<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[👁️ M ☁️  👨‍💻]]></title><description><![CDATA[👁️ M ☁️  👨‍💻]]></description><link>https://iamcloud.dev</link><generator>RSS for Node</generator><lastBuildDate>Sun, 10 May 2026 12:07:01 GMT</lastBuildDate><atom:link href="https://iamcloud.dev/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[HashiCorp Terraform Associate Exam Review]]></title><description><![CDATA[[Update]
Complete 12-hour free study course 
https://www.youtube.com/watch?v=V4waklkBC38
Get your free practice exam (complete set with 57 questions!)
https://exampro.co/terraform

I create free cloud certifications full-time. I sat this exam so I co...]]></description><link>https://iamcloud.dev/hashicorp-terraform-associate-exam-review</link><guid isPermaLink="true">https://iamcloud.dev/hashicorp-terraform-associate-exam-review</guid><category><![CDATA[Terraform]]></category><category><![CDATA[Cloud]]></category><category><![CDATA[Devops]]></category><category><![CDATA[Certification]]></category><dc:creator><![CDATA[Andrew Brown]]></dc:creator><pubDate>Thu, 26 Aug 2021 16:43:25 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1629996014969/-fftiq6io.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>[Update]
Complete 12-hour free study course 
https://www.youtube.com/watch?v=V4waklkBC38</p>
<p>Get your free practice exam (complete set with 57 questions!)
https://exampro.co/terraform</p>
<blockquote>
<p>I create free cloud certifications full-time. I sat this exam so I could share my test-taking experience as well as an introspective of how I feel this certification fits in the industry.</p>
</blockquote>
<p>TL;DR: The exam is easy, but also unbalanced, I do recommend obtaining this certification if your path is DevOps Engineer due to industry demand and the exam fee is very inexpensive. I recommend studying beyond the exam guide outline to round out your knowledge.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1629996193133/WYB7uqnFx.png" alt="image.png" /></p>
<h2 id="my-effort-and-results">My Effort and Results</h2>
<h3 id="exam-run">Exam Run</h3>
<ul>
<li>There are <strong>57 questions</strong> </li>
<li>You have an exam time of <strong>1 hour</strong></li>
<li>The exam is <strong>$70.50 USD</strong></li>
<li>I took the online proctored exam via <strong>PSI Online</strong> (only option)</li>
<li>I cleared this exam in <strong>24 minutes</strong></li>
</ul>
<h3 id="final-score">Final Score</h3>
<p>Status: <strong>Pass</strong></p>
<p>Overall Score: <strong>84%</strong></p>
<p>Breakdown by content area:</p>
<ul>
<li>1.0  <strong>100%</strong> Understand infrastructure as code (IaC) concepts: </li>
<li>2.0  <strong>50%</strong> Understand Terraform's purpose (vs other IaC): </li>
<li>3.0  <strong>85%</strong> Understand Terraform basics: </li>
<li>4.0  <strong>83%</strong>  Use the Terraform CLI (outside of core workflow):</li>
<li>5.0  <strong>83%</strong>  Interact with Terraform modules:</li>
<li>6.0  <strong>91%</strong> Navigate Terraform workflow: </li>
<li>7.0  <strong>87%</strong> Implement and maintain state: </li>
<li>8.0  <strong>72%</strong> Read, generate, and modify configuration: </li>
<li>9.0 <strong>100%</strong>  Understand Terraform Cloud and Enterprise capabilities: </li>
</ul>
<h2 id="exam-experience">Exam Experience</h2>
<p>The exam was not hard or stressful. The exam guide was not useful, I would disregard its contents. Some questions were frustrating in two regards:</p>
<h3 id="1-tricky-question-wording">1. Tricky Question Wording</h3>
<p>I felt I lost some points because of how a handful of questions were written, not due to the fact I did not understand Terraform but the language being used was not straightforward. </p>
<p>With exams like AWS they follow a strict guide on how questions should be written. I think at this time HashiCorp does not have that kind of conformity in their exams yet.</p>
<p>I think if you are a non-native English speaker you might find this more frustrating.</p>
<h3 id="2-unimportant-technical-questions">2. Unimportant Technical Questions</h3>
