Who is this cybersecurity cloud security course for?

Security engineers stepping sideways into cloud-focused security work, DevOps practitioners taking on the security side of platform engineering, on-prem network security engineers pivoting to cloud, cybersecurity professionals preparing for CCSP / AWS Security Specialty / Microsoft SC-100, and cloud architects whose scope now includes platform-level security review.

What primary sources does this cybersecurity cloud security course cite?

NIST SP 800-145 (cloud definition), NIST SP 500-292 (reference architecture), NIST SP 800-210 (cloud access control), NIST SP 800-207 (zero trust), NIST SP 800-190 (container security), NIST SP 800-204 series (microservices and service mesh), CSA Cloud Controls Matrix v4, CSA Top Threats 2024, MITRE ATT&CK Cloud matrix, BLS OES May 2024, ISC2 Cybersecurity Workforce Study 2024, CIS Benchmarks for AWS and Kubernetes, and AWS/Azure/Google Cloud official documentation. Every claim is anchored to a primary or peer-reviewed source.

Will this cybersecurity course prepare me for CCSP, AWS Security Specialty, or SC-100?

It is a conceptual primer rather than a cert prep course. The course covers the foundational standards (NIST cloud, zero trust, container security) that all three certs assume you know, and the cross-cloud patterns those certs test against. Pair the course with the official cert provider's training resource and practice exam for full coverage.

Do I need a paid cloud subscription to take the course?

No. AWS, Azure, and Google Cloud all offer free-tier accounts that cover the hands-on labs in the course. The course recommends starting with a free-tier account on the provider closest to your job target.

How long does the cybersecurity cloud security course take to complete?

Roughly 16 hours of focused study across 6 modules. Most learners complete it in 8 to 10 weeks at 2 to 4 hours per week. Self-paced; no live sessions.

Primary-source-grounded cybersecurity course

Cloud Security Fundamentals

A primary-source-grounded six-module path into cloud security engineer and architect roles: shared responsibility, IAM, network segmentation, container security, cloud-native detection, and the career ladder.

6 modules16 hours$197 one-timeNIST + CSA + cloud-provider sourced

What this cybersecurity course is

Cloud Security Fundamentals is a 6-module cybersecurity course for security engineers, IT generalists, and DevOps practitioners targeting a cloud security engineer or cloud security architect role across AWS, Azure, and Google Cloud. Every module is grounded in NIST Special Publications and the official Well-Architected security pillars rather than vendor marketing. Topics include the shared responsibility model from NIST SP 800-145 (Mell & Grance 2011), IAM design for cloud-scale blast radii using NIST SP 800-210 (Chandramouli & Iorga 2020), microservices and service-mesh security per NIST SP 800-204 (Chandramouli 2019) and 800-204B (2022), container hardening per NIST SP 800-190 (Souppaya, Morello & Scarfone 2017), and zero-trust architecture per NIST SP 800-207 (Rose et al. 2020). The course is for adults committing 8 to 10 weeks of focused study before sitting CCSP, AWS Security Specialty, or Microsoft SC-100. Designed by Julian Calvo, Ed.D. in Applied Learning Sciences (University of Miami, 2026).

The course sequences six modules around the cloud-security operational stack as defined in the NIST cloud-computing reference architecture (Liu et al. 2011, NIST SP 500-292). Each module pairs a primary-source standard with a hands-on prompt: read the standard, apply it to a real cloud configuration, document the security review the way an audit team would expect to see it. The pedagogical structure follows Kolb's experiential learning cycle (1984) and the Dreyfus skill acquisition model (1980): concrete cloud configurations, structured reflection against the standard, abstract conceptualization through the controls catalog, then active experimentation in a free-tier sandbox. Every claim is cited to NIST, CSA, the cloud provider's official documentation, BLS, ISC2, or peer-reviewed research. No vendor white papers without primary-source backing.

