Learn AWS Security, Monitoring and Management
// Membangun mental model AWS security operating model dari first principles: account, identity, policy, resource, event, log, finding, control, dan runbook.
This overview is designed to help you choose the right entry point quickly. Follow the full track from lesson one, continue from your last checkpoint, or jump straight into a phase that matches what you need right now.
Curriculum Map
Navigate by phase, then choose the lesson that matches your current depth.
Cloud Security Operating Model
16 minMembangun mental model AWS security operating model dari first principles: account, identity, policy, resource, event, log, finding, control, dan runbook.
Shared Responsibility With Engineering Consequences
14 minMembongkar shared responsibility model dari sisi engineering: siapa memiliki risiko apa, bagaimana tanggung jawab berubah per service, dan bagaimana menerjemahkannya menjadi control ownership.
AWS Control Plane and Data Plane
17 minMembedah AWS control plane dan data plane sebagai fondasi threat modeling, audit, blast-radius control, recovery, dan security operations.
Threat Model for AWS Workloads
15 minMenyusun threat model AWS workload yang bisa dipakai engineer: asset, boundary, actor, attack path, control matrix, evidence, dan remediation.
Security Invariants and Cloud Guardrails
23 minMembangun security invariants dan cloud guardrails di AWS sebagai sistem kontrol yang bisa dicegah, dideteksi, dibuktikan, dan diperbaiki.
Multi-Account as Security Boundary
19 minMemahami AWS multi-account architecture sebagai security, audit, blast-radius, dan operational boundary untuk environment production-grade.
Environment Separation Strategy
20 minMendesain strategi pemisahan environment AWS yang production-grade: account boundary, OU, ownership, blast radius, data sensitivity, compliance, observability, dan exception model.
Cloud Risk Register and Control Mapping
22 minMembangun cloud risk register dan control mapping di AWS: dari threat scenario menjadi preventive, proactive, detective, responsive, evidence, owner, SLA, dan remediation workflow.
AWS Organizations Deep Dive
16 minAWS Organizations deep dive untuk membangun governance foundation: management account, organization root, member account, OU, policy inheritance, delegated administrator, trusted access, dan operating model lintas akun.
Organizational Unit Design
14 minDesain organizational unit AWS yang defensible: foundational OU, workload OU, sandbox, policy staging, exception, transitional, suspended, regulated workloads, control contract, account movement, dan failure mode.
Control Tower Landing Zone
20 minControl Tower landing zone sebagai baseline governance multi-account AWS: account factory, guardrails, centralized logging, audit, drift, lifecycle, dan operating model production-grade.
Service Control Policies From First Principles
18 minService Control Policies dari prinsip dasar: permission ceiling, policy inheritance, deny-first guardrails, failure modes, deployment strategy, dan model evaluasi izin lintas AWS Organizations.
SCP Design Patterns
23 minPola desain Service Control Policies untuk guardrail organisasi: deny root, region restriction, protect audit services, protect security baseline, prevent privilege escalation, dan deployment SCP yang aman.
Resource Control Policies and Resource Boundaries
19 minResource Control Policies dan resource-side boundary di AWS Organizations: bagaimana RCP melengkapi SCP, resource policies, data perimeter, dan external access prevention.
Delegated Administrator Model
16 minModel delegated administrator di AWS Organizations untuk memindahkan operasi security dan governance dari management account ke akun khusus yang lebih aman, auditable, dan scalable.
Account Vending Machine Design
15 minDesain account vending machine untuk AWS multi-account environment: request model, provisioning pipeline, baseline security, Control Tower Account Factory, AFT, lifecycle, guardrail, evidence, dan failure mode.
IAM Mental Model
11 minMental model IAM production-grade: principal, action, resource, condition, policy statement, trust boundary, identity policy, resource policy, explicit deny, implicit deny, least privilege, dan cara membaca akses AWS secara sistematis.
IAM Policy Evaluation Engine
11 minDeep dive policy evaluation engine AWS IAM: explicit deny, implicit deny, SCP, RCP, resource policy, identity policy, permission boundary, session policy, trust policy, cross-account evaluation, dan teknik debugging AccessDenied secara deterministik.
IAM Identity Center for Human Access
17 minIAM Identity Center untuk human access production-grade: federation, permission set, account assignment, group model, session, audit, emergency access, dan failure mode.
