ALL_SERIES
SERIES_OVERVIEW // CURRICULUM_MAP

Learn AWS Security, Monitoring and Management

// Membangun mental model AWS security operating model dari first principles: account, identity, policy, resource, event, log, finding, control, dan runbook.

72 Lessons1219 Min Total04 Phases

This overview is designed to help you choose the right entry point quickly. Follow the full track from lesson one, continue from your last checkpoint, or jump straight into a phase that matches what you need right now.

abacaccess-analyzeraccess-controlaccess-managementaccount-vending+163 more

Curriculum Map

Navigate by phase, then choose the lesson that matches your current depth.

01

Cloud Security Operating Model

16 min

Membangun mental model AWS security operating model dari first principles: account, identity, policy, resource, event, log, finding, control, dan runbook.

02

Shared Responsibility With Engineering Consequences

14 min

Membongkar shared responsibility model dari sisi engineering: siapa memiliki risiko apa, bagaimana tanggung jawab berubah per service, dan bagaimana menerjemahkannya menjadi control ownership.

03

AWS Control Plane and Data Plane

17 min

Membedah AWS control plane dan data plane sebagai fondasi threat modeling, audit, blast-radius control, recovery, dan security operations.

04

Threat Model for AWS Workloads

15 min

Menyusun threat model AWS workload yang bisa dipakai engineer: asset, boundary, actor, attack path, control matrix, evidence, dan remediation.

05

Security Invariants and Cloud Guardrails

23 min

Membangun security invariants dan cloud guardrails di AWS sebagai sistem kontrol yang bisa dicegah, dideteksi, dibuktikan, dan diperbaiki.

06

Multi-Account as Security Boundary

19 min

Memahami AWS multi-account architecture sebagai security, audit, blast-radius, dan operational boundary untuk environment production-grade.

07

Environment Separation Strategy

20 min

Mendesain strategi pemisahan environment AWS yang production-grade: account boundary, OU, ownership, blast radius, data sensitivity, compliance, observability, dan exception model.

08

Cloud Risk Register and Control Mapping

22 min

Membangun cloud risk register dan control mapping di AWS: dari threat scenario menjadi preventive, proactive, detective, responsive, evidence, owner, SLA, dan remediation workflow.

09

AWS Organizations Deep Dive

16 min

AWS Organizations deep dive untuk membangun governance foundation: management account, organization root, member account, OU, policy inheritance, delegated administrator, trusted access, dan operating model lintas akun.

10

Organizational Unit Design

14 min

Desain organizational unit AWS yang defensible: foundational OU, workload OU, sandbox, policy staging, exception, transitional, suspended, regulated workloads, control contract, account movement, dan failure mode.

11

Control Tower Landing Zone

20 min

Control Tower landing zone sebagai baseline governance multi-account AWS: account factory, guardrails, centralized logging, audit, drift, lifecycle, dan operating model production-grade.

12

Service Control Policies From First Principles

18 min

Service Control Policies dari prinsip dasar: permission ceiling, policy inheritance, deny-first guardrails, failure modes, deployment strategy, dan model evaluasi izin lintas AWS Organizations.

13

SCP Design Patterns

23 min

Pola desain Service Control Policies untuk guardrail organisasi: deny root, region restriction, protect audit services, protect security baseline, prevent privilege escalation, dan deployment SCP yang aman.

14

Resource Control Policies and Resource Boundaries

19 min

Resource Control Policies dan resource-side boundary di AWS Organizations: bagaimana RCP melengkapi SCP, resource policies, data perimeter, dan external access prevention.

15

Delegated Administrator Model

16 min

Model delegated administrator di AWS Organizations untuk memindahkan operasi security dan governance dari management account ke akun khusus yang lebih aman, auditable, dan scalable.

16

Account Vending Machine Design

15 min

Desain account vending machine untuk AWS multi-account environment: request model, provisioning pipeline, baseline security, Control Tower Account Factory, AFT, lifecycle, guardrail, evidence, dan failure mode.

17

IAM Mental Model

11 min

Mental model IAM production-grade: principal, action, resource, condition, policy statement, trust boundary, identity policy, resource policy, explicit deny, implicit deny, least privilege, dan cara membaca akses AWS secara sistematis.

18

IAM Policy Evaluation Engine

11 min

Deep dive policy evaluation engine AWS IAM: explicit deny, implicit deny, SCP, RCP, resource policy, identity policy, permission boundary, session policy, trust policy, cross-account evaluation, dan teknik debugging AccessDenied secara deterministik.

19

IAM Identity Center for Human Access

17 min

IAM Identity Center untuk human access production-grade: federation, permission set, account assignment, group model, session, audit, emergency access, dan failure mode.