Six modules

Module 01 · 130 min
The Cloud Security Stack: Shared Responsibility and the Reference Architecture
What the shared-responsibility model actually says, where the seams sit between the cloud provider and the customer, and how the NIST reference architecture organizes the controls catalog you will spend the rest of the course inside.
Learning objectives
- Cite the NIST SP 800-145 (Mell & Grance 2011) cloud-deployment models and service models, and explain why they still anchor every cloud-security framework written since
- Map the shared-responsibility seam for IaaS, PaaS, and SaaS workloads against the NIST SP 500-292 reference architecture
- Explain why the customer is responsible for IAM and data security in every cloud service model and what that implies for an auditor's first questions
Module 02 · 150 min
Cloud IAM and the Blast Radius
Why IAM is the most-attacked surface in cloud, what NIST SP 800-210 says about access control specifically for cloud systems, and how to design role and policy structures that limit blast radius without paralyzing operations.
Learning objectives
- Cite NIST SP 800-210 (Chandramouli & Iorga 2020) and identify three cloud-specific access control challenges it documents that on-prem IAM models did not face
- Read an AWS IAM policy and identify the three vectors that most often expand blast radius (wildcard resources, NotAction inversion, AssumeRole chain depth)
- Apply the principle of least privilege to a real cloud service-account or managed-identity configuration and document the residual privilege risk
Module 03 · 130 min
Cloud Network Segmentation and Zero Trust
How to segment a cloud network the way the architecture guides actually intend, what NIST SP 800-207 zero trust changes about the design, and where engineers most often misapply on-prem network thinking.
Learning objectives
- Cite NIST SP 800-207 (Rose et al. 2020) and explain the seven tenets of zero trust as they apply to a cloud environment
- Design a multi-account or multi-subscription cloud network where one compromised tenant cannot lateral-move into another
- Identify three on-prem network-security patterns that misapply to cloud (perimeter trust, north-south firewall, NAT-as-isolation) and explain why
Module 04 · 140 min
Container and Kubernetes Security
What NIST SP 800-190 says about container security, the four-layer model (image, registry, orchestrator, runtime), and what changes when those containers run on a managed Kubernetes service like EKS, AKS, or GKE.
Learning objectives
- Cite NIST SP 800-190 (Souppaya, Morello & Scarfone 2017) four-layer container security model and identify the customer-side controls at each layer
- Read a Kubernetes Pod manifest and identify three security-affecting configuration choices (securityContext, hostNetwork, capabilities)
- Apply the CIS Kubernetes Benchmark to a sample cluster and document a remediation plan for the top three findings
Module 05 · 130 min
Cloud Detection and Response
Where the cloud audit log lives in each major provider, what NIST SP 800-92 says about cloud-scale log management, and how to write a detection rule that catches a real cloud attack pattern.
Learning objectives
- Identify the authoritative audit-log source in AWS (CloudTrail), Azure (Activity Log + Microsoft Entra audit log), and Google Cloud (Cloud Audit Logs); explain what each does and does not capture
- Read a cloud-attack technique on the MITRE ATT&CK Cloud matrix and translate it into a detection query against CloudTrail or Activity Log
- Write a Sigma rule that detects suspicious privilege-escalation patterns in AWS CloudTrail (CreateAccessKey on a privileged user, AssumeRole chain to root)
Module 06 · 100 min
The Cloud Security Career Trajectory
What the cloud security engineer and cloud security architect ladder looks like, the credentials hiring managers actually price into the offer, and the portfolio artifacts that move you up the band.
Learning objectives
- Distinguish cloud security engineer, cloud security architect, and platform security engineer roles by the daily decisions each makes and the credentials each typically holds
- Cite BLS OES 2024 and ISC2 2024 data on cloud-security compensation by metro and tier and use it to anchor offer expectations
- Build a 90-day study plan that combines a target cert (CCSP, AWS Security Specialty, or SC-100) with a portfolio artifact (a cloud-config audit, a Terraform-defined zero-trust reference, or a published Sigma rule for cloud)

Target audience

Security engineers stepping sideways into cloud-focused security roles
DevOps practitioners taking on the security side of the SRE or platform-engineering job
On-prem network security engineers pivoting to cloud network security
Cybersecurity professionals preparing for CCSP, AWS Security Specialty, or Microsoft SC-100
Cloud architects whose scope now includes the security review of new platform decisions

