The honest version: Most people who break into cloud security do it in 6–18 months of focused effort. Not 6 weeks, not 3 years. The path below isn't a strict order — skip what you already know, slow down on what's hard. Hands-on work matters more than passive coursework. A portfolio of CTF write-ups and lab walkthroughs beats three certifications and zero practical experience.
📖 The Path
Prerequisites (skip if you have them)
You'll have a much easier time if you're already comfortable with:
- Networking basics. TCP/IP, DNS, HTTP/HTTPS, what a firewall does. If "subnet" means nothing to you, fix that first — Professor Messer's free Network+ videos are the standard starter.
- Linux command line. ssh, basic shell, file permissions, reading logs. Bandit on OverTheWire is the canonical free intro.
- One scripting language. Python is the default for security work. Don't aim for proficient — aim for "can read and modify other people's scripts."
- Security fundamentals. CIA triad, common attack categories, how authentication and authorization differ. CompTIA Security+ material is fine background; you don't need the cert.
If you're missing one of these, do that first. If you have all four, jump to Stage 1.
Stage 1: Beginner (Months 0–3)
Goal: Understand what cloud security is, get hands-on with one cloud, and pass a foundational cert.
1. Read the foundations
- CSOH: What is Cloud Security? — start here for the lay of the land.
- CSA Security Guidance v5 — free PDF from Cloud Security Alliance. The single best cloud-security primer.
- Your chosen provider's "Well-Architected Framework" security pillar (AWS, Azure, or GCP all have one).
2. Pick one cloud and create a free account
AWS, Azure, or GCP — all three have free tiers. Pick the one your current employer uses, the one most jobs in your area use, or AWS by default. Don't try to learn three at once.
3. Walk through the official training
- AWS: Skill Builder — Cloud Practitioner Essentials and the AWS Security Learning Plan.
- Azure: Microsoft Learn — AZ-900 Fundamentals path, then SC-900.
- GCP: Google Cloud Skills Boost — Cloud Digital Leader path, then Security in Google Cloud.
4. Get hands-on with the basics
- Spin up a VM. Lock down its security group. Read the access logs.
- Create a least-privilege IAM role. Use it. Try to break it.
- Turn on your provider's audit logging (CloudTrail, Activity Log, or Audit Logs) and look at what shows up.
- Make a public bucket on purpose. Then fix it. Now you've seen a misconfiguration up close.
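The "make a public bucket, then fix it" exercise is easier to reason about when you can see the policy document that makes the bucket public and the one that closes it. The script below is an added example, not code from the page or its author: it evaluates S3 bucket policy JSON offline (no AWS account needed), flags Allow statements whose Principal is the wildcard, and produces a repaired copy scoped to a single account. The two policy documents and the account id are constructed for the example.

```python
"""Spot and repair an intentionally public S3 bucket policy (offline).

Added example for the public-bucket exercise; the policy documents and the
account id below are constructed, and the check is a simplified version of
what posture tools such as Prowler do for S3.
"""
import copy
import json

# Constructed: the "on purpose" public policy. Principal "*" with no
# Condition means any unauthenticated caller can list and read the bucket.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
        }
    ],
}


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True when the Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy):
    """Return (sid, severity) for each Allow statement with a wildcard principal.

    severity is "public" when the statement has no Condition at all, and
    "review" when a Condition is present, because keys such as
    aws:SourceVpce or aws:PrincipalOrgID can narrow "*" to a trusted set and
    need a human to read them.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        severity = "review" if stmt.get("Condition") else "public"
        findings.append((sid, severity))
    return findings


def restrict_to_account(policy, account_id):
    """Return a copy of the policy with every wildcard principal replaced by the
    account root principal (the "fix" half of the exercise).

    Identities in that account still need their own IAM permission: for
    same-account access both the identity policy and the bucket policy must allow.
    """
    fixed = copy.deepcopy(policy)
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(fixed.get("Statement")):
        if _is_wildcard_principal(stmt.get("Principal")):
            stmt["Principal"] = {"AWS": root}
    return fixed


if __name__ == "__main__":
    print("before:", find_public_statements(PUBLIC_POLICY))
    repaired = restrict_to_account(PUBLIC_POLICY, "123456789012")  # constructed account id
    print("after:", find_public_statements(repaired))
    print(json.dumps(repaired, indent=2))
```

Run it once against the public policy and once against the repaired copy to see the finding appear and disappear. In a real account, pair the policy fix with the S3 Block Public Access setting so that a future policy edit cannot reopen the bucket, and check the audit log for the PutBucketPolicy call you just made: that is the same event a detection rule would key on.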
5. Earn a foundational cert
- CCSK (vendor-neutral, ~$395) — most recommended.
- Or your provider's fundamentals cert: AWS Cloud Practitioner (~$100), AZ-900 (~$99), or Cloud Digital Leader (~$99).
See the cloud security certifications guide for details.
Stage 1 milestone: You can explain what IAM is, what the shared responsibility model means, and you've configured at least one service end-to-end on your chosen cloud.
Stage 2: Intermediate (Months 3–9)
Goal: Move from "I know the concepts" to "I can find and exploit cloud misconfigurations and explain how to fix them."
1. Run intentionally vulnerable environments
Pick three or four from our cloud security CTF directory and work through them. Recommended starting set:
- flAWS & flAWS2 — browser-based AWS challenges, no account required.
- CloudGoat — full vulnerable AWS environments you deploy yourself. Walk every scenario.
- EntraGoat — Azure/Entra-focused identity attack scenarios.
- CNAPPGoat — multi-cloud misconfigurations.
- PwnedLabs — guided cloud attack labs with both free and paid tiers.
2. Read real breach post-mortems
Walk through the CSOH breach kill chains. Each one is mapped to MITRE ATT&CK Cloud techniques. For each breach, identify: which IAM controls would have stopped it, which detection rule would have caught it, what the post-incident response looked like.
3. Get familiar with the tooling
- Open source: Prowler, ScoutSuite, Steampipe (multi-cloud posture). Pacu (AWS exploitation framework). ROADtools (Azure/Entra recon).
- Provider-native: AWS GuardDuty, IAM Access Analyzer, Security Hub. Microsoft Defender for Cloud, Sentinel. GCP Security Command Center.
- Concept of CNAPP: read about how Wiz, Orca, Lacework, and similar platforms bundle CSPM/CWPP/CIEM. You don't need to use them — just understand the category.
4. Earn a provider security specialty
- AWS Certified Security – Specialty (SCS-C02)
- Microsoft AZ-500 (Azure Security Engineer)
- Google Professional Cloud Security Engineer
5. Start writing
Publish CTF write-ups, lab walkthroughs, or breach analyses on a personal blog or LinkedIn. This is the single highest-leverage thing you can do for your career — it builds your reputation, forces you to actually understand what you did, and gives you something to show in interviews.
Stage 2 milestone: You've completed at least 5 CTF scenarios, can use Prowler or an equivalent tool to audit a real account, and have at least one provider security cert.
Stage 3: Advanced (Months 9+)
Goal: Build deep skill in a chosen specialization and start contributing to the community.
1. Detection engineering
Build detection content for your cloud. Translate ATT&CK Cloud techniques into Sigma or vendor-specific rules. Learn how to investigate alerts without false-positive paralysis. Practice with sample data sets like Mordor.
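Translating an ATT&CK Cloud technique into a rule and running it over sample data is the core loop of detection engineering. The script below is an added example, not code from the page or from SigmaHQ: it runs two rules written in a cut-down Sigma layout (a `selection` map, an optional `filter` map, and a `condition` string) over a handful of constructed CloudTrail-style records. The T1562.008 mapping (Disable or Modify Cloud Logs) is the standard one for tampering with CloudTrail; mapping the GuardDuty rule to T1562.001 (Disable or Modify Tools) is an assumption made for the example, and all events, ARNs and IPs are constructed.

```python
"""Run ATT&CK-mapped, Sigma-shaped detection rules over CloudTrail-style records.

Added example, not code from the page. Records are a constructed subset of
real CloudTrail fields; rules use a reduced Sigma layout so the same logic
can later be ported to a real Sigma rule or a SIEM query.
"""

# Constructed CloudTrail-like events (subset of the real record schema).
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "errorCode": None},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"},
     "sourceIPAddress": "10.0.1.5", "errorCode": None},
    # A denied attempt is still worth an alert: someone tried to blind the sensor.
    {"eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "errorCode": None},
    # Service-initiated change (e.g. an IaC deployment) that the filter should drop.
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudformation.amazonaws.com"},
     "sourceIPAddress": "cloudformation.amazonaws.com", "errorCode": None},
]

# Constructed rules in a reduced Sigma layout. Dotted field names walk nested
# objects; a list of values means "any of" (Sigma OR inside a selection).
RULES = [
    {
        "title": "CloudTrail logging stopped, deleted or modified",
        "tags": ["attack.defense_evasion", "attack.t1562.008"],
        "detection": {
            "selection": {
                "eventSource": "cloudtrail.amazonaws.com",
                "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"],
            },
            "filter": {"userIdentity.type": "AWSService"},
            "condition": "selection and not filter",
        },
    },
    {
        "title": "GuardDuty detector deleted or updated",
        # Technique mapping assumed for this example.
        "tags": ["attack.defense_evasion", "attack.t1562.001"],
        "detection": {
            "selection": {
                "eventSource": "guardduty.amazonaws.com",
                "eventName": ["DeleteDetector", "UpdateDetector"],
            },
            "condition": "selection",
        },
    },
]


def _get(event, dotted):
    """Fetch a possibly nested field by dotted path; None when absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def _selection_matches(event, selection):
    """Every field in the map must match (AND); list values are any-of (OR)."""
    for field, expected in selection.items():
        allowed = expected if isinstance(expected, list) else [expected]
        if _get(event, field) not in allowed:
            return False
    return True


def rule_matches(rule, event):
    """Evaluate the two condition forms this reduced Sigma dialect supports."""
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection":
        return _selection_matches(event, det["selection"])
    if cond == "selection and not filter":
        return (_selection_matches(event, det["selection"])
                and not _selection_matches(event, det["filter"]))
    raise ValueError(f"unsupported condition: {cond}")


def _technique(rule):
    """Pull the ATT&CK technique tag (attack.tNNNN[.NNN]) out of the rule tags."""
    return next((t for t in rule.get("tags", []) if t.startswith("attack.t")), None)


def run_rules(events, rules):
    """Return one alert dict per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule_matches(rule, ev):
                alerts.append({
                    "rule": rule["title"],
                    "technique": _technique(rule),
                    "eventName": ev.get("eventName"),
                    "actor": _get(ev, "userIdentity.arn") or _get(ev, "userIdentity.invokedBy"),
                    "failed": bool(ev.get("errorCode")),
                })
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS, RULES):
        print(alert)
```

The filter is where false-positive paralysis is fought: the rule stays broad on `eventName` so it catches the tampering you care about, and the exclusion is expressed as a separate, reviewable map rather than baked into the selection. When you port this to real Sigma, the same `selection`/`filter`/`condition` split carries over almost unchanged.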
2. Incident response and threat hunting
Read SANS DFIR materials. Practice with cloud forensics scenarios. Learn what evidence you can and can't get from each cloud (CloudTrail completeness, log retention defaults, what GuardDuty does and doesn't catch).
3. IAM at scale
Master IAM policy evaluation, condition keys, and cross-account access patterns. Read every word of the AWS Security Blog on identity. Use IAM Access Analyzer to find unused permissions in real environments. Study privilege-escalation paths via tools like Pacu.
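The fastest way to internalise policy evaluation is to implement the evaluation order yourself and feed it requests. The script below is an added example, not AWS code and not a complete model: it covers identity-based policies only, applies the "explicit Deny beats explicit Allow beats implicit Deny" rule, supports wildcards in Action and Resource, and evaluates a few condition operators (StringEquals, StringLike, Bool, IpAddress, NotIpAddress). Permission boundaries, SCPs, resource-based and session policies, NotAction/NotResource and the remaining operators are deliberately left out, and missing-key handling is simplified to "condition is false" (the real rules differ per operator; check the IAM docs). The policies and request contexts are constructed.

```python
"""Simplified IAM policy evaluation: explicit Deny > explicit Allow > implicit Deny.

Added example, not AWS code. Models identity-based policies with a handful of
condition operators; everything else in the real evaluation logic is omitted.
All policies and request contexts are constructed.
"""
import fnmatch
import ipaddress

# Constructed identity-based policies attached to one principal.
POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TeamBucketWithMfa",
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::team-bucket/*",
                # Gotcha: when aws:MultiFactorAuthPresent is absent from the request
                # context (typical for long-lived access keys), this Bool is false.
                "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
            },
            {
                "Sid": "ReadOnlyEc2",
                "Effect": "Allow",
                "Action": ["ec2:Describe*"],
                "Resource": "*",
            },
        ],
    },
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyDeleteOffNetwork",
                "Effect": "Deny",
                "Action": "s3:DeleteObject",
                "Resource": "arn:aws:s3:::team-bucket/*",
                "Condition": {"NotIpAddress": {"aws:SourceIp": ["10.0.0.0/8"]}},
            }
        ],
    },
]


def _as_list(value):
    """IAM accepts a scalar or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """All operator/key pairs must hold (AND); values for one key are OR-ed.
    Simplification: a key missing from the context makes the condition false."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            values = _as_list(expected)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, p) for p in values)
            elif operator == "Bool":
                ok = str(actual).lower() == str(values[0]).lower()
            elif operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                in_range = any(ip in ipaddress.ip_network(c) for c in values)
                ok = in_range if operator == "IpAddress" else not in_range
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    """A statement applies when Action (case-insensitive), Resource and Condition match."""
    action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                    for p in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, p)
                      for p in _as_list(stmt["Resource"]))
    return action_ok and resource_ok and _condition_ok(stmt.get("Condition"), context)


def evaluate(policies, action, resource, context):
    """Return (decision, reason). Any applicable Deny wins outright; with no
    applicable statement at all the answer is an implicit Deny."""
    allow_sid = None
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", f"explicit deny: {stmt.get('Sid', '<no Sid>')}"
            allow_sid = allow_sid or stmt.get("Sid", "<no Sid>")
    if allow_sid:
        return "Allow", f"allowed by {allow_sid}"
    return "Deny", "implicit deny: no statement allows this request"


if __name__ == "__main__":
    obj = "arn:aws:s3:::team-bucket/report.csv"
    print(evaluate(POLICIES, "s3:GetObject", obj,
                   {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "10.1.2.3"}))
    print(evaluate(POLICIES, "s3:GetObject", obj, {"aws:SourceIp": "10.1.2.3"}))
    print(evaluate(POLICIES, "s3:DeleteObject", obj,
                   {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.5"}))
```

Try the second request in the `__main__` block: the same principal with the same Allow statement is refused purely because the MFA condition key is absent from the request context, which is the single most common surprise when people first write MFA-gated policies. Extending the model with a permissions-boundary or SCP layer (an additional "must also allow" check before the final Allow) is a good next exercise, and comparing your answers with the real policy simulator or IAM Access Analyzer keeps you honest.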
4. Kubernetes security
If your environment uses Kubernetes, get comfortable with cluster hardening, pod security standards, network policies, and runtime security tools (Falco, Tetragon). Pursue CKS as your hands-on credential.
5. AI / LLM security
Increasingly relevant. Read the OWASP Top 10 for LLMs. Practice on AI-focused CTFs in our CTF directory. Study agentic-system risks and prompt injection in production scenarios.
6. Senior credentials
If you're going the architect/consultant route, CCSP from ISC2 once you hit five years of relevant experience. SC-100 if you're heavy in Microsoft.
Stage 3 milestone: You're shipping detection content, presenting at meetups, or leading an aspect of cloud security at your job.
Stage 4: Specialize
By this point, the field has too many depths for any one person to be expert at all of them. Pick what you're drawn to:
- Cloud incident response and forensics — the people who get paged when things go wrong.
- Detection engineering — building the rules that catch the next breach.
- Identity and IAM architecture — increasingly the most important specialty in cloud security.
- Cloud penetration testing / red team — offensive cloud work, often as a consultant.
- Application security in cloud-native environments — IaC scanning, supply-chain, container hardening.
- Compliance and governance at scale — multi-account guardrails, control frameworks, audit automation.
- Cloud SOC / managed detection & response — running a 24x7 monitoring practice.
- AI security — prompt injection, model security, agent risk.
Stay current
Cloud changes faster than most fields. Build a rhythm:
- Weekly: read the CSOH cloud security news feed. Skim AWS, Azure, and GCP security blogs.
- Weekly: attend the Friday Zoom session — 7am PT, free, no marketing.
- Monthly: read one breach post-mortem in depth. Add it to your mental library.
- Quarterly: do a hands-on CTF or new lab.
- Annually: renew or earn a new cert. Re-read the CSA Guidance updates.
Common mistakes
- Trying to learn three clouds at once. Pick one. Get good. Add the others later.
- Stacking certs without hands-on work. Three certs and no lab portfolio is a worse signal than one cert plus public CloudGoat write-ups.
- Studying passively. Watching videos doesn't stick. Building does. After every chapter or video, do something with the material.
- Avoiding the command line. Cloud security is API-first. Get comfortable in a terminal.
- Skipping IAM because it's boring. IAM is where almost every breach happens. Master it.
- Waiting until you "know enough" to write or speak. Publishing a write-up at month 6 will teach you more than three more months of reading.
Ready to start?
- Begin with What is Cloud Security? for the foundational concepts.
- Browse the resources catalog for tools, labs, and study materials.
- Pick your first challenge from the CTF directory.
- Compare options in the cloud security certifications guide.
- Join us on Friday Zoom — meet practitioners actually doing this work.