<p>There were a few questions, where I thought, why would you test this? One, in particular, was a lineup of built-in string functions. </p>
<p>I don't think this makes for a good exam question because it is something you would commonly google. </p>
<p>A better question would have been to highlight the automated service offering of GitOps built into Terraform Cloud or how Vault would be integrated into the Terraform pipeline to inject secrets.</p>
<h3 id="funny-blunder">Funny Blunder</h3>
<p>One question where I totally faceplanted was: what is the name of the Terraform state file?</p>
<ul>
<li>I wrote tfstate,</li>
<li>then tfstate.state</li>
<li>then remembered it was a json file so I wrote tfstate.json.</li>
<li>The real answer is <strong>terraform.tfstate</strong></li>
</ul>
<p>How embarrassing. LOL 😅</p>
<h3 id="unbalanced-exam">Unbalanced Exam</h3>
<p>There are nine domains on the exam, but the exam pool I received felt very limited to a handful of very specific commands. </p>
<p>From the perspective of a test taker who is looking to pass, this is good because you narrow your study time to a small subset of concepts and have a short study time, e.g.:</p>
<p>refresh, taint, init, plan, apply, fmt, validate, depends_on, versioning, provisioners, state files, <strong>modules</strong>, data sources, for_each, Sentinel, Terraform Enterprise....</p>
<blockquote>
<p>I'm being very non-descript on the exam questions with respect to HashiCorp Training and Certifications team.</p>
</blockquote>
<p>This probably explains why I see Terraform Certification study courses that are 1 to 2 hours long. They'll get you there, but you'll have serious gaps in the application of Terraform Infrastructure workflows. </p>
<p>If it was me, this is what I would have liked to see on the exam:</p>
<ul>
<li>Pricing</li>
<li>Support Tiers</li>
<li>GitOps workflows</li>
<li>Immutable Infrastructure</li>
<li>Cross-referencing Stacks</li>
<li>Terraform Troubleshooting</li>
<li>String Interpolation and Directives</li>
<li>Balancing DRY vs Readability eg. Local Values</li>
<li>Backups</li>
<li>Progressive Versioning</li>
<li>Drift and Repair</li>
<li>Terraform Workflow Evolution</li>
<li>Standard Backend (locking and security)</li>
<li>Packer Integration</li>
<li>Vault Integration</li>
<li>Air Gapped Environments</li>
<li>Terraform and Ansible</li>
</ul>
<p>My upcoming free HashiCorp Terraform course includes all these topics.</p>
<h2 id="is-it-worth-it">Is It Worth it?</h2>
<p>I would say the certification proves you know the fundamentals of Terraform.</p>
<p>The demand of the market in DevOps skills right now is: AWS &gt; Azure &gt; Terraform &gt; Kubernetes, so even though this certification needs some work, I think due to market demand <strong>it should be obtained for DevOps roles</strong>.</p>
<p>I think the HashiCorp Training and Certification team is reworking the certification since the 1.0.0 release, and at the time I sat this I was seeing pre-1.0.0 questions.</p>
<p>If you're seeking a junior role, a shorter study time of 1-2 hours to obtain the certification is fine. If you want to quickly progress to a senior role, you will want to check out my free Terraform course when it is published to freeCodeCamp, because it will be the only long-form course out there.</p>
<h3 id="exam-preparation-and-resources">Exam Preparation and Resources</h3>
<p>I've spent three weeks on Terraform, but I'm going much deeper than is required. You could prepare in a week or less.</p>
<p>I've heavily worked with CloudFormation, ARM Templates, Cloud-Init, Ansible and so I didn't feel the need to put into practice much of what I learned. I just made sure I knew how to provision a resource to AWS, Azure, GCP, take the local state, move it to Terraform Cloud, and saw how <code>terraform refresh</code> worked. If you don't have prior experience with IaC tools you need to put in more time than I did.</p>
<p>I think I should have spent more time putting into practice module development because it was a big part of the exam I did not expect and so I had to guess a lot.</p>
<ul>
