Cloud Security Core Track
Secure modern infrastructure. Master AWS, Azure, GCP, Kubernetes security, and Infrastructure as Code.
Duration
3 Months · 12 Weeks
Weeks
12
Modules
84
Access
Curriculum
Cloud Platforms and Security Architecture
4w · 28 modules
AWS Security Deep Dive
IAM · VPC · CloudTrail · S3 security
AWS Security Architecture — The Complete Security Model
Shared responsibility in depth, AWS security services overview, how the major services interconnect from a security perspective.
IAM Mastery — Users, Roles, Policies, Permission Boundaries, SCPs
Writing least-privilege IAM policies, understanding trust relationships, SCPs for multi-account governance.
VPC Security — Security Groups, NACLs, Flow Logs, PrivateLink
Network segmentation in AWS, designing secure VPC architectures, analysing VPC flow logs for threats.
S3 Security — Bucket Policies, Encryption, Access Logs, and Replication Security
Preventing public buckets, enforcing encryption, detecting unauthorised access, S3 access log analysis.
CloudTrail, Config, and GuardDuty — AWS Native Detection Services
Enabling and tuning AWS detection services, understanding GuardDuty findings, Config rules for compliance.
AWS Security Hub — Centralising and Prioritising Security Findings
Aggregating findings from GuardDuty, Inspector, Macie, Config — building a unified security view.
Week 1 Lab — Secure a Misconfigured AWS Environment Using AWS Security Best Practices
Students audit and remediate a deliberately misconfigured AWS account. Full before/after security posture report.
Azure and Microsoft Security Stack
Entra ID · Defender for Cloud · Sentinel
Azure Security Architecture — Resource Groups, Management Groups, and Policy
Azure governance model, Azure Policy for compliance, Blueprints, landing zone security architecture.
Entra ID (Azure AD) Security — Conditional Access, PIM, and Identity Protection
Designing Conditional Access policies, Privileged Identity Management, risky user and sign-in detection.
Microsoft Defender for Cloud — CSPM and Workload Protection
Secure Score, regulatory compliance, Defender plans for VMs, containers, databases, and storage.
Microsoft Sentinel — SIEM and SOAR in Azure
Workspace setup, data connectors, analytics rules, playbooks — building a full SIEM on Azure from scratch.
Azure Network Security — NSGs, Azure Firewall, DDoS Protection, WAF
Layered network security in Azure, designing hub-and-spoke architectures, WAF rules for application protection.
Microsoft 365 Security — Defender for M365, DLP, Information Protection
Securing the M365 estate: email protection, DLP policies, sensitivity labels, insider risk management.
Week 2 Lab — Build and Secure an Azure Environment From Scratch
Students build a small Azure environment and apply all security controls — Entra ID, Defender, Sentinel, network security.
GCP Security and Multi-Cloud Posture Management
GCP IAM · Chronicle · CSPM tools
Google Cloud Security Architecture — Projects, Organisations, and Folders
GCP resource hierarchy, IAM in GCP vs AWS vs Azure, organisation policies, VPC Service Controls.
GCP Security Services — SCC, Cloud Armor, Binary Authorization
Security Command Center, Cloud Armor WAF and DDoS, Binary Authorization for container supply chain security.
Cloud Security Posture Management — Wiz, Orca, Prisma Cloud, and Open Source Tools
How CSPM tools work, what they find, open-source alternatives (ScoutSuite, Prowler), interpreting CSPM findings.
Multi-Cloud Security Strategy — Consistent Controls Across AWS, Azure, and GCP
Designing controls that work across clouds, CNAPP concepts, cloud-agnostic security architecture principles.
Cloud Infrastructure Entitlement Management — CIEM and IAM Governance at Scale
Identifying over-permissioned identities across thousands of cloud resources, right-sizing access at scale.
Cloud Compliance Frameworks — SOC 2, ISO 27001, PCI DSS, and India DPDP Act
How major compliance frameworks apply to cloud environments. India's DPDP Act implications for cloud-hosted data.
Month 1 Capstone — Multi-Cloud Security Assessment and Remediation Plan
Students assess security posture across AWS and Azure environments and produce a prioritised remediation report.
