# Cloud Security Index

## Purpose

This index is the root entry point for the cloud-security branch of the cybersecurity vault. Use it to:

- understand cloud as identity, network, storage, metadata, logging, and cost boundaries
- build safe cloud labs without accidental exposure or runaway spend
- map cloud misconfigurations into attack surface and defensive controls
- separate cloud target-domain security from DevSecOps delivery workflow

Use Reference Registry — Cloud Security as the source of truth for references in this branch.

Return to Cybersecurity Index for root navigation across branches.

Before this branch:

- Foundations (Phase 0).
- Networking (especially DNS, TLS, reverse proxies).
- Cryptography for IAM/keys/secrets reasoning.

## Recommended learning order

### Phase 1 — Cloud model and safe labs

- cloud-security-basics
- cloud-lab-infrastructure

### Phase 2 — Access and administration

- cloud-iam-boundaries
- ssh-access-to-cloud-hosts
- cloud-secrets-management

### Phase 3 — Exposure and reachability

- cloud-network-boundaries
- cloud-metadata-security
- public-cloud-storage-exposure
- cloud-dns-and-certbot

### Phase 4 — Visibility and response

- cloud-logging-and-detection

## Core Cloud Security Cluster

### Branch maturity

This branch is depth-mature as of 2026-04-30. All 10 atomic notes follow the canonical 11-section template, include practical labs, and now carry worked examples that connect provider configuration to identity, network, data, metadata, logging, cost, and teardown decisions.
### Foundations and labs

- cloud-security-basics
- cloud-lab-infrastructure

### Identity and secrets

- cloud-iam-boundaries
- ssh-access-to-cloud-hosts
- cloud-secrets-management

### Exposure and network boundaries

- cloud-network-boundaries
- cloud-metadata-security
- public-cloud-storage-exposure
- cloud-dns-and-certbot

### Detection

- cloud-logging-and-detection

## Cross-links to other branches

### Networking

- NAT and Private Networks
- Metadata Endpoints
- DNS Resolution
- TLS and HTTPS
- Firewalls and Network Boundaries

### Attack surface mapping

- External Attack Surface
- Exposed Storage
- Admin Interface Discovery
- Third-Party Exposure

### DevSecOps

- Secrets Management
- Container Security
- CI/CD Hardening

## Suggested future notes

- IaC Security
- cloud-asset-inventory
- cloud-tagging-strategy
- cloud-kms-boundaries
- cloud-container-security
- cloud-serverless-security
- cloud-iam-policy-analysis
- cloud-account-organization
- cloud-cost-security

## Possible future playbooks

- build-safe-cloud-lab
- audit-public-cloud-storage
- review-cloud-iam-risk
- trace-cloud-metadata-exposure
- cloud-logging-baseline

## Branch maintenance notes

- Keep cloud service behavior and provider-control design in this branch.
- Keep generic TCP/IP, DNS, TLS, and metadata mechanics in index.
- Keep CI/CD, dependency, build, and release controls in index.
- Cloud labs should include budget, least privilege, teardown, and exposure checks.
- Use unresolved wikilinks for future atomic notes so Obsidian can track the branch expansion.
- Maintain the cloud decision pattern: every note should show how a provider setting affects blast radius, ownership, evidence, and the next safe action.

## References

- Foundational: AWS Shared Responsibility Model — https://aws.amazon.com/compliance/shared-responsibility-model/
- Foundational: Google Cloud shared responsibility and shared fate — https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate
- Foundational: Microsoft Cloud Adoption Framework security — https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/