Cloud Certification Mastery Labs

Comprehensive hands-on labs aligned with CompTIA Cloud+, CloudNetX, and CCSP certification objectives. Master cloud deployment, networking, security, operations, and governance across AWS, Azure, and GCP platforms.

Certification Alignment: All labs in Modules 1-10 are meticulously mapped to CompTIA Cloud+ (CV0-004), CompTIA CloudNetX (CNX-001), and (ISC)² CCSP certification objectives, ensuring comprehensive exam preparation.

Cloud Certification Labs - Module 10

Master cloud technologies with labs aligned to industry-leading certifications


Lab 28: Container Orchestration with AWS EKS & Kubernetes
Cloud+ / Expert
Scenario: Microservices Containerization for E-Commerce Platform
ShopStream Inc. is modernizing its monolithic e-commerce application into containerized microservices. Deploy and manage a production Kubernetes cluster using AWS EKS (Elastic Kubernetes Service). Configure container networking, implement service mesh with Istio, set up Horizontal Pod Autoscaler (HPA), configure persistent storage with EBS CSI driver, implement secrets management with AWS Secrets Manager, and establish container image scanning with ECR. Target: 99.9% service availability, < 5 second pod startup, auto-scale from 3 to 50 pods.

Cloud+ Exam Objectives (CV0-004):

  • 1.1 Cloud Service Models: Container-as-a-Service (CaaS), container runtimes
  • 1.3 Container Orchestration: Kubernetes, pods, services, deployments
  • 2.2 Networking: Container networking, service mesh, ingress controllers
  • 3.2 Scaling: Horizontal Pod Autoscaler, cluster autoscaling
  • 4.2 Secrets Management: ConfigMaps, secrets, external secret stores
  • 4.5 Image Security: Container scanning, signed images, admission control

Container Orchestration Step-by-Step Instructions

  1. Create EKS Cluster with Managed Node Groups
    Amazon EKS provides a managed Kubernetes control plane. Managed node groups automate node provisioning, updates, and scaling: you configure the cluster, and AWS handles the infrastructure.
    In EKS Console (right panel):
    1. Click the "Cluster" tab at the top
    2. In the "Cluster name" field, type: shopstream-prod
    3. In the "Kubernetes version" dropdown, select "1.29 (Latest)"
    4. Under "Cluster endpoint access", select "Public and private"
    5. Under "VPC Configuration":
        Select subnets in at least 2 AZs
        Enable "Configure security groups"
    6. Under "Node Group":
        Instance type: "m5.large" (2 vCPU, 8GB RAM)
        Desired size: 3, Min: 2, Max: 10
    7. Check "Enable cluster autoscaler"
    8. Click "Create Cluster" button
    Cloud+ Concept: EKS abstracts control plane management. You pay $0.10/hour per cluster plus EC2 costs for worker nodes. A Fargate profile eliminates node management entirely.
  2. Configure Container Registry (ECR) with Image Scanning
    Amazon ECR stores Docker container images. Enable image scanning to automatically detect vulnerabilities (CVEs) before deployment. Immutable tags prevent image overwrites.
    ECR Configuration:
    1. Click "Registry" tab
    2. In the "Repository name" field, type: shopstream/api-service
    3. Check "Enable scan on push"
    4. Check "Enable image tag immutability"
    5. Under "Encryption":
        Select "KMS encryption"
        Choose customer-managed key
    6. Create additional repositories:
        shopstream/web-frontend
        shopstream/cart-service
        shopstream/payment-service
    7. Click "Create Repositories"
    Security: Block deployments with CRITICAL/HIGH vulnerabilities. Configure lifecycle policies to delete untagged images after 14 days to reduce costs.
  3. Deploy Microservices with Kubernetes Deployments
    Kubernetes Deployments manage pod replicas, rolling updates, and rollbacks. You define the desired state in YAML and Kubernetes maintains it automatically; ReplicaSets ensure the running pod count matches the specification.
    Deployment Configuration:
    1. Click "Workloads" tab
    2. For "API Service" deployment:
        Name: api-service
        Replicas: 3
        Container image: ECR URI from step 2
        Container port: 8080
        CPU request: 250m, limit: 500m
        Memory request: 256Mi, limit: 512Mi
    3. Configure liveness probe: HTTP GET /health on port 8080
    4. Configure readiness probe: HTTP GET /ready on port 8080
    5. Set rolling update strategy: maxSurge=1, maxUnavailable=0
    6. Click "Deploy"
    Resource Requests vs Limits: Requests are what the scheduler reserves for a pod and are guaranteed; limits cap what the container may actually use. Set requests to typical usage and limits to peak usage. This keeps one noisy neighbor from starving the other pods on a node.
  4. Configure Kubernetes Services & Ingress
    Services provide stable network endpoints for pods. ClusterIP for internal, LoadBalancer for external traffic. Ingress manages external HTTP/HTTPS routing with path-based rules.
    Service & Ingress Setup:
    1. Click "Networking" tab
    2. Create ClusterIP services for internal microservices:
        api-service:8080, cart-service:8080, payment-service:8080
    3. Create Ingress resource:
        Host: api.shopstream.com
        Path /api/* → api-service:8080
        Path /cart/* → cart-service:8080
        Path /payment/* → payment-service:8080
    4. Enable AWS ALB Ingress Controller
    5. Configure TLS with ACM certificate
    6. Click "Apply Configuration"
    Service Mesh: For advanced traffic management (canary, A/B testing, mTLS), consider AWS App Mesh or Istio. Service mesh adds observability and security.
  5. Configure Horizontal Pod Autoscaler (HPA)
    HPA automatically scales pod replicas based on CPU, memory, or custom metrics. You define a target utilization and the HPA adjusts the replica count to maintain it. Essential for handling variable traffic.
    HPA Configuration:
    1. Click "Autoscaling" tab
    2. Select deployment: "api-service"
    3. Configure HPA:
        Min replicas: 3
        Max replicas: 50
        Target CPU utilization: 70%
        Target memory utilization: 80%
    4. Advanced settings:
        Scale up stabilization: 30 seconds
        Scale down stabilization: 300 seconds
    5. Check "Enable custom metrics" (requests per second)
    6. Click "Create HPA"
    7. Repeat for cart-service and payment-service
    Scaling Strategy: Scale down slowly (5 min cooldown) to avoid thrashing. Scale up quickly (30s) to handle traffic spikes. Use KEDA for event-driven scaling.
  6. Set Up Persistent Storage with EBS CSI Driver
    Stateful applications need persistent storage. EBS CSI driver provisions AWS EBS volumes as Kubernetes PersistentVolumes. StorageClass defines provisioning parameters.
    Storage Configuration:
    1. Click "Storage" tab
    2. Verify EBS CSI driver is installed (add-on)
    3. Create StorageClass:
        Name: ebs-gp3-encrypted
        Provisioner: ebs.csi.aws.com
        Volume type: gp3
        IOPS: 3000, Throughput: 125 MiB/s
        Encryption: enabled (KMS key)
    4. Create PersistentVolumeClaim:
        Name: database-pvc
        Size: 100Gi
        Access mode: ReadWriteOnce
    5. Mount PVC in StatefulSet for database pods
    Important: EBS volumes are AZ-specific. For multi-AZ, use EFS (NFS) or replicated databases. StatefulSets manage stateful workloads with stable identities.
  7. Configure Secrets Management with AWS Secrets Manager
    Never store secrets in container images or ConfigMaps. Use AWS Secrets Manager with the secrets-store-csi-driver to inject secrets as files or environment variables at runtime.
    Secrets Setup:
    1. Click "Secrets" tab
    2. Create secrets in AWS Secrets Manager:
        shopstream/prod/database-credentials
        shopstream/prod/api-keys
        shopstream/prod/payment-gateway
    3. Install Secrets Store CSI Driver add-on
    4. Create SecretProviderClass:
        Provider: aws
        Secret objects: map to Kubernetes secrets
    5. Mount secrets in pod spec:
        Volume mount path: /mnt/secrets
        Or: Sync to Kubernetes secret for env vars
    6. Configure IAM roles for service accounts (IRSA)
    IRSA: IAM Roles for Service Accounts provides fine-grained AWS permissions per pod. No EC2 instance profile sharing. Principle of least privilege.
  8. Implement Container Observability with CloudWatch Container Insights
    Container Insights collects metrics, logs, and traces from EKS. Monitor CPU, memory, network at cluster, node, pod, and container levels. Set alarms for anomalies.
    Observability Setup:
    1. Click "Monitoring" tab
    2. Enable CloudWatch Container Insights
    3. Install CloudWatch agent DaemonSet
    4. Install Fluent Bit for log collection
    5. Configure metrics to collect:
        Pod CPU/memory utilization
        Container restart count
        Network I/O
        Storage utilization
    6. Create CloudWatch alarms:
        Pod pending > 5 minutes
        Container OOMKilled events
        Node NotReady status
    7. Enable AWS X-Ray for distributed tracing
    Prometheus Alternative: For open-source monitoring, deploy Prometheus + Grafana via Helm. Amazon Managed Prometheus (AMP) provides serverless Prometheus.
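The admission rule in step 2 ("block deployments with CRITICAL/HIGH vulnerabilities", expire untagged images after 14 days) is easy to state and easy to get subtly wrong, for example by treating an unfinished scan as clean. The following is an added example, not part of the lab and not an AWS SDK call: it applies the gate to scan results shaped like ECR's DescribeImageScanFindings response and builds the matching lifecycle policy document. The images, findings and CVE names are constructed placeholders.

```python
"""ECR scan gate and lifecycle policy for Lab 28 step 2.

Added example; not the lab's own tooling and not an AWS SDK call. The scan
dictionaries follow the shape of ECR's DescribeImageScanFindings response
(imageScanStatus.status, imageScanFindings.findings[].severity); the images,
scan results and CVE identifiers below are constructed placeholders.
"""
import json
from collections import Counter

BLOCKED_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample scan results for three repository images.
SAMPLE_SCANS = {
    "shopstream/api-service:1.4.0": {
        "imageScanStatus": {"status": "COMPLETE"},
        "imageScanFindings": {"findings": [
            {"name": "CVE-0000-PLACEHOLDER-1", "severity": "MEDIUM"},
            {"name": "CVE-0000-PLACEHOLDER-2", "severity": "LOW"},
        ]},
    },
    "shopstream/payment-service:2.0.1": {
        "imageScanStatus": {"status": "COMPLETE"},
        "imageScanFindings": {"findings": [
            {"name": "CVE-0000-PLACEHOLDER-3", "severity": "CRITICAL"},
            {"name": "CVE-0000-PLACEHOLDER-4", "severity": "HIGH"},
            {"name": "CVE-0000-PLACEHOLDER-5", "severity": "HIGH"},
        ]},
    },
    "shopstream/cart-service:0.9.0": {
        # Scan still running: the gate must fail closed rather than assume "clean".
        "imageScanStatus": {"status": "IN_PROGRESS"},
        "imageScanFindings": {"findings": []},
    },
}


def severity_counts(scan):
    """Count findings per severity, e.g. Counter({'HIGH': 2, 'CRITICAL': 1})."""
    return Counter(f["severity"] for f in scan["imageScanFindings"]["findings"])


def deployment_decision(scan, blocked=BLOCKED_SEVERITIES):
    """Return (allowed, reason). Incomplete scans are treated as blocked."""
    status = scan["imageScanStatus"]["status"]
    if status != "COMPLETE":
        return False, f"scan status is {status}, not COMPLETE"
    counts = severity_counts(scan)
    hits = {sev: counts[sev] for sev in sorted(blocked) if counts[sev]}
    if hits:
        detail = ", ".join(f"{n} {sev}" for sev, n in hits.items())
        return False, f"blocked: {detail}"
    return True, "no blocked-severity findings"


def lifecycle_policy(untagged_days=14):
    """ECR lifecycle policy document expiring untagged images older than N days."""
    return {"rules": [{
        "rulePriority": 1,
        "description": f"Expire untagged images after {untagged_days} days",
        "selection": {
            "tagStatus": "untagged",
            "countType": "sinceImagePushed",
            "countUnit": "days",
            "countNumber": untagged_days,
        },
        "action": {"type": "expire"},
    }]}


if __name__ == "__main__":
    for image, scan in SAMPLE_SCANS.items():
        allowed, reason = deployment_decision(scan)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {image}: {reason}")
    print(json.dumps(lifecycle_policy(), indent=2))
```

The fail-closed branch is the point: a pipeline that only checks for the absence of CRITICAL/HIGH findings would wave through an image whose scan has not finished, so the gate keys on the scan status first and on severities second.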
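Steps 3 and 5 both configure the api-service: the Deployment with its probes, requests and limits, and the HPA that scales it between 3 and 50 replicas. The following added example (not the lab's own configuration and not a Kubernetes client library) builds both manifests as JSON, which kubectl apply accepts like YAML, rejects a request that exceeds its limit, and restates the HPA controller's published replica formula so the scaling arithmetic can be checked offline. The ECR image URI is a placeholder.

```python
"""Deployment and HPA manifests for the api-service in Lab 28 steps 3 and 5.

Added example; it is not the lab's own configuration and not a Kubernetes
client library. Manifests are emitted as JSON, which kubectl apply accepts as
well as YAML. The image URI is a placeholder, and desired_replicas() restates
the HPA controller's published formula so the scaling maths can be checked
offline.
"""
import json
import math

MEM_UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3}


def parse_cpu(quantity):
    """'250m' -> 0.25 cores; '2' -> 2.0 cores."""
    return float(quantity[:-1]) / 1000 if quantity.endswith("m") else float(quantity)


def parse_mem(quantity):
    """'256Mi' -> bytes; a bare integer is already bytes."""
    for suffix, mult in MEM_UNITS.items():
        if quantity.endswith(suffix):
            return int(quantity[: -len(suffix)]) * mult
    return int(quantity)


def deployment(name, image, replicas, port, cpu, mem):
    """cpu and mem are (request, limit) pairs; a request above its limit is rejected."""
    if parse_cpu(cpu[0]) > parse_cpu(cpu[1]) or parse_mem(mem[0]) > parse_mem(mem[1]):
        raise ValueError("resource request exceeds limit")
    container = {
        "name": name,
        "image": image,
        "ports": [{"containerPort": port}],
        "resources": {"requests": {"cpu": cpu[0], "memory": mem[0]},
                      "limits": {"cpu": cpu[1], "memory": mem[1]}},
        "livenessProbe": {"httpGet": {"path": "/health", "port": port}},
        "readinessProbe": {"httpGet": {"path": "/ready", "port": port}},
    }
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": name},
        "spec": {
            "replicas": replicas,
            "selector": {"matchLabels": {"app": name}},
            # maxUnavailable=0 keeps full capacity during a rollout; maxSurge=1 adds one extra pod.
            "strategy": {"type": "RollingUpdate",
                         "rollingUpdate": {"maxSurge": 1, "maxUnavailable": 0}},
            "template": {"metadata": {"labels": {"app": name}},
                         "spec": {"containers": [container]}},
        },
    }


def hpa(name, min_replicas, max_replicas, cpu_target, mem_target,
        scale_up_window=30, scale_down_window=300):
    """autoscaling/v2 HPA with CPU and memory utilization targets and stabilization windows."""
    def utilization(resource, target):
        return {"type": "Resource", "resource": {
            "name": resource, "target": {"type": "Utilization", "averageUtilization": target}}}
    return {
        "apiVersion": "autoscaling/v2",
        "kind": "HorizontalPodAutoscaler",
        "metadata": {"name": name},
        "spec": {
            "scaleTargetRef": {"apiVersion": "apps/v1", "kind": "Deployment", "name": name},
            "minReplicas": min_replicas,
            "maxReplicas": max_replicas,
            "metrics": [utilization("cpu", cpu_target), utilization("memory", mem_target)],
            "behavior": {"scaleUp": {"stabilizationWindowSeconds": scale_up_window},
                         "scaleDown": {"stabilizationWindowSeconds": scale_down_window}},
        },
    }


def desired_replicas(current, current_util, target_util, min_replicas, max_replicas, tolerance=0.1):
    """HPA formula: ceil(current * currentUtil / targetUtil); no change inside the
    tolerance band (default 10%); result clamped to [min, max]."""
    ratio = current_util / target_util
    if abs(ratio - 1.0) <= tolerance:
        return current
    return max(min_replicas, min(max_replicas, math.ceil(current * ratio)))


if __name__ == "__main__":
    image = "123456789012.dkr.ecr.us-east-1.amazonaws.com/shopstream/api-service:1.4.0"  # placeholder
    print(json.dumps(deployment("api-service", image, 3, 8080, ("250m", "500m"), ("256Mi", "512Mi")), indent=2))
    print(json.dumps(hpa("api-service", 3, 50, 70, 80), indent=2))
    print("replicas at 140% of CPU target:", desired_replicas(3, 140, 70, 3, 50))
```

Worth noticing in the arithmetic: at 72% observed against a 70% target the HPA does nothing (inside the 10% tolerance band), while a pod average of 140% doubles the replica count in one step; the stabilization windows in the manifest only govern how long the controller waits before acting on such a recommendation.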


Lab 29: Cloud Operations, Automation & DevOps
Cloud+ / Advanced
Scenario: Automated Cloud Operations at Scale
FinTech Solutions operates 500+ cloud resources across AWS and Azure requiring automated operations, scaling, patching, and lifecycle management. Implement Infrastructure as Code (IaC) using Terraform, configure autoscaling policies, set up automated patch management, implement CI/CD pipelines, configure CloudWatch/Azure Monitor for observability, and establish automated backup/restore procedures. Target: zero manual deployments, < 15 min deployment time, 99.5% patch compliance.

Cloud+ Exam Objectives (CV0-004):

  • 2.4 Infrastructure as Code: IaC, CaC, versioning, drift detection
  • 3.2 Scaling Approaches: Horizontal/vertical scaling, autoscaling
  • 3.4 Resource Lifecycle: Patches, updates, decommissioning
  • 5.2 CI/CD Pipelines: Automation, testing, deployment
  • 3.1 Observability: Monitoring, logging, alerting
  • 3.3 Backup & Recovery: Automated backups, testing

Cloud Operations Step-by-Step Instructions

  1. Configure Terraform Infrastructure as Code (IaC)
    Terraform enables declarative infrastructure provisioning. Define your infrastructure in code files that can be versioned, reviewed, and reused across environments.
    In Operations Console (right panel):
    1. Click the "Infrastructure" tab in the left sidebar
    2. Select Terraform Version: "1.6.x (Latest)"
    3. Select Backend: "S3 with DynamoDB locking"
    4. Check "Enable state file encryption"
    5. Check "Enable drift detection"
    6. Click "Initialize Terraform" button
    7. Review the generated configuration
    8. Click "Apply Configuration"
    Cloud+ Concept: IaC eliminates manual configuration, enables version control, and ensures consistent infrastructure across dev/staging/prod environments.
  2. Configure CI/CD Pipeline with GitHub Actions
    CI/CD pipelines automate build, test, and deployment. Every code commit triggers automated testing and deployment to staging/production.
    In Operations Console:
    1. Click the "CI/CD" tab in the sidebar
    2. Select Pipeline Type: "GitHub Actions"
    3. Configure Build Stage: "Docker multi-stage build"
    4. Configure Test Stage: "Unit tests + Integration tests"
    5. Configure Deploy Stage: "Blue/Green deployment"
    6. Check "Enable automated rollback on failure"
    7. Set deployment approval for production
    8. Click "Save Pipeline Configuration"
    Cloud+ Best Practice: Blue/Green deployment runs two identical environments. Switch traffic instantly with zero downtime. Rollback by switching back.
  3. Configure Auto Scaling Policies
    Auto scaling automatically adjusts capacity based on demand. Scale out during peak load, scale in during off-peak to optimize costs.
    Auto Scaling Setup:
    1. Click "Scaling" tab
    2. Target Tracking Policy:
        Metric: "Average CPU Utilization"
        Target Value: "70%"
    3. Scaling Bounds:
        Minimum instances: 2 (always running)
        Maximum instances: 20
    4. Scale Out: Add 2 instances when CPU > 80% for 3 min
    5. Scale In: Remove 1 instance when CPU < 40% for 10 min
    6. Cooldown period: 300 seconds
    7. Click "Enable Auto Scaling"
  4. Set Up Centralized Logging (ELK Stack)
    Aggregate logs from all services into a central location. Enables searching, analysis, and alerting on log patterns.
    Logging Configuration:
    1. Click "Logging" tab
    2. Select Log Destination: "CloudWatch Logs"
    3. Configure Log Groups:
        Application logs: /fintech/app/*
        Access logs: /fintech/access/*
        Error logs: /fintech/error/*
    4. Set retention: 90 days for compliance
    5. Enable CloudWatch Log Insights
    6. Configure log shipping to S3 for archival
    7. Click "Save Logging Configuration"
  5. Configure CloudWatch Alerting
    Proactive alerts notify the team before issues impact users. Configure thresholds based on SLOs.
    Alerting Setup:
    1. Click "Monitoring" tab
    2. Create Alert Rules:
        CPU > 90% for 5 min: Critical, notify PagerDuty
        Memory > 85%: Warning, notify by email
        Error rate > 1%: Critical, notify Slack + PagerDuty
        Response time > 2s: Warning, notify by email
    3. Configure escalation policy
    4. Set up on-call schedule rotation
    5. Click "Enable Alerting"
  6. Implement Cost Management & Optimization
    Cloud cost management identifies waste and optimizes spending. Set budgets and alerts to prevent bill shock.
    Cost Management:
    1. Click "Cost Management" tab
    2. Set Monthly Budget: $50,000
    3. Configure Alerts:
        50% of budget: email finance team
        80% of budget: email + Slack ops team
        100% of budget: critical alert to leadership
    4. Enable Cost Anomaly Detection
    5. Review Right-sizing Recommendations
    6. Schedule Reserved Instance analysis
    7. Click "Save Cost Configuration"
  7. Configure Automated Backup & Recovery
    Automated backups ensure data protection. Test recovery regularly to validate backup integrity.
    Backup Configuration:
    1. Click "Backup" tab
    2. Configure Backup Schedule:
        Full backup: Weekly (Sunday 2 AM)
        Incremental: Daily (2 AM)
        Transaction logs: Every 15 minutes
    3. Retention Policy:
        Daily: 30 days
        Weekly: 12 weeks
        Monthly: 12 months
    4. Cross-region replication: Enable (us-west-2)
    5. Enable backup verification
    6. Schedule monthly recovery drill
    7. Click "Save Backup Policy"
    Cloud+ Rule: Untested backups are worthless. Schedule regular recovery drills to verify your backups actually work!
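Step 3's scaling rules (add 2 instances after 3 minutes above 80% CPU, remove 1 after 10 minutes below 40%, 300-second cooldown, 2 to 20 instances) interact in ways that are easier to see by running them than by reading them. The following is an added example, not the lab's tooling and not how EC2 Auto Scaling evaluates alarms internally: a small simulator that applies exactly those rules to a constructed CPU trace, assuming one sample per minute, and records every capacity change.

```python
"""Simulate the Lab 29 step-scaling rules against a constructed CPU trace.

Added example, not the lab's tooling and not how EC2 Auto Scaling evaluates
alarms internally. It models the stated rules only: CPU > 80% for 3 min adds 2
instances, CPU < 40% for 10 min removes 1, a 300 s cooldown after each action,
and bounds of 2..20 instances. One CPU sample per minute is assumed.
"""
from dataclasses import dataclass, field


@dataclass
class StepScalingPolicy:
    min_instances: int = 2
    max_instances: int = 20
    out_threshold: float = 80.0   # per cent CPU that triggers scale-out
    out_minutes: int = 3          # sustained minutes required
    out_step: int = 2             # instances added
    in_threshold: float = 40.0
    in_minutes: int = 10
    in_step: int = 1
    cooldown_s: int = 300


@dataclass
class ScalingRun:
    capacity: int
    actions: list = field(default_factory=list)  # (minute, delta, capacity after)


def simulate(policy, cpu_samples, start_capacity=2):
    run = ScalingRun(capacity=start_capacity)
    high = low = 0          # consecutive minutes above / below the thresholds
    cooldown_until = 0      # first minute at which another action is allowed
    for minute, cpu in enumerate(cpu_samples):
        high = high + 1 if cpu > policy.out_threshold else 0
        low = low + 1 if cpu < policy.in_threshold else 0
        if minute < cooldown_until:
            continue            # alarms keep evaluating, but no action during cooldown
        if high >= policy.out_minutes:
            delta = policy.out_step
        elif low >= policy.in_minutes:
            delta = -policy.in_step
        else:
            continue
        new_cap = max(policy.min_instances, min(policy.max_instances, run.capacity + delta))
        if new_cap != run.capacity:
            run.actions.append((minute, new_cap - run.capacity, new_cap))
            run.capacity = new_cap
            cooldown_until = minute + policy.cooldown_s // 60
            high = low = 0      # the alarm that fired is reset by the action
    return run


# Constructed trace: a five-minute spike followed by a long quiet period.
SAMPLE_TRACE = [30, 50, 85, 90, 92, 88, 60, 45] + [20] * 25


if __name__ == "__main__":
    run = simulate(StepScalingPolicy(), SAMPLE_TRACE)
    for minute, delta, cap in run.actions:
        print(f"minute {minute:2d}: {delta:+d} -> {cap} instances")
    print("final capacity:", run.capacity)
```

On the sample trace the group scales out once at minute 4 and then takes two separate, cooldown-spaced steps back down; with the scale-in window shortened to one minute and no cooldown, the same policy on a flat trace sheds capacity every minute, which is the thrashing the lab's asymmetric windows are there to prevent.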
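The retention policy in step 7 (daily for 30 days, weekly for 12 weeks, monthly for 12 months) is a grandfather-father-son scheme, and the question a recovery drill has to answer is "which backups still exist on a given day?". The following added example (not the lab's or any backup product's own logic) decides that for a constructed calendar of one backup per day, using the Sunday full backup as the weekly copy and the first backup of each month as the monthly copy; the 2024 calendar and reference date are constructed for the example.

```python
"""Which backups the Lab 29 retention policy keeps on a given day.

Added example, not the lab's or any backup product's own logic. It models the
stated tiers (daily 30 days, weekly 12 weeks keeping the Sunday full backup,
monthly 12 months keeping the first backup of the month) as a
grandfather-father-son selection over a constructed calendar of one backup per day.
"""
from datetime import date, timedelta


def months_between(older, newer):
    return (newer.year - older.year) * 12 + newer.month - older.month


def retention_plan(backups, today, daily_days=30, weekly_weeks=12, monthly_months=12):
    """Return (keep, expire). keep maps each retained date to the tiers retaining it;
    expire is the set of backup dates no tier still needs."""
    backups = sorted(set(backups))
    keep = {}

    def retain(d, tier):
        keep.setdefault(d, set()).add(tier)

    first_of_month = {}
    for d in backups:
        if d > today:
            continue
        if (today - d).days <= daily_days:
            retain(d, "daily")
        # Weekly tier: the Sunday full backup of each of the last N weeks
        if d.weekday() == 6 and (today - d).days <= weekly_weeks * 7:
            retain(d, "weekly")
        first_of_month.setdefault((d.year, d.month), d)  # sorted input: first seen is earliest
    for d in first_of_month.values():
        if months_between(d, today) < monthly_months:
            retain(d, "monthly")
    expire = {d for d in backups if d <= today and d not in keep}
    return keep, expire


def daily_calendar(start, end):
    """Constructed input: one backup per day, inclusive of both ends."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


def tiers_for(keep, iso_day):
    """Tiers retaining the backup taken on the given ISO date, empty if it expires."""
    return keep.get(date.fromisoformat(iso_day), set())


# Constructed scenario: a full year of daily backups, evaluated on the last day of 2024.
TODAY = date(2024, 12, 31)
SAMPLE_BACKUPS = daily_calendar(date(2024, 1, 1), TODAY)


if __name__ == "__main__":
    keep, expire = retention_plan(SAMPLE_BACKUPS, TODAY)
    print(f"{len(keep)} backups kept, {len(expire)} expire")
    for d in sorted(keep):
        print(d, sorted(keep[d]))
```

Of the 366 daily backups in the constructed year, 49 survive: the last 31 days, seven older Sundays, and the first backup of each of the eleven earlier months. Anything a drill restores from should come from that set, because everything else is eligible for deletion on the same day.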


Lab 30: Hybrid Cloud Network Architecture & Security
CloudNetX / Expert
Scenario: Enterprise Hybrid Cloud Network Design
GlobalBank operates a hybrid infrastructure with on-premises data centers (10 Gbps fiber) and AWS/Azure cloud environments serving 50K+ users globally. Design and implement secure hybrid network architecture: configure VPN/Direct Connect connectivity, implement Zero Trust network access (ZTNA), set up SD-WAN for intelligent routing, configure microsegmentation with security groups, deploy load balancers with health checks, and establish comprehensive network monitoring. Requirements: < 10ms latency, 99.99% uptime, pass PCI DSS network segmentation audit.

CloudNetX Exam Objectives (CNX-001):

  • 1.1 Core Networking: IP addressing, subnetting, CIDR, VLANs, routing protocols
  • 1.3 Hybrid Connectivity: VPN, Direct Connect, ExpressRoute, SD-WAN
  • 2.4 Zero Trust Architecture: ZTNA, microsegmentation, identity-based access
  • 2.2 Network Security: Firewalls, IDS/IPS, DDoS protection, WAF
  • 1.4 High Availability: Load balancing, autoscaling, redundancy
  • 3.2 Monitoring & Performance: Traffic analysis, latency, throughput

CloudNetX Network Architecture Instructions

  1. Design VPC/VNet Architecture with CIDR Planning
    Proper network design starts with CIDR planning. Ensure non-overlapping IP ranges across on-prem and cloud for hybrid connectivity.
    In Network Console (right panel):
    1. Click the "VPC Configuration" tab
    2. Enter VPC Name: "globalbank-prod-vpc"
    3. Enter VPC CIDR: "10.100.0.0/16" (65,536 IPs)
    4. Enable DNS hostnames and DNS resolution
    5. Create Internet Gateway for public subnets
    6. Tenancy: Default (shared hardware)
    7. Click "Create VPC"
    CloudNetX CIDR Planning: Reserve 10.0.0.0/8 for on-prem, 10.100.0.0/16 for AWS, 10.200.0.0/16 for Azure. Never overlap CIDRs!
  2. Configure Subnet Architecture (Public/Private/Data)
    Design multi-tier subnet architecture with proper isolation. Public subnet for load balancers, private for apps, data subnet for databases.
    Subnet Configuration:
    1. Click "Subnets" tab
    2. Create Public Subnet (AZ-a):
        CIDR: 10.100.1.0/24 (256 IPs)
        Enable auto-assign public IP
    3. Create Private Subnet (AZ-a):
        CIDR: 10.100.10.0/24
        No public IP assignment
    4. Create Data Subnet (AZ-a):
        CIDR: 10.100.20.0/24
        Database tier isolation
    5. Repeat for AZ-b (10.100.2.0/24, 10.100.11.0/24, 10.100.21.0/24)
    6. Click "Save Subnets"
  3. Configure VPN Site-to-Site Connectivity
    Establish an encrypted tunnel between the on-premises data center and the cloud VPC. Use dual tunnels for redundancy.
    VPN Setup:
    1. Click "VPN" tab
    2. Create Virtual Private Gateway (VGW)
    3. Customer Gateway IP: Enter on-prem firewall IP
    4. Create VPN Connection:
        Type: Site-to-Site VPN
        Routing: BGP (dynamic)
        ASN: 65000 (cloud) / 65001 (on-prem)
    5. Download VPN configuration for on-prem device
    6. Enable acceleration (Global Accelerator)
    7. Click "Create VPN Connection"
    CloudNetX Redundancy: Always create 2 VPN tunnels to different AZs. If one fails, traffic fails over automatically via BGP.
  4. Configure Direct Connect / ExpressRoute
    For production workloads requiring low latency (<10ms) and high throughput, use dedicated private connectivity.
    Direct Connect Setup:
    1. Click "Direct Connect" tab
    2. Connection Type: Dedicated (10 Gbps)
    3. Location: Select colocation nearest to data center
    4. Create Virtual Interface (VIF):
        Type: Private VIF
        VLAN: 100
        BGP ASN: 65000
    5. Attach to Virtual Private Gateway
    6. Enable BGP for route propagation
    7. Click "Create Connection"
  5. Deploy Application Load Balancer
    Layer 7 load balancing with health checks, SSL termination, and path-based routing.
    Load Balancer Configuration:
    1. Click "Load Balancing" tab
    2. Type: Application Load Balancer
    3. Scheme: Internet-facing
    4. Subnets: Select public subnets (AZ-a, AZ-b)
    5. Security Group: Allow 80/443 from 0.0.0.0/0
    6. Target Group:
        Protocol: HTTP
        Health Check: /health (10s interval)
    7. SSL Certificate: ACM managed certificate
    8. Click "Create Load Balancer"
  6. Configure Network Firewall & Security Groups
    Implement defense in depth with network ACLs, security groups, and AWS Network Firewall for IDS/IPS.
    Firewall Configuration:
    1. Click "Firewall" tab
    2. Create Security Groups:
        ALB-SG: Allow 443 from internet
        App-SG: Allow 8080 from ALB-SG only
        DB-SG: Allow 3306 from App-SG only
    3. Network ACLs (stateless):
        Deny known malicious IP ranges
        Allow ephemeral ports 1024-65535
    4. Enable AWS Network Firewall
    5. Enable VPC Flow Logs
    6. Click "Apply Firewall Rules"
    CloudNetX Zero Trust: Microsegmentation = each tier only talks to adjacent tiers. Web→App→DB. Never Web→DB directly!
  7. Configure DNS & Traffic Management
    Set up Route 53 / Azure DNS with health checks and failover routing for high availability.
    DNS Configuration:
    1. Click "DNS" tab
    2. Create Hosted Zone: globalbank.com
    3. Create A record with alias to ALB
    4. Enable health checks (HTTPS endpoint)
    5. Configure failover routing policy
    6. Set TTL: 60 seconds (fast failover)
    7. Click "Save DNS Configuration"
  8. Enable Network Monitoring & Flow Logs
    Comprehensive network visibility for troubleshooting, security analysis, and compliance.
    Monitoring Setup:
    1. Click "Monitoring" tab
    2. Enable VPC Flow Logs (all traffic)
    3. Destination: CloudWatch Logs
    4. Configure CloudWatch alarms:
        VPN tunnel down alert
        Network latency > 10ms
        Packet loss > 0.1%
    5. Enable AWS Network Manager
    6. Create network dashboard
    7. Click "Enable Monitoring"
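Steps 1 and 2 rest on two checks that are worth automating rather than eyeballing: no two ranges in the hybrid plan may overlap, and every subnet must sit inside the VPC CIDR without overlapping its neighbours. The following added example (not the lab's tooling) runs both checks with the standard-library ipaddress module over the ranges the lab names. Run against the CIDR planning note's own numbers it reports both cloud ranges as overlapping 10.0.0.0/8, because 10.100.0.0/16 and 10.200.0.0/16 lie inside that /8; the on-prem reservation therefore has to be narrower than a /8 (for example 10.0.0.0/12, an assumption) before the plan satisfies its own "never overlap" rule.

```python
"""CIDR-plan checks for Lab 30 steps 1 and 2.

Added example, not the lab's tooling. It uses the standard-library ipaddress
module to test two things a hybrid design must get right: that no two ranges in
the hybrid plan overlap, and that every subnet lies inside the VPC CIDR without
overlapping its neighbours. The ranges are those named in the lab.
"""
import ipaddress

# Ranges from the lab's CIDR planning note.
HYBRID_RANGES = {
    "on-prem": "10.0.0.0/8",
    "aws-vpc": "10.100.0.0/16",
    "azure-vnet": "10.200.0.0/16",
}

VPC_CIDR = "10.100.0.0/16"

# Subnets from step 2 (public / private / data tiers in two AZs).
SUBNETS = {
    "public-a": "10.100.1.0/24", "private-a": "10.100.10.0/24", "data-a": "10.100.20.0/24",
    "public-b": "10.100.2.0/24", "private-b": "10.100.11.0/24", "data-b": "10.100.21.0/24",
}


def overlapping_pairs(ranges):
    """Return (name_a, name_b) for every pair of ranges that overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in ranges.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def validate_subnets(vpc_cidr, subnets):
    """Return human-readable problems: subnets outside the VPC or overlapping each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside {vpc}")
    problems += [f"{a} overlaps {b}" for a, b in overlapping_pairs(subnets)]
    return problems


def usable_hosts(cidr, reserved=5):
    """AWS reserves the first four addresses and the broadcast address of each subnet."""
    return ipaddress.ip_network(cidr).num_addresses - reserved


if __name__ == "__main__":
    print("hybrid overlaps:", overlapping_pairs(HYBRID_RANGES))
    print("subnet problems:", validate_subnets(VPC_CIDR, SUBNETS) or "none")
    for name, cidr in SUBNETS.items():
        print(f"{name:10} {cidr:16} usable hosts: {usable_hosts(cidr)}")
```

The usable-host count matters for the "(256 IPs)" annotation in step 2: a /24 in AWS yields 251 assignable addresses, not 256, which is the number to use when sizing a subnet for an autoscaling group or a node group.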
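The Zero Trust note after step 6 reduces to a rule that can be checked mechanically: an internal tier's security group may only admit traffic from the group of the tier directly in front of it, never from a CIDR and never from a tier further away. The following added example (not the lab's tooling and not an AWS API) audits a rule set against that adjacency model. The sample rules are constructed: the three rules from the lab plus three that break microsegmentation in the ways a PCI DSS segmentation review typically catches.

```python
"""Audit security-group rules against the Lab 30 tier model (Web -> App -> DB).

Added example, not the lab's tooling and not an AWS API. Rules are modelled as
(group, port, source) where source is either another security group or a CIDR;
the sample rule set is constructed: the three rules from the lab plus three
rules that break microsegmentation.
"""
import ipaddress
from dataclasses import dataclass

TIERS = ["ALB-SG", "App-SG", "DB-SG"]   # order = the only allowed direction of traffic
INTERNET = "0.0.0.0/0"


@dataclass(frozen=True)
class IngressRule:
    group: str     # security group the rule is attached to
    port: int
    source: str    # security group name or CIDR


def is_cidr(source):
    try:
        ipaddress.ip_network(source)
        return True
    except ValueError:
        return False


def audit(rules, tiers=TIERS):
    """Return (rule, reason) for every rule that violates tier adjacency."""
    findings = []
    for r in rules:
        if r.group not in tiers:
            findings.append((r, "group is not in the tier model"))
            continue
        tier = tiers.index(r.group)
        if tier == 0:
            # Edge tier: CIDR sources are expected (the internet on 443); an internal
            # group as source would mean traffic flowing backwards through the tiers.
            if not is_cidr(r.source):
                findings.append((r, "edge tier should not reference an internal group"))
            continue
        if is_cidr(r.source):
            findings.append((r, "internal tier opened to a CIDR instead of the adjacent group"))
        elif r.source != tiers[tier - 1]:
            findings.append((r, f"source {r.source} is not the adjacent tier {tiers[tier - 1]}"))
    return findings


SAMPLE_RULES = [
    IngressRule("ALB-SG", 443, INTERNET),          # from the lab
    IngressRule("App-SG", 8080, "ALB-SG"),          # from the lab
    IngressRule("DB-SG", 3306, "App-SG"),           # from the lab
    IngressRule("DB-SG", 3306, "ALB-SG"),           # constructed: Web -> DB skips a tier
    IngressRule("DB-SG", 3306, INTERNET),           # constructed: database exposed to the internet
    IngressRule("App-SG", 22, "10.100.0.0/16"),     # constructed: whole-VPC SSH into the app tier
]


if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.group} port {rule.port} from {rule.source}: {reason}")
```

Modelling sources as group references rather than addresses is what makes the check stable: a rule that admits 10.100.10.0/24 "because that is where the app tier lives" passes a naive address check but is flagged here, and it would silently widen the moment a second application subnet is added to the VPC.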


Lab 31: Cloud Security Governance & Compliance
CCSP / Expert
Scenario: Enterprise Cloud Security & Compliance Program
HealthTech Corporation operates multi-cloud infrastructure (AWS, Azure, GCP) storing sensitive healthcare data (PHI/PII) for 2 million patients. Establish comprehensive cloud security governance program: implement data classification and protection controls, configure identity and access management with least privilege, set up security monitoring and incident response, establish vendor risk management for cloud providers, ensure compliance with HIPAA, GDPR, SOC 2, and ISO 27001, conduct security audits, and implement cloud security controls per CCSP domains. Requirements: pass annual compliance audits, zero data breaches, < 1 hour incident detection time.

CCSP Exam Objectives (Domains):

  • Domain 2: Cloud Data Security: Data classification, encryption, DLP, IRM
  • Domain 4: Cloud Application Security: SDLC, threat modeling, secure coding
  • Domain 5: Cloud Security Operations: Incident response, forensics, monitoring
  • Domain 6: Legal, Risk & Compliance: GDPR, HIPAA, SOC 2, audit management
  • Domain 1: Cloud Architecture: Shared responsibility, security controls
  • Domain 3: Cloud Platform Security: IAM, encryption, network security

Step-by-Step Instructions

  1. Implement Data Classification & Protection
    Classify data based on sensitivity and apply appropriate controls. CCSP Domain 2 (Cloud Data Security).
    Data Classification:
    1. In the Security Console (right panel), click "Data Classification" tab
    2. Define classification levels: Public, Internal, Confidential, Restricted
    3. For healthcare data: PHI = Restricted, PII = Confidential
    4. Apply S3 bucket tags for automated policy enforcement
    5. Configure AWS Macie for automated PII/PHI discovery
    6. Implement encryption: AES-256 for data at rest, TLS 1.3 in transit
    7. Enable S3 Object Lock for immutable backups (WORM)
    8. Click "Apply Classification Policy"
    CCSP Concept: Data classification drives security controls. Higher classification = stronger controls (encryption, access restrictions, audit logging).
  2. Configure IAM with Least Privilege (RBAC/ABAC)
    Implement role-based and attribute-based access control. CCSP Domain 3 (IAM in Cloud).
    IAM Configuration:
    1. Click "Identity & Access" tab
    2. Define roles: HealthcareAdmin, ClinicalUser, AuditorReadOnly
    3. Implement RBAC with IAM policies (principle of least privilege)
    4. Configure ABAC using tags (Department, DataClassification)
    5. Enable MFA for all privileged accounts
    6. Set up IAM Access Analyzer to detect overpermissive policies
    7. Implement JIT (just-in-time) access for break-glass scenarios
    8. Click "Save IAM Configuration"
    CCSP Best Practice: Least privilege = grant minimum permissions necessary. Review permissions quarterly. Use SCPs for org-wide guardrails.
  3. Implement Data Loss Prevention (DLP) Controls
    Prevent unauthorized data exfiltration and sharing. CCSP Domain 2 (Data Security Technologies).
    DLP Implementation:
    1. Click "Data Protection" tab
    2. Deploy AWS Macie for S3 data discovery and classification
    3. Configure DLP policies: block uploads of unencrypted PHI
    4. Set up CloudWatch Events to detect suspicious data access
    5. Enable S3 Block Public Access account-wide
    6. Configure VPC endpoints to prevent data from traversing internet
    7. Implement data masking for non-production environments
    8. Click "Enable DLP Controls"
  4. Configure Security Monitoring & Incident Response
    Implement comprehensive security monitoring and IR procedures. CCSP Domain 5 (Security Operations).
    Security Monitoring:
    1. Click "Security Monitoring" tab
    2. Deploy AWS Security Hub for centralized security findings
    3. Enable GuardDuty for threat detection (ML-based anomalies)
    4. Configure CloudTrail with S3 log file validation
    5. Set up SIEM (Security Information & Event Management)
    6. Define incident response runbooks (NIST 800-61)
    7. Configure automated playbooks for common incidents
    8. Click "Save Monitoring Configuration"
    CCSP IR Phases: Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity (lessons learned).
  5. Conduct Vulnerability Management Program
    Continuously identify and remediate vulnerabilities. CCSP Domain 5 (Vulnerability Management).
    Vulnerability Management:
    1. Click "Vulnerability Scanning" tab
    2. Deploy AWS Inspector for automated vulnerability scanning
    3. Configure weekly scans of all EC2 instances and containers
    4. Integrate vulnerability feeds (NVD, CVE databases)
    5. Define SLAs: Critical (24hrs), High (7 days), Medium (30 days)
    6. Implement automated patching with Systems Manager
    7. Conduct annual penetration testing by third party
    8. Click "Enable Vulnerability Scanning"
  6. Establish Compliance & Audit Management
    Ensure compliance with HIPAA, GDPR, SOC 2, ISO 27001. CCSP Domain 6 (Legal, Risk & Compliance).
    Compliance Program:
    1. Click "Compliance" tab
    2. Document shared responsibility model with AWS
    3. Map HIPAA requirements to AWS controls (BAA signed)
    4. Implement GDPR requirements (consent, data portability, right to erasure)
    5. Configure AWS Config for continuous compliance monitoring
    6. Enable AWS Audit Manager for automated audit evidence
    7. Schedule annual SOC 2 Type II and ISO 27001 audits
    8. Click "Save Compliance Configuration"
    CCSP Key Point: The cloud provider (AWS) is responsible for security OF the cloud. The customer is responsible for security IN the cloud (data, apps, IAM).
  7. Implement Vendor Risk Management (VRM)
    Assess and manage risks from cloud service providers. CCSP Domain 6 (Outsourcing & Cloud Contract Design).
    Vendor Risk Assessment:
    1. Click "Vendor Management" tab
    2. Review AWS ISO 27001, SOC 2, FedRAMP certifications
    3. Evaluate AWS shared responsibility model understanding
    4. Sign Business Associate Agreement (BAA) for HIPAA
    5. Review AWS Data Processing Agreement (DPA) for GDPR
    6. Assess vendor lock-in risks and portability options
    7. Document right-to-audit clauses in contract
    8. Click "Complete Vendor Assessment"
  8. Conduct Security Audit & Risk Assessment
    Perform comprehensive security audit and document findings. CCSP Domain 6 (Audit Process & Methodologies).
    Security Audit:
    1. Click "Audit & Reports" tab
    2. Conduct gap analysis against CIS AWS Foundations Benchmark
    3. Review IAM policies for least privilege violations
    4. Validate encryption controls (data at rest/in transit)
    5. Test incident response procedures (tabletop exercise)
    6. Document audit findings and remediation plans
    7. Generate executive risk dashboard for CISO
    8. Click "Generate Audit Report"
    CCSP Audit Types: SOC 2 (internal controls), ISO 27001 (ISMS), PCI DSS (payment cards), HIPAA (healthcare), FedRAMP (US government).
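Step 2 asks for RBAC and ABAC policies written to least privilege and for Access Analyzer to catch over-permissive ones. The following added example is not IAM Access Analyzer and not the lab's tooling; it applies the handful of static checks a reviewer runs by hand on a policy document (a bare or service-wide Action wildcard, Resource "*" with no Condition, and Allow combined with NotAction) and shows an ABAC statement that passes them. The policies, the secret ARN and the account number in it are constructed for the example.

```python
"""Static least-privilege checks for IAM policy documents (Lab 31 step 2).

Added example; it is not IAM Access Analyzer and not the lab's tooling, only
the checks a reviewer applies by hand: full or service-wide Action wildcards,
Resource "*" without a Condition, and Allow combined with NotAction. All
policies, ARNs and the account number below are constructed placeholders.
"""


def _as_list(value):
    """IAM allows a single string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement_index, message) findings for every Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        if "NotAction" in stmt:
            findings.append((i, "Allow with NotAction permits every action not listed"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((i, "Action '*' grants every action"))
            elif action.endswith(":*"):
                findings.append((i, f"service-wide wildcard {action}"))
        if "*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
            findings.append((i, "Resource '*' with no Condition"))
    return findings


# Constructed: the over-broad policy a lint must reject.
ADMIN_EVERYTHING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}

# Constructed ABAC policy for the ClinicalUser role: read only those secrets whose
# DataClassification tag matches the caller's own principal tag, and deny all
# Secrets Manager access when the session was not established with MFA.
CLINICAL_USER_ABAC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:healthtech/*",
     "Condition": {"StringEquals": {
         "aws:ResourceTag/DataClassification": "${aws:PrincipalTag/DataClassification}"}}},
    {"Effect": "Deny", "Action": "secretsmanager:*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

# Constructed: a Condition narrows who may call, but s3:* is still a service-wide grant.
SERVICE_WIDE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalTag/Department": "Clinical"}}},
]}


if __name__ == "__main__":
    for name, policy in [("ADMIN_EVERYTHING", ADMIN_EVERYTHING),
                         ("CLINICAL_USER_ABAC", CLINICAL_USER_ABAC),
                         ("SERVICE_WIDE", SERVICE_WIDE)]:
        print(name, lint_policy(policy) or "clean")
```

The ABAC statement is the shape the step is asking for: the Allow names specific actions and a scoped ARN, the tag comparison ties access to the data classification from step 1, and the MFA requirement is expressed as a Deny so it cannot be bypassed by another Allow elsewhere in the role.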



You have successfully completed all 31 hands-on labs covering CompTIA Cloud+ (CV0-004), CompTIA CloudNetX (CNX-001), and (ISC)² CCSP certification objectives. You are now ready for your cloud certification exams!
