Leanpub Header

Skip to main content

Modern Cloud Security Engineering

A Practical Guide to Securing AWS, Azure, and Google Cloud

This book is 100% completeLast updated on 2026-07-11

Cloud security is built, not bought. This practical guide goes beyond checklists and compliance to teach the engineering principles behind secure cloud environments. Learn how to design resilient identity systems, protect workloads, secure data, detect threats, and respond to incidents across AWS, Microsoft Azure, and Google Cloud using production-tested techniques and real-world architectures.

Minimum price

$19.00

$29.00

You pay

Author earns

$

Also available for 1 book credit with a Reader Membership

PDF
EPUB
WEB
APP
About

About

About the Book

Cloud security is not a product you buy. It is an engineering discipline that requires deep understanding of identity, infrastructure, data, and process across multiple platforms. This book provides production-grade guidance for securing workloads on AWS, Microsoft Azure, and Google Cloud Platform, with equal emphasis on shared principles and platform-specific implementations. From foundational IAM design to advanced incident response, from offensive attack paths to defensive detection engineering, every chapter delivers the technical depth that cloud security engineers, DevSecOps practitioners, and security architects need to build secure systems that actually work in production.

Author

About the Author

Steve T. Publications

Steve T. is a cybersecurity leader, researcher, and engineer with more than 20 years of experience across application security, infrastructure security, vulnerability management, software development, and secure engineering practices. Having built his career alongside the growth of the modern internet, he has worked through multiple generations of technology, evolving security threats, and changing development methodologies.

He is currently part of the advanced research organization at a leading cybersecurity company, where he focuses on emerging threats, security innovation, and the practical application of research. His work involves investigating new attack techniques, evaluating emerging technologies, conducting deep technical analysis, and helping organizations better understand and manage complex security risks.

In addition to his research responsibilities, Steve leads a team of senior engineers and subject matter experts who create technical books, training programs, and educational resources for security professionals. Through this work, he helps engineers, developers, architects, and security practitioners strengthen their skills and build more secure systems.

Steve's technical expertise spans software development, reverse engineering, web application security, penetration testing, security architecture, incident response, vulnerability research, operating system internals, and secure software development. His ability to analyze systems at both the source code and binary levels enables him to bridge the worlds of software engineering, security research, and practical defense.

Over the course of his career, Steve has worked with organizations across a wide range of industries, helping them identify, assess, and remediate security weaknesses in critical applications and infrastructure. He is recognized for combining deep technical expertise with a pragmatic approach to security, focusing on solutions that are effective, sustainable, and aligned with business goals.

Through his work in research, engineering, leadership, and education, Steve continues to contribute to the advancement of cybersecurity and the development of secure, resilient technology systems.

Contents

Table of Contents

A Practical Guide to Securing AWS, Azure, and Google Cloud

Introduction: Why Cloud Security Is an Engineering Problem

  1. The Scale of the Problem
  2. What Makes Cloud Security Different
  3. How to Use This Book

Chapter 1: The Cloud Security Landscape

  1. What Is Cloud Security Engineering
  2. The Shared Responsibility Model Across Providers
  3. How Cloud Attacks Differ From Traditional Attacks
  4. The Economics of Cloud Security
  5. Common Pitfalls and Operational Trade-offs
  6. Building Your Cloud Security Mindset

Chapter 2: Identity and Access Management

  1. IAM Fundamentals and the Principle of Least Privilege
  2. AWS IAM: Policies, Roles, and Advanced Patterns
  3. Azure RBAC and Entra ID Security
  4. GCP IAM and Organization Policies
  5. Cross-Account and Cross-Cloud Identity Strategies
  6. Case Study: Capital One (2019) – SSRF, IMDSv1, and the Cost of Excessive IAM Roles
  7. Case Study: Snowflake (2024) – Credential Stuffing and the MFA Gap
  8. Case Study: Okta (2023) – Session Token Theft and MFA Bypass
  9. IAM Attack Paths: Privilege Escalation and Identity Abuse
  10. IAM Operational Trade-offs and Common Pitfalls

Chapter 3: Cloud Networking Security

  1. Cloud Networking Fundamentals
  2. AWS VPC Security and Network ACLs
  3. Azure Virtual Networks and NSGs
  4. GCP VPC and Firewall Rules
  5. Private Connectivity: VPC Peering, ExpressRoute, Interconnect
  6. DNS Security and DDoS Protection
  7. Attack Simulation: Network-Based Lateral Movement in AWS
  8. Networking Decision Framework: Security Group vs. NACL vs. Firewall
  9. Networking Operational Trade-offs and Common Pitfalls

Chapter 4: Zero Trust Architecture in the Cloud

  1. Zero Trust Principles for Cloud Environments
  2. Microsegmentation Across Platforms
  3. Identity-Aware Proxy and API Security
  4. Device and Workload Attestation
  5. Implementing Zero Trust in Multi-Cloud
  6. When Zero Trust Controls Fail
  7. Zero Trust Operational Trade-offs and Common Pitfalls