20

Root User and Break-Glass Access

16 min

Root user dan break-glass access untuk AWS multi-account: kapan root dipakai, cara mengamankan, centralized root access, emergency path, evidence, runbook, dan failure mode.

21

IAM Roles and Trust Policies

19 min

IAM roles dan trust policies secara production-grade: AssumeRole, trust boundary, cross-account access, external ID, confused deputy, source identity, session tags, role chaining, service principal, dan failure mode.

22

Permission Boundaries and Delegated Platform Teams

15 min

Permission boundaries sebagai mekanisme delegated IAM governance: maksimum permission, platform team autonomy, role factory, safe self-service, boundary-aware policy evaluation, anti-escalation controls, dan operating model.

23

IAM Access Analyzer and Policy Generation

20 min

IAM Access Analyzer sebagai mesin analisis akses, policy validation, unused access reduction, external access review, dan policy generation berbasis aktivitas CloudTrail untuk mengurangi privilege drift di AWS.

24

Attribute-Based Access Control in AWS

16 min

Attribute-Based Access Control di AWS dengan principal tags, resource tags, request tags, session tags, IAM Identity Center attributes, tag governance, failure modes, dan pola implementasi ABAC production-grade.

25

Temporary Credentials and Session Design

18 min

Temporary credentials, STS, session duration, source identity, session tags, session policies, credential vending, attribution, and revocation-minded access design for production AWS environments.

26

Workload Identity Patterns

16 min

Workload identity patterns for EC2 instance profiles, ECS task roles, Lambda execution roles, EKS IRSA, EKS Pod Identity, cross-account workload access, runtime verification, guardrails, and failure modeling.

27

Audit Architecture in AWS

21 min

Membangun arsitektur audit AWS yang mampu membuktikan who did what, when, from where, against what, with what result, dan memastikan evidence tetap utuh saat terjadi insiden.

28

CloudTrail Deep Dive

17 min

Deep dive AWS CloudTrail sebagai activity ledger untuk governance, compliance, audit, investigation, dan threat detection di AWS multi-account environment.

29

CloudTrail Design Patterns

17 min

CloudTrail design patterns untuk centralized audit, organization trail, immutable evidence, multi-region coverage, data event strategy, CloudWatch/EventBridge integration, dan forensic-ready AWS audit pipeline.

30

Log Archive Account Design

17 min

Desain Log Archive account untuk centralized log custody, immutable audit evidence, S3/KMS hardening, retention, legal hold, access model, cross-account delivery, dan forensic readiness di AWS Organization.

31

AWS Config as Configuration Timeline

16 min

AWS Config sebagai configuration timeline untuk melihat state resource, perubahan konfigurasi, relationship, compliance posture, aggregator lintas account/region, dan investigasi drift di AWS Organization.

32

Config Rules and Conformance Packs

14 min

Desain AWS Config Rules dan Conformance Packs sebagai policy evaluation system untuk compliance, remediation, governance-as-code, exception handling, dan deployment lintas AWS Organization.

33

VPC Flow Logs and Network Evidence

18 min

VPC Flow Logs sebagai network evidence layer untuk security investigation, connectivity debugging, egress monitoring, traffic baseline, dan forensic readiness tanpa mengulang materi networking dasar.

34

CloudWatch Logs Architecture

18 min

CloudWatch Logs architecture untuk log ingestion, retention, encryption, subscription, metric filter, Logs Insights, operational query, dan centralized logging tanpa kehilangan kontrol biaya dan evidence quality.

35

Data Classification for AWS

21 min

Data classification untuk AWS sebagai dasar engineering decision: data owner, sensitivity, handling requirements, storage boundary, retention, encryption, monitoring, compliance, discovery, dan automated guardrails.

36

AWS KMS Deep Dive

19 min

AWS KMS deep dive dari prinsip dasar: key types, envelope encryption, key policy, IAM, grants, encryption context, rotation, multi-account, multi-region, auditing, deletion, dan operational failure modes.

37

KMS Policy Design Patterns

9 min

KMS policy design patterns for production AWS environments: key policy, IAM policy, grants, encryption context, service-constrained usage, cross-account decrypt, admin separation, deletion safety, and auditability.

38

Secrets Manager and Parameter Store

10 min

Secrets Manager and Systems Manager Parameter Store from a production security and operations perspective: secret lifecycle, config boundary, rotation, retrieval, KMS integration, audit, caching, incident response, and governance.

39

Certificate and Private CA Management

15 min

Certificate and private CA management on AWS from a production security and operations perspective: TLS identity, ACM, AWS Private CA, renewal, revocation, expiry monitoring, audit, and failure-mode design.