<li>I used <a target="_blank" href="https://www.youtube.com/watch?v=EJ3N-hhiWv0">Sandip's HashiCorp Terraform Certification</a> course to spot check some gaps in knowledge or get an alternative explanation. </li>
<li>I used a bit of the <a target="_blank" href="https://learn.hashicorp.com/terraform">Learn HashiCorp</a>, the Learn Platform is okay, but I don't learn this way and it felt like a very slow learning path because it's not geared towards the certification path.</li>
<li>There is a <a target="_blank" href="https://learn.hashicorp.com/tutorials/terraform/associate-study">study guide on Learn Hashicorp</a> that references other Learn materials, and links out to HashiCorp blog posts, this was my original study path, but lots of content did not seem relevant (which turned out to be the case) so I ended up quitting this path.</li>
<li>I heavily used the <a target="_blank" href="https://www.terraform.io/docs/cli/index.html">Terraform CLI documentation</a> sequentially working through the table of contents, I had to frequently reach out to external resources (DA's, Ambassadors) because the technical documentation is very sparse.</li>
<li>WhizLabs practice exams were useless, they were far off from the actual exam questions, and contained mistakes both in technical description or just the format of the question.</li>
<li><a target="_blank" href="https://www.youtube.com/playlist?list=PL8HowI-L-3_9bkocmR3JahQ4Y-Pbqs2Nt">Will Brock's Terraform Playlist</a> was an excellent way to quickly learn advanced language features and I consider it a must to watch.</li>
<li><a target="_blank" href="https://www.youtube.com/watch?v=SLB_c_ayRMo&amp;t=4905s">freeCodeCamp Terraform Course by Sanjeev</a> is a well-produced, good introduction but only covers the very basics of Terraform compared to Will's</li>
</ul>
<p>While not necessary, I would recommend watching Armon Dadgar (CTO of HashiCorp) <a target="_blank" href="https://www.youtube.com/playlist?list=PL81sUbsFNc5bT9C9ZZxg4biWcwzkPGEfk">Whiteboarding videos</a>. I don't personally like learning by whiteboarding, but his videos are short, and answer a lot of "whys" which helps to cement how Terraform and other HashiCorp products solve multi-cloud solutions.</p>
<p>I am fortunate to be an AWS Community Hero so I was able to ask <a target="_blank" href="https://aws.amazon.com/developer/community/heroes/anton-babenko/">Anton Babenko</a> and <a target="_blank" href="https://aws.amazon.com/developer/community/heroes/brian-tarbox/">Brian Tarbox</a> many practical Terraform questions.</p>
<ul>
<li>Anton has a weekly terraform newsletter <a target="_blank" href="https://weekly.tf">weekly.tf</a></li>
<li>Brian has a presentation to translate <a target="_blank" href="https://www.dropbox.com/s/lhapr3uz0da50qg/CloudFormation%20vs.%20Terraform.key?dl=0">CloudFormation knowledge to Terraform</a></li>
</ul>
<p>HashiCorp has a very good Developer Advocate team. Anything I couldn't find, they filled in the gaps:</p>
<ul>
<li><a target="_blank" href="https://twitter.com/sheriffjackson">Nic Jackson</a> had an incredible wealth of knowledge and was able to answer all of my "whys" and I had a lot of "whys". 🙃</li>
<li><a target="_blank" href="https://twitter.com/ksatirli">Kerim Satirli</a> was able to quickly point to resources that I overlooked</li>
</ul>
<p>I think if I knew about <a target="_blank" href="https://www.hashicorp.com/community/office-hours">HashiCorp Office Hours</a> I may have attempted to leverage that as part of my learning experience and asking <a target="_blank" href="https://twitter.com/joatmon08">Rosemary Wang</a> and <a target="_blank" href="https://twitter.com/jimlambrt">Jim Lambert</a> for Terraform live stream as they are more relatable in their teaching approach to beginners. Maybe not for my own study preference but to broaden the learning resources out there.</p>
]]></content:encoded></item><item><title><![CDATA[Is it recommended to first be a system admin in a user support role before becoming Cloud engineer in Azure/AWS GCP?]]></title><description><![CDATA[This question was not directly asked but Parveen found it on Reddit, and I thought it was a good opportunity to clarify the common cloud roles.

