This content is open to everyone — sign in to save your progress, earn points, and unlock module exams.
Unit 4 of Cloud
Data protection mechanisms for cloud services: encryption at rest and in transit, data redaction, tokenisation, obfuscation, PKI and key management in cloud environments, assuring data deletion, and enforcing access control for cloud infrastructure services.
Learning outcomes
Symmetric/asymmetric encryption, AES modes, envelope encryption, data states, and post-quantum standards.
Certificate trust hierarchy, PKI operations, cloud-native PKI services, key lifecycle, and KMS vs HSM.
Redaction patterns, tokenization mechanics, obfuscation techniques, and cryptographic erasure.
The IAM subject/action/resource/condition model, RBAC vs ABAC vs JIT, and the mistakes found in every cloud audit.
20 multiple-choice questions on data protection in the cloud.
Architecture and tooling for managing database passwords, API keys, and certificates in cloud — AWS Secrets Manager, SSM Parameter Store, HashiCorp Vault, and Kubernetes External Secrets Operator.
Why standing privilege is dangerous, JIT access patterns using STS AssumeRole and IAM Identity Center, session recording, break-glass procedures, and PAM metrics.
DLP architecture for cloud — Macie for S3, CASB for SaaS, dynamic data masking for databases, and the DPDP Act 2023 breach notification trigger.
RTO and RPO as security design parameters, the 3-2-1-1-0 backup rule, S3 Object Lock for immutable backups, AWS DR patterns, and CERT-In compliant log retention.