Domain 4 of 6 · Chapter 6 of 7

Cloud Application Architecture

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • Supplemental security components and the layer each protects
  • Cryptography and key placement inside the application
  • Sandboxing, microservices, and container isolation
  • Exam-pattern recognition for cloud application architecture

Supplemental security components: which layer each one protects

ComponentLayer it inspectsPrimary threat it addressesWhat it does NOT cover
Web application firewall (WAF)HTTP/HTTPS, layer 7Injection, XSS, OWASP Top 10 web patternsXML schema attacks; in-database activity; non-HTTP traffic
XML firewall (XML gateway)XML/SOAP messagesXML injection, schema violations, entity expansion (billion laughs)Generic web app attacks outside XML; database queries
API gatewayAPI requests (REST/SOAP/gRPC)AuthN/Z, rate limiting, request validation, meteringDeep content inspection of payloads; data-at-rest protection
Database activity monitoring (DAM)Database queries and sessionsPrivileged/abnormal access, SQLi seen at the DB, exfiltrationPre-DB request filtering; encryption of the data itself

Decision tree

Threat at the data store?Database activitymonitoring (DAM)YesPayload is SOAP / XML?NoXML firewall(XML gateway)YesGovern / authN / rate-limitmany APIs?NoAPI gatewayYesWeb applicationfirewall (WAF)No: HTTP L7Always: supplemental controls layer on secure code, never replace it

Cheat sheet

  • A WAF inspects HTTP at layer 7 for injection and XSS, so it matches web-application attacks
  • A WAF is a compensating control, not a replacement for input validation
  • A WAF in monitor/count mode blocks nothing
  • An XML firewall validates XML schema and stops XML-specific attacks a WAF cannot
  • An API gateway centralizes authN/Z, rate limiting, and metering for many APIs
  • Database activity monitoring is a detective control that watches queries at the data store
  • Pick the supplemental component by the layer the threat lives on
  • Storage encryption does not hide data from a compromised app, an insider, or the provider
  • Application- or client-side encryption narrows who can read the plaintext
  • Tokenization removes the sensitive value and shrinks compliance scope
  • Keys belong in a KMS or HSM, separated from the ciphertext
  • Customer-held keys (BYOK/HYOK) answer 'the provider must never decrypt our data'
  • Sandboxing contains a compromise; it does not prevent malicious code from running
  • A container shares the host kernel, so it is weaker isolation than a VM
  • Harden containers: non-root, dropped capabilities, seccomp/AppArmor, scanned images
  • Microservices multiply the attack surface, so isolate and least-privilege each service
  • The orchestrator's control plane is itself a high-value target
  • Supplemental controls layer on the secure SDLC; they are not the SDLC
  • RASP is embedded inside the running app to detect and block attacks in real time
  • RASP must be performance-trialed and baked into the base image for ephemeral workloads
  • Scan container images before pushing them to the trusted registry
  • Images with HIGH or CRITICAL findings are rebuilt or deleted, not deployed
  • In a service mesh the sidecar proxy intercepts all traffic and enforces mTLS
  • Zero trust in a mesh denies by default and authenticates every workload call
  • A TPM seals secrets to PCR boot measurements and signs quotes for remote attestation
  • FaaS statelessness enables flow-bypass and residual /tmp data leakage across invocations

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. OWASP Top 10 — Standard awareness document for web application security risks
  2. OWASP XML External Entity Prevention Cheat Sheet (entity expansion / billion-laughs DoS)
  3. NIST Cryptographic Module Validation Program (FIPS 140-2 / FIPS 140-3 module validation) Whitepaper
  4. NIST SP 800-57 Part 1 Rev. 5 — Recommendation for Key Management Whitepaper