Module 53: OS Hardening and Patch Management
The CCSP exam tests OS hardening and patching through the lens of shared responsibility. In IaaS, the customer patches the guest OS. In PaaS and SaaS, the provider handles it. Every hardening question is ultimately about understanding where your responsibility begins and the provider's ends.
Hardening in the Shared Responsibility Model
Operating system hardening in the cloud follows the same principles as on-premises, but the responsibility varies dramatically by service model. The CCSP exam tests whether you can correctly assign hardening responsibilities:
- IaaS: Customer is responsible for guest OS hardening, patching, configuration, and maintenance. The CSP handles the hypervisor and below.
- PaaS: CSP manages the OS and runtime. Customer is responsible for application-level security and configuration.
- SaaS: CSP manages everything except user access controls and data classification.
The exam pattern: if a question asks who should harden a virtual machine OS in IaaS, the answer is always the customer. If the question is about the runtime environment in PaaS, it is the provider.
OS Hardening Principles
Cloud-specific hardening builds on traditional security baselines but adds cloud considerations:
- Golden images: Pre-hardened machine images used as deployment templates. The exam tests whether you maintain and update golden images rather than hardening each instance individually. This is the cloud-native approach to hardening at scale.
- CIS Benchmarks: Industry-standard hardening guides for specific operating systems. The exam expects you to reference CIS Benchmarks as the baseline for cloud OS hardening.
- Minimize attack surface: Disable unnecessary services, remove unused packages, close unnecessary ports. The exam tests whether you apply least functionality to cloud instances.
- Endpoint protection: Cloud VMs need host-based security agents just like physical servers. The exam tests whether you deploy anti-malware, host-based firewalls, and integrity monitoring on cloud instances.
Exam trap: When a question presents a scenario where hundreds of VMs need to be hardened, the answer is golden images and automation, not manual hardening of individual instances. Manual approaches do not scale in cloud environments.
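As an added example (not part of this module, and not taken from any CIS Benchmark), here is the least-functionality check from the list above expressed as a small Python audit: a snapshot of a host's enabled services, listening ports, installed packages and running security agents is compared with an allowlist-style baseline. The `Baseline` and `HostSnapshot` types, the baseline contents and the drifted-host snapshot are all constructed for illustration.

```python
"""Audit a host snapshot against a minimal hardening baseline.

Added example, not code from the original module. The baseline values
below are constructed for illustration and are not CIS Benchmark content.
"""
from dataclasses import dataclass


@dataclass
class Baseline:
    allowed_services: set[str]     # services that may be enabled
    allowed_ports: set[int]        # ports that may be listening
    forbidden_packages: set[str]   # packages that must not be installed
    required_agents: set[str]      # host-based agents that must be running


@dataclass
class HostSnapshot:
    enabled_services: set[str]
    listening_ports: set[int]
    installed_packages: set[str]
    running_agents: set[str]


def audit_host(host: HostSnapshot, baseline: Baseline) -> list[str]:
    """Return a list of findings; an empty list means the host meets the baseline."""
    findings: list[str] = []
    # Anything enabled that the baseline does not allow is unnecessary attack surface.
    for svc in sorted(host.enabled_services - baseline.allowed_services):
        findings.append(f"unnecessary service enabled: {svc}")
    for port in sorted(host.listening_ports - baseline.allowed_ports):
        findings.append(f"unexpected listening port: {port}")
    for pkg in sorted(host.installed_packages & baseline.forbidden_packages):
        findings.append(f"forbidden package installed: {pkg}")
    # Endpoint protection: every required agent must be present and running.
    for agent in sorted(baseline.required_agents - host.running_agents):
        findings.append(f"required agent missing: {agent}")
    return findings


# Constructed baseline for a web-tier golden image.
WEB_BASELINE = Baseline(
    allowed_services={"sshd", "nginx", "chronyd", "auditd"},
    allowed_ports={22, 443},
    forbidden_packages={"telnet", "rsh-server", "xinetd"},
    required_agents={"host-firewall", "file-integrity-monitor"},
)

# Constructed snapshot of an instance that has drifted from the golden image.
DRIFTED_HOST = HostSnapshot(
    enabled_services={"sshd", "nginx", "chronyd", "auditd", "cups", "avahi-daemon"},
    listening_ports={22, 443, 631},
    installed_packages={"nginx", "openssh-server", "telnet"},
    running_agents={"host-firewall"},
)

if __name__ == "__main__":
    for finding in audit_host(DRIFTED_HOST, WEB_BASELINE):
        print(finding)
```

The same function serves two points in the section: run it against a freshly built image as a gate before the image is promoted to "golden", and run it periodically against running instances so drift from the golden image is detected rather than discovered during an audit.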
Patch Management in Cloud Environments
Patching in the cloud adds complexity because instances are ephemeral, auto-scaled, and distributed across regions. The exam tests your understanding of cloud-adapted patching strategies:
Immutable Infrastructure Patching
Instead of patching running instances, you build new images with patches applied and replace old instances. This is the preferred cloud approach because it eliminates configuration drift and ensures consistency. The exam favors immutable infrastructure over in-place patching for cloud environments.
Patch Prioritization
Not all patches are equal. The exam tests whether you can prioritize based on risk: critical security patches for internet-facing systems first, then internal systems, then lower-severity updates. CVSS scores combined with asset criticality drive prioritization.
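The following Python is an added example, not from the original module, showing what "CVSS combined with asset criticality" looks like as a concrete ranking. The CVSS v3.x qualitative bands (low 0.1 to 3.9, medium 4.0 to 6.9, high 7.0 to 8.9, critical 9.0 to 10.0) are the real ones; the weighting formula, the exposure multiplier, the remediation windows in `SLA_DAYS`, and the asset and patch records are all constructed for illustration and are not an organisation's actual policy.

```python
"""Risk-based patch prioritization: CVSS base score weighted by asset
criticality and internet exposure. Added example; weights are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    criticality: int   # 1 (low) .. 5 (mission critical), assigned by the asset owner


@dataclass(frozen=True)
class PendingPatch:
    patch_id: str
    asset: Asset
    cvss: float          # CVSS v3.x base score, 0.0 .. 10.0
    days_outstanding: int


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def risk_score(p: PendingPatch) -> float:
    """Constructed weighting: CVSS scaled by asset criticality, with a
    1.5x exposure multiplier for internet-facing systems."""
    exposure = 1.5 if p.asset.internet_facing else 1.0
    return round(p.cvss * p.asset.criticality * exposure, 1)


# Constructed remediation windows (days) per severity band; a policy
# value an organisation would set for itself, not a figure from the page.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "none": 365}


def is_overdue(p: PendingPatch) -> bool:
    """True when the patch has been outstanding longer than its severity window."""
    return p.days_outstanding > SLA_DAYS[cvss_severity(p.cvss)]


def prioritize(patches: list[PendingPatch]) -> list[PendingPatch]:
    """Highest risk first; ties broken by how long the patch has been outstanding."""
    return sorted(patches, key=lambda p: (risk_score(p), p.days_outstanding), reverse=True)


# Constructed assets and patch queue.
WEB = Asset("web-lb", internet_facing=True, criticality=4)
DB = Asset("db-primary", internet_facing=False, criticality=5)
DEV = Asset("dev-box", internet_facing=False, criticality=1)

QUEUE = [
    PendingPatch("P-1", DEV, cvss=9.8, days_outstanding=2),
    PendingPatch("P-2", WEB, cvss=7.5, days_outstanding=10),
    PendingPatch("P-3", DB, cvss=8.1, days_outstanding=35),
    PendingPatch("P-4", WEB, cvss=5.3, days_outstanding=1),
]

if __name__ == "__main__":
    for p in prioritize(QUEUE):
        flag = " OVERDUE" if is_overdue(p) else ""
        print(f"{p.patch_id} {p.asset.name:<11} cvss={p.cvss} risk={risk_score(p)}{flag}")
```

Note the outcome on the constructed queue: the CVSS 9.8 patch on the low-criticality dev box ranks last, while the 7.5 on the internet-facing load balancer ranks first. That is the exam's point: CVSS alone is not a prioritization; it needs asset criticality and exposure.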
Testing Before Deployment
The exam expects a patch testing pipeline: development environment first, then staging, then production. Cloud environments make this easier with infrastructure-as-code — you can spin up a test environment, apply patches, validate, and destroy the environment.
Container and Serverless Hardening
The exam tests modern compute models too. Container hardening includes using minimal base images, scanning for vulnerabilities in container registries, running containers as non-root, and implementing read-only file systems. Serverless hardening focuses on function permissions, dependency scanning, and runtime protection.
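As an added example, not code from the original module, the Python below turns three of the container-hardening points above (minimal, pinned base image; non-root user; read-only root filesystem) into checks a pipeline could run before an image is pushed or a workload is deployed. The Dockerfile check reads the final stage's `FROM` and `USER` instructions; the runtime check reads the real Kubernetes `securityContext` fields `runAsNonRoot` and `readOnlyRootFilesystem` from a container spec given as a dict. The list of "minimal" base-image markers and the two sample Dockerfiles and container specs are constructed for illustration.

```python
"""Container hardening checks: lint a Dockerfile and a Kubernetes container
spec for the points in this section. Added example; samples are constructed."""

# Substrings taken here to indicate a minimal base image variant (constructed
# heuristic, not an authoritative list).
MINIMAL_BASE_MARKERS = ("alpine", "distroless", "scratch", "-slim")


def lint_dockerfile(text: str) -> list[str]:
    """Return hardening findings for a Dockerfile; empty means all checks pass."""
    findings: list[str] = []
    # Join backslash-continued lines so each instruction is one record.
    joined = text.replace("\\\n", " ")
    instructions = [
        line.strip() for line in joined.splitlines()
        if line.strip() and not line.strip().startswith("#")
    ]
    final_base = None
    last_user = None
    for line in instructions:
        parts = line.split()
        keyword = parts[0].upper()
        if keyword == "FROM":
            final_base = parts[1]      # last FROM wins in a multi-stage build
        elif keyword == "USER":
            last_user = parts[1]
    if final_base is not None:
        _, _, tag = final_base.partition(":")
        # "scratch" has no tag; anything else must be pinned and not ":latest".
        if final_base != "scratch" and (not tag or tag == "latest"):
            findings.append(f"base image not pinned to a version: {final_base}")
        if not any(marker in final_base for marker in MINIMAL_BASE_MARKERS):
            findings.append(f"base image is not a minimal variant: {final_base}")
    # Without a USER instruction the container runs as root by default.
    if last_user is None or last_user in ("root", "0"):
        findings.append("image runs as root: add a non-root USER instruction")
    return findings


def lint_container_spec(container: dict) -> list[str]:
    """Check a Kubernetes container spec (as a dict) for runtime hardening."""
    findings: list[str] = []
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext", {})
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: securityContext.runAsNonRoot is not true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: securityContext.readOnlyRootFilesystem is not true")
    return findings


# Constructed samples: the weak form beside the hardened form.
WEAK_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y python3
COPY app.py /app/app.py
CMD ["python3", "/app/app.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
RUN useradd --system --uid 10001 app
COPY app.py /app/app.py
USER 10001
CMD ["python3", "/app/app.py"]
"""

WEAK_CONTAINER = {"name": "web", "image": "example/web:1.0"}

HARDENED_CONTAINER = {
    "name": "web",
    "image": "example/web:1.0",
    "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True},
}

if __name__ == "__main__":
    for label, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, lint_dockerfile(text))
    for spec in (WEAK_CONTAINER, HARDENED_CONTAINER):
        print(spec["name"], lint_container_spec(spec))
```

The fourth point in the paragraph, scanning the registry for known vulnerabilities, is a job for a scanner run against the pushed image rather than a static text check, so it is deliberately not imitated here; the checks above are the ones that belong in the build and deploy gates beside it.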
Compliance and Documentation
The exam tests whether hardening and patching activities are documented and auditable. Compliance frameworks require evidence that systems are hardened to baselines and patches are applied within defined timeframes. Cloud automation tools can generate compliance reports automatically, which the exam expects you to leverage.
Common Exam Traps
- Patching PaaS instances: In PaaS, the provider patches the OS. If a question asks the customer to patch the OS in PaaS, it is a distractor.
- Manual hardening at scale: The exam penalizes manual approaches. Choose automation, golden images, and infrastructure-as-code.
- Patching without testing: Even critical patches should go through a test pipeline. The exam does not reward rushing patches to production without validation.
- Forgetting containers: Container images need vulnerability scanning and hardening just like VMs. The exam tests whether you apply security baselines to all compute models.
Key Takeaways for the Exam
Hardening responsibility follows the shared responsibility model. Golden images and automation are the cloud-native approach to hardening at scale. Immutable infrastructure patching replaces in-place patching for consistency. Patch prioritization uses risk-based analysis combining CVSS and asset criticality. Containers and serverless require their own hardening approaches. All hardening and patching must be documented for compliance.