Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
The single biggest source of cloud breaches is teams thinking the cloud provider secures something the provider explicitly does not. AWS secures the hypervisor; you secure the S3 bucket policy. Azure secures the physical datacenter; you secure the NSG rules. Knowing where the line sits on each service before you turn it on is the difference between 'we got hacked' and 'we got audited and passed.'
Inspect a default S3 bucket and a default Azure storage account to see the exact knobs you own vs what the provider hardens by default.
Use these three in order. Each builds on the one before.
In one paragraph, explain the shared responsibility model like I'm new to it, with a concrete S3 example of where AWS's job ends and mine begins.
Walk me through how a misconfigured S3 bucket actually leaks data step by step — from the bucket policy evaluation to the public ACL to the listing — and which of those layers AWS controls.
Given an e-commerce app on Azure storing payment tokens in Blob Storage, what is the responsibility split for PCI-DSS compliance and which controls do I have to prove I configured?
# Create a bucket and immediately audit what YOU own
aws s3api create-bucket --bucket capstok-shared-resp-demo-$RANDOM \
--region us-east-1
BUCKET=$(aws s3api list-buckets --query 'Buckets[?contains(Name,`capstok-shared-resp`)].Name | [0]' --output text)
# These four are YOUR responsibility — provider sets defaults but you tune them
aws s3api get-public-access-block --bucket $BUCKET
aws s3api get-bucket-encryption --bucket $BUCKET
aws s3api get-bucket-versioning --bucket $BUCKET
aws s3api get-bucket-policy-status --bucket $BUCKET 2>/dev/null || echo "no policy"