Week 8: Capstone Project — RAPID CYBER AI

Lab 1: Capstone Architecture & Design

~60 min

Design the application architecture

Three-tier application with security controls mapped to every layer.

Architecture
$ cat > architecture.md << 'EOF'
# Capstone Architecture

## Application
- Frontend: React (CloudFront → ALB → EKS)
- Backend: Python FastAPI (EKS, private)
- Database: PostgreSQL (RDS, private subnet)

## Security Controls
- Network: VPC segmentation, NetworkPolicies, WAF
- Identity: IRSA, RBAC, mTLS via Istio
- Data: KMS encryption at rest, TLS in transit
- Compute: PSS restricted, Falco, Gatekeeper
- CI/CD: SAST, SCA, image scanning, signing
- Monitoring: CloudTrail, GuardDuty, Prometheus
EOF

Lab 2: Infrastructure Deployment

~90 min

Deploy full infrastructure with Terraform

Everything from Weeks 1-7 deployed together as a production environment.

Deploy
$ cd capstone-project/terraform
$ terraform init
$ terraform plan -out=tfplan

# Review the plan — should create:
# VPC, EKS, RDS, ECR, KMS, CloudTrail, GuardDuty
$ terraform apply tfplan

# Install security infrastructure
$ helm install istio istio/istiod -n istio-system --create-namespace
$ helm install falco falcosecurity/falco -n falco --create-namespace
$ helm install gatekeeper gatekeeper/gatekeeper -n gatekeeper-system --create-namespace

Lab 3: Application Deployment

~90 min

Build, scan, sign, and deploy

Images are scanned, signed, and deployed with full security controls.

Full pipeline
# Build hardened images
$ docker build -t $ECR_REPO/frontend:v1 ./frontend
$ docker build -t $ECR_REPO/backend:v1 ./backend

# Scan
$ trivy image --exit-code 1 --severity HIGH,CRITICAL $ECR_REPO/frontend:v1
$ trivy image --exit-code 1 --severity HIGH,CRITICAL $ECR_REPO/backend:v1

# Push and sign
$ docker push $ECR_REPO/frontend:v1
$ docker push $ECR_REPO/backend:v1
$ cosign sign --yes $ECR_REPO/frontend:v1
$ cosign sign --yes $ECR_REPO/backend:v1

# Deploy to EKS
$ kubectl apply -f k8s/

# Verify
$ kubectl get pods -n bootcamp-app
$ kubectl get svc -n bootcamp-app

Lab 4: Security Validation

~60 min

Run the full security audit

Audit every layer. Simulate attacks. Document findings.

Comprehensive audit
# IAM audit
$ aws iam get-account-authorization-details | jq '.UserDetailList[].AttachedManagedPolicies'

# Network audit  
$ kubectl get networkpolicies -A
$ aws ec2 describe-security-groups --query 'SecurityGroups[*].{Name:GroupName,Ingress:IpPermissions}'

# Container audit
$ trivy image $ECR_REPO/frontend:v1
$ trivy image $ECR_REPO/backend:v1

# K8s audit
$ kubectl get pods -A -o json | jq '.items[].spec.containers[].securityContext'

# CIS Benchmark
$ kubectl apply -f kube-bench-job.yaml
$ kubectl logs job/kube-bench | tail -20

# Simulated attack: try to bypass controls
$ kubectl run attacker --image=busybox -n bootcamp-app -- sh
# Should be rejected by PSS + Gatekeeper

Lab 5: Portfolio Documentation

~60 min

Package your capstone

This README, your code, and your security validation report are your interview portfolio.

Portfolio
$ cat > README.md << 'EOF'
# Cloud Security Engineering — Capstone Project

## Architecture
[Architecture diagram]

## Security Controls
| Layer | Control | Evidence |
|-------|---------|----------|
| Network | VPC segmentation + NetworkPolicies | Flow logs, policy YAMLs |
| Identity | IRSA + RBAC + mTLS | IAM roles, RBAC audit |
| Data | KMS encryption + TLS | Config check |
| Compute | PSS restricted + Falco | Pod security audit |
| CI/CD | SAST + SCA + signing | Pipeline logs |
| Monitoring | CloudTrail + GuardDuty | Alert history |

## Threat Model
[STRIDE analysis with controls mapping]

## Validation
[CIS benchmark results, simulated attack outcomes]
EOF

# Push to GitHub
$ git add . && git commit -m 'Capstone complete'
$ git push origin main

Bootcamp complete

You've built a production-grade secure cloud application from scratch. You've hardened IAM, VPCs, containers, Kubernetes, CI/CD pipelines, and implemented Zero Trust, threat modeling, and automated incident response. This is the skillset that commands $130K-$180K. Go get it.