My dream one day is to work for a larger company as a Cloud Engineer and eventually specialize in AWS security. What is a realistic path?
Hello Andrew, I just wanted to start by thanking you for all you are doing for the devops community. A little background I have a bachelors in IT and I currently work in a IT Support/Junior System admin role. This is my first full time IT job and I have the opportunity to touch areas in my current role (operations, security, a little networking) My question for you is what would be a good path for me to take to get started on my AWS journey. My dream one day is to work for a larger company as a Cloud Engineer and eventually specialize in security.
I would say I have 2-3 hours a day during my job to study and learn new things (encouraged by my employer). As someone who is looking to progress into the cloud and learn more about AWS specifically, what is a realistic path I can focus on for the next 6 months. Thank you!
Thanks for the detailed question!
First I would recommend you read my answer to a similar question about Cloud Security to understand the challenges of cloud security for the various cloud service providers (CSPs)
The Cloud Security Engineer
What Cloud Security role should I be going for?
We've heard three different domains of interest mentioned in the question:
- Cloud Engineer โ Architecting and implementing cloud workloads
- DevOps โ IT Operations and Software Development Lifecycles (SDLC)
- Cloud Security โ Security relating to cloud workloads.
At the intersection of these domains is where we get the role of Cloud Security Engineer.
If a visual helps here is a ven-digram I created:
take this diagram with a grain of salt, notice Networking as an outer domain is missing. There are no one-size-fits-all visual graph for cloud roles
To understand the role of Cloud Security Engineer we need to understand two things first:
- Pushing Left
- DevSecOps
What is Pushing Left?
Pushing or Shifting Left means that we perform security at every step of the Software/System Development Life Cycle (SDLC), that security is not something we tack on, rework into our systems after the fact.
Tanya Janca writes about Pushing Left in greater detail on her blog
What is DevSecOps?
DevSecOps is what we get when we incorporate Pushing Left into DevOps.
If we were a Cloud Security Engineer and we had to build a deployment pipeline for an application we may need to do the following additional security tasks (not an exhaustive list):
- Prevent any code that has not been Code signed from being deployed
- Automate application security testing methodologies (SAST and DAST) to find security vulnerabilities that can make an application susceptible to attack
- Automate Synk as a step in our CI/CD to find and fix vulnerabilities in our software packages
- Enable VPC Flow Logs to ensure we have a baseline of IP traffic
- Automate everything with Infrastructure as Code (IaC) like using CloudFormation, turning on Drift Detection
- Creating Config Rules in AWS Config to alert us and remediate if any of our infrastructure expected configuration changes
- Configuring services to be the least-permissive as possible
AWS has a practical example of DevSecOps for CI/CD pipelines
What does a Cloud Security Engineer do?
The two primary responsibilities of a Cloud Security Engineer is:
- implementation and automating of security services eg. SIEM, WAF, IDS/IPS
- implement and secure cloud infrastructure pipelines eg. CodePipline, K8, Jenkins
While it might seem that becoming a Cloud Security Engineer requires a lot of knowledge I think it's one of the more accessible Cloud Security roles because it's a practical role, where other Cyber Security roles require many recognized and costly security certifications.
Do I need Certifications to get this role?
Depends on the industry/vertical as some organizations may have specific cybersecurity certification requirements, but there are many companies who just want to see you have general cybersecurity knowledge. So I would suggest picking what interests you the most and start studying:
- GIAC Security Essentials (GSEC)
- GIAC Certified Incident Handler (GCIH)
- Certified Ethical Hacker (CEH)
- GIAC Certified Intrusion Analyst (GCIA)
- CSA Certificate of Cloud Security Knowledge (CCSK)
- Certified Information Systems Security Professional (CISSP)
freeCodeCamp has a free course to study for the CCISP
I personally like the CCSK as a fundamental certification.
CyberSecurity certifications are expensive, and if your company is not going to pay for you to sit the exam then I'd recommend just buying a study guide or using free content and put a larger focus on rounding out your DevOps skills. You can always just begin your journey as a Cloud Engineer or DevOps role and transition to Cloud Security Engineer when you've gained credentials or enough knowledge.