Root User and Break-Glass Access
16 minRoot user dan break-glass access untuk AWS multi-account: kapan root dipakai, cara mengamankan, centralized root access, emergency path, evidence, runbook, dan failure mode.
IAM Roles and Trust Policies
19 minIAM roles dan trust policies secara production-grade: AssumeRole, trust boundary, cross-account access, external ID, confused deputy, source identity, session tags, role chaining, service principal, dan failure mode.
Permission Boundaries and Delegated Platform Teams
15 minPermission boundaries sebagai mekanisme delegated IAM governance: maksimum permission, platform team autonomy, role factory, safe self-service, boundary-aware policy evaluation, anti-escalation controls, dan operating model.
IAM Access Analyzer and Policy Generation
20 minIAM Access Analyzer sebagai mesin analisis akses, policy validation, unused access reduction, external access review, dan policy generation berbasis aktivitas CloudTrail untuk mengurangi privilege drift di AWS.
Attribute-Based Access Control in AWS
16 minAttribute-Based Access Control di AWS dengan principal tags, resource tags, request tags, session tags, IAM Identity Center attributes, tag governance, failure modes, dan pola implementasi ABAC production-grade.
Temporary Credentials and Session Design
18 minTemporary credentials, STS, session duration, source identity, session tags, session policies, credential vending, attribution, and revocation-minded access design for production AWS environments.
Workload Identity Patterns
16 minWorkload identity patterns for EC2 instance profiles, ECS task roles, Lambda execution roles, EKS IRSA, EKS Pod Identity, cross-account workload access, runtime verification, guardrails, and failure modeling.
Audit Architecture in AWS
21 minMembangun arsitektur audit AWS yang mampu membuktikan who did what, when, from where, against what, with what result, dan memastikan evidence tetap utuh saat terjadi insiden.
CloudTrail Deep Dive
17 minDeep dive AWS CloudTrail sebagai activity ledger untuk governance, compliance, audit, investigation, dan threat detection di AWS multi-account environment.
CloudTrail Design Patterns
17 minCloudTrail design patterns untuk centralized audit, organization trail, immutable evidence, multi-region coverage, data event strategy, CloudWatch/EventBridge integration, dan forensic-ready AWS audit pipeline.
Log Archive Account Design
17 minDesain Log Archive account untuk centralized log custody, immutable audit evidence, S3/KMS hardening, retention, legal hold, access model, cross-account delivery, dan forensic readiness di AWS Organization.
AWS Config as Configuration Timeline
16 minAWS Config sebagai configuration timeline untuk melihat state resource, perubahan konfigurasi, relationship, compliance posture, aggregator lintas account/region, dan investigasi drift di AWS Organization.
Config Rules and Conformance Packs
14 minDesain AWS Config Rules dan Conformance Packs sebagai policy evaluation system untuk compliance, remediation, governance-as-code, exception handling, dan deployment lintas AWS Organization.
VPC Flow Logs and Network Evidence
18 minVPC Flow Logs sebagai network evidence layer untuk security investigation, connectivity debugging, egress monitoring, traffic baseline, dan forensic readiness tanpa mengulang materi networking dasar.
CloudWatch Logs Architecture
18 minCloudWatch Logs architecture untuk log ingestion, retention, encryption, subscription, metric filter, Logs Insights, operational query, dan centralized logging tanpa kehilangan kontrol biaya dan evidence quality.
Data Classification for AWS
21 minData classification untuk AWS sebagai dasar engineering decision: data owner, sensitivity, handling requirements, storage boundary, retention, encryption, monitoring, compliance, discovery, dan automated guardrails.
AWS KMS Deep Dive
19 minAWS KMS deep dive dari prinsip dasar: key types, envelope encryption, key policy, IAM, grants, encryption context, rotation, multi-account, multi-region, auditing, deletion, dan operational failure modes.
KMS Policy Design Patterns
9 minKMS policy design patterns for production AWS environments: key policy, IAM policy, grants, encryption context, service-constrained usage, cross-account decrypt, admin separation, deletion safety, and auditability.
Secrets Manager and Parameter Store
10 minSecrets Manager and Systems Manager Parameter Store from a production security and operations perspective: secret lifecycle, config boundary, rotation, retrieval, KMS integration, audit, caching, incident response, and governance.
Certificate and Private CA Management
15 minCertificate and private CA management on AWS from a production security and operations perspective: TLS identity, ACM, AWS Private CA, renewal, revocation, expiry monitoring, audit, and failure-mode design.