Container and Kubernetes Security
Docker security · K8s hardening · Supply chain
Container Security Fundamentals — Docker Security Model and Common Mistakes
Image vulnerabilities, privileged containers, exposed Docker sockets, secrets in environment variables.
Container Image Scanning — Trivy, Snyk, and AWS ECR Image Scanning
Scanning images for CVEs, base image hygiene, Dockerfile best practices, distroless and minimal base images.
Kubernetes Security — RBAC, Network Policies, Pod Security Standards
K8s RBAC design, network segmentation between pods, enforcing pod security, secrets management in K8s.
Kubernetes Threat Detection — Falco, Audit Logs, and Runtime Security
Runtime threat detection with Falco, K8s audit log analysis, detecting container escapes and lateral movement.
Supply Chain Security — SBOM, Sigstore, and Software Provenance
Software Bill of Materials, signing container images with Cosign, SLSA framework, dependency vulnerability management.
Service Mesh Security — Istio and mTLS for Zero Trust Within K8s
Mutual TLS between services, Istio security policies, east-west traffic control inside Kubernetes clusters.
Week 4 Lab — Audit and Harden a Kubernetes Cluster
Students audit a misconfigured K8s cluster, identify risks, apply RBAC and network policies, and document findings.
DevSecOps, Detection and Advanced Security Engineering
4w · 28 modules
DevSecOps and Secure CI/CD Pipelines
GitHub Actions · SAST · DAST · Secrets scanning
DevSecOps Philosophy — Shifting Security Left Without Slowing Teams Down
The cultural and technical shift, security champions model, how to embed security into developer workflows.
SAST — Static Application Security Testing in Pipelines
Semgrep, SonarQube, Bandit for Python — integrating SAST into GitHub Actions, triaging SAST findings.
DAST — Dynamic Testing in CI/CD Pipelines
OWASP ZAP in automation mode, integrating DAST into deployment pipelines, baseline vs full scans.
Secrets Detection — Trufflesecurity, GitLeaks, and GitHub Advanced Security
Finding secrets committed to code, pre-commit hooks, secret rotation after exposure, preventing future leaks.
Infrastructure as Code Security — Checkov, tfsec for Terraform and CloudFormation
Scanning IaC templates before deployment, writing secure Terraform modules, policy-as-code with OPA.
Dependency Management and SCA — Snyk, Dependabot, and OSS Risk
Software Composition Analysis, managing open source risk, licence compliance, exploitable dependency alerts.
Week 5 Lab — Build a Fully Secured CI/CD Pipeline With All Security Gates
Students build a GitHub Actions pipeline with SAST, DAST, secrets scanning, image scanning, and IaC scanning integrated.
Cloud Detection and Incident Response
Cloud IR · Log analysis · Threat hunting in cloud
Cloud Incident Response Lifecycle — How Cloud IR Differs From Traditional IR
Volatility in cloud (snapshots vs live), evidence preservation, cloud provider collaboration, IR tooling.
AWS Threat Hunting — Using CloudTrail, Athena, and Security Lake
Querying CloudTrail with Athena, AWS Security Lake for centralised security data, hunting attacker behaviour in AWS logs.
Automated Remediation — Lambda Functions for Security Response
Building Lambda-based automated responses: auto-quarantine compromised instances, auto-revoke leaked keys.
Cloud Security Automation With Python and Terraform
Python boto3 for AWS security automation, Terraform for deploying security controls at scale.
DDoS Protection and WAF Management in Cloud Environments
AWS Shield, Azure DDoS, Cloudflare — DDoS response, WAF rule management, bot protection strategies.
Secrets Management — AWS Secrets Manager, HashiCorp Vault, Azure Key Vault
Centralising secrets, automatic rotation, application integration patterns, auditing secret access.
Week 6 Lab — Detect, Contain, and Remediate a Simulated Cloud Breach
Full cloud IR scenario — students detect an intrusion in AWS, contain the compromised resources, and eradicate access.