Background: 1st Line/2nd Line IT guy for O365 and Windows 10 etc. for the past 3 years looking to grow ca...]]></description><link>https://iamcloud.dev/is-it-recommended-to-first-be-a-system-admin-in-a-user-support-role-before-becoming-cloud-engineer-in-azureaws-gcp</link><guid isPermaLink="true">https://iamcloud.dev/is-it-recommended-to-first-be-a-system-admin-in-a-user-support-role-before-becoming-cloud-engineer-in-azureaws-gcp</guid><category><![CDATA[Cloud]]></category><category><![CDATA[Career]]></category><dc:creator><![CDATA[Andrew Brown]]></dc:creator><pubDate>Thu, 05 Aug 2021 16:23:23 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1628180580566/aVbuNUYrJ.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>This question was not directly asked but <a target="_blank" href="https://twitter.com/singh_cloud/status/1422987413396148229">Parveen found it on Reddit,</a> and I thought it was a good opportunity to clarify the common cloud roles.</p>
<blockquote>
<p>Background: 1st Line/2nd Line IT guy for O365 and Windows 10 etc. for the past 3 years looking to grow career over the coming years. Interested in Azure/Cloud/Powershell/Automation etc.</p>
<p>Supporting users in a traditional IT role with on-prem servers or Intune is something which doesn't pay as much and isn't as cool or sexy (at least to me) as being a Cloud Engineer in Azure/AWS setting up servers and apps in servers, DevOps stuff etc. Actually, the pay is probably 2 times the pay for traditional IT here in the UK</p>
<p>Is it recommended to first be a system admin in a user support role before becoming Cloud engineer in Azure/AWS GCP?</p>
</blockquote>
<h2 id="defining-the-cloud-role">Defining the cloud role</h2>
<p>When I start to hear PowerShell, Automation, setting up servers and apps, the role sounds like a DevOps Engineer though the original poster (OP) is talking about a Cloud Engineer role.</p>
<p>I want to spend a bit of time clarifying these different roles.</p>
<p>To help, I created this Venn diagram:</p>
<ul>
<li>the outside labels being traditional roles,</li>
<li>and the interior labels being cloud roles.</li>
</ul>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1628103603672/E3k13vgsV.png" alt="Screen Shot 2021-08-04 at 2.59.51 PM.png" /></p>
<blockquote>
<p>There is no perfect Venn diagram for cloud roles, so take this with a grain of salt. It's totally possible to see DevOps and Solutions Architect flipped in position depending on how you characterize the underlying skill requirements.</p>
</blockquote>
<h2 id="traditional-roles">Traditional Roles</h2>
<p>Let's start by describing the traditional roles, so we can align our existing interests and skillset to find the right cloud role for us.</p>
<h3 id="developer">Developer</h3>
<p>A developer builds web, mobile or desktop applications. A developer is going to have deep knowledge of programming languages and frameworks. A developer may also know how to deploy their application to servers but they will have more strength in feature development, debugging and bug-fixing or fine-tuning the performance of their application. A developer could lack a traditional Computer Science background in algorithms and systems design and rely on being a good practitioner of programming by sourcing existing solutions or third-party libraries to achieve an end result.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1628172814272/XhdWBO8opl.png" alt="Screen Shot 2021-08-05 at 10.13.13 AM.png" /></p>
<h3 id="administrator">Administrator</h3>
<p>An administrator configures, troubleshoots and maintains existing software, hardware or systems. Administrators belong to the sphere of Information Technology (IT), like computer networking, computer repair, support desk, maintaining workstations, or Windows or Unix servers. A very common route for Administrators into the cloud industry is via Microsoft Azure because IT is heavily entrenched in Microsoft Windows Servers, Exchange Servers (Email), and Windows Workstations. Many organizations are looking to offload their traditional infrastructure to cloud services, and Microsoft's migration path is much easier than say AWS or GCP which have been more focused on modern application development. An Administrator does not tend to have deep programming knowledge, with more of a focus on scripting languages to configure and automate programs, e.g. Bash or PowerShell. An Administrator is used to dealing with layers of legacy systems with incomplete documentation, and appears to discover or manufacture solutions from thin air. They aren't bothered by not fully knowing why a solution works, because the underlying information or reason is not known.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1628173133132/U4U6apaMk.png" alt="Screen Shot 2021-08-05 at 10.18.04 AM.png" /></p>
