RAPID CYBER AI
WEEK 7 OF 8
0 steps completed
WEEK 7

Advanced Security Patterns

Zero Trust, threat modeling, automated incident response

8-10 hours

Lab 1: Zero Trust Architecture

~90 min

Implement identity-based access

Allow traffic based on service identity, not IP address. Works even if pods move between nodes.

Zero Trust
# Istio AuthorizationPolicy — identity-based, not network-based
$ cat > authz-policy.yaml << 'EOF'
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: backend-policy
  namespace: bootcamp-app
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/bootcamp-app/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
EOF

$ kubectl apply -f authz-policy.yaml
WHY THIS MATTERS

Zero Trust means never trust, always verify. Every request is authenticated regardless of where it originates — inside or outside the cluster.

Lab 2: STRIDE Threat Modeling

~60 min

Build the threat model

Map every STRIDE threat to a control you've built. This is your risk register.

STRIDE analysis
$ cat > threat-model.md << 'EOF'
# STRIDE Threat Model — Bootcamp Application

## Components
- User Browser → CloudFront → ALB → Frontend pods
- Frontend → Backend API → PostgreSQL RDS

## Threats & Controls
| Threat | Category | Control | Status |
|--------|----------|---------|--------|
| Service impersonation | Spoofing | Istio mTLS | ✓ |
| Data in transit | Tampering | TLS everywhere | ✓ |
| Unaudited actions | Repudiation | CloudTrail + K8s audit | ✓ |
| Secret exposure | Info Disclosure | ESO + KMS encryption | ✓ |
| Resource exhaustion | DoS | LimitRange + Quotas | ✓ |
| Container escape | Elev. of Privilege | PSS restricted + Falco | ✓ |
EOF

Lab 3: Automated Incident Response

~90 min

Build an automated IR playbook

GuardDuty finding → EventBridge → Lambda → auto-isolate + snapshot + notify.

Lambda IR
# EventBridge rule → Lambda → auto-remediation
$ cat > ir-lambda.py << 'EOF'
import boto3

def handler(event, context):
    finding = event['detail']
    severity = finding['severity']
    resource = finding['resource']['instanceDetails']['instanceId']
    
    ec2 = boto3.client('ec2')
    
    # Isolate the instance
    ec2.modify_instance_attribute(
        InstanceId=resource,
        Groups=['sg-quarantine']  # Empty SG = no network access
    )
    
    # Snapshot for forensics
    volumes = ec2.describe_volumes(
        Filters=[{'Name': 'attachment.instance-id', 'Values': [resource]}]
    )
    for vol in volumes['Volumes']:
        ec2.create_snapshot(
            VolumeId=vol['VolumeId'],
            Description=f'IR snapshot - {resource}'
        )
    
    return {'status': 'isolated', 'instance': resource}
EOF

Lab 4: Security Monitoring & Dashboards

~60 min

Deploy Prometheus + Grafana

Centralized metrics and dashboards for security monitoring.

Monitoring stack
$ helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
$ helm install prometheus prometheus-community/kube-prometheus-stack \
    --namespace monitoring --create-namespace

# Access Grafana
$ kubectl port-forward svc/prometheus-grafana 3000:80 -n monitoring
# Open http://localhost:3000 (admin/prom-operator)

Lab 5: Security Automation Framework

~60 min

Create security-as-code repo

All security policies as code, version controlled, reviewed, and auto-deployed.

GitOps
$ mkdir -p security-policies/{opa,falco,network-policies,config-rules}

# All policies live in git
# ArgoCD syncs them to the cluster automatically
# Changes require PR review from security team
# Unit tests validate policies before deployment

$ cat > security-policies/README.md << 'EOF'
# Security Policy Repository
## Structure
- opa/ — Gatekeeper constraint templates
- falco/ — Runtime detection rules  
- network-policies/ — Namespace segmentation
- config-rules/ — AWS Config compliance rules
EOF
NEXT: WEEK 8 →