Zero Trust Architecture and Month 2 Capstone
Zero Trust · Threat modelling · Architecture design
Zero Trust Architecture — NIST 800-207 and BeyondCorp Model
Core ZTA principles, identity-centric security, micro-segmentation, continuous verification — implementing ZTA with cloud-native tools.
Zero Trust Network Access — ZTNA vs VPN, Implementing ZTA for Remote Workforces
ZTNA vendors, Cloudflare Access, Zscaler Private Access — replacing legacy VPN with identity-aware access in cloud environments.
Cloud Security Architecture Review — Threat Modelling with STRIDE and PASTA
Formal threat modelling frameworks applied to cloud architectures. DFD creation, threat enumeration, risk prioritisation.
Well-Architected Framework Security Pillar — AWS, Azure, and GCP Versions
Applying cloud provider Well-Architected principles to security design. Running Well-Architected reviews and producing improvement plans.
Data Security in Cloud — Encryption at Rest, in Transit, Key Management
AWS KMS, Azure Key Vault, GCP Cloud KMS — envelope encryption, customer managed keys, data loss prevention.
Month 2 Assessment — Advanced Cloud Security Practice Exam
Comprehensive knowledge test covering DevSecOps, Cloud IR, and Zero Trust concepts to prepare for the capstone challenge.
Month 2 Capstone — Enterprise Secure Cloud Design and Deployment Challenge
Students receive a complex infrastructure brief, write a secure Terraform blueprint, deploy it to a staging sandbox, and defend it.
Advanced Cloud Defense and Infrastructure Hardening
Immutable infra · Cloud compliance · Service mesh
Immutable Infrastructure and Golden Image Pipelines
Building hardened base images with Packer, automating compliance testing with InSpec, managing image lifecycles at scale.
Advanced Network Security — Transit Gateways and Private Cloud Interconnects
Designing secure multi-region networks, deep inspection via centralized firewalls, AWS Transit Gateway architectures.
Cloud-Scale Logging Architecture — Centralized Security Accounts
Designing cross-account log aggregation paths, enforcing write-once storage rules (S3 Object Lock), log lifecycle management.
Serverless Security Deep Dive — Lambda and Container Security
Hardening serverless applications, evaluating function runtime permissions, locking API gateways down using authentication filters.
Policy as Code Enforcement with Open Policy Agent (OPA)
Writing admission control policies for Kubernetes, preventing non-compliant IaC commits, Rego language fundamentals.
Continuous Compliance Monitoring and Automated Remediation Pipelines
Configuring AWS Config rules, Azure Policies, and GCP Security Health Analytics to auto-remediate configuration drift.
Week 8 Lab — Deploy an Advanced Multi-Account Secure Infrastructure Blueprint
Students build and launch an audited, compliant landing zone across a simulated multi-account corporate framework.
Real-World Multi-Cloud Deployments, Certifications and Industry Readiness
4w · 28 modules
Enterprise Cloud Migration and Hybrid Architectures
Cloud migration paths · Hybrid setups · Legacy integration
Secure Cloud Migration Strategies — Rehost, Replatform, Refactor
Analyzing security implications of moving enterprise systems from bare-metal to public cloud infrastructure models.
Hybrid Cloud Connectivity Security — IPSec VPN vs Direct Connect
Designing encrypted, high-availability data tunnels between physical enterprise data centers and public VPC fabrics.
Legacy Identity Integration — Active Directory to Entra ID / AWS IAM
Securely configuring hybrid directory syncing, identity federation, SAML, and single sign-on flows.
Database Security and Data Masking in the Cloud
Hardening RDS and NoSQL systems, configuring dynamic data masking, and setting up automated database access token rotation.
Cloud Cost Optimization and Security Intersection
Using cost anomaly detection dashboards to discover rogue cryptomining activities and unallocated orphan resources.
Architecting for Disaster Recovery and High Availability Security
Designing secure multi-region backup failovers, validating cryptographic checksums on snapshots, and managing cross-region keys.
Week 9 Lab — Execute a Secure Database and Application Migration to AWS
Students safely lift-and-shift a vulnerable on-premises application system to an audited, firewalled cloud landing architecture.
