Domain 3: Cloud Platform & Infrastructure Security Module 27 of 70

Module 27: Cloud Infrastructure Components

CCSP Domain 3 — Cloud Platform & Infrastructure Security Section A 6–8 min read
The CCSP exam expects you to understand not just what cloud infrastructure components are, but how they shift security responsibilities between the customer and the provider depending on service model.

Why the Exam Cares About Infrastructure Components

Cloud infrastructure is the foundation of every service model. The exam tests whether you understand that security responsibility changes based on which components you control versus which the provider controls.

The key mental model:

  • IaaS gives you the most control — and the most responsibility.
  • SaaS gives you the least control — and the least responsibility.
  • PaaS sits in between.

When the exam presents a scenario, your first question should be: Who owns this component?


The Physical Layer: What You Cannot See

In traditional IT, you manage everything from the data center floor to the application layer. In cloud, the physical infrastructure is abstracted away.

Physical components include:

  • Servers and racks
  • Network switches and routers
  • Storage arrays and SANs
  • Power and cooling systems
  • Physical security controls (badges, cameras, mantraps)

Exam trap: A question might ask who is responsible for physical security in an IaaS deployment. The answer is always the cloud service provider (CSP). Even in IaaS, the customer never touches the physical layer.


The Virtualization Layer: The Real Boundary

The hypervisor is the critical trust boundary in cloud computing. It separates tenants from each other and from the underlying hardware.

Key exam concepts:

  • Type 1 hypervisors (bare metal) run directly on hardware — these are what CSPs use
  • Type 2 hypervisors (hosted) run atop an OS — these are not typical in production cloud
  • VM escape is the nightmare scenario where a guest VM breaks out of isolation
  • Side-channel attacks exploit shared hardware resources between tenants

If the exam asks about the GREATEST risk of multi-tenancy at the infrastructure level, think hypervisor compromise or side-channel attacks — not application vulnerabilities.

Networking Components in the Cloud

Cloud networking abstracts physical network infrastructure into software-defined constructs:

  • Virtual networks (VPCs/VNets) — logically isolated network segments
  • Subnets — further segmentation within a virtual network
  • Security groups / NACLs — virtual firewalls controlling ingress and egress
  • Load balancers — distribute traffic and can terminate TLS
  • Virtual private gateways — connect cloud networks to on-premises infrastructure

The exam expects you to know that network segmentation in cloud is achieved through software, not physical cables. This means misconfiguration is a bigger threat than physical tapping.
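Because segmentation is software, the misconfigurations the exam cares about are visible in the rule set itself. The following audit is an added example, not part of the module: it walks a constructed list of security-group ingress rules (the field names are an assumed generic schema, not any CSP's API) and flags rules that admit the whole internet, rating them higher when an administrative or database port is exposed.

```python
import ipaddress

# Constructed sample ingress rules. Field names are an assumption for this
# example, not a specific provider's schema. proto "-1" means all protocols.
SAMPLE_RULES = [
    {"group": "sg-web", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-web", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/16"},
    {"group": "sg-db", "proto": "-1", "from_port": 0, "to_port": 65535, "cidr": "::/0"},
    {"group": "sg-app", "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "203.0.113.0/24"},
]

# Ports that should never be reachable from arbitrary source addresses.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}


def is_world_open(cidr):
    """True if the CIDR admits every source address (IPv4 0.0.0.0/0 or IPv6 ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return (group, severity, message) for each rule open to the world."""
    findings = []
    for r in rules:
        if not is_world_open(r["cidr"]):
            continue  # a scoped source range is the intended use of a security group
        lo, hi = r["from_port"], r["to_port"]
        if r["proto"] == "-1":
            findings.append((r["group"], "HIGH", "all protocols and ports open to the world"))
            continue
        exposed = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
        if exposed:
            findings.append((r["group"], "HIGH", f"{', '.join(exposed)} open to the world"))
        else:
            # A public service port (e.g. 443 on a web tier) may be intentional; report, don't fail.
            findings.append((r["group"], "INFO", f"{r['proto']} {lo}-{hi} open to the world"))
    return findings


if __name__ == "__main__":
    for group, severity, msg in audit_rules(SAMPLE_RULES):
        print(f"{severity:4} {group}: {msg}")
```

The scoped rules (sg-db on 10.0.0.0/16, sg-app from a single /24) produce no findings; the two world-open administrative exposures are the ones an exam scenario would attribute to the customer.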


Storage Components and Their Security Implications

Cloud storage comes in several forms, each with different security considerations:

  • Object storage (e.g., S3) — flat namespace, accessed via API, commonly misconfigured as public
  • Block storage (e.g., EBS) — attached to VMs; encryption at rest is the customer's responsibility in IaaS
  • File storage — shared file systems across instances
  • Ephemeral storage — temporary storage lost when an instance terminates

When the exam mentions data remnants or sanitization, remember: in cloud, you cannot physically destroy a disk. You rely on cryptographic erasure — destroying the encryption key to render data unreadable.
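To make the cryptographic-erasure point concrete, here is an added simulation (not from the module or any provider's implementation): a volume keeps its ciphertext on "disk" while its per-volume data encryption key lives in a separate key store, and erasure means deleting only the key. The cipher is a constructed HMAC-SHA256 counter-mode keystream standing in for AES-CTR, chosen so the example runs with the standard library.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key, nonce, data):
    """Toy counter-mode stream cipher (HMAC-SHA256 keystream). Constructed stand-in
    for a real volume cipher such as AES-CTR/XTS; not for production use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class EncryptedVolume:
    """Simulated block volume: ciphertext stays on disk; only the key store changes."""

    def __init__(self, key_store, volume_id):
        self.key_store = key_store          # models a KMS holding per-volume DEKs
        self.volume_id = volume_id
        self.nonce = secrets.token_bytes(16)
        self.disk = b""                     # what a later tenant of the same storage would see
        key_store[volume_id] = secrets.token_bytes(32)

    def write(self, plaintext):
        self.disk = keystream_xor(self.key_store[self.volume_id], self.nonce, plaintext)

    def read(self):
        dek = self.key_store.get(self.volume_id)
        if dek is None:
            raise PermissionError("DEK destroyed: volume is cryptographically erased")
        return keystream_xor(dek, self.nonce, self.disk)

    def crypto_erase(self):
        """Cryptographic erasure: destroy the key and leave the ciphertext where it is."""
        del self.key_store[self.volume_id]


def demo(plaintext=b"customer PII record"):
    """Returns (readback before erase, ciphertext still present, readable after erase)."""
    vol = EncryptedVolume({}, "vol-0001")
    vol.write(plaintext)
    before = vol.read()
    vol.crypto_erase()
    try:
        vol.read()
        readable_after = True
    except PermissionError:
        readable_after = False
    return before, len(vol.disk) == len(plaintext), readable_after
```

The disk contents are untouched by the erase; what changes is that nobody, including the provider, can turn them back into plaintext, which is why key destruction satisfies sanitization requirements where physical destruction is impossible.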

Compute Resources and Isolation

Beyond traditional VMs, modern cloud infrastructure includes:

  • Containers — share the host OS kernel, lighter isolation than VMs
  • Serverless functions — ephemeral compute that spins up per request
  • Bare metal instances — dedicated physical servers without a hypervisor layer

The exam tests whether you understand the isolation trade-offs. VMs provide hardware-level isolation via the hypervisor. Containers provide process-level isolation via the kernel. Serverless abstracts everything but introduces new trust boundaries around the execution environment.


The Shared Responsibility Trap

The single most important concept for infrastructure questions:

Security OF the cloud is the provider’s job.
Security IN the cloud is the customer’s job.

When the exam presents a misconfiguration scenario — an open security group, an unencrypted volume, a public storage bucket — the answer will almost always point to the customer. The provider gave you the tools; you failed to use them correctly.

When the scenario involves hypervisor patching, physical access, or hardware failure — that is the provider’s responsibility.


AI-Era Considerations

Modern cloud infrastructure increasingly includes specialized hardware for AI/ML workloads — GPUs, TPUs, and dedicated inference chips. The exam may test whether you understand that these shared accelerators introduce additional side-channel risk and that AI training data stored in cloud infrastructure requires the same classification and protection as any other sensitive data.