Chapter 5: Infrastructure as Code Security

  1. The Security Case for Infrastructure as Code
  2. Terraform Security Best Practices
  3. AWS CloudFormation and Native IaC Security
  4. Azure Bicep/ARM Template Security
  5. Policy as Code: OPA, Sentinel, Conftest
  6. Drift Detection and Compliance Automation
  7. Decision Framework: Choosing an IaC Tool
  8. When IaC Security Controls Fail
  9. IaC Operational Trade-offs and Common Pitfalls

Chapter 6: Container and Kubernetes Security

  1. Container Security Fundamentals
  2. EKS, AKS, and GKE Hardening
  3. Image Scanning and Signing
  4. Runtime Security and Admission Controllers
  5. Service Mesh Security: mTLS and Authorization
  6. Case Study: Kubernetes Cluster Compromise Patterns (2024)
  7. Kubernetes Attack Paths and Defense
  8. When Container Security Controls Fail
  9. Container and Kubernetes Operational Trade-offs and Common Pitfalls

Chapter 7: Serverless and Application Security

  1. Serverless Security Model
  2. AWS Lambda Security Patterns
  3. Azure Functions and GCP Cloud Functions Hardening
  4. API Gateway Security Across Platforms
  5. Application Layer Threats and WAF
  6. Function-Level Isolation and Resource Limits
  7. Attack Simulation: Serverless Exploitation Chain
  8. When Serverless Security Controls Fail
  9. Serverless Operational Trade-offs and Common Pitfalls

Chapter 8: Secrets Management and Encryption

  1. Secrets Management Fundamentals
  2. AWS Secrets Manager, Parameter Store, and KMS
  3. Azure Key Vault and Managed Identities
  4. GCP Secret Manager and Cloud KMS
  5. Encryption Architecture Patterns
  6. Key Rotation, HSMs, and Customer-Managed Keys
  7. Decision Framework: Choosing a Secrets Management Solution
  8. Secrets and Encryption Operational Trade-offs and Common Pitfalls

Chapter 9: Logging, Monitoring, and Threat Detection

  1. Cloud Logging Architecture
  2. AWS CloudTrail, GuardDuty, and Security Hub
  3. Azure Monitor, Defender for Cloud, and Sentinel
  4. GCP Cloud Audit Logs, Chronicle, and SCC
  5. Detection Engineering: SIEM Queries and Correlation Rules
  6. Threat Hunting Methodologies for Cloud
  7. Troubleshooting Logging and Detection Issues
  8. When Logging and Detection Controls Fail
  9. Logging and Detection Operational Trade-offs and Common Pitfalls

Chapter 10: Incident Response in the Cloud

  1. Why Cloud Incident Response Is Different
  2. Detection and Triage Workflows
  3. Containment Strategies: Network, Identity, and Compute
  4. Forensic Challenges in Ephemeral Environments
  5. Automated Response Playbooks
  6. Post-Incident Recovery and Lessons Learned
  7. Case Study: Cloud Credential Exposure via CI/CD Pipeline
  8. When Incident Response Controls Fail
  9. Incident Response Operational Trade-offs and Common Pitfalls

Chapter 11: DevSecOps and CI/CD Security

  1. The DevSecOps Pipeline
  2. CI/CD Pipeline Security Hardening
  3. Static Analysis: SAST, DAST, and SCA
  4. Container and Image Scanning in Pipelines
  5. Deployment Gates and Policy Enforcement
  6. Case Study: CI/CD Pipeline Compromise Patterns
  7. Secrets in Pipelines and Build Systems
  8. SBOM Generation and Management
  9. Artifact Signing and Verification
  10. Dependency Management and Vulnerability Tracking
  11. Cloud-Specific Supply Chain Attacks
  12. SLSA Framework and Provenance
  13. Supply Chain Operational Trade-offs and Common Pitfalls

Chapter 13: Governance, Compliance, and Multi-Account Architecture

  1. Multi-Account and Multi-Tenant Architecture
  2. Landing Zone Design Patterns
  3. Compliance Frameworks: NIST, CIS, SOC 2, ISO 27001
  4. Automated Compliance and Audit
  5. Cost Governance and Security Optimization
  6. Cross-Cloud Governance Challenges
  7. When Governance Controls Fail
  8. Governance and Compliance Operational Trade-offs and Common Pitfalls

Chapter 14: Advanced Topics and Emerging Threats

  1. AI and ML Workload Security
  2. Hybrid and Multi-Cloud Security Architectures
  3. Data Protection: Classification, DLP, and Tokenization
  4. Disaster Recovery and Resilience Patterns
  5. Emerging Cloud Threats: AI-Powered Attacks, Supply Chain, Zero-Day
  6. The Future of Cloud Security Engineering
  7. Advanced Topics Operational Trade-offs and Common Pitfalls

Conclusion: Engineering Security That Works

References

Glossary

Get the free sample chapters

Click the buttons to get the free sample in PDF or EPUB, or read the sample online here

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

See full terms...

Earn $8 on a $10 Purchase, and $16 on a $20 Purchase

We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earned over $15 million writing, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub