# Essential AWS DevSecOps Self-Study Path

> **Intro:** This page translates a compact public AWS DevSecOps training syllabus into a practical self-study route that fits this KB. The goal is not to mirror the course but to turn its strongest themes into a repeatable learning path.
>
> **What this page includes**
>
> * a staged AWS DevSecOps learning route;
> * mapping from syllabus themes to KB pages and labs;
> * guidance on where to practice, where to automate, and where to document evidence;
> * a portfolio-oriented output list for engineers who want visible learning results.

## Why this page exists

A lot of AWS security learning material either stops at certifications or jumps straight to tool demos.

The more useful path for Product Security and cloud security engineers is:

1. understand AWS security foundations;
2. understand attacks and defenses in the same environment;
3. automate guardrails and evidence collection;
4. practice in labs;
5. turn what you learned into reusable review patterns and portfolio artifacts.

## High-level learning sequence

### Stage 1 - AWS foundations with security context

Cover the basics first:

* core AWS services and account structure;
* IAM and role assumption patterns;
* networking and segmentation concepts;
* audit and monitoring primitives.

Use these KB pages first:

* [AWS IAM and Role Design](/cloud-kubernetes-and-infrastructure-security/index/aws-iam-and-role-design.md)
* [AWS Security Baseline and Top Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index/aws-security-baseline-and-top-misconfigurations.md)
* [Cloud Audit Cookbook by Provider](/cloud-kubernetes-and-infrastructure-security/index/cloud-audit-cookbook-by-provider.md)
* [Cloud Auditing by API and Configuration State](/cloud-kubernetes-and-infrastructure-security/index/cloud-auditing-by-api-and-configuration-state.md)

### Stage 2 - AWS security principles

Do not learn AWS only as a service catalog. Learn it as an attack-path and control-design environment.

Focus on:

* trusted relationships and role abuse;
* metadata and credential exposure paths;
* logging and audit blind spots;
* identity design mistakes that become escalation paths;
* the relationship between infrastructure choices and incident visibility.

Pair this with:

* [Cloud Security Across AWS, Azure, and GCP](/cloud-kubernetes-and-infrastructure-security/index/cloud-security-across-aws-azure-and-gcp.md)
* [AWS Cloud Attack Chains](/attack-paths-testing-detection-and-hardening/index-1/aws-cloud-attack-chains.md)
* [Logging and Telemetry Strategy](/attack-paths-testing-detection-and-hardening/index/logging-and-telemetry-strategy.md)

### Stage 3 - Automation and infrastructure as code

The public course outline explicitly includes scripting, SDKs, CloudFormation, and Terraform. In this KB, the most practical bridge is infrastructure as code plus evidence-driven CI.

Priority topics:

* policy-as-code and static guardrails;
* Terraform scanning and test strategy;
* reusable CI security gates;
* release evidence and provenance.

Use:

* [Terraform Security Scanning and Checkov](/cloud-kubernetes-and-infrastructure-security/index/terraform-security-scanning-and-checkov.md)
* [Security as Policy for Terraform and Infrastructure as Code](/cloud-kubernetes-and-infrastructure-security/index/security-as-policy-for-iac.md)
* [Infrastructure as Code Maturity and Test Strategy](/cloud-kubernetes-and-infrastructure-security/index/infrastructure-as-code-maturity-and-test-strategy.md)
* [Security Quality Gates and Release Blocking](/devsecops-cicd-and-supply-chain/index-1/security-quality-gates-and-release-blocking.md)
* [Signing, Attestation, and Verification - Legacy vs Current](/devsecops-cicd-and-supply-chain/index-1/signing-attestation-and-verification-legacy-vs-current.md)
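A small static guardrail of the kind Stage 3 describes, applied to the Stage 2 theme of trusted relationships and role abuse. It is an added example, not tooling from this KB or from the public course: it flags IAM role trust policies that let any AWS principal assume a role, or that trust a whole foreign account's `:root` without a `Condition`. The sample policies and account id are constructed.

```python
"""Policy-as-code check for IAM role trust policies (added example, not KB tooling)."""
import json


def _as_list(value):
    # IAM JSON allows a single string or a list in most positions.
    return value if isinstance(value, list) else [value]


def _allows_assume(statement: dict) -> bool:
    actions = {a.lower() for a in _as_list(statement.get("Action", []))}
    # Covers sts:AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, sts:*, *.
    return any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions)


def trust_policy_findings(policy: dict) -> list:
    """Return (statement index, severity, message) tuples for risky Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _allows_assume(stmt):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        has_condition = bool(stmt.get("Condition"))
        for p in aws_principals:
            if p == "*":
                findings.append((idx, "HIGH", "any AWS principal may assume this role"))
            elif p.endswith(":root") and not has_condition:
                findings.append((idx, "MEDIUM",
                                 f"account-wide trust {p} without a Condition (e.g. sts:ExternalId)"))
    return findings


def scan_json(text: str) -> list:
    """Convenience wrapper for a trust policy exported as JSON text."""
    return trust_policy_findings(json.loads(text))


# Constructed sample policies; the account id is a placeholder, not a real account.
_ASSUME = {"Effect": "Allow", "Action": "sts:AssumeRole"}
WEAK = {"Version": "2012-10-17", "Statement": [{**_ASSUME, "Principal": {"AWS": "*"}}]}
CROSS_ACCOUNT_NO_CONDITION = {"Version": "2012-10-17", "Statement": [
    {**_ASSUME, "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}
HARDENED = {"Version": "2012-10-17", "Statement": [
    {**_ASSUME, "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}

if __name__ == "__main__":
    for name, pol in [("weak", WEAK), ("cross-account", CROSS_ACCOUNT_NO_CONDITION), ("hardened", HARDENED)]:
        print(name, trust_policy_findings(pol))
```

The same function can run in CI over `aws iam get-role` output or Terraform plan JSON to fail the pipeline before the trust relationship is created.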

### Stage 4 - Practice through labs

This is where the learning path stops being theoretical.

Recommended lab sequence:

1. [AWSGoat - AWS Cloud Lab](/learning-labs-interview-and-templates/index-2/awsgoat-aws-cloud-lab.md)
2. [CloudGoat - Cloud Scenarios Lab](/learning-labs-interview-and-templates/index-2/cloudgoat-cloud-scenarios-lab.md)
3. [OWASP EKS Goat - AWS EKS Lab](/learning-labs-interview-and-templates/index-2/owasp-eks-goat-aws-eks-lab.md)
4. [Terragoat - IaC Misconfiguration Lab](/learning-labs-interview-and-templates/index-2/terragoat-iac-misconfiguration-lab.md)
5. [Cloud Compliance Scan Lab - Scan -> Triage -> Fix -> Codify](/learning-labs-interview-and-templates/index-2/cloud-compliance-scan-lab-scan-triage-fix-codify.md)
6. [Containment and Eradication Automation Lab](/learning-labs-interview-and-templates/index-2/containment-and-eradication-automation-lab.md)

### Stage 5 - Build a visible portfolio

The public training repo emphasizes helping learners build a portfolio of DevSecOps projects. That is the right instinct.

Useful portfolio outputs:

* an IAM review checklist for one sample AWS service stack;
* a Terraform policy pack or small Checkov / OPA rule bundle;
* a CloudTrail or audit-review cheat sheet;
* a worked attack-path diagram for one AWS trust relationship problem;
* a small CI example that blocks on security findings and records evidence;
* a mini write-up of one lab: what failed, how it was detected, how it was fixed.

## Suggested 8-week route

### Weeks 1-2

* AWS IAM and trust basics;
* audit and monitoring basics;
* baseline misconfigurations.

### Weeks 3-4

* attack paths and cloud review thinking;
* logging and telemetry design;
* initial threat-model notes for one AWS-hosted service.

### Weeks 5-6

* Terraform scanning and policy-as-code;
* CI quality gates;
* signing, attestations, and release evidence.

### Weeks 7-8

* AWSGoat / CloudGoat / EKS Goat practice;
* one cloud compliance lab;
* one short portfolio artifact published in your own notes or repo.

## What to write down as you learn

Keep a running log with:

* AWS services you actually touched;
* common attack-path mistakes you now recognize faster;
* controls you would enforce in CI rather than manually;
* controls that belong in architecture review instead of scanner policy;
* evidence you would preserve during a cloud incident.

That log will make later incident-response, architecture-review, and leadership material much easier to absorb.

## Common mistakes in AWS DevSecOps learning

* learning services without learning trust boundaries;
* spending all practice time in one scanner or one tool;
* treating Terraform policy as the whole cloud-security story;
* ignoring logging and response design until after deployment;
* building no reusable output from the labs.

## Related pages in this KB

* [Product Security Ramp-Up Tracks](/learning-labs-interview-and-templates/index-2/product-security-ramp-up-tracks.md)
* [Curated Conference Talks 2021-2025](/learning-labs-interview-and-templates/index-2/curated-conference-talks-2021-2025-appsec-devsecops-cloud-product-security.md)
* [AWSGoat - AWS Cloud Lab](/learning-labs-interview-and-templates/index-2/awsgoat-aws-cloud-lab.md)
* [CloudGoat - Cloud Scenarios Lab](/learning-labs-interview-and-templates/index-2/cloudgoat-cloud-scenarios-lab.md)
* [OWASP EKS Goat - AWS EKS Lab](/learning-labs-interview-and-templates/index-2/owasp-eks-goat-aws-eks-lab.md)
* [Terragoat - IaC Misconfiguration Lab](/learning-labs-interview-and-templates/index-2/terragoat-iac-misconfiguration-lab.md)

---

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*
