Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Perimeter security assumes the inside of your VPC is safe — zero-trust assumes it's already compromised. The principles (never trust, always verify, least privilege, assume breach) translate directly into cloud controls: identity on every hop, mTLS between services, and IAM scoped to single actions. Skipping zero-trust is how a leaked AWS access key turns into ransomware on your DB.
Inspect identity-aware access controls that replace network-level trust.
*:* permissions — argue why each one violates least privilege.

Use these three in order. Each builds on the one before.
In one paragraph, explain zero-trust like I'm new to security — what changes vs perimeter-based trust, and why.
Walk me through how a zero-trust request is verified end-to-end: identity, device, network context, and authorization at each step.
Given a 200-microservice mesh inside a single VPC, design a phased zero-trust rollout that starts with the most blast-radius-prone services first.
# Inspect a least-privilege IAM policy (one action, one resource)
aws iam get-policy-version --policy-arn <policy-arn> --version-id v1 \
    --query 'PolicyVersion.Document'

# Service-to-service mTLS via ACM PCA + AWS App Mesh / VPC Lattice
# list-services only returns summaries; authType (AWS_IAM vs NONE) comes from get-service,
# so fetch it per service and flag anything that is not AWS_IAM
aws vpc-lattice list-services --query 'items[*].[id,name]' --output text |
    while read -r id name; do
        printf '%s\t' "$name"
        aws vpc-lattice get-service --service-identifier "$id" --query 'authType' --output text
    done

# Audit who has admin (this should return very few principals)
aws iam list-policies --scope Local \
    --query 'Policies[?contains(PolicyName, `Admin`)].[PolicyName,AttachmentCount]'
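The demo commands fetch policy documents but leave the least-privilege judgement to you. The checker below is an added example, not part of the lesson or of any AWS tooling: it takes policy documents in the same JSON shape `get-policy-version` returns and lists every Allow statement that is broader than one action on one resource (`*`, service-wide wildcards, `Resource: "*"`, `NotAction`/`NotResource`). The three sample policies are constructed for the example; the names and ARNs in them are placeholders.

```python
import json

# Constructed sample policies (not real account data) covering the cases the
# try-it list asks you to reason about: full admin, a service-wide wildcard,
# and a genuinely single-action, single-resource statement.
SAMPLE_POLICIES = {
    "AdminAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "S3FullAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}],
    },
    "ReadOneBucket": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-bucket/*",  # placeholder bucket
            }
        ],
    },
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return findings for Allow statements broader than one action on one resource.

    Deny statements are skipped: a wildcard Deny narrows access, it does not widen it.
    Each finding is {"statement": index, "reasons": [human-readable reasons]}.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        reasons = []
        # NotAction grants everything except the listed actions: always too broad.
        if "NotAction" in stmt:
            reasons.append("uses NotAction (grants every action not listed)")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                reasons.append("Action '*' grants every API call in every service")
            elif "*" in action:
                reasons.append(f"Action '{action}' wildcards a whole service or action prefix")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                # Note: some List*/Describe* actions only work with Resource "*"
                # because they have no resource-level permissions; review those by hand.
                reasons.append("Resource '*' applies to every resource in the account")
        if "NotResource" in stmt:
            reasons.append("uses NotResource (applies to every resource not listed)")
        if reasons:
            findings.append({"statement": index, "reasons": reasons})
    return findings


def audit(policies):
    """Map policy name -> findings, keeping only policies that have at least one."""
    result = {}
    for name, document in policies.items():
        findings = find_overbroad_statements(document)
        if findings:
            result[name] = findings
    return result


def load_policy_document(text):
    """Parse the JSON printed by `aws iam get-policy-version --query PolicyVersion.Document`."""
    return json.loads(text)


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES).items():
        print(f"{name}:")
        for finding in findings:
            for reason in finding["reasons"]:
                print(f"  statement {finding['statement']}: {reason}")
```

To use it on a live account, pipe the output of the `get-policy-version` command above into `load_policy_document` and pass the result to `find_overbroad_statements`; an empty list is the least-privilege outcome, and every reason it prints is one of the arguments the try-it list asks for.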