Skip to content
>_
SecOps
Log
_
Home
Courses
Learning path
Resources
Topics
Blog
All courses
AWS security engineering
Advanced
5 sections · 15 lessons · ~9h total · 60-question self-test
Start course
01
IAM depth & escalation paths
3 lessons
Test yourself
01
The IAM evaluation model
Deny wins, ceilings are conjunctive, grants additive.
35 min
02
PassRole & escalation paths
The permission combinations that become admin.
35 min
03
Federation & killing static keys
Identity Center for humans, OIDC for CI, roles on instances.
35 min
02
Threat detection & findings
3 lessons
Test yourself
01
GuardDuty threat detection
Agentless findings from CloudTrail, flow, and DNS.
30 min
02
Security Hub & standards
Aggregate, normalize, and score against CIS/FSBP.
30 min
03
Detection as code & response
EventBridge to SIEM/SOAR and auto-containment.
35 min
03
Data protection & encryption
3 lessons
Test yourself
01
KMS & envelope encryption
Data keys, key policies, rotation, and the kill switch.
35 min
02
S3 data protection
Block Public Access, TLS/encryption policies, Object Lock.
30 min
03
Macie & Secrets Manager
Find sensitive data; rotate secrets by identity.
30 min
04
Network security & segmentation
3 lessons
Test yourself
01
VPC segmentation
Identity-referenced SGs, private subnets, blast radius.
30 min
02
Egress control & Network Firewall
Domain allowlists, DNS Firewall, exfiltration defense.
35 min
03
Private endpoints & east-west TLS
PrivateLink, endpoint policies, mTLS internally.
30 min
05
Guardrails, IR & forensics
3 lessons
Test yourself
01
SCP guardrails & landing zones
Preventive limits and secure-by-default accounts.
30 min
02
Org trails & immutable logging
One trail to a locked account, tamper-evident.
30 min
03
Incident response & forensics
Contain, revoke sessions, preserve, hunt persistence.
35 min
Final exam
Test yourself on everything
60 questions drawn from all 5 sections — every answer explained as you pick.
Start final exam