Cloud Architecture and Deployment Models
Cloud+ covers cloud architecture from an infrastructure perspective. Cloud service models: IaaS (you manage OS and above — EC2, Azure VMs, Compute Engine), PaaS (you manage applications and data — Elastic Beanstalk, App Service, App Engine), SaaS (you manage identity and data configuration — Salesforce, Office 365, Google Workspace). Deployment models: public cloud (shared infrastructure, multi-tenant, owned by cloud provider), private cloud (dedicated infrastructure — your own datacentre running OpenStack, VMware Cloud Foundation, or Nutanix), community cloud (shared by organisations with common requirements — government clouds, healthcare clouds), hybrid cloud (combination — workload portability and data flexibility). Cloud characteristics: on-demand self-service (provision without human interaction), broad network access (accessible over standard networks), resource pooling (shared pool, multi-tenant), rapid elasticity (scale up/down quickly), measured service (pay-per-use). Cloud+ exam emphasises multi-cloud management — managing resources and governance across AWS, Azure, and GCP simultaneously.
Cloud Infrastructure and Virtualisation
Virtualisation underlies all cloud computing. Hypervisors: Type 1 (bare metal — VMware ESXi, Microsoft Hyper-V, KVM — runs directly on hardware, smaller attack surface, better performance), Type 2 (hosted — VMware Workstation, VirtualBox — runs on top of an OS, higher overhead). VM components: vCPU (virtual CPU — mapped to physical CPU threads), vRAM, virtual disks (thin provisioning = allocate on write, thick provisioning = allocate all upfront), virtual NICs. Containers vs VMs: containers share the host kernel (lightweight, fast startup, but a kernel compromise affects every container on that host), VMs have a separate OS kernel per VM (stronger isolation, slower to start and heavier per instance). Container orchestration: Kubernetes manages containerised workloads across node clusters. Cloud storage types: block storage (raw volumes attached to VMs — EBS, Azure Managed Disks, Persistent Disk — highest performance, lowest latency), object storage (flat namespace with HTTP API — S3, Azure Blob, Cloud Storage — unlimited scale, cheap, slow for random access), file storage (NFS or SMB shared file systems — EFS, Azure Files, Filestore — shared access from multiple VMs). Networking: VPC/VNet, subnets, route tables, security groups/firewall rules, load balancers, CDN for static content caching.
Cloud Security and Compliance
Cloud+ security covers both technical controls and governance. Shared responsibility model: provider secures hypervisor, network, and physical hardware; customer secures data, identity, and application configuration — the exact split depends on service model (IaaS you own more, SaaS you own less, but the customer always owns its data and identity). Identity and access: IAM for resource access, MFA required for privileged accounts, service accounts for workload identity (not human accounts), least privilege in all role assignments. Encryption: data at rest (provider-managed keys, customer-managed keys), data in transit (TLS 1.2+ minimum), key management (cloud KMS for managed keys, HSM-backed keys where hardware isolation of key material is required). Compliance frameworks: SOC 2 (service provider security, availability, confidentiality), ISO 27001 (information security management system), PCI DSS (cardholder data environments), HIPAA (protected health information in the US), GDPR (EU personal data). Cloud Security Posture Management (CSPM): continuously scans cloud configurations for misconfigurations — identifies public S3 buckets, permissive security groups, unencrypted storage. Vulnerability management: scan cloud workloads and container images regularly, prioritise by severity and exposure.
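As an added illustration of the three CSPM findings listed above (not part of the Cloud+ notes or any vendor tool), the following Python scans a constructed inventory and reports public buckets, sensitive ports open to the world, and unencrypted volumes; the record layout and the INVENTORY, SENSITIVE_PORTS and check_* names are assumptions, not any provider's API.

```python
import ipaddress

# Constructed sample inventory; the record shapes are an assumption, not a provider API.
INVENTORY = {
    "buckets": [{"name": "app-logs", "acl": "private", "public_access_block": True},
                {"name": "marketing-assets", "acl": "public-read", "public_access_block": False}],
    "security_groups": [{"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
                        {"id": "sg-db", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                                                    {"port": 5432, "cidr": "10.0.0.0/8"}]}],
    "volumes": [{"id": "vol-1", "encrypted": True}, {"id": "vol-2", "encrypted": False}],
}

# Admin and database ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 27017}


def is_world_open(cidr: str) -> bool:
    """True when the CIDR covers every IPv4 or IPv6 address (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_buckets(buckets):
    """A non-private ACL with no public access block is a public bucket."""
    return [("PUBLIC_BUCKET", b["name"]) for b in buckets
            if b["acl"] != "private" and not b["public_access_block"]]


def check_security_groups(groups):
    """Flag ingress rules exposing a sensitive port to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            if rule["port"] in SENSITIVE_PORTS and is_world_open(rule["cidr"]):
                findings.append(("OPEN_SENSITIVE_PORT", f"{sg['id']}:{rule['port']}"))
    return findings


def check_volumes(volumes):
    """Block volumes without at-rest encryption."""
    return [("UNENCRYPTED_VOLUME", v["id"]) for v in volumes if not v["encrypted"]]


def run_posture_scan(inventory=INVENTORY):
    """Run all checks; returns sorted (finding_type, resource) pairs."""
    return sorted(check_buckets(inventory["buckets"])
                  + check_security_groups(inventory["security_groups"])
                  + check_volumes(inventory["volumes"]))


if __name__ == "__main__":
    for kind, resource in run_posture_scan():
        print(f"{kind:<20} {resource}")
```

Note that sg-web passes: port 443 open to the world is expected for a web tier, which is why the check keys on an allow-list of sensitive ports rather than on 0.0.0.0/0 alone.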