Cloud Security Portfolio and Professional Interview Readiness
Portfolio building · Mock interviews · Indian cloud market context
Crafting the High-Impact Cloud Security Resume
Highlighting architectural milestones, structural tools, and multi-cloud configurations for Indian and global enterprises.
Top 40 Cloud Security Technical Interview Scenarios and Case Breakdowns
Deep-dive preparation for common system architecture design tests, policy validation rounds, and scenario-based technical evaluations.
Building a Public Engineering Portfolio — GitHub Blueprints and Architecture Blogs
Publishing secure, documented reusable Terraform models and documenting advanced lab achievements on open channels.
Cloud Security Professional Certification Landscape
Analyzing and evaluating paths toward AWS Security Specialty, Microsoft AZ-500, CCSP, and native ecosystem badges.
The Cloud Security Engineering Career Matrix
Exploring professional evolution scales from Associate Cloud Engineer up to Cloud Security Architect or Principal DevSecOps Advisor.
Industry Engagement and Cloud Security Communal Ecosystems
Connecting with working groups, local security meetups, global user groups, and enterprise bug bounty platforms.
Week 10 Lab — Live Multi-Cloud Architectural Defense Mock Interview
45-minute live technical review where students must defend their deployed cloud design choices against complex threat variables.
ZCS Certification Prep and Sandbox Simulations
Comprehensive review · Architecture design labs · Mock exams
ZCS Examination Matrix and Performance Standards
Detailed operational overview of the dual-threat exam: 90-minute core knowledge evaluation and a multi-cloud practical security challenge.
Comprehensive Review Block 1 — Multi-Cloud Control Frameworks
Accelerated synthesis of AWS, Azure, and GCP identity governance structures, network borders, and monitoring frameworks.
Comprehensive Review Block 2 — DevSecOps, Containers, and Incident Systems
Review of CI/CD integration, Kubernetes security baselines, and cross-account threat detection pipelines.
ZCS Knowledge Base Assessment Simulation
Full-length proctored mock exam under strict timed parameters with immediate score review and structural answer analysis.
ZCS Practical Lab Prep — Comprehensive Multi-Cloud Sandbox Challenge
Rigorous full-scale technical simulation forcing students to evaluate, harden, and defend an unstable infrastructure landscape.
Targeted Knowledge Recovery and Guided Fix Sessions
Personalized mentor check-ins designed to break down weak technical areas uncovered during the runtime simulation evaluations.
Exam-Day Execution Architecture and Blueprint Strategy
Effective strategies for handling complex architectural challenges, managing validation cycles, and optimizing deployment speeds.
ZCS Certification Exam and Graduation
Exam · Certification · Placement launch
ZCS Theory Exam — 50 Questions, 90 Minutes
Proctored theory examination covering all 3 months. Questions span AWS, Azure, GCP, DevSecOps, containers, Zero Trust, and compliance. Pass mark: 70%.
ZCS Architecture Design Challenge — 2-Hour Secure Cloud Design
Proctored design challenge: students receive a business brief and must produce a complete, secure cloud architecture with written justification.
ZCS Practical Lab — 4-Hour Cloud Security Assessment and Remediation
Proctored practical: students assess a misconfigured multi-cloud environment, remediate critical findings, and submit a full posture report.
ZCS Certificate Issued — Zharnyx Cloud Security Certification
Digital certificate with unique ID and QR verification. Distributed to hiring partners. LinkedIn post template and AWS/Azure community share guide.
Placement Kickoff — Profile Submission to Zharnyx Hiring Partners
Resume reviewed and submitted to cloud security hiring partner network. Interview scheduling begins within 5 working days of certification.
Graduation — Cohort Celebration and Zharnyx Dragons Alumni Badge
Cohort graduation session, alumni Discord access, mentorship continuity for 90 days, Zharnyx Dragons badge for LinkedIn and GitHub profiles.
Continuous Learning Path — From ZCS to AWS Security Specialty, CCSP, and Beyond
AWS Security Specialty exam roadmap, CCSP study guide, GCP Professional Cloud Security Engineer path, advanced cloud red team learning resources.