As you focus your studies on either DevOps or Cloud Engineer just give special attention to security adopting the Pushing Left mindset. Cloud Security requires a deeper understanding of services, so I would say it would speed up your cloud journey rather than slow it down.
Since you want to work with AWS in specific I'd recommend the following certification path:
The AWS Security Speciality I believe should really be called the AWS DevSecOps Associate because it's not that hard and has a strong focus on automating cloud security within AWS. It is essential for your cloud security journey.
I am working on my own free Cloud Security Fundementals course and I've secretly started on it in my free SC-900.
You can see it under the Security Concepts as this content is not actually supposed to part of the SC-900 but I figured a Cloud Security primer was needed.
Security Concepts
- Common Threats
- Vulnerabilities
- Encryption
- Cyphers
- Cryptographic Keys
- Hashing and Salting
- Digital Signatures
- In Transit vs At Rest
- MFA
- SIEM
- SOAR
- XDR
- EDR
- CASB
- Security Posture
- CSPM
- JIT & JEP
- Ingress vs Egress
- Shadow It
- AIR
- Threat Modeling
- STRIDE
- IDS IPS
- MITRE Attack Framework
What are the job requirements?
If you search "Cloud Security Engineer" on any job board you will start to notice the same terminologies listed:
- AWS, Docker, Kubernetes, Jenkins, Terraform, Ansible Expertise
- DAST, SAST, DDoS Mitigation, CASB, SIEM, WAN Security, DLP, Vulnerability Scanning, IPS/IDS, Secure Proxies, SSL cryptographic keys.
- Okta, Azure AD B2C, ZScaler
- Fedramp, FISMA, SCO, ISO, HIPPA, HITRUST, GDPR
I would say the hardest thing to learn is Authentication eg. Okta.
Learning Capacity
I believe in the rule of threes (you need to do something 3 times before you fully understand it). There is also a cap to how fast a human can absorb information. So tempering expectations I think in 6 months your goal is to be a Practitioner of DevOps, Cloud Engineer and Cloud Security.
A Practitioner is someone who knows how to apply learned skills but cannot describe or recall why what their doing is correct.
If we repeat our journey three times your progression should look like this:
- Phase 1 โ Practitioner / Junior (6 months)
- Phase 2 โ Associate / Intermediate (6 months)
- Phase 3 โ Professional / Senior (6 months)
So your goal can be accomplished in 1.5 years or 3 years. It just depends on how hard you want to go at your goal.
With 2-3 hours a day for 6 months (~180 days), that would give us a study capacity in the range of 360-540 hours. How could we best maximize our cloud growth in 6 months with 420 hours?
I would divide that time in half:
- 210 hours allocated for certification study
- 210 hours allocated for putting our knowledge into practice
Cloud Certification Study
An idea for cloud certification study path:
- 20hrs โ CCSK
- 12hrs โ AWS Certified Cloud Practitioner
- 8hrs โ Hashicop Terraform
- 14hrs โ Microsoft Security, Compliance, Identity Fundamentals
- 30hrs โ SysOps Associate
- 30hrs โ DevOps Professional
- 20hrs โ AWS Security Certification
- 20hrs โ Certified Kubernetes Application Developer (CKAD)
- 20hrs โ Certified Kubernetes Security Specialist (CKS)
- 20hrs โ Okta Certified Professional 194 hours (16 surplus hours)
The goal is not to pass these exams but to get through as much content as possible to acclimate ourselves to the body of knowledge we need to know. If your employer is willing to pay for you to sit the exams by all means sit them but do not extend your study time to guarantee a pass, and do not let a failure cause you to linger on a topic in order to fully understand before proceeding.
Personal Projects
You need to find ways to apply your learned knowledge, you could take on after-work side projects for your work or design your own project
I'm sure at some point I'll release a free personal project guide for Cloud Security Engineer on the 100DaysOfCloud Github Project Ideas.
Summary
Cloud Security Engineer demand is growing, it's a fun and challenging role and also the most accessible cybersecurity role. All you have to do is put in the time and stick to a three-year plan.