Chapter 8 checkpoint

You've turned the security threads running through the whole guide into a deliberate, automated practice. Before moving on to cost and FinOps, lock it in. Recall the throughline first, then take the quiz.

The throughline

  • Shared responsibility, in practice. The provider secures the cloud; you secure what's in it. If you can configure it, you own it. The large majority of breaches are customer-side misconfiguration — exposed storage, leaked keys, over-permissive IAM, public databases, unpatched images.
  • Identity is the new perimeter. There's no trusted "inside." IAM evaluates every request: default deny, explicit deny wins, every policy and boundary must allow it. Use least privilege, cap blast radius with permission boundaries and org guardrails, prefer just-in-time access, and hunt over-permissioned roles and escalation paths with CIEM.
  • Keyless beats keys. Long-lived static keys are durable, portable, bearer secrets — the #1 leak source. Replace them with OIDC federation and IRSA / Workload Identity, so workloads get short-lived credentials with nothing durable to steal.
  • Secrets & encryption. No secret (keyless) > dynamic short-lived secret > static secret in a manager (rotated, least-privilege, audited) > never a secret in code or Git. Encrypt at rest with KMS — but encryption defends stolen storage, not a public-access misconfiguration.
  • Zero-trust networking. Trust by identity, not network location. Defense in depth, private by default, egress control, default-deny NetworkPolicies in Kubernetes, and mTLS so even internal hops are mutually authenticated.
  • Supply-chain & images. Build minimal/distroless, non-root images; shift-left with SAST/SCA/IaC/container/secret scanning; keep an SBOM; sign artifacts and verify at admission so only what you built runs.
  • Posture, policy & compliance. CSPM detects drift; policy-as-code (OPA/Gatekeeper, Kyverno) prevents bad config at admission; runtime detection (Falco/eBPF) catches the live attacker; CNAPP consolidates CSPM+CWPP+CIEM; compliance is continuous evidence, not a quarterly snapshot. Security scales as the golden path (Ch. 7), not gatekeeping.
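The IAM evaluation rule in the identity bullet above, as an added example that is not part of this guide or any provider's code: a small simulator of "default deny, explicit deny wins, identity policy AND every boundary must allow". Policy matching is simplified (glob patterns only, case-sensitive) and the sample policies are constructed.

```python
import fnmatch

# Simplified model of the IAM evaluation logic described above (added example,
# not AWS code): an explicit Deny anywhere wins; otherwise the request is allowed
# only if the identity policy AND every applicable boundary (permissions
# boundary, SCP) contain a matching Allow. Anything else is the implicit deny.

def _matches(statement, action, resource):
    """True if the statement's Action/Resource patterns cover this request."""
    actions = statement.get("Action", [])
    resources = statement.get("Resource", ["*"])
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    return any(fnmatch.fnmatchcase(action, a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource, r) for r in resources)

def _decision(policy, action, resource):
    """Per-policy verdict: 'Deny' if an explicit Deny matches, 'Allow' if an
    Allow matches, None if nothing in the policy mentions the request."""
    verdict = None
    for st in policy.get("Statement", []):
        if _matches(st, action, resource):
            if st.get("Effect") == "Deny":
                return "Deny"
            if st.get("Effect") == "Allow":
                verdict = "Allow"
    return verdict

def evaluate(action, resource, identity_policy, boundaries=()):
    """Return 'Allow' or 'Deny' for a request, given the identity policy plus
    zero or more boundaries (permissions boundary, SCP) that must all allow it."""
    verdicts = [_decision(p, action, resource) for p in (identity_policy, *boundaries)]
    if "Deny" in verdicts:                    # explicit deny always wins
        return "Deny"
    if all(v == "Allow" for v in verdicts):   # identity AND every boundary allow
        return "Allow"
    return "Deny"                             # implicit (default) deny

# Constructed sample policies: a broad identity policy, a narrow permissions
# boundary, and an org SCP that allows everything except object deletion.
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                           "Resource": "arn:aws:s3:::app-bucket/*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                           "Resource": "*"}]}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::app-bucket/report.csv"
    for act in ("s3:GetObject", "s3:DeleteObject", "s3:ListBucket"):
        print(act, evaluate(act, obj, IDENTITY, (BOUNDARY, SCP)))
```

Note how the boundary caps blast radius: the identity policy grants `s3:*`, yet `s3:ListBucket` is denied because the boundary never allows it, and `s3:DeleteObject` is denied by the SCP's explicit Deny regardless of what the identity policy says.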

Quiz

Chapter 8 — Cloud Security

Passed? You can now secure what you build in the cloud: read the responsibility line, lock down identity, go keyless, manage secrets and encryption, isolate the network with zero trust, harden the supply chain, and enforce it all continuously with policy-as-code and posture management. Next, we turn from keeping the cloud safe to keeping it affordable — the discipline of FinOps.