Cloud Security
AWS/Azure/GCP security controls, IAM policies, CSPM, container security, shared responsibility model.
What is Cloud Security?
Cloud security is the discipline of protecting data, applications, and infrastructure hosted in cloud environments — whether public (AWS, Azure, GCP), private, or hybrid. As organizations migrate critical workloads to the cloud, the attack surface shifts from on-premises networks to cloud control planes, identity systems, storage buckets, and API endpoints. Misconfigurations — not sophisticated exploits — remain the leading cause of cloud breaches.
The shared responsibility model is the foundational concept: cloud providers secure the infrastructure (physical data centers, hypervisors, network fabric), while customers are responsible for securing their configurations, data, identity, and applications. This boundary varies by service model — IaaS customers manage more than PaaS or SaaS customers — and misunderstanding the boundary is a primary source of security failures.
Cloud Security Posture Management (CSPM) tools continuously scan cloud environments for misconfigurations and compliance violations. Cloud Workload Protection Platforms (CWPP) secure containers, serverless functions, and virtual machines. Cloud Infrastructure Entitlement Management (CIEM) addresses the identity explosion in cloud environments where overprivileged service accounts and roles create massive lateral movement opportunities. Kubernetes security, infrastructure as code scanning, and cloud-native application protection platforms (CNAPP) represent the cutting edge of the field.
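The misconfiguration theme above (an exposed bucket, an overprivileged role) and the CSPM/CIEM checks that catch it are easier to see in code. The following Python script is an added example written for this page; it is not code from any named CSPM or CIEM product. It applies a handful of static checks to AWS IAM and S3 bucket policy documents and runs them over four constructed policies: a public bucket policy beside its restricted version, and an administrator-style role policy beside a least-privilege rewrite. The account ID, bucket name and role names are made up for illustration.

```python
"""CSPM/CIEM-style static checks for AWS policy documents. Added example for this
page, not code from any named product; every policy, account ID, bucket and role
name below is constructed."""
import json


def _as_list(value):
    """IAM JSON accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True if the Principal admits any caller, including anonymous requests."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_policy(policy, resource_policy=False):
    """Return (finding_code, statement_id) pairs for an identity policy, or for a
    bucket policy when resource_policy=True. Only Allow statements are examined;
    Deny can only narrow access and is left to a full access-path evaluation."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        # Allow + NotAction grants every action except those listed: almost always a mistake.
        if "NotAction" in stmt:
            findings.append(("ALLOW_NOTACTION", sid))
        # Action "*" on Resource "*" is an administrator policy; "svc:*" is a service-wide grant.
        if "*" in actions and "*" in resources:
            findings.append(("FULL_ADMIN", sid))
        elif "*" in actions or any(a.endswith(":*") for a in actions):
            findings.append(("ACTION_WILDCARD", sid))
        # iam:PassRole on every role lets the caller hand any role, admin ones included,
        # to compute it can launch: a classic privilege-escalation path.
        if "iam:passrole" in actions and "*" in resources:
            findings.append(("PASSROLE_ANY_ROLE", sid))
        # In a bucket policy an anonymous principal is the "public bucket"; a Condition
        # (source VPC endpoint, source IP) lowers the severity but does not clear it.
        if resource_policy and _principal_is_public(stmt.get("Principal")):
            code = "PUBLIC_PRINCIPAL_CONDITIONED" if stmt.get("Condition") else "PUBLIC_PRINCIPAL"
            findings.append((code, sid))
    return findings


# Constructed: a bucket policy that makes every object world-readable.
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data-bucket/*"}]}

# Same bucket, readable only by one role in the account (account ID and role are made up).
PRIVATE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data-bucket/*"}]}

# Constructed: an overprivileged role policy of the kind CIEM tooling hunts for.
OVERPRIVILEGED_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DoEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "PassAnyRole", "Effect": "Allow",
     "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"}]}

# The same role trimmed to what the workload needs: one bucket, one passable role, one service.
LEAST_PRIVILEGE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-data-bucket", "arn:aws:s3:::example-data-bucket/*"]},
    {"Sid": "PassOneRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/worker",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}


def audit_all():
    """Lint the four constructed documents, weak and hardened versions side by side."""
    return {
        "public_bucket": lint_policy(PUBLIC_BUCKET_POLICY, resource_policy=True),
        "private_bucket": lint_policy(PRIVATE_BUCKET_POLICY, resource_policy=True),
        "overprivileged_role": lint_policy(OVERPRIVILEGED_ROLE_POLICY),
        "least_privilege_role": lint_policy(LEAST_PRIVILEGE_ROLE_POLICY),
    }


if __name__ == "__main__":
    print(json.dumps(audit_all(), indent=2))
```

Running the script prints the findings as JSON: the public bucket and the overprivileged role each produce findings, their hardened counterparts produce none. `lint_policy` works on any document pulled with `aws iam get-policy-version` or `aws s3api get-bucket-policy`. The checks are deliberately static: they do not evaluate Deny statements, permission boundaries, service control policies or S3 Block Public Access, any of which can neutralise a finding, so treat the output as a prioritised review list rather than proof of exposure. That gap between "the policy looks bad" and "the data is reachable" is what separates a misconfiguration scanner from a real access-path analysis, and it is the gap CIEM products exist to close.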
Why it matters
The cloud is now the default deployment target for most organizations. A single misconfigured S3 bucket or overprivileged IAM role can expose millions of records. Cloud security skills are no longer optional for any security professional.
Cloud security extends every traditional security domain — network, identity, application, and data security — into cloud-native architectures. It requires understanding both the provider's controls and the customer's responsibilities.
People shaping this field
Researchers and practitioners worth following in this space.
Cloud security architect, AWS security open-source contributor
Cloud security researcher, creator of flaws.cloud
Cloud security practitioner and writer on pragmatic security
Curated resources
Authoritative sources we ground Cloud Security questions in — frameworks, research, guides, and tools.
CSA Cloud Controls Matrix (CCM) v4
197 control objectives across 17 domains. Maps to major standards (ISO 27001, NIST, PCI DSS). The primary cloud security control framework.
CSA Top Threats to Cloud Computing (Pandemic Eleven)
Peer-ranked cloud threats. The shift from infrastructure issues to identity, access, and misconfiguration reflects cloud maturity. Good for questions that test threat prioritization.
NSA/CISA Top 10 Cybersecurity Misconfigurations
Based on real red/blue team assessments. Includes default configurations, improper privilege separation, lack of network segmentation. Excellent for practical scenario questions.
Cloud Security Alliance — Cloud Controls Matrix (CCM)
Cloud-specific control framework with 197 controls across 17 domains. Mapped to NIST 800-53, ISO 27001, PCI DSS, GDPR. The reference for cloud-architecture control questions.
AWS Well-Architected Framework — Security Pillar
AWS best practices for designing and operating secure workloads in the cloud. Covers IAM, detection, infrastructure protection, and incident response.
CIS Benchmarks
Consensus-based security configuration guides for 100+ technologies. The industry standard for hardening systems.
Cloud Security Alliance (CSA) Guidance
Comprehensive guidance for cloud security best practices. Covers architecture, governance, compliance, and operations.
Roles where this matters
Career paths where this domain shows up as core or recommended.
Ethically hack systems to find vulnerabilities before attackers do. Offensive security requires deep technical knowledge.
Design, build, and maintain security infrastructure. The architects of an organization's defensive posture.
Secure cloud infrastructure across AWS, Azure, and GCP. Specialize in the shared responsibility model and cloud-native controls.
Embed security into the software development lifecycle. Shift left to catch vulnerabilities before they reach production.
Lead security strategy, communicate risk to the board, and build security programs. Executive-level cybersecurity leadership.
Design and operate the identity fabric that every other control inherits. Federated identity, MFA/passkeys, PAM, identity governance, and the policy glue between them.
A hybrid role growing out of the realisation that SOCs need engineers who understand cloud-native telemetry, IAM-first threat models, and how to instrument AWS/Azure/GCP for detection.
Senior design role — defines how pillar A components fit together across identity, crypto, network, cloud, and data — and, increasingly, how pillar C bolts into it.
Owns the end-to-end find → prioritize → fix → verify loop at scale, now increasingly AI-driven.
Secures the platform that trains, stores, and serves ML models — multi-tenant GPU isolation, pipeline integrity, feature-store hygiene, secrets management in ML workflows.
External-first role: inventories what an attacker can see, tracks what's new, and drives closure through the org. The outside-in counterpart to vuln management.
Embedded in a product team — owns threat modelling, secure design, libraries, dependency risk, and increasingly the AI-specific hardening of LLM features the product ships.
Certifications that signal this domain
Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.
Core coverage
Amazon Web Services Certified Cloud Practitioner
Amazon Web Services Certified Security - Specialty
The AWS Security Specialty is AWS's most demanding security certification and requires solid practical experience with AWS workloads. It covers a broad spectrum: from IAM and data encryption to incident response, logging, and compliance. The practical relevance is high; pure textbook candidates typically fail. The certification has high market value potential, as it is regarded as proof of quality for security architects in cloud environments. Important: Version SCS-C02 was superseded in December 2025; SCS-C03 is now current.
Amazon Web Services Certified Solutions Architect - Associate
Amazon Web Services Certified Solutions Architect - Professional
AWS Certified Security — Specialty (SCS-C02)
Deep AWS security: IAM, data protection, detection, incident response within AWS primitives.
Microsoft Azure Administrator Associate
Microsoft Azure Solutions Architect Expert
Microsoft Certified: Azure Security Engineer Associate
Azure-native security engineering: Entra ID, network controls, Defender, Sentinel.
Mile2 Certified Cloud Security Officer
CompTIA SecurityX (formerly CASP+)
CompTIA's SecurityX (formerly CASP+, current exam code CAS-005) is one of the few vendor-neutral advanced certifications for technical security experts without management focus. It deliberately positions itself as a technical alternative to CISSP and is recognized by DoD and US government agencies as an 8570-compliant credential, which is a real advantage in government environments. In the private sector, market perception is mixed: CISSP clearly dominates job postings, but SecurityX provides a credible signal for technically deep skills. The pass/fail format without score disclosure is unusual and criticized by some as lacking transparency. Performance-based questions increase the practical rigor.
The SecurityOps Group Certified Cloud Pentesting eXpert-AWS
Certified Cloud Security Professional
Cloud security architecture: shared responsibility, identity, data protection, crypto, and cloud-native detection.
CISSP-ISSAP (Information Systems Security Architecture Professional)
Architecture concentration on top of CISSP — trust boundaries, identity / crypto / network composition, defense-in-depth design.
Cloud Native Computing Foundation Certified Kubernetes Administrator
Cloud Native Computing Foundation Certified Kubernetes Application Developer
Cloud Native Computing Foundation Certified Kubernetes Security Specialist
Cloud Security Alliance Certificate of Cloud Security Knowledge
The CCSK from the Cloud Security Alliance is one of the most widespread vendor-neutral cloud security certifications worldwide. It is based on three core sources: the CSA Security Guidance v4, the ENISA Cloud Computing Risk Assessment, and the CSA Cloud Controls Matrix (CCM). The exam is fully online and open-book — this lowers the entry barrier but also means less practical proof than e.g. CCSP. No professional experience required, no expiration date. Good as an entry point into cloud security and as preparation for the CCSP, but not a strong career building block on its own.
Cloud Security Alliance Cloud Governance & Compliance
EXIN Professional Cloud Administrator
EXIN Professional Cloud Developer
EXIN Professional Cloud Solution Architect
EXIN Professional Cloud Service Manager
EXIN Professional Cloud Security Manager
Fortinet Certified Professional - Public Cloud Security
Google Cloud Certified — Professional Cloud Security Engineer
GCP-specific security engineering: identity, VPC SC, secrets, logging, compliance.
GIAC Cloud Security Automation
Security-as-code: IaC hardening, CI/CD guardrails, automated cloud response.
Google Associate Cloud Engineer
Google Professional Cloud Architect
Google Professional Cloud Security Engineer
Cloud Native Computing Foundation Kubernetes and Cloud Native Associate
Microsoft 365 Certified Enterprise Administrator Expert
Microsoft Cybersecurity Architect
The Microsoft Certified: Cybersecurity Architect Expert (SC-100) is Microsoft's highest security certification and targets experienced professionals who design security architectures for hybrid and cloud-native environments based on the Microsoft platform. It requires at least one associate-level security certification (e.g., AZ-500, SC-200, or SC-300) and builds on that knowledge. The certification addresses zero-trust architectures, compliance requirements, identity governance, and infrastructure protection from a strategic perspective. For organizations heavily invested in Microsoft 365 and Azure, SC-100 is valuable proof of expertise; outside the Microsoft ecosystem, its relevance is more limited. The exam will be updated in April 2026.
Microsoft Certified: Security, Compliance, and Identity Fundamentals
Salesforce Certified Community Cloud Consultant
SecOps Group Certified Cloud Security Practitioner - AWS
VMware Certified Design Expert in Datacenter Virtualization
Also touched
Certified Information Privacy Technologist
Privacy engineering, privacy-by-design in products and platforms.
Certified Information Systems Security Professional
Breadth across security engineering, architecture, operations, and governance at senior-IC / manager level. The default senior-generalist signal.
CSA Certificate of Competence in Zero Trust (CCZT)
Vendor-neutral Zero Trust architecture and governance — NIST SP 800-207, ZTA pillars, and program implementation.
CyberArk Guardian — PAM
Top-tier CyberArk practitioner — leads complex PAM programs and contributes back to the community.
CyberArk Sentry — PAM
Designs and deploys CyberArk PAM at enterprise scale — vault architecture, HA/DR, and complex onboarding.
Elastic Certified Engineer
Stands up and operates Elastic Stack clusters — search, observability, and security-analytics workloads on a real cluster.
SailPoint Certified Identity Security Engineer
Designs and engineers SailPoint identity solutions across IdentityIQ and Identity Security Cloud (ISC).
Microsoft Certified: Identity and Access Administrator Associate
Entra ID deployment, conditional access, privileged access, identity governance.
CompTIA Security+
Broad entry-level knowledge across threats, ops, IAM, network, and crypto basics.