Course Outline

AWS Security

Module 1: Identity & Access Management Basics

Services Covered:

    • IAM, IAM Roles, IAM Policies, STS

Lab Task:

  • Create IAM users with different permissions
  • Configure IAM roles and trust policies
  • Use STS to assume roles and temporary credentials
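The trust-policy half of this lab is where most real-world mistakes happen (a `Principal` of `"*"`, or a cross-account trust with no `sts:ExternalId`). The script below is an added example for this course outline, not course material: it builds a trust policy for the role, pairs it with a least-privilege permissions policy, and runs a small pre-flight lint before you hand the documents to `aws iam create-role`. The account IDs, the bucket name `app-artifacts` and the external ID are placeholders.

```python
import fnmatch
import json
from typing import List, Optional

# Placeholder identifiers for the example; substitute your own.
OWN_ACCOUNT = "111111111111"
PARTNER_ACCOUNT = "222222222222"
EXTERNAL_ID = "7f3c1b9e-example-external-id"  # unique per trust relationship, not a secret


def build_trust_policy(trusted_account: str, external_id: Optional[str] = None,
                       require_mfa: bool = False) -> dict:
    """Trust policy allowing principals in `trusted_account` to assume the role.

    sts:ExternalId closes the confused-deputy hole when a third party assumes the role;
    aws:MultiFactorAuthPresent only makes sense for human callers, never for
    service-to-service roles (their sessions carry no MFA and would be locked out)."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy: dict, own_account: str) -> List[str]:
    """Flag patterns that should never reach production. Only the four checks below are
    implemented; this is a pre-flight check, not a replacement for IAM Access Analyzer."""
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        condition_text = json.dumps(st.get("Condition", {}))
        # A trust policy naming "*" lets any AWS principal on the internet assume the role.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: Principal '*' makes the role publicly assumable")
        # Cross-account trust without sts:ExternalId is a confused-deputy risk.
        for arn in _as_list(principal.get("AWS") if isinstance(principal, dict) else None):
            parts = arn.split(":")
            account = parts[4] if len(parts) >= 6 else ""
            if account and account != own_account and "sts:ExternalId" not in condition_text:
                findings.append(f"statement {i}: trusts account {account} without sts:ExternalId")
        # Admin-equivalent grants in a permissions policy.
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: Action '*' on Resource '*' is full admin")
        elif any(fnmatch.fnmatchcase("iam:PassRole", a) for a in actions) and "*" in resources:
            findings.append(f"statement {i}: iam:PassRole on Resource '*' enables privilege escalation")
    return findings


# Least-privilege permissions policy for the role: read one bucket, nothing else.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::app-artifacts", "arn:aws:s3:::app-artifacts/*"],
    }],
}

if __name__ == "__main__":
    trust = build_trust_policy(PARTNER_ACCOUNT, external_id=EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", lint_policy(trust, OWN_ACCOUNT))
    print("permissions policy findings:", lint_policy(PERMISSIONS_POLICY, OWN_ACCOUNT))
```

Once the lint is clean, the role is created with the trust document and the permissions document as two separate inputs (`create-role --assume-role-policy-document` and `put-role-policy`), and the partner assumes it with `aws sts assume-role --external-id` and the same value; leaving `--external-id` off must fail with AccessDenied, which is the check worth repeating in the lab.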

Module 2: Securing Access with Federation & SSO

Services Covered:

    • IAM Identity Center (SSO), Cognito, STS

Lab Task:

  • Integrate IAM Identity Center with Google Workspace
  • Set up a Cognito user pool with a hosted UI
  • Use STS for federated access

Module 3: Data Protection at Rest

Services Covered:

    • KMS, S3 Encryption, EBS Encryption, Secrets Manager

Lab Task:

  • Create and manage a KMS key
  • Enable default encryption for an S3 bucket
  • Encrypt an EBS volume
  • Store secrets securely using Secrets Manager

Module 4: Data Protection in Transit

Services Covered:

    • ACM, CloudFront, ELB, HTTPS Configuration

Lab Task:

  • Issue and attach an SSL/TLS cert using ACM
  • Configure HTTPS on an Application Load Balancer
  • Use CloudFront to deliver encrypted content

Module 5: VPC Security Fundamentals

Services Covered:

    • VPC, NACLs, Security Groups, VPC Peering

Lab Task:

  • Launch EC2 with secure SG & NACL rules
  • Configure VPC peering between two VPCs
  • Test traffic flow and restrictions

Module 6: Monitoring and Threat Detection

Services Covered:

    • CloudTrail, GuardDuty, CloudWatch, Config

Lab Task:

  • Create a multi-region trail so CloudTrail covers every region, including ones you do not use
  • Enable GuardDuty and analyze findings
  • Set up CloudWatch alarms for security events
  • Use AWS Config to detect non-compliant resources
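The "CloudWatch alarms for security events" task, and the DevSecOps Module 6 task of alerting on suspicious IAM activity, both come down to a handful of detections over CloudTrail records. The script below is an added example written for this outline (not course material) that runs those detections over a constructed batch of records in CloudTrail's field layout, so you can see exactly which fields each rule keys on before you turn it into a metric filter or a Lambda subscribed to the log group. The account id, user names and trail name are placeholders.

```python
import json
from collections import Counter
from typing import List, Tuple

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DETECTOR_TAMPERING = {"DeleteDetector", "DisableSecurityHub", "DeleteMembers"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
Finding = Tuple[str, str, str]  # (rule, event id or summary, principal)


def load_records(text: str) -> list:
    """Accept a CloudTrail log file ({"Records": [...]}) or one JSON record per line."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    return doc.get("Records", [doc]) if isinstance(doc, dict) else doc


def detect(records: list, denied_threshold: int = 3) -> List[Finding]:
    """Apply CIS-style CloudTrail detections to a batch of records."""
    findings: List[Finding] = []
    denied: Counter = Counter()
    for r in records:
        name = r.get("eventName", "")
        ident = r.get("userIdentity", {})
        principal = ident.get("arn") or ident.get("type", "unknown")
        eid = r.get("eventID", "?")
        params = r.get("requestParameters") or {}
        # 1. Root account usage (the CIS filter excludes actions AWS services take as root).
        if ident.get("type") == "Root" and not ident.get("invokedBy") \
                and r.get("eventType") != "AwsServiceEvent":
            findings.append(("RootActivity", eid, principal))
        # 2. Successful console sign-in without MFA.
        if name == "ConsoleLogin" and (r.get("responseElements") or {}).get("ConsoleLogin") == "Success" \
                and (r.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            findings.append(("ConsoleLoginWithoutMFA", eid, principal))
        # 3. Someone switching off or narrowing the audit trail.
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("CloudTrailTampering", eid, principal))
        # 4. Disabling GuardDuty or Security Hub.
        if name in DETECTOR_TAMPERING:
            findings.append(("DetectionTampering", eid, principal))
        # 5. AdministratorAccess attached to any user, group or role.
        if name in {"AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy"} \
                and params.get("policyArn") == ADMIN_POLICY_ARN:
            findings.append(("AdminPolicyAttached", eid, principal))
        # 6. An access key minted for a user other than the caller (classic persistence).
        if name == "CreateAccessKey" and params.get("userName") \
                and params.get("userName") != ident.get("userName"):
            findings.append(("AccessKeyForOtherUser", eid, principal))
        # 7. Count authorization failures per principal for the burst rule below.
        if r.get("errorCode") in DENIED_CODES:
            denied[principal] += 1
    for principal, n in denied.items():
        if n >= denied_threshold:
            findings.append(("AccessDeniedBurst", f"{n} denied calls", principal))
    return findings


ACCT = "111111111111"  # placeholder account id
ALICE = {"type": "IAMUser", "userName": "alice", "arn": f"arn:aws:iam::{ACCT}:user/alice"}
MALLORY = {"type": "IAMUser", "userName": "mallory", "arn": f"arn:aws:iam::{ACCT}:user/mallory"}
SAMPLE_RECORDS = [  # constructed in CloudTrail's field layout for the demo; not real log data
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventType": "AwsConsoleSignIn", "userIdentity": ALICE,
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": ALICE, "requestParameters": {"name": "org-trail"}},
    {"eventID": "e4", "eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": ALICE,
     "requestParameters": {"userName": "bob", "policyArn": ADMIN_POLICY_ARN}},
    {"eventID": "e5", "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": ALICE, "requestParameters": {"userName": "bob"}},
] + [
    {"eventID": f"e{6 + i}", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": MALLORY, "errorCode": "Client.UnauthorizedOperation"}
    for i in range(3)
]
SAMPLE_LOG_TEXT = json.dumps({"Records": SAMPLE_RECORDS})  # the same batch in log-file form

if __name__ == "__main__":
    for finding in detect(load_records(SAMPLE_LOG_TEXT)):
        print(finding)
```

Rule 1 is the same predicate as the CIS Benchmark metric filter for root usage, `{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }`; once CloudTrail is delivering to a CloudWatch Logs group, each rule above maps to one metric filter plus one alarm with a threshold of 1.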

Module 7: Logging and Security Analytics

Services Covered:

    • CloudTrail, CloudWatch Logs, Athena, S3, Macie

Lab Task:

  • Send CloudTrail logs to CloudWatch and S3
  • Query logs using Athena
  • Enable Macie and review sensitive data findings

Module 8: Incident Response

Services Covered:

    • IAM, CloudTrail, Lambda, SNS

Lab Task:

  • Simulate access key compromise and detect via CloudTrail
  • Create Lambda function to auto-disable compromised keys
  • Send alerts using SNS
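A responder function that deactivates a compromised key and pages the team, as an added example for this lab (not course material). It is written as the target of an EventBridge rule matching `{"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}`, so the input is a GuardDuty finding in its EventBridge envelope; the finding below is constructed for the demo, the topic ARN is a placeholder, and the key id is the one AWS uses in its own documentation. The `iam` and `sns` parameters exist so the handler can be exercised with recording fakes before it is deployed; in Lambda they default to real boto3 clients.

```python
import json
import os

# Placeholder topic ARN; in the deployed function set ALERT_TOPIC_ARN in the environment.
DEFAULT_TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:security-alerts"


def lambda_handler(event: dict, context=None, iam=None, sns=None) -> dict:
    """EventBridge target for GuardDuty findings that involve an IAM access key.

    `iam` and `sns` default to real boto3 clients; tests inject recording fakes."""
    if iam is None or sns is None:
        import boto3  # imported lazily so the module also loads where boto3 is absent
        iam = iam or boto3.client("iam")
        sns = sns or boto3.client("sns")
    detail = event.get("detail", {})
    key = detail.get("resource", {}).get("accessKeyDetails", {})
    key_id, user, user_type = key.get("accessKeyId"), key.get("userName"), key.get("userType")
    finding_type = detail.get("type", "unknown")
    severity = detail.get("severity", 0)

    if user_type == "IAMUser" and key_id and user:
        # Deactivate, do not delete: the key and its CloudTrail history stay available to
        # the investigation, and the action is reversible if the finding is a false positive.
        iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
        action = "key_deactivated"
    else:
        # Temporary credentials from an assumed role or the root user cannot be switched off
        # with UpdateAccessKey; those need a deny policy or session revocation by a human.
        action = "manual_review_required"

    report = {
        "action": action,
        "findingType": finding_type,
        "severity": severity,
        "accessKeyId": key_id,
        "userName": user,
        "userType": user_type,
        "findingId": detail.get("id"),
        "account": detail.get("accountId"),
    }
    sns.publish(
        TopicArn=os.environ.get("ALERT_TOPIC_ARN", DEFAULT_TOPIC_ARN),
        Subject=f"[GuardDuty sev {severity}] {finding_type}"[:100],  # SNS caps Subject at 100 chars
        Message=json.dumps(report, indent=2),
    )
    return report


class RecordingClient:
    """Stand-in for a boto3 client: records every call instead of talking to AWS."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


# Constructed GuardDuty finding in EventBridge envelope form (not a real finding).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "finding-example-0001",
        "accountId": "111111111111",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "severity": 8,
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",  # AWS documentation example key id
                "userName": "ci-deploy",
                "userType": "IAMUser",
            },
        },
    },
}

if __name__ == "__main__":
    iam, sns = RecordingClient(), RecordingClient()
    print(json.dumps(lambda_handler(SAMPLE_EVENT, iam=iam, sns=sns), indent=2))
    print(iam.calls, sns.calls)
```

The function's execution role needs only `iam:UpdateAccessKey` and `sns:Publish` on the one topic; giving it `iam:*` turns the responder into the next thing worth compromising. For the "simulate" half of the lab, the same handler can be driven from the detections you wrote against CloudTrail instead of from GuardDuty, as long as whatever calls it supplies the key id and user name in the same place.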

Module 9: Application & Network Layer Security

Services Covered:

    • WAF, Shield, API Gateway, Cognito, ALB

Lab Task:

  • Deploy WAF rules on CloudFront or ALB
  • Protect APIs using API Gateway with Cognito Auth
  • Review the protections AWS Shield Standard applies automatically (it is always on at no charge; Shield Advanced is the opt-in tier)

Module 10: Compliance & Governance

Services Covered:

    • Organizations, SCPs, AWS Config, Trusted Advisor

Lab Task:

  • Create an Organization and apply SCPs
  • Use Config Rules to enforce tagging policy
  • Run Trusted Advisor checks

AWS DevSecOps

Module 1: Introduction to DevSecOps & AWS Fundamentals

Topics:

    • What is DevSecOps?
    • DevOps vs DevSecOps
    • AWS Shared Responsibility Model
    • Key AWS Services in DevSecOps

Lab Task:

  • Create a free-tier AWS account
  • Set up AWS CLI and IAM user with MFA

Module 2: Identity & Access Management (IAM) for DevSecOps

Topics:

    • IAM Users, Roles, and Policies
    • IAM Best Practices
    • Permissions Boundaries & Service Control Policies (SCPs)

Lab Task:

  • Create IAM roles for CI/CD pipelines
  • Implement least privilege with IAM policies
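Least privilege for a pipeline role is the intersection of three documents: the SCPs on the account's OU path (AWS Security Module 10), the permissions boundary the platform team attaches, and the role's own identity policy. The evaluator below is an added example for this outline, not course material or the real IAM engine: it implements the ordering IAM uses (explicit deny first, then SCPs, then boundary, then identity policy) for `Action`/`NotAction`/`Resource` matching and ignores `Condition` blocks and resource-based policies. The SCP, boundary and role policy are constructed for a hypothetical deploy role; the bucket name `app-artifacts` and account id are placeholders.

```python
import fnmatch
from typing import Iterable, Optional


def _as_list(value) -> list:
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(patterns: Iterable[str], value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy: Optional[dict], action: str, resource: str) -> str:
    """Decision of one policy document: 'Deny', 'Allow' or 'Implicit'. Conditions are ignored."""
    if policy is None:
        return "Implicit"
    decision = "Implicit"
    for st in _as_list(policy.get("Statement")):
        if st.get("NotAction") is not None:
            action_hit = not _matches(_as_list(st["NotAction"]), action)
        else:
            action_hit = _matches(_as_list(st.get("Action")), action)
        resource_hit = _matches(_as_list(st.get("Resource", "*")), resource)
        if not (action_hit and resource_hit):
            continue
        if st.get("Effect") == "Deny":
            return "Deny"  # an explicit deny in any matching statement is final
        decision = "Allow"
    return decision


def is_allowed(action: str, resource: str, identity_policy: dict,
               scp_levels: Iterable[Iterable[dict]] = (), boundary: Optional[dict] = None) -> bool:
    """Simplified decision for an IAM principal in an Organizations member account.
      1. An explicit Deny anywhere is final.
      2. At every level of the OU path (root, each OU, the account) at least one attached SCP
         must Allow; SCPs attached at the same level are unioned, which is why the default
         FullAWSAccess plus deny-only guardrails is the usual pattern.
      3. The permissions boundary, if one is attached, must Allow.
      4. The identity policy must Allow; anything else is an implicit deny."""
    for level in scp_levels:
        decisions = [evaluate(p, action, resource) for p in level]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    if boundary is not None and evaluate(boundary, action, resource) != "Allow":
        return False
    return evaluate(identity_policy, action, resource) == "Allow"


# Constructed sample policies for a hypothetical CI/CD deploy role in a member account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}  # default SCP
GUARDRAIL_SCP = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "guardduty:DeleteDetector",
               "organizations:LeaveOrganization"],
    "Resource": "*",
}]}
PIPELINE_BOUNDARY = {"Statement": [{  # ceiling the platform team sets for every pipeline role
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "logs:*"],
    "Resource": "*",
}]}
DEPLOY_ROLE_POLICY = {"Statement": [{  # what the team actually asked for
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::app-artifacts", "arn:aws:s3:::app-artifacts/*"],
}]}
OU_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, GUARDRAIL_SCP]]  # root level, then the workloads OU


def deploy_role_allows(action: str, resource: str) -> bool:
    return is_allowed(action, resource, DEPLOY_ROLE_POLICY, scp_levels=OU_PATH, boundary=PIPELINE_BOUNDARY)


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-artifacts/build/app.zip"),
                     ("s3:DeleteObject", "arn:aws:s3:::app-artifacts/build/app.zip"),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/x"),
                     ("cloudtrail:StopLogging", "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail")]:
        print(f"{act:24} {res:60} {deploy_role_allows(act, res)}")
```

The second case is the one to notice: the role policy says `s3:*`, yet `s3:DeleteObject` is refused because the boundary never allowed it. That is the whole point of a boundary in a pipeline account: developers can write their own role policies without being able to exceed the ceiling. The last case shows a guardrail SCP overriding even an administrator identity policy.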

Module 3: DevSecOps CI/CD with CodePipeline

Topics:

    • CI/CD Overview in AWS
    • AWS CodeCommit, CodeBuild, CodePipeline
    • Securing the CI/CD pipeline

Lab Task:

  • Build a CI/CD pipeline using CodeCommit → CodeBuild → CodeDeploy (CodeCommit is closed to new AWS customers; an external Git provider connected through AWS CodeConnections fills the same source stage)
  • Integrate IAM roles for secure access

Module 4: Infrastructure as Code (IaC) with Security in Mind

Topics:

    • Introduction to AWS CloudFormation & Terraform
    • Secure secrets handling with AWS SSM & Secrets Manager
    • Validation & scanning (cfn-lint, tfsec; tfsec has since been merged into Trivy, which runs the same checks)

Lab Task:

  • Deploy a secure EC2 instance using Terraform/CloudFormation
  • Store and retrieve secrets securely

Module 5: Container Security with ECS & EKS

Topics:

    • ECS vs EKS Overview
    • Container image scanning (ECR basic scanning, and enhanced scanning backed by Amazon Inspector)
    • IAM roles for service accounts in EKS

Lab Task:

  • Deploy a Docker app in ECS with secure task roles
  • Scan ECR image for vulnerabilities

Module 6: Security Monitoring and Logging

Topics:

    • AWS CloudTrail, CloudWatch, Config
    • Amazon GuardDuty, Security Hub, and Inspector
    • Logging best practices
    • Amazon Detective for advanced threat investigation

Lab Task:

  • Enable CloudTrail and GuardDuty
  • Create an alert on suspicious IAM activity via CloudWatch
  • Use Detective to trace an IAM anomaly detected by GuardDuty

Module 7: Secrets, Parameters, and Key Management

Topics:

    • AWS Secrets Manager vs SSM Parameter Store
    • Encryption with KMS
    • Auditing and rotation policies
    • Envelope encryption: a KMS key (formerly called a CMK) wraps the data encryption key (DEK) that actually encrypts the data

Lab Task:

  • Store secrets in Secrets Manager
  • Use KMS to encrypt an S3 bucket
  • Encrypt/decrypt data manually with KMS CLI

Module 8: DevSecOps Automation & Compliance

Topics:

    • AWS Config rules and Conformance Packs
    • Automating security checks with Lambda
    • CIS Benchmarks & AWS Trusted Advisor

Lab Task:

  • Set up Config rules to enforce tagging compliance
  • Auto-remediate non-compliant resources using Lambda
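The tagging rule in this lab and in AWS Security Module 10 can be done with the managed `required-tags` rule, but writing it as a custom Lambda-backed Config rule shows the contract a rule has to honour: parse `invokingEvent`, read `ruleParameters`, and report one evaluation per resource through `PutEvaluations`. The code below is an added example for this outline (not course material). It treats each rule parameter as a regex the tag value must fully match, which is how value validation such as "Environment must be dev, test or prod" gets enforced. The configuration item, the resource id and the result token are constructed for the demo; `config` defaults to a boto3 client in Lambda and is replaced by a fake here.

```python
import json
import re
from typing import Dict, Optional, Tuple


def evaluate_tags(tags: Dict[str, str], required: Dict[str, Optional[str]]) -> Tuple[str, str]:
    """`required` maps a tag key to a regex its value must fully match (None = any non-empty value).
    Returns (ComplianceType, Annotation). Config caps Annotation at 256 characters."""
    problems = []
    for key, pattern in required.items():
        if key not in tags or tags[key] == "":
            problems.append(f"missing tag {key}")
        elif pattern and not re.fullmatch(pattern, tags[key]):
            problems.append(f"tag {key}={tags[key]!r} does not match /{pattern}/")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)[:256]
    return "COMPLIANT", "all required tags present"


def lambda_handler(event: dict, context=None, config=None) -> Optional[dict]:
    """Custom AWS Config rule (configuration-change trigger) reporting one evaluation per resource."""
    if config is None:
        import boto3  # lazy import so the module loads without boto3 installed
        config = boto3.client("config")
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:  # periodic (scheduled) invocations carry no configuration item
        return None
    # Rule parameters arrive as a JSON string of key/value strings; "" means "any value".
    params = json.loads(event.get("ruleParameters") or "{}")
    required = {key: (value or None) for key, value in params.items()}
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        compliance, note = evaluate_tags(item.get("tags") or {}, required)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class FakeConfig:
    """Stand-in for the boto3 Config client; records put_evaluations calls."""
    def __init__(self):
        self.evaluations = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.evaluations.extend(Evaluations)
        return {"FailedEvaluations": []}


# Constructed Config event: an EC2 instance missing Owner and with a non-standard Environment.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "tags": {"Environment": "production", "DataClassification": "internal"},
        },
    }),
    "ruleParameters": json.dumps({"Owner": ".+", "Environment": "dev|test|prod",
                                  "DataClassification": "public|internal|confidential"}),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    fake = FakeConfig()
    print(json.dumps(lambda_handler(SAMPLE_EVENT, config=fake), indent=2))
```

The Annotation is what shows up in the Config console and in the remediation step, so it names every failing key rather than stopping at the first. For the auto-remediation half of the lab, attach a Config remediation action (an SSM Automation document or a second Lambda) to the rule; the function's own role needs only `config:PutEvaluations`.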

Module 9: Real-World DevSecOps Project

Topics:

    • Combine CI/CD, IaC, and Security Tools
    • End-to-end DevSecOps flow in a real AWS environment

Lab Task:

  • Build a full pipeline: Secure deployment of a web app using Terraform, CodePipeline, GuardDuty, Secrets Manager, and CloudTrail

Module 10: Final Assessment & Certification Guidance

  • Review key concepts
  • Tips for the AWS Certified Security - Specialty and AWS Certified DevOps Engineer - Professional exams
  • Practice questions & project submission