Learning Track · 20 modules

Attacker Mindset — Cloud

Shared responsibility reality, IAM sprawl, metadata endpoints, K8s + serverless + supply chain, data exposure, cloud-specific detection.

Why this track

This track walks you from fundamentals through advanced techniques across 20 practitioner modules — the same body of knowledge senior security professionals build over years, structured for self-paced progression with India-specific context throughout.

Prerequisite: See module 1 for entry context. Most modules are self-contained but follow the suggested sequence for best results.
Modules: 20
Total time: 16.3 h
Free modules: 20
Quiz retries
Difficulty mix: Beginner · 1, Intermediate · 13, Advanced · 5, Expert · 1

Module sequence

M1
The Shared Responsibility Illusion
Cloud providers secure infrastructure; customers secure configuration. Every breach happens on the customer side.
Beginner 60 min
M2
Cloud IAM — Where Most Breaches Live
Wildcard permissions, iam:PassRole privesc, cross-account trust, Pacu, PMapper. IAM is the hardest part of cloud security.
Intermediate 75 min
M3
Metadata Endpoints — Still the Killer Chain
169.254.169.254, Capital One, IMDSv1 vs v2, container metadata, K8s service accounts. SSRF → cloud takeover.
Intermediate 75 min
M4
Cross-Account Trust Attacks
Overly broad Principal, confused deputy, External ID, Azure Lighthouse. MSSP compromise cascades.
Advanced 90 min
M5
Kubernetes — The Platform That Multiplies Attack Surface
Pod → node → cluster, service account tokens, RBAC paths, exposed kubelet/etcd. kube-hunter, peirates.
Advanced 90 min
M6
Serverless — New Surface, Not Smaller Surface
Lambda role credential theft, event source injection, dep vulns, supply chain. Serverless shifts attack surface.
Advanced 90 min
M7
Cloud Supply Chain — CI to Production
Codecov, CircleCI, SolarWinds patterns in cloud. OIDC federation, least-priv deploy roles, pinned artifacts.
Advanced 90 min
M8
Public Data Stores — The Classic
Public S3, open GCS, anonymous Azure Blob. Continues in 2026 despite a decade of awareness.
Intermediate 75 min
M9
Cloud Detection — Different Telemetry, Different Rules
CloudTrail, Activity Log, Audit Log. Identity-first detection. GuardDuty/Defender/SCC. Maturity model.
Advanced 90 min
M10
Multi-Cloud — The Complexity Tax
Per-cloud skill, divergent defaults, N × CSPM. Multi-cloud without investment = weaker overall security.
Expert 90 min
M11
The Shared-Responsibility Asymmetry
AWS shared-responsibility model: AWS handles “security of the cloud.” You handle “security in the cloud.” Clear chart. What’s missing: the gap. You assume AWS handles X. AWS assumes you handle X. X is unhandled. Examples: instance metadata visible to anyone on the VM. AWS made it work; you must restrict it. The mindset: read both […]
Intermediate 15 min
M12
Every Cloud Service Has an IAM Trap
AWS has 300+ services. Each has actions. Combinations create privilege escalation. iam:PassRole + ec2:RunInstances + the right role = root access. “Innocent” permissions combine into catastrophic ones. Tools like Cloudsplaining map them. The mindset: never grant broad permissions. Grant specific actions on specific resources. Audit combinations periodically.
Intermediate 15 min
M13
Region Isolation Is a Trust Decision
AWS regions are physically separate data centres. But your IAM is global. A user with ec2:* permission has it in every region. Attackers spin up instances in regions you don’t monitor. Crypto mining in ap-east-1 while you watch us-east-1. The mindset: enabled regions = monitored regions. Org policy: SCP that denies actions in unused regions.
Intermediate 15 min
M14
Console vs API Visibility Gap
AWS console shows curated views. Some resources only visible via API. Some metadata not in console. Attackers operate via API. They see what console hides. Defender visibility gap. The mindset: audit via Config Rules / Cloud Asset Inventory, not console clicks. The console is for humans; the API is for completeness.
Intermediate 15 min
M15
Account Boundaries Are Negotiable
“Account boundaries protect us.” They do — until you create cross-account roles. Or federate identity. Or assume a role for a SaaS vendor. Each is a hole in the boundary. Each requires explicit authorisation. Most enterprises grant; few audit. The mindset: account boundary = sum of cross-account access. Inventory + audit quarterly.
Intermediate 15 min
M16
IAM Policies Are Contracts
An IAM policy is a contract. Effect: Allow on Action: * is a blank-cheque clause. Resource: * with NotAction negation is an “everything except” clause. Attackers read policies as contracts. Find the over-broad clauses. Exploit. The mindset: review IAM policies like legal contracts. What’s allowed? What’s explicitly denied? What’s implicitly allowed?
Intermediate 15 min
M17
Cloud Logs Have Detection Gaps
CloudTrail records management plane by default. Data plane (S3 reads) requires explicit data events. Most teams skip it for cost. Result: attacker reads sensitive S3 buckets; no log entry. Defender has no evidence post-breach. The mindset: enabling all logs is expensive. Enabling none is more expensive. Tier by sensitivity.
Intermediate 15 min
M18
The Tenant-of-One Assumption
Multi-tenant cloud: same physical hardware, different tenants. Side channels exist. Cross-tenant attacks researched (Spectre/Meltdown class). Most are theoretical or patched. Some succeed. The assumption “I’m the only tenant on this VM” is wrong; the assumption “tenant boundary is impervious” is sometimes wrong. The mindset: high-stakes workloads → confidential computing or single-tenant variants where available.
Intermediate 15 min
M19
Cloud Audit Trail Forensics
Cloud audit logs are richer than on-prem. Every API call. Identity, source, resource, action. With CloudTrail Lake or BigQuery, queryable for years. Forensic discipline: log to a separate logging account. Object Lock on the bucket. Cross-region replication. Otherwise: attacker disables logging early in attack. The mindset: cloud audit logs deserve their own account, their own […]
Intermediate 15 min
M20
Cost as Security Signal
Cost anomaly: 10x normal compute spend overnight. Could be: new feature launched. Could be: crypto mining instance spun up by attacker. The cost-anomaly alert is a security signal in disguise. AWS Cost Anomaly Detection, Azure Cost Anomaly, GCP recommendations all available. The mindset: integrate billing alerts with security ops. Unusual cost = investigate, don’t just […]
Intermediate 15 min

Common questions about this track

How long will this track take me?

Most learners finish in 4-8 weeks at a sustainable 4-5 hours per week. Modules are self-paced so you can move faster or slower as life allows.

Do I need prior experience?

Module 1 sets the entry baseline. The first module is always free; if it feels approachable, the track is for you.

Will this prepare me for industry certifications?

Most modules align with the body of knowledge tested by senior security certifications. The Academy is not a cert-prep course but produces working knowledge that transfers to any cert exam in the same domain.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
