Cloud Security Index

Purpose

This index is the root entry point for the cloud-security branch of the cybersecurity atlas.

Use it to: - understand cloud as identity, network, storage, metadata, logging, and cost boundaries - build safe cloud labs without accidental exposure or runaway spend - map cloud misconfigurations into attack surface and defensive controls - separate cloud target-domain security from DevSecOps delivery workflow

Use Reference Registry — Cloud Security as the source of truth for references in this branch. Return to Cybersecurity Index for root navigation across branches.

Before this branch: - Foundations (Phase 0). - Networking (especially DNS, TLS, reverse proxies). - Cryptography for IAM/keys/secrets reasoning.

Recommended learning order

Phase 1 — Cloud model and safe labs

1. cloud-security-basics
2. cloud-lab-infrastructure

Phase 2 — Access and administration

3. cloud-iam-boundaries
4. ssh-access-to-cloud-hosts
5. cloud-secrets-management

Phase 3 — Exposure and reachability

6. cloud-network-boundaries
7. cloud-metadata-security
8. public-cloud-storage-exposure
9. cloud-dns-and-certbot

Phase 4 — Visibility and response

10. cloud-logging-and-detection

Core Cloud Security Cluster

Branch maturity

This branch is depth-mature as of 2026-04-30.

All 10 atomic notes follow the canonical 11-section template, include practical labs, and now carry worked examples that connect provider configuration to identity, network, data, metadata, logging, cost, and teardown decisions.

Foundations and labs

• cloud-security-basics
• cloud-lab-infrastructure

Identity and secrets

• cloud-iam-boundaries
• ssh-access-to-cloud-hosts
• cloud-secrets-management

Exposure and network boundaries

• cloud-network-boundaries
• cloud-metadata-security
• public-cloud-storage-exposure
• cloud-dns-and-certbot

Detection

• cloud-logging-and-detection

Cross-links to other branches

Networking

• NAT and Private Networks
• Metadata Endpoints
• DNS Resolution
• TLS and HTTPS
• Firewalls and Network Boundaries

Attack surface mapping

• External Attack Surface
• Exposed Storage
• Admin Interface Discovery
• Third-Party Exposure

DevSecOps

• Secrets Management
• Container Security
• CI/CD Hardening

Suggested future notes

• IaC Security
• cloud-asset-inventory
• cloud-tagging-strategy
• cloud-kms-boundaries
• cloud-container-security
• cloud-serverless-security
• cloud-iam-policy-analysis
• cloud-account-organization
• cloud-cost-security

Possible future playbooks

• build-safe-cloud-lab
• audit-public-cloud-storage
• review-cloud-iam-risk
• trace-cloud-metadata-exposure
• cloud-logging-baseline

Branch maintenance notes

• Keep cloud service behavior and provider-control design in this branch.
• Keep generic TCP/IP, DNS, TLS, and metadata mechanics in index.
• Keep CI/CD, dependency, build, and release controls in index.
• Cloud labs should include budget, least privilege, teardown, and exposure checks.
• Use unresolved wikilinks for future atomic notes so Obsidian can track the branch expansion.
• Maintain the cloud decision pattern: every note should show how a provider setting affects blast radius, ownership, evidence, and the next safe action.

References

• Foundational: AWS Shared Responsibility Model — https://aws.amazon.com/compliance/shared-responsibility-model/
• Foundational: Google Cloud shared responsibility and shared fate — https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate
• Foundational: Microsoft Cloud Adoption Framework security — https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/