<h3 id="systems-engineer">Systems Engineer</h3>
<p>A systems engineer designs, integrates and manages complex systems. Engineers come from an academic background in Computer Science (CompSci) with a deep understanding of Mathematics, Algorithms and Systems Design. An Engineer may not have deep knowledge in a specific programming language or framework, but uses their foundational knowledge as an all-purpose tool to tackle any kind of technical challenge. Putting design to paper before implementation is common. When dealing with technical uncertainty a systems engineer will form a hypothesis and create iterative prototypes to arrive at a conclusion. They want to know why, across multiple variations and edge cases, their technical solution works, where an Administrator or Developer may accept a "good enough" solution to meet the business use-case or time-constraint.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1628173443171/t9pFM1Deo.png" alt="Screen Shot 2021-08-05 at 10.23.48 AM.png" /></p>
<h3 id="which-traditional-role">Which traditional role?</h3>
<p>So it sounds like the OP has been operating as an Administrator of sorts.</p>
<h2 id="cloud-roles">Cloud Roles</h2>
<p>Now, let's take a look at different cloud roles and see which one best reflects the OP's interests.</p>
<h3 id="cloud-developer">Cloud Developer</h3>
<p>A Cloud Developer builds web or mobile applications while offloading as much of the functionality to cloud services. There are three approaches that a Cloud Developer has over a traditional developer.</p>
<h4 id="bolting-approach">Bolting Approach</h4>
<p>A Cloud Developer can take an existing monolithic web application like a Ruby on Rails app and bolt on cloud services such as background jobs, assets management and transactional emails.  This is known as the move-and-improve migration by Google Cloud. For deployment, they can utilize a Platform as a Service (PaaS) such as AWS Elastic Beanstalk, Azure App Services or Google App Engine so they can focus on their code and not worry about the underlying infrastructure. An exceptional cloud developer may be able to set up or at least debug a CI/CD pipeline such as AWS CodePipeline, AWS CodeBuild and AWS CodeDeploy but often this is the responsibility of a Cloud Engineer or DevOps Engineer.</p>
<h4 id="cloud-native-framework-and-platform-approach">Cloud-Native Framework and Platform Approach</h4>
<p>A Cloud Developer could also leverage a modern application architecture that is highly opinionated such as AWS Amplify, Google Cloud's Firebase or Supabase. For Amplify and Firebase, these frameworks leverage serverless cloud services and in some regards completely abstract away the Infrastructure as a Service (IaaS) offering so you can write code that will be highly scalable, secure, durable and globally available with a built-in CI/CD pipeline. Supabase is a cloud-native CSP agnostic framework so you trade portability for convenience. </p>
<h4 id="serverless-approach">Serverless Approach</h4>
<p>A Cloud Developer can build their web application entirely using serverless services to have the maximum amount of control with the least amount of responsibility at the greatest cost-saving but with the steepest learning path. Rolling your own serverless at the time of writing this article is a rare skill.</p>
<blockquote>
<p>I didn't forget containers and microservice architecture. I just felt that is more in the realm of a Cloud Engineer and DevOps Engineer.</p>
</blockquote>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1628177562745/ifmRmA1nG.png" alt="Screen Shot 2021-08-05 at 11.31.48 AM.png" /></p>
<h3 id="cloud-engineer">Cloud Engineer</h3>
<p>A cloud engineer is the most important support role because they can help everyone. </p>
<h4 id="supporting-cloud-developers">Supporting Cloud Developers</h4>
<p>A Cloud Engineer would be capable of building web applications (and most likely modern application architecture). A Cloud Engineer would free up a Cloud Developer's time to focus on their application code while the Cloud Engineer focuses on application integration with various cloud services.</p>
<h4 id="supporting-solutions-architects">Supporting Solutions Architects</h4>
<p>A Cloud Engineer would implement prototypes or production cloud workloads architected by a Solutions Architect. This would free up a Solutions Architect to spend more time on communication, vision, research and architectural design.</p>
<h4 id="supporting-devops-engineers">Supporting DevOps Engineers</h4>
<p>A Cloud Engineer could be responsible for building the first version of a deployment pipeline but is not focused on the automation or the long-term refinement of said pipeline. Once that pipeline is proven the responsibility of automation and refinement can be passed on to a DevOps Engineer.</p>
