⛨ CloudSecOps 90-Day Learning Path

What CloudSecOps means

CloudSecOps merges cloud operations with security engineering to protect cloud-native workloads. It covers the full spectrum from infrastructure provisioning security (IaC scanning) through runtime workload protection (CWPP) and continuous posture assessment (CSPM). Practitioners ensure that cloud accounts, services, and workloads remain compliant and hardened as they scale.

Who should follow this path

• Cloud engineers who want a security specialization
• Security engineers expanding into cloud environments
• DevSecOps engineers focused on cloud-native stacks
• Compliance teams managing cloud regulatory requirements
• Platform engineers operating multi-cloud infrastructure

Prerequisites

• Working knowledge of AWS, Azure, or GCP services
• Experience with Terraform or CloudFormation
• Familiarity with IAM concepts (roles, policies, permissions)
• Basic Kubernetes knowledge
• Understanding of network security (VPCs, security groups)

The 90-day plan

Daily study recommendation: 2-3 hours/day, six days a week. Consistency beats intensity — block the time in your calendar like a meeting.

Days 1–15: Foundation

• Shared responsibility model across AWS/Azure/GCP
• Cloud threat landscape and common attack paths
• Cloud IAM fundamentals: least privilege, RBAC
• Cloud security benchmarks (CIS Foundations)
• Cloud audit logging overview (CloudTrail, Azure Monitor)

Outcome: Articulate the shared responsibility model and identify key cloud security risk areas.

Days 16–30: Core concepts

• CSPM with Prowler and AWS Security Hub
• IaC scanning with Checkov and tfsec
• S3 bucket and storage hardening
• VPC security: NACLs, security groups, VPC Flow Logs
• Cloud IAM audit with IAM Access Analyzer

Outcome: Run automated cloud posture assessments and remediate misconfigurations across core cloud services.

Days 31–45: Tools and workflows

• Container and Kubernetes security in cloud (EKS/GKE/AKS)
• Cloud workload protection platforms (CWPP) overview
• GuardDuty and Defender for Cloud threat detection
• Runtime security with Falco on cloud-hosted Kubernetes
• Cloud secrets management (AWS Secrets Manager, Azure Key Vault)

Outcome: Deploy runtime threat detection and workload protection controls on cloud Kubernetes clusters.

Days 46–60: Hands-on projects

• Multi-cloud security architecture patterns
• Cloud network segmentation and micro-segmentation
• Data security: encryption at rest and in transit
• Cloud DLP fundamentals (Macie, Google DLP)
• Serverless security considerations (Lambda, Cloud Functions)

Outcome: Design secure multi-cloud network architectures with data protection controls.

Days 61–75: Advanced practices

• Compliance automation: CIS, SOC2, PCI-DSS in cloud
• Cloud governance with AWS Config and Azure Policy
• Security automation with EventBridge and Lambda
• Incident response in cloud environments
• Cloud forensics: snapshot analysis and log forensics

Outcome: Automate continuous compliance checking and execute cloud incident response procedures.

Days 76–90: Portfolio, interview & certification prep

• Build a multi-cloud security dashboard project
• Preparing for AWS Security Specialty and CCSP exams
• CloudSecOps interview questions and case studies
• Cloud security metrics and KPI frameworks
• Contributing to cloud security open-source tools

Outcome: Complete a portfolio cloud security project and be ready for CloudSecOps engineer interviews.

Weekly outcomes at a glance

Phase	Outcome
Days 1–15	Articulate the shared responsibility model and identify key cloud security risk areas.
Days 16–30	Run automated cloud posture assessments and remediate misconfigurations across core cloud services.
Days 31–45	Deploy runtime threat detection and workload protection controls on cloud Kubernetes clusters.
Days 46–60	Design secure multi-cloud network architectures with data protection controls.
Days 61–75	Automate continuous compliance checking and execute cloud incident response procedures.
Days 76–90	Complete a portfolio cloud security project and be ready for CloudSecOps engineer interviews.

Tools to learn

• Prowler
• Checkov
• AWS Security Hub
• AWS GuardDuty
• Microsoft Defender for Cloud
• Falco
• tfsec
• AWS IAM Access Analyzer
• HashiCorp Vault
• AWS Macie
• Orca Security
• Wiz

Labs to practice

• Terraform AWS EC2
• Trivy Container Scan
• Kubernetes Deployment with Helm

Mini projects

• Deploy Prowler against an AWS account and produce a CIS benchmark remediation report
• Build an automated IaC security gate using Checkov in a Terraform CI pipeline
• Create a GuardDuty + Lambda auto-remediation workflow for common cloud misconfigurations

Interview questions to prepare

1. What is the difference between CSPM and CWPP?
2. How do you enforce least-privilege IAM policies at scale in AWS?
3. Explain how you would detect and respond to a compromised cloud access key.
4. What security controls would you apply to an S3 bucket storing sensitive data?
5. How does AWS GuardDuty differ from AWS Security Hub?
6. Describe a secure architecture for a multi-cloud Kubernetes deployment.
7. How do you automate compliance checks for CIS benchmarks in a cloud environment?
8. What is the shared responsibility model and how does it change with managed services?

Certification suggestions

• AWS Certified Security Specialty — AWS
• Certified Cloud Security Professional (CCSP) — (ISC)²
• Google Professional Cloud Security Engineer — Google Cloud
• Microsoft Certified: Security Operations Analyst Associate — Microsoft

Browse the full certification registry for exam details and official links.

Free resources

• Prowler AWS Security Tool
• Checkov IaC Scanner Docs
• AWS Security Best Practices
• CIS Benchmarks (free PDFs)
• Cloud Security Alliance Resources

Related roadmaps

• Security Engineer Roadmap
• DevSecOps Engineer Roadmap
• Cloud Engineer Roadmap

Related tool categories

• Cloud Security Posture Management Tools
• Security Tools
• Container Security Tools
• Policy as Code Tools
• Secrets Management Tools
• Infrastructure as Code Tools