Certified DevSecOps Architect CDA

The most comprehensive DevSecOps certification in the world. This AWS DevSecOps Certification is designed to implement DevSecOps principles on AWS by securing compute services, patch management, data and network security, compliance, and more.

AWS Certification

  • Earn the certification by passing the 24-hour practical exam.
  • Certification demonstrates to employers and others a practical understanding of advanced concepts such as custom rule sets.
  • A CDA is able to design secure solutions using DevSecOps Principles.

Prerequisites

  1. Course participants should have the Certified DevSecOps Professional (CDP) certification.
  2. Course participants should have basic knowledge of any public cloud implementation such as AWS, GCP or Azure.

Chapter 1: Overview of DevSecOps

  1. What is DevOps?
  2. DevOps Building Blocks – People, Process and Technology.
  3. DevOps Principles – Culture, Automation, Measurement and Sharing (CAMS)
  4. Benefits of DevOps – Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.
  5. What is Continuous Integration and Continuous Deployment?
    1. Continuous Integration to Continuous Deployment to Continuous Delivery.
    2. Continuous Delivery vs Continuous Deployment.
    3. General workflow of CI/CD pipeline.
    4. Blue/Green deployment strategy
    5. Achieving full automation.
    6. Designing a CI/CD pipeline for web application.
  6. Common Challenges faced when using DevOps principle.
  7. Case studies on DevOps of cutting edge technology at Facebook, Amazon and Google

Demo: A full enterprise grade DevSecOps Pipeline.

Chapter 2: Overview of DevSecOps on AWS

  1. What is Secure SDLC and DevSecOps
  2. Secure SDLC Activities and Security Gates
    1. Security Requirements (Requirements)
    2. Threat Modelling (Design)
    3. Static Analysis and Secure by Default (Implementation)
    4. Dynamic Analysis (Testing)
    5. OS Hardening, Web/Application Hardening (Deploy)
    6. Security Monitoring/Compliance (Maintain)
  3. DevSecOps Maturity Model (DSOMM) on AWS
  4. Tools used during the course
    1. CodeCommit/CodeDeploy
    2. Packer
    3. Ansible
    4. Terraform
    5. Docker, ECR, and ECS
    6. AWS Inspector
    7. AWS Config, AWS Organizations and AWS Artifact
    8. CloudTrail, CloudWatch and CloudWatch Logs
  5. Hands-On Labs:
    1. Use Terraform to practice Infrastructure as Code on AWS
    2. Building a CI Pipeline using CodeCommit/CodeDeploy.
    3. Create a CI/CD pipeline suitable for modern applications on AWS.

Chapter 3: Attacking and Auditing modern DevOps systems

  1. Audit and exploit the DevOps Systems
    1. Version control systems like GitLab/GitHub, etc.
    2. CI/CD systems like Jenkins/GitLab CI/Bitbucket
    3. Orchestration systems like Kubernetes, Swarm, etc.
    4. Infrastructure as Code tools like Ansible, Chef and Puppet
    5. Service discovery/secrets management systems like Consul/etcd/ZooKeeper and Vault.
    6. Monitoring systems like the ELK stack
    7. Cache management systems like Redis/Memcached
  2. Hands-on Lab: Exploiting Jenkins Server for mass pwnage.
  3. Hands-on Lab: Exploiting Service discovery and caching systems.

Chapter 4: Introduction to Amazon Web Services

  1. What is Cloud Computing
  2. IaaS, PaaS, SaaS
  3. Key cloud computing characteristics
  4. Cloud deployment methodologies
  5. What is AWS/GCP
  6. AWS Services and Use Cases
  7. Shared Security model
  8. Ways to interact with AWS Services
    1. AWS CLI, Console and SDKs
  9. Compliance and Legal Issues in Cloud.

Chapter 5: Identity and Access Management (IAM)

  1. Root Account and its security
  2. Different types of secrets (credentials, key pairs, certificates, etc.)
  3. Users, Groups, Roles and Services
  4. IAM Policies
    1. AWS Managed
    2. Customer Managed
    3. Inline Policies
  5. Password Policy
  6. AWS Security Token Service (STS)
  7. Hands-On Labs: Lock down and setup monitoring on Root Account
  8. Hands-On Labs: Write IAM Policies to implement least privileged controls

Chapter 6: Securing compute services in AWS

  1. AWS EC2 and its security
  2. EC2 instances and AMI security
  3. EBS volumes and Public Snapshots
  4. Continuous Hardening of AMI Images aka Golden Images.
  5. Hands-On Labs: Harden base AMIs using Ansible.
  6. Hands-On Labs: Encrypt EBS root volumes and Backups.

Chapter 7: Data security in AWS

  1. S3, Lifecycle management, and Public buckets.
  2. Bucket Policies and ACLs
  3. AWS S3 pre-signed URLs and CloudFront origin access identity
  4. Hands-On Labs: Write bucket policies to safeguard data.
  5. Hands-On Labs: Write bucket policies to always send data on TLS.
  6. Encryption at rest
    1. Symmetric vs Asymmetric Encryption
    2. KMS support for Symmetric Encryption
      1. KMS managed keys
      2. Customer managed keys
    3. Hands-On Labs: Use KMS to encrypt EBS volumes and S3 buckets
  7. Default encryption with AWS managed keys
    1. KMS managed keys
    2. Key Management System
    3. Hands-On Labs: Use KMS to store sensitive information
  8. CloudHSM
    1. Shared vs Dedicated devices
    2. The business need for CloudHSM
    3. FIPS 140-2 and other compliance requirements.
  9. Encryption in transit

Chapter 8: Network Security in AWS

  1. VPC, subnets, Route tables and Security groups.
  2. Bastion hosts vs VPN for security
  3. VPC endpoints and security implications
  4. Deployment to Cloud.
    1. Deploying to Cloud vs Own Datacenter
    2. Deploying to AWS EC2
  5. AWS WAF and its benefits
  6. Hands-On Lab: Create a 2-tier VPC with Bastion hosts
  7. Hands-On Lab: Vulnerability Assessment with AWS Inspector

Chapter 9: Infrastructure as Code (IaC) and Its Security

  1. What is Infrastructure as Code and its benefits
  2. Introduction to Terraform
    1. Benefits of Terraform
    2. Terraform vs CloudFormation
    3. Resources, input/output variables, modules and state files
    4. Terraform for continuous security in DevOps Pipelines
  3. Introduction to Packer
    1. Benefits of Packer
    2. Modules, tasks, roles and Playbooks
    3. Packer for continuous security in DevOps Pipelines
  4. Tools and Services for practising IaC (Terraform + Packer + Ansible + Docker)
  5. Hands-On Labs: Using Terraform + Ansible to harden on-prem/cloud machines for PCI-DSS
  6. Hands-On Labs: Create hardened Golden images using Packer + Ansible + Terraform

Chapter 10: Patch Management and Security Monitoring

  1. Approaches for patching running applications.
  2. Approaches for patching Immutable Infrastructure.
  3. Hot swap EC2 instances using Ansible.
  4. Security Monitoring using AWS CloudWatch, CloudTrail and Kinesis Firehose.

Chapter 11: Compliance in AWS

  1. Compliance and Legal Issues in Cloud.
  2. Different approaches to handle compliance requirements at DevOps scale
  3. AWS provided services like CloudTrail, Config, Organizations, and Artifact
  4. Hands-On Lab: Manage compliance using AWS config rules
  5. Hands-On Lab: Using AWS Organizations to handle compliance in multiple accounts