<h4 id="the-all-hats-or-solo-role">The-All-Hats or Solo Role</h4>
<p>A Cloud Engineer can also perform well on their own or take on any role which is yet to have a dedicated resource. In larger teams a Cloud Engineer can be seen as a Solutions Architect Jr, carrying out implementations with little to no input to the overall architecture.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1628177816906/Hp2FBT_5N.png" alt="Screen Shot 2021-08-05 at 11.36.10 AM.png" /></p>
<h3 id="devops-engineer">DevOps Engineer</h3>
<p>A DevOps Engineer is focused on the Software/System Development Lifecycle (SDLC). They automate cloud services by writing Infrastructure as Code (IaC) with AWS CloudFormation, AWS CDK, HashiCorp Terraform, Pulumi, Google Cloud Deployment Manager, Azure ARM Templates or Azure Blueprints. They have good skills working with scripting languages, and they will need to have enough programming knowledge in common languages (e.g. JavaScript, Python) to work with SDKs. </p>
<p>A DevOps Engineer has deep knowledge of virtualization and all levels of compute eg: Virtual Machines, Bare Metal, Containers, Serverless Containers, Functions as a Service, Kubernetes (K8).</p>
<p>A DevOps Engineer has a strong understanding of Cloud Networking.</p>
<p>The difference between a DevOps Engineer and a Systems Administrator (aka DevOps Jr) is that a DevOps Engineer is a proactive role implementing an automated system that can auto-remediate and prevent issues before they arise, whereas a Systems Administrator is reactive, where they are the ones responding to emerging incidents, or they are dealing with non-automated infrastructure.</p>
<p>A Cloud Security Engineer is a sub-class of a DevOps Engineer, where they incorporate Security in all aspects when building out automated cloud workloads as well as working with specialized security cloud services.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1628178473261/UfZdy3C6rO.png" alt="Screen Shot 2021-08-05 at 11.47.23 AM.png" /></p>
<h3 id="solutions-architect">Solutions Architect</h3>
<p>A Solutions Architect focuses more on researching emerging cloud services, eliminating technical uncertainty for future projects, communicating and directing their technical vision during a project with multiple team members, and designing cloud workloads rapidly with confidence in pre-sales activities to acquire or retain customers.</p>
<p>A Solutions Architect should be capable of doing everything a Cloud Engineer can do, but they have to watch out for spending too much time away from implementation, otherwise their designs will look good on paper but fall short in practice due to lacking experience of the various caveats and configurations of cloud services. This is what we would call in the industry a "Paper Architect".</p>
<p>The Solutions Architect is the most sought-after cloud role but unfortunately is not accessible to most because it is really a senior role. I think this is the fault of the AWS Solutions Architect Associate certification being popular, easy, broad, and one of the first cloud certifications. Really I think what most people want is to be a Cloud Engineer.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1628178693283/ow0OxCjWTV.png" alt="Screen Shot 2021-08-05 at 11.51.09 AM.png" /></p>
<h4 id="which-cloud-role">Which cloud role?</h4>
<p>After a tour of the cloud roles, I think the OP is looking to be a DevOps Engineer, but they'll have to decide based on my provided descriptions.</p>
<h2 id="wtf-is-a-cloud-architect">WTF is a Cloud Architect?</h2>
<p>There is one cloud role you might come across called a "Cloud Architect" in various educational articles from <a target="_blank" href="https://acloudguru.com/blog/engineering/what-is-a-cloud-architect-and-how-do-you-become-one">ACloudGuru</a>, <a target="_blank" href="https://cloudacademy.com/blog/what-exactly-is-a-cloud-architect-and-how-do-you-become-one/">Cloud Academy</a> and <a target="_blank" href="https://study.com/articles/cloud_architect_vs_cloud_engineer.html">Study</a>. </p>
<p>Sometimes a Cloud Architect is described as a Cloud Engineer or a Solutions Architect or neither.</p>
<p>However, when you search job boards, interact with bootcamps, private schools' career services or directly with tech companies, you'll be hard-pressed to find this role. </p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1628131156222/dkcdQLrZE3.jpeg" alt="cloud-architect.jpg" /></p>
<p>I think Cloud Architect is lazy marketing teams possibly just copying each other's marketing materials, trying to upsell to their educational services.</p>
<p>Neither I nor the cloud industry has room for another cloud role title.</p>
