Skip to main content

Topic 10: Cloud Security Fundamentals Capstone

Demonstrate your cloud security knowledge by implementing a comprehensive security monitoring and incident response system. You'll add enterprise-grade security to the infrastructure you've built throughout this course, securing the Journal API application that has evolved from Phase 2 through Phase 4.

Capstone Steps

Note: If you haven't completed previous phases, you can deploy any simple web application (e.g., a basic Flask/Express app, WordPress, or even a static website) as your target infrastructure to secure.

1. Secure the Infrastructure

Take your existing cloud infrastructure (from Phase 3's deployment or Phase 4's containerized/Kubernetes setup) and add the following security controls:

  • Configure IAM roles following least privilege principle
  • Implement network segmentation with proper security groups/NACLs
  • Enable encryption for all data at rest (databases, object storage)
  • Set up secure secrets management (AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager)
  • Configure secure logging (CloudTrail/Azure Activity Log/GCP Cloud Logging)

2. Implement Security Monitoring

Set up comprehensive security monitoring:

  • Deploy a SIEM solution (AWS Security Hub, Azure Sentinel, or GCP Security Command Center)
  • Configure security alerts for:
    • Failed authentication attempts
    • Unauthorized API calls
    • Security group modifications
    • Public resource exposure
    • Anomalous user behavior
  • Create a security dashboard showing:
    • Current security posture score
    • Active threats/alerts
    • Compliance status
    • Resource inventory

3. Build Automated Incident Response

Create automated responses to common security events:

  • Exposed S3 Bucket/Storage: Automatically make private and notify team
  • Suspicious IAM Activity: Disable user/key and create incident ticket
  • DDoS Detection: Enable rate limiting and scale resources
  • Compromised Instance: Isolate instance, snapshot for forensics, terminate

Example automation structure:

Event Detection → Lambda/Function/Cloud Function → Response Action → Notification

4. Demonstrate and Document

Create a demonstration showing:

  • Trigger each security event intentionally
  • Show automated response in action
  • Display alerts and notifications
  • Generate incident report
  • Document lessons learned and improvements

Include in your documentation:

  • Architecture diagram with security controls
  • Runbook for each incident type
  • Cost analysis of security implementation
  • Recommendations for future improvements

Example Project Structure

/secure-journal-app
  /security             # Security policies and configurations
    /iam               # IAM roles and policies
    /siem              # SIEM configurations and dashboards
    /incident-response # Lambda functions for automated responses
  /monitoring          # Security monitoring configs
    /alerts            # Alert definitions
    /dashboards        # Grafana/CloudWatch dashboards
  /docs                # Documentation
    /runbooks          # Incident response runbooks
    /architecture      # Security architecture diagrams
  /terraform           # IaC for security resources
  README.md

Testing & Validation

  • Intentionally expose an S3 bucket publicly—verify it's automatically secured within minutes
  • Attempt unauthorized API calls—confirm alerts are generated and logged
  • Modify a security group to allow all traffic—verify automated remediation
  • Generate failed login attempts—check SIEM dashboard shows the activity
  • Run a security scan against your infrastructure—verify all controls are in place
  • Review CloudTrail/audit logs to ensure all actions are being logged

Success Criteria

  • All infrastructure follows security best practices
  • Monitoring detects and alerts on security events within 5 minutes
  • Automated responses execute without manual intervention
  • Clear documentation allows others to replicate your setup
  • Total monthly cost stays under $50 (use free tiers where possible)

Skills Checklist

  • IAM configuration with least privilege
  • Network security (security groups, NACLs, segmentation)
  • Encryption at rest and in transit
  • Secrets management implementation
  • Security logging and audit trails
  • SIEM deployment and configuration
  • Security alerting and monitoring
  • Automated incident response workflows
  • Security documentation and runbooks
  • Compliance and security posture assessment

Next Steps

After completing this capstone, you'll have demonstrated comprehensive cloud security skills by implementing enterprise-grade security controls, monitoring, and incident response. This project showcases your ability to secure cloud infrastructure and automate security operations—essential skills for any cloud role and particularly valuable for security-focused positions!