Course Outline

AWS DevSecOps

Module 1: Introduction to DevSecOps & AWS Fundamentals

Topics:

  • What is DevSecOps?
  • DevOps vs DevSecOps
  • AWS Shared Responsibility Model
  • Key AWS Services in DevSecOps

Lab Task:

  • Create a free-tier AWS account
  • Set up AWS CLI and IAM user with MFA

Module 2: Identity & Access Management (IAM) for DevSecOps

Topics:

  • IAM Users, Roles, and Policies
  • IAM Best Practices
  • Permissions Boundaries & Service Control Policies (SCPs)

Lab Task:

  • Create IAM roles for CI/CD pipelines
  • Implement least privilege with IAM policies

Module 3: DevSecOps CI/CD with CodePipeline

Topics:

  • CI/CD Overview in AWS
  • AWS CodeCommit, CodeBuild, CodePipeline
  • Securing the CI/CD pipeline

Lab Task:

  • Build a CI/CD pipeline using CodeCommit → CodeBuild → CodeDeploy
  • Integrate IAM roles for secure access

Module 4: Infrastructure as Code (IaC) with Security in Mind

Topics:

  • Introduction to AWS CloudFormation & Terraform
  • Secure secrets handling with AWS SSM & Secrets Manager
  • Validation & scanning (cfn-lint, tfsec)

Lab Task:

  • Deploy a secure EC2 instance using Terraform/CloudFormation
  • Store and retrieve secrets securely

Module 5: Container Security with ECS & EKS

Topics:

  • ECS vs EKS Overview
  • Container image scanning (Amazon Inspector, ECR scan)
  • IAM roles for service accounts in EKS

Lab Task:

  • Deploy a Docker app in ECS with secure task roles
  • Scan ECR image for vulnerabilities

Module 6: Security Monitoring and Logging

Topics:

  • AWS CloudTrail, CloudWatch, Config
  • Amazon GuardDuty, Security Hub, and Inspector
  • Logging best practices
  • Amazon Detective: For advanced threat investigation

Lab Task:

  • Enable CloudTrail and GuardDuty
  • Create an alert on suspicious IAM activity via CloudWatch
  • Use Detective to trace an IAM anomaly detected by GuardDuty

Module 7: Secrets, Parameters, and Key Management

Topics:

  • AWS Secrets Manager vs SSM Parameter Store
  • Encryption with KMS
  • Auditing and rotation policies
  • Envelope Encryption: KMS concepts like CMK, DEK

Lab Task:

  • Store secrets in Secrets Manager
  • Use KMS to encrypt an S3 bucket
  • Encrypt/decrypt data manually with KMS CLI

Module 8: DevSecOps Automation & Compliance

Topics:

  • AWS Config rules and Conformance Packs
  • Automating security checks with Lambda
  • CIS Benchmarks & AWS Trusted Advisor

Lab Task:

  • Set up Config rules to enforce tagging compliance
  • Auto-remediate non-compliant resources using Lambda

Module 9: Real-World DevSecOps Project

Topics:

  • Combine CI/CD, IaC, and Security Tools
  • End-to-end DevSecOps flow in a real AWS environment

Lab Task:

  • Build a full pipeline: Secure deployment of a web app using Terraform, CodePipeline, GuardDuty, Secrets Manager, and CloudTrail

Module 10: Final Assessment & Certification Guidance

  • Review key concepts
  • Tips for AWS Security Specialty & DevOps exams
  • Practice questions & project submission