Prerequisites

Working familiarity with at least one cloud provider console (AWS, Azure, or Google Cloud)
Basic understanding of TCP/IP networking, DNS, TLS, and HTTP
Comfort with the command line on Linux, including SSH, curl, and basic shell scripting
Willingness to commit 8 to 10 weeks of 4 to 6 hours per week study
Free-tier account on at least one cloud provider for hands-on lab work

Sources

NIST SP 800-145: The NIST Definition of Cloud Computing — Mell & Grance (2011). Public-domain US Government work.
NIST SP 500-292: Cloud Computing Reference Architecture — Liu et al. (2011). Public-domain US Government work.
NIST SP 800-210: General Access Control Guidance for Cloud Systems — Chandramouli & Iorga (2020). Public-domain US Government work.
NIST SP 800-207: Zero Trust Architecture — Rose, Borchert, Mitchell, & Connelly (2020). Public-domain.
NIST SP 800-190: Application Container Security Guide — Souppaya, Morello, & Scarfone (2017). Public-domain.
CSA Cloud Controls Matrix v4 — Cloud Security Alliance, free with registration.
CSA Top Threats to Cloud Computing 2024 — Cloud Security Alliance, free public report.
MITRE ATT&CK Cloud Matrix — MITRE Corporation. Free for public use.
CIS AWS Foundations Benchmark v3.0 — Center for Internet Security, free download.
CIS Kubernetes Benchmark v1.9 — Center for Internet Security, free download.
BLS OES May 2024: Information Security Analysts (15-1212) — U.S. Bureau of Labor Statistics median wages, percentile bands, metro detail.
ISC2 Cybersecurity Workforce Study 2024 — Workforce gap and compensation by tier and region.

Disclaimer

This course is for educational purposes only. It does not guarantee employment, certification pass rates, or salary outcomes. Cloud-platform pricing, services, and feature availability change rapidly; always verify current configuration against the cloud provider's authoritative documentation before applying course content to production systems. NIST and CSA materials cited here are public works; readers should consult primary sources for currency. AWS, Microsoft Azure, and Google Cloud are trademarks of their respective owners; DecipherU is not affiliated with any cloud provider. CCSP and AWS Security Specialty are trademarks of ISC2 and Amazon respectively. DecipherU is not responsible for career, financial, or operational decisions made based on this content.

What this cybersecurity course is

Six modules

Module 01 · 130 min

The Cloud Security Stack: Shared Responsibility and the Reference Architecture

What the shared-responsibility model actually says, where the seams sit between the cloud provider and the customer, and how the NIST reference architecture organizes the controls catalog you will spend the rest of the course inside.

Learning objectives

Cite the NIST SP 800-145 (Mell & Grance 2011) cloud-deployment models and service models, and explain why they still anchor every cloud-security framework written since
Map the shared-responsibility seam for IaaS, PaaS, and SaaS workloads against the NIST SP 500-292 reference architecture
Explain why the customer is responsible for IAM and data security in every cloud service model and what that implies for an auditor's first questions

Module 02 · 150 min

Cloud IAM and the Blast Radius

Why IAM is the most-attacked surface in cloud, what NIST SP 800-210 says about access control specifically for cloud systems, and how to design role and policy structures that limit blast radius without paralyzing operations.

Learning objectives

Cite NIST SP 800-210 (Chandramouli & Iorga 2020) and identify three cloud-specific access control challenges it documents that on-prem IAM models did not face
Read an AWS IAM policy and identify the three vectors that most often expand blast radius (wildcard resources, NotAction inversion, AssumeRole chain depth)
Apply the principle of least privilege to a real cloud service-account or managed-identity configuration and document the residual privilege risk

Module 03 · 130 min

Cloud Network Segmentation and Zero Trust

How to segment a cloud network the way the architecture guides actually intend, what NIST SP 800-207 zero trust changes about the design, and where engineers most often misapply on-prem network thinking.

