunities
- Digital nomad compatible
- Flexible hours common
- High demand worldwide
SUGGESTED LEARNING PATH (18-24 MONTHS)
Months 1-3: Foundations
- Networking fundamentals
- Linux mastery
- Security fundamentals
- Python programming basics
- Choose primary cloud (AWS recommended)
Months 4-6: Cloud Platform Deep Dive
- AWS/Azure/GCP fundamentals
- Core services mastery
- Native security services
- IAM deep dive
- First certification (AWS Solutions Architect Associate or equivalent)
Months 7-9: Infrastructure as Code & Containers
- Terraform mastery
- Docker security
- Kubernetes fundamentals
- CI/CD basics
- Git workflows
Months 10-12: Security Specialization
- Cloud security services deep dive
- CSPM tools
- Compliance frameworks
- Security automation
- AWS Security Specialty or Azure Security Engineer certification
Months 13-15: Advanced Topics
- Kubernetes security (CKS certification)
- DevSecOps practices
- Advanced IAM
- Threat detection
- Incident response
Months 16-18: Multi-Cloud & Mastery
- Second cloud platform
- Multi-cloud security
- Advanced certifications (CCSP, CISSP)
- Real-world projects
- Community contribution
Months 19-24: Specialization & Leadership
- Choose specialization (containers, serverless, compliance, etc.)
- Architecture design
- Mentoring others
- Conference speaking
- Thought leadership
TIPS FOR SUCCESS
Daily Practice
- Work with the cloud console every day
- Automate something every week
- Read security blogs daily
- Follow cloud security on Twitter
- Hands-on labs continuously
Build Portfolio
GitHub:
- Security automation scripts
- Terraform modules
- Security scanning tools
- IaC examples
- Compliance automation
Blog:
- Write-ups about learnings
- Security findings
- How-to guides
- Best practices
Certifications:
- Display prominently
- Keep updated
- Multiple cloud platforms
Networking
- LinkedIn active presence
- Twitter cloud security community
- Conference attendance (AWS re:Invent, Azure Ignite, Google Next)
- Local cloud meetups
- Contribute to open source
- Join Cloud Security Alliance
Stay Current
- Cloud service updates (almost weekly)
- Security advisories
- New compliance requirements
- Emerging threats
- Tool updates
- Best practices evolution
Cost Optimization
- Learn cloud billing
- Understand pricing models
- Security ≠ expensive
- Cost-effective security
- Show ROI of security
Business Acumen
- Understand business impact
- Speak business language
- Risk quantification
- Show value, not just vulnerabilities
- Enable business, not block
Continuous Learning
- New services launched constantly
- Security landscape evolves
- Compliance changes
- Technology advances (AI, quantum, edge)
- Never stop learning
CONCLUSION
Cloud Security Engineer is an EXTREMELY HOT role today and for the next 5-10 years.
Why:
- ✅ Every company is migrating to the cloud
- ✅ Security is priority #1
- ✅ Severe shortage of skilled people
- ✅ VERY HIGH salaries ($150k-$250k+ for senior)
- ✅ The most remote-friendly role
- ✅ Global demand
- ✅ Future-proof career
- ✅ Combines many skills (dev + ops + security)
- ✅ Continuous innovation
- ✅ Large impact
Challenges:
- ⚠️ Must learn multiple cloud platforms
- ⚠️ Technology changes extremely fast
- ⚠️ Requires continuous learning
- ⚠️ High complexity
- ⚠️ Occasional on-call duty (incident response)
Perfect for you if:
- 💡 Like coding AND security
- 💡 Enjoy automation
- 💡 Love learning new tech
- 💡 Good problem solver
- 💡 Adaptable
- 💡 Business-minded
- 💡 Team player
This is the GOLDEN path in cybersecurity today! 🚀☁️🔒