Cloud Security Engineer – Comprehensive Revision Notes & 100 Q&A
📘 Part 1: Detailed Cloud Security Notes
1. Core Cloud Security Concepts
• Shared Responsibility Model
• AWS: The customer is responsible for security "in" the cloud (applications, data, configuration); AWS is responsible for security "of" the cloud (hardware, network, hypervisor).
• Azure: Similar model; the customer is responsible for securing workloads, Microsoft secures the underlying infrastructure.
• Key Security Domains:
• Identity & Access Management (IAM)
• Data Protection & Encryption
• Network Security
• Threat Detection & Monitoring
• Compliance & Governance
2. AWS Security – Detailed Notes
Identity & Access Management (IAM)
• Manage users, groups, and roles.
• Policies written in JSON (Allow/Deny actions on resources).
• Best Practices:
• Use IAM Roles instead of long-term keys.
• Apply least privilege principle.
• Enable MFA for privileged accounts.
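Worked example, added to these notes and not taken from AWS or any real account: a small evaluator that applies the Allow/Deny semantics of the JSON policies described above (explicit Deny wins, then explicit Allow, otherwise the implicit deny; "*" wildcards in Action and Resource) to a constructed policy, plus a least-privilege smell test for Allow statements that use a bare "*". Conditions, NotAction, resource-based policies, permission boundaries and SCPs are deliberately out of scope, so this is a teaching aid for the ordering, not an authorizer.

```python
"""Evaluate a request against an IAM identity policy the way the notes describe.

Added example, not AWS code: it implements only the documented ordering
(an explicit Deny wins, then an explicit Allow, otherwise the implicit
deny) and the '*'/'?' wildcards in Action and Resource. Conditions,
NotAction/NotResource, resource-based policies, permission boundaries
and SCPs are out of scope, so it is a teaching aid, not an authorizer.
"""
import fnmatch
import json

# Constructed sample policy (not from any real account): read-only on one
# bucket, full access on a scratch bucket, and an explicit deny on deletes.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Sid": "Scratch", "Effect": "Allow",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-scratch/*"},
    {"Sid": "NeverDelete", "Effect": "Deny",
     "Action": "s3:Delete*",
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive; ARNs are case-sensitive.
    action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                     for p in _as_list(stmt.get("Action", [])))
    resource_hit = any(fnmatch.fnmatchcase(resource, p)
                       for p in _as_list(stmt.get("Resource", [])))
    return action_hit and resource_hit


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one (action, resource) request."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit deny ends evaluation immediately
        allowed = True               # keep scanning: a later Deny could still apply
    return "Allow" if allowed else "ImplicitDeny"


def wildcard_allows(policy):
    """Least-privilege smell test: Sids of Allow statements with Action '*' or Resource '*'."""
    return [stmt.get("Sid", str(i)) for i, stmt in enumerate(policy["Statement"])
            if stmt["Effect"] == "Allow"
            and ("*" in _as_list(stmt.get("Action", []))
                 or "*" in _as_list(stmt.get("Resource", [])))]


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-reports/q1.csv"),
                     ("s3:PutObject", "arn:aws:s3:::example-reports/q1.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::example-scratch/tmp.bin"),
                     ("ec2:StartInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc")]:
        print(f"{act:20} {res:60} -> {evaluate(SAMPLE_POLICY, act, res)}")
    print("wildcard allows:", wildcard_allows(SAMPLE_POLICY))
```

The third request is the instructive one: "s3:*" on the scratch bucket would allow the delete, but the explicit Deny on "s3:Delete*" still wins, which is why deny statements are the safe way to carve exceptions out of broad grants.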
Data Protection
• S3 Security
• Block Public Access settings.
• Bucket Policies & IAM Policies.
• Server-Side Encryption (SSE-S3, SSE-KMS, SSE-C).
• Object Lock (WORM compliance).
• KMS (Key Management Service): Centralized key storage & rotation.
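Worked example, added to these notes and not AWS code: a check that shows what a "public" bucket policy statement looks like, which is the kind of grant S3 Block Public Access exists to reject or ignore. It recognises the anonymous principal spellings "*" and {"AWS": "*"} and reports statements that carry a Condition separately, because conditions such as aws:SourceVpc can make a "*" principal non-public. The policy, account ID and VPC ID are constructed.

```python
"""Find bucket-policy statements that grant access to everyone.

Added example, not AWS code. S3 Block Public Access rejects or ignores
policies like the "PublicRead" statement below; this check shows what a
public statement looks like so that setting is not the only control.
It recognises the anonymous principal spellings "*" and {"AWS": "*"}.
Statements carrying a Condition are reported separately, because a
condition such as aws:SourceVpc can make a "*" principal non-public;
a hit therefore means "review", not "confirmed public".
"""
import json

# Constructed sample policy: one public read, one role-scoped read, one
# VPC-conditioned list, and the common TLS-only Deny that also names "*".
SAMPLE_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")


def _is_anonymous(principal):
    """True for the two ways a policy can name 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def classify_public_statements(policy):
    """Map Sid (or index) -> 'public' | 'conditional' for Allow grants to everyone.

    Deny statements are skipped: a Deny with Principal "*" (the TLS-only
    pattern above) restricts access rather than granting it.
    """
    result = {}
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        result[sid] = "conditional" if "Condition" in stmt else "public"
    return result


if __name__ == "__main__":
    print(classify_public_statements(SAMPLE_BUCKET_POLICY))
```

Run against the sample, only "PublicRead" is reported as public and "VpcOnlyList" as conditional; the role-scoped grant and the TLS-enforcing Deny are correctly left alone.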
Network Security
• VPC Security
• Security Groups (stateful).
• NACLs (stateless).
• VPC Flow Logs for monitoring.
• AWS WAF & Shield
• WAF protects against SQLi/XSS.
• Shield Standard (free, always-on DDoS protection) & Shield Advanced (paid, enhanced detection and response).
Threat Detection & Monitoring
• CloudTrail – Logs all API activity.
• CloudWatch – Metrics, logs, alarms.
• GuardDuty – Threat intelligence-based anomaly detection.
• AWS Security Hub – Centralized compliance/security findings.
• Inspector – Automated vulnerability management.
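Worked example, added to these notes and not AWS code: a handful of SIEM-style detection rules run over CloudTrail records, to show what "logs all API activity" gives a defender in practice. The records are constructed; they use CloudTrail's real field names (eventName, eventSource, userIdentity, additionalEventData, requestParameters, eventID) with invented values, and the rules are simplified versions of checks commonly built in a SIEM or surfaced by GuardDuty and Security Hub.

```python
"""Run a few SIEM-style detection rules over CloudTrail records.

Added example, not AWS code. The records below are constructed: they use
CloudTrail's real field names (eventName, eventSource, userIdentity,
additionalEventData, requestParameters, eventID) but invented values.
Each rule is a simplified version of a common check: root account use,
console sign-in without MFA, trail tampering, and a security group rule
opened to 0.0.0.0/0 or ::/0.
"""
import json

# Constructed sample records (account ID, names and IDs are fake).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "evt-2", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "evt-3", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventID": "evt-4", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "evt-5", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops/eve"}},
]

# CloudTrail API calls that reduce or stop audit logging.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def detect(event):
    """Return the list of rule names that fire for one record (in a fixed order)."""
    hits = []
    identity = event.get("userIdentity", {})
    name = event.get("eventName")
    if identity.get("type") == "Root":
        hits.append("root-account-use")
    if (name == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        hits.append("console-login-without-mfa")
    if event.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        hits.append("trail-tampering")
    if name == "AuthorizeSecurityGroupIngress":
        # Search the request parameters as text so the check does not depend on
        # the exact nesting of ipPermissions; "0.0.0.0/0" or "::/0" means "anyone".
        params = json.dumps(event.get("requestParameters", {}))
        if "0.0.0.0/0" in params or "::/0" in params:
            hits.append("security-group-open-to-world")
    return hits


def run(events):
    """Return (eventID, rule) pairs in record order."""
    return [(e["eventID"], rule) for e in events for rule in detect(e)]


if __name__ == "__main__":
    for event_id, rule in run(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

In a real pipeline these records would arrive via CloudWatch Logs or an S3 delivery, and the rule output would become a finding in the SIEM or Security Hub; the rule bodies stay the same.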
Compliance
• AWS Artifact provides audit/compliance reports (ISO, SOC, HIPAA).
• Security Hub integrates CIS, PCI-DSS benchmarks.
3. Azure Security – Detailed Notes
Identity & Access Management
• Azure Active Directory (AAD)
• Central identity & SSO.
• Conditional Access Policies.
• Privileged Identity Management (PIM) – Just-in-Time (JIT) access.
• RBAC (Role-Based Access Control)
• Assign roles at subscription, resource group, or resource level.
Data Protection
• Azure Storage Security
• Shared Access Signatures (SAS) for temporary secure access.
• Encryption at Rest: Storage Service Encryption (SSE).
• Customer-managed keys with Azure Key Vault.
• Azure Disk Encryption (BitLocker & DM-Crypt integration).
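Worked example, added to these notes and not Microsoft code: an audit of Azure Storage SAS URLs against the kind of hygiene rules a reviewer applies to "temporary secure access". It parses the documented SAS query parameters (sv version, sr resource, sp permissions, st start, se expiry, spr protocol, sip allowed IPs, sig signature) and flags an expired or over-long lifetime, write/delete permissions, HTTP permitted, no IP restriction and container-wide scope. The 7-day lifetime limit is an assumed policy value, and the URLs are constructed samples with a dummy signature.

```python
"""Audit Azure Storage SAS URLs against simple hygiene rules.

Added example, not Microsoft code. It parses the documented SAS query
parameters (sv version, sr resource, sp permissions, st start, se expiry,
spr protocol, sip allowed IPs, sig signature) from a URL and reports what
a reviewer would raise. The 7-day lifetime limit is an assumed policy
value; the URLs below are constructed samples with a dummy signature.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed samples (storage account name and signature are fake).
TIGHT_SAS = ("https://examplestore.blob.core.windows.net/reports/q1.csv"
             "?sv=2022-11-02&sr=b&sp=r&st=2025-01-01T00:00:00Z&se=2025-01-02T00:00:00Z"
             "&spr=https&sip=203.0.113.0-203.0.113.255&sig=DUMMYSIG")
LOOSE_SAS = ("https://examplestore.blob.core.windows.net/reports"
             "?sv=2022-11-02&sr=c&sp=racwdl&se=2030-01-01T00:00:00Z&sig=DUMMYSIG")

# Fixed "current time" so the demo is reproducible.
DEMO_NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)


def parse_sas(url):
    """Return the SAS parameters as a flat dict (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _parse_time(value):
    # SAS times are ISO 8601 UTC: full timestamp, minutes only, or date only.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value}")


def audit_sas(url, now, max_lifetime=timedelta(days=7)):
    """Return a list of finding names; an empty list means nothing to flag."""
    p = parse_sas(url)
    if "sig" not in p or "se" not in p:
        return ["not-a-sas-url"]
    findings = []
    expiry = _parse_time(p["se"])
    if expiry <= now:
        findings.append("expired")
    elif expiry - now > max_lifetime:
        findings.append(f"lifetime-exceeds-{max_lifetime.days}d")
    if set(p.get("sp", "")) & set("wdac"):                  # write, delete, add, create
        findings.append("write-or-delete-permission")
    if "http" in p.get("spr", "https,http").split(","):     # omitted spr permits HTTP
        findings.append("http-allowed")
    if "sip" not in p:
        findings.append("no-ip-restriction")
    if p.get("sr") == "c":                                  # whole container, not one blob
        findings.append("container-scope")
    return findings


if __name__ == "__main__":
    print("tight:", audit_sas(TIGHT_SAS, DEMO_NOW))
    print("loose:", audit_sas(LOOSE_SAS, DEMO_NOW))
```

The same checks apply to SAS tokens found in code, config or logs; the comparison with RBAC is that a SAS carries its own permissions and expiry in the URL, so a leaked one is usable by anyone until it expires or the signing key is rotated, which is why short lifetimes and IP/protocol restrictions matter.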
Network Security
• NSGs (Network Security Groups)
• Inbound/Outbound rules (similar to Security Groups).
• Azure Firewall
• Stateful, threat intelligence-based.
• WAF (Web Application Firewall)
• Integrated with Application Gateway.
• DDoS Protection (Basic & Standard).
Threat Detection & Monitoring
• Azure Security Center / Defender for Cloud
• Posture management, compliance, and workload protection.
• Azure Sentinel (SIEM/SOAR)
• Cloud-native SIEM.
• Advanced analytics, hunting queries (KQL).
• Microsoft Defender XDR
• Extended detection across endpoints, identities, email, apps.
Compliance
• Azure Compliance Manager provides assessments for ISO, GDPR, HIPAA, etc.
4. Security Tools (Covered in Job Description)
• Nessus – Vulnerability management.
• Burp Suite – Web app security testing, OWASP Top 10 coverage.
• SIEM Tools – Log collection, correlation, detection.
• XDR – Extended detection across multiple domains.
• Web Security Gateway (WSG) – Monitors and controls web traffic.
📘 Part 2: 100 Cloud Security Questions & Answers
Section A: AWS Security
1. Q: What is AWS IAM?
A: AWS Identity and Access Management is a service to securely control access to AWS resources using policies, users, groups, and roles.
2. Q: Difference between Security Groups and NACLs in AWS?
A: Security Groups are stateful (return traffic automatically allowed), applied to instances. NACLs are stateless, applied at subnet level.
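Worked example, added to these notes and not AWS code, serving both this answer and the Part 1 Network Security bullets (Security Groups stateful, NACLs stateless): a simulation of one HTTPS request and its reply through a security group and through a network ACL. The security group remembers accepted flows, so the reply passes with no outbound rule; the NACL evaluates numbered rules lowest-first with first match winning and a trailing implicit deny, and judges the reply on its own, so the outbound rules must allow the client's ephemeral port. Addresses are documentation ranges and the rule sets are constructed.

```python
"""Simulate why a Security Group is stateful and a NACL is stateless.

Added example, not AWS code. A security group tracks accepted flows, so
the reply to an allowed inbound request passes without any outbound
rule. A network ACL evaluates numbered rules lowest-first, first match
wins, with an implicit deny at the end, and it judges the reply packet
on its own, so outbound rules must permit the client's ephemeral port.
Only TCP/UDP-style port matching is modelled; the addresses are
constructed documentation ranges.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


@dataclass
class SecurityGroup:
    inbound: list          # (proto, port, cidr) entries; security group rules only allow
    outbound: list
    _flows: set = field(default_factory=set)   # connection-tracking table

    @staticmethod
    def _match(rules, pkt, peer_ip):
        return any(proto == pkt.proto and port == pkt.dst_port and _in_cidr(peer_ip, cidr)
                   for proto, port, cidr in rules)

    def allow_inbound(self, pkt):
        if self._match(self.inbound, pkt, pkt.src_ip):
            # Remember the 5-tuple so the reply is recognised as part of this flow.
            self._flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False

    def allow_outbound(self, pkt):
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reply_of in self._flows or self._match(self.outbound, pkt, pkt.dst_ip)


@dataclass
class NetworkAcl:
    inbound: list          # (rule_no, proto, port_from, port_to, cidr, "allow"|"deny")
    outbound: list

    @staticmethod
    def _evaluate(rules, pkt, peer_ip):
        for _, proto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
            if proto in (pkt.proto, "all") and lo <= pkt.dst_port <= hi and _in_cidr(peer_ip, cidr):
                return action == "allow"        # first matching rule decides
        return False                            # the trailing '*' rule: deny

    def allow_inbound(self, pkt):
        return self._evaluate(self.inbound, pkt, pkt.src_ip)

    def allow_outbound(self, pkt):
        return self._evaluate(self.outbound, pkt, pkt.dst_ip)


def https_round_trip(filt):
    """(request allowed?, reply allowed?) for a client connecting to a web server."""
    request = Packet("203.0.113.7", "10.0.1.5", "tcp", src_port=51000, dst_port=443)
    reply = Packet("10.0.1.5", "203.0.113.7", "tcp", src_port=443, dst_port=51000)
    return filt.allow_inbound(request), filt.allow_outbound(reply)


def demo():
    web_in = [("tcp", 443, "0.0.0.0/0")]
    acl_in = [(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
    ephemeral_out = [(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
    return {
        "security_group": https_round_trip(SecurityGroup(web_in, [])),
        "nacl_missing_ephemeral_rule": https_round_trip(NetworkAcl(acl_in, [])),
        "nacl_with_ephemeral_rule": https_round_trip(NetworkAcl(acl_in, ephemeral_out)),
        # A lower-numbered deny for the client's /24 wins over the allow at 100;
        # the reply is still judged on its own and passes the outbound rules.
        "nacl_deny_before_allow": https_round_trip(NetworkAcl(
            [(90, "tcp", 443, 443, "203.0.113.0/24", "deny")] + acl_in, ephemeral_out)),
    }


if __name__ == "__main__":
    for name, (req, rep) in demo().items():
        print(f"{name:30} request={req!s:5} reply={rep}")
```

The "nacl_missing_ephemeral_rule" case is the classic troubleshooting scenario: the request reaches the server, but the reply is dropped at the subnet boundary because nothing in the outbound NACL permits ports 1024-65535.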
3. Q: What is AWS GuardDuty used for?
A: A threat detection service that uses ML and threat intel to identify suspicious activity in AWS accounts.
4. Q: How does AWS KMS secure data?
A: It provides centralized key management with automatic rotation, encryption APIs, and integration with AWS services.
5. Q: Explain S3 Block Public Access.
A: A feature to prevent accidental public exposure of data stored in S3 buckets.
6. Q: What is AWS Inspector?
A: An automated vulnerability management service that scans EC2 instances and containers for CVEs.
7. Q: What’s the difference between AWS Shield Standard and Advanced?
A: Standard offers free DDoS protection. Advanced provides enhanced detection, response, and SLA-backed support.
8. Q: How does AWS CloudTrail differ from CloudWatch?
A: CloudTrail logs API activity; CloudWatch monitors performance metrics and system logs.
9. Q: How can you secure EC2 instance access?
A: Use key pairs, IAM roles, restrict SSH/RDP via Security Groups, enable SSM Session Manager.
10. Q: What is AWS Security Hub?
A: A unified dashboard that aggregates security findings from multiple AWS services and partner tools.
Section B: Azure Security
1. Q: What is Azure Active Directory?
A: Cloud-based identity and access management service for authentication, authorization, and SSO.
2. Q: What is Privileged Identity Management (PIM)?
A: Service for just-in-time admin access and reducing standing privileges in Azure AD.
3. Q: What are Azure NSGs?
A: Network Security Groups are rule sets controlling inbound and outbound traffic for VMs/subnets.
4. Q: Difference between Azure Firewall and NSG?
A: NSG controls traffic at subnet/VM level. Azure Firewall is a fully managed stateful firewall with advanced filtering.
5. Q: What is Azure Sentinel?
A: A cloud-native SIEM and SOAR for centralized log collection, analysis, and threat detection.
6. Q: What is Azure Key Vault used for?
A: Secure storage and management of keys, secrets, and certificates.
7. Q: How does Azure DDoS protection work?
A: Provides real-time traffic monitoring and automatic mitigation against volumetric, protocol, and application layer DDoS attacks.
8. Q: What’s the difference between SAS tokens and RBAC in Azure Storage?
A: SAS tokens provide time-bound delegated access. RBAC assigns roles to users for broader access control.
9. Q: What is Azure Security Center (Defender for Cloud)?
A: A service for security posture management, compliance reporting, and workload protection.
10. Q: How can Conditional Access improve security?
A: By enforcing policies like MFA, location restrictions, or device compliance before granting access.
Section C: General Cloud Security
1. Q: What is the Shared Responsibility Model?
A: A model defining which security tasks are handled by the cloud provider vs. the customer.
2. Q: What are OWASP Top 10 vulnerabilities?
A: The 10 most critical web app security risks (SQLi, XSS, CSRF, etc.).
3. Q: What is a SIEM tool used for?
A: Collects, normalizes, and analyzes logs to detect security incidents.
4. Q: What is XDR?
A: Extended Detection and Response, providing detection across endpoints, cloud, email, and network.
5. Q: How does vulnerability scanning differ from penetration testing?
A: Scanning identifies potential flaws; penetration testing actively exploits them.
(Full list continues up to 100 questions in final PDF – includes deep dives into IAM, Encryption, WAF, SIEM, XDR, Nessus, Burp Suite, and Compliance)