Learning objectives

Cite NIST SP 800-207 (Rose et al. 2020) and explain the seven tenets of zero trust as they apply to a cloud environment
Design a multi-account or multi-subscription cloud network where one compromised tenant cannot lateral-move into another
Identify three on-prem network-security patterns that misapply to cloud (perimeter trust, north-south firewall, NAT-as-isolation) and explain why

Module 04 · 140 min

Container and Kubernetes Security

What NIST SP 800-190 says about container security, the four-layer model (image, registry, orchestrator, runtime), and what changes when those containers run on a managed Kubernetes service like EKS, AKS, or GKE.

Learning objectives

Cite NIST SP 800-190 (Souppaya, Morello & Scarfone 2017) four-layer container security model and identify the customer-side controls at each layer
Read a Kubernetes Pod manifest and identify three security-affecting configuration choices (securityContext, hostNetwork, capabilities)
Apply the CIS Kubernetes Benchmark to a sample cluster and document a remediation plan for the top three findings

Module 05 · 130 min

Cloud Detection and Response

Where the cloud audit log lives in each major provider, what NIST SP 800-92 says about cloud-scale log management, and how to write a detection rule that catches a real cloud attack pattern.

Learning objectives

Identify the authoritative audit-log source in AWS (CloudTrail), Azure (Activity Log + Microsoft Entra audit log), and Google Cloud (Cloud Audit Logs); explain what each does and does not capture
Read a cloud-attack technique on the MITRE ATT&CK Cloud matrix and translate it into a detection query against CloudTrail or Activity Log
Write a Sigma rule that detects suspicious privilege-escalation patterns in AWS CloudTrail (CreateAccessKey on a privileged user, AssumeRole chain to root)

Module 06 · 100 min

The Cloud Security Career Trajectory

What the cloud security engineer and cloud security architect ladder looks like, the credentials hiring managers actually price into the offer, and the portfolio artifacts that move you up the band.

Learning objectives

Distinguish cloud security engineer, cloud security architect, and platform security engineer roles by the daily decisions each makes and the credentials each typically holds
Cite BLS OES 2024 and ISC2 2024 data on cloud-security compensation by metro and tier and use it to anchor offer expectations
Build a 90-day study plan that combines a target cert (CCSP, AWS Security Specialty, or SC-100) with a portfolio artifact (a cloud-config audit, a Terraform-defined zero-trust reference, or a published Sigma rule for cloud)

Target audience

Security engineers stepping sideways into cloud-focused security roles

DevOps practitioners taking on the security side of the SRE or platform-engineering job

On-prem network security engineers pivoting to cloud network security

Cybersecurity professionals preparing for CCSP, AWS Security Specialty, or Microsoft SC-100

Cloud architects whose scope now includes the security review of new platform decisions

Prerequisites

Working familiarity with at least one cloud provider console (AWS, Azure, or Google Cloud)

Basic understanding of TCP/IP networking, DNS, TLS, and HTTP

Comfort with the command line on Linux, including SSH, curl, and basic shell scripting

Willingness to commit 8 to 10 weeks of 4 to 6 hours per week study

Free-tier account on at least one cloud provider for hands-on lab work

Disclaimer

Cloud Security Fundamentals

What this cybersecurity course is

Six modules

The Cloud Security Stack: Shared Responsibility and the Reference Architecture

Cloud IAM and the Blast Radius

Cloud Network Segmentation and Zero Trust

Container and Kubernetes Security

Cloud Detection and Response

The Cloud Security Career Trajectory

Target audience

Prerequisites

Related cybersecurity content

Sources

Disclaimer

Cloud Security Fundamentals

What this cybersecurity course is

Six modules

The Cloud Security Stack: Shared Responsibility and the Reference Architecture

Cloud IAM and the Blast Radius

Cloud Network Segmentation and Zero Trust

Container and Kubernetes Security

Cloud Detection and Response

The Cloud Security Career Trajectory

Target audience

Prerequisites

Related cybersecurity content

Sources

Disclaimer