<p>Honestly, I think if we give it a bit of time someone is going to invent "Cloud Administrator".</p>
<h2 id="the-ops-question">The OP's Question</h2>
<p>To answer the OP's question:</p>
<blockquote>
<p> Is it recommended to first be a system admin in a user support role before becoming Cloud engineer in Azure, AWS or GCP?</p>
</blockquote>
<p>You don't need to be a Systems Administrator before becoming a Cloud Engineer. You would just straight off be a Cloud Engineer as it's commonly the catch-all junior role and the main entry for most people as their first proper cloud role.</p>
<p>Modifying the OP's question to be more in line with what I think they're asking:</p>
<blockquote>
<p> Is it recommended to first be a system admin in a user support role before becoming DevOps engineer in Azure, AWS or GCP?</p>
</blockquote>
<p>Systems Administrator is generally a DevOps Jr role and it's very common to start off as a Systems Administrator first before getting a DevOps role but you can also be a Cloud Engineer and transition to DevOps Engineer.</p>
<p>If you're being pigeonholed as a Systems Administrator then you may actually be a Cloud Support Engineer which, by the OP's description, is what they don't want to be. </p>
<p>You need to change teams or companies until you find one with upward mobility to a DevOps role, or self-study enough for a DevOps position while being a Systems Administrator or Cloud Engineer.</p>
<p>Another variant I think that should be asked:</p>
<blockquote>
<p> Do you need a background in Computer Science to be a Cloud Engineer?</p>
</blockquote>
<p>No, it will help to have good knowledge of systems design, but you can become a practitioner in systems design just by studying cloud certifications. Of course the larger the company the more they tend to prefer Computer Science degrees.</p>
<h2 id="parting-thoughts">Parting Thoughts</h2>
<p>I think the center of the Venn diagram is up for debate. It could have been either Solutions Architect, DevOps Engineer or Cloud Engineer. Even as I write this I would rather put Cloud Engineer in the middle due to it being a supporting role but I put Solutions Architect at the center for it being one of the most senior roles that test your depth of knowledge in cloud services.</p>
<p>This article wasn't a definitive list of all Cloud roles. A very common entry role is Cloud Support Engineer.</p>
<p>If anyone has their own opinions about my role definitions, my diagram or whether Cloud Architect is a real role, feel free to share your comments.</p>
]]></content:encoded></item><item><title><![CDATA[My dream one day is to work for a larger company as a Cloud Engineer and eventually specialize in AWS security. What is a realistic path?]]></title><description><![CDATA[Hello Andrew, I just wanted to start by thanking you for all you are doing for the devops community. A little background I have a bachelors in IT and I currently work in a IT Support/Junior System admin role. This is my first full time IT job and I h...]]></description><link>https://iamcloud.dev/my-dream-one-day-is-to-work-for-a-larger-company-as-a-cloud-engineer-and-eventually-specialize-in-aws-security-what-is-a-realistic-path</link><guid isPermaLink="true">https://iamcloud.dev/my-dream-one-day-is-to-work-for-a-larger-company-as-a-cloud-engineer-and-eventually-specialize-in-aws-security-what-is-a-realistic-path</guid><category><![CDATA[Cloud]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Andrew Brown]]></dc:creator><pubDate>Tue, 03 Aug 2021 15:31:40 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1628004069596/emmArSWDm.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote>
<p>Hello Andrew, I just wanted to start by thanking you for all you are doing for the devops community. A little background: I have a bachelor's in IT and I currently work in an IT Support/Junior System admin role. This is my first full time IT job and I have the opportunity to touch areas in my current role (operations, security, a little networking). My question for you is what would be a good path for me to take to get started on my AWS journey. My dream one day is to work for a larger company as a Cloud Engineer and eventually specialize in security.</p>
<p>I would say I have 2-3 hours a day during my job to study and learn new things (encouraged by my employer). As someone who is looking to progress into the cloud and learn more about AWS specifically, what is a realistic path I can focus on for the next 6 months. Thank you!</p>
</blockquote>
<p>Thanks for the detailed question!</p>
<p>First I would recommend you read my answer to a similar question about <a target="_blank" href="https://iamcloud.dev/16-years-experience-and-i-want-to-start-with-cloud-security">Cloud Security</a> to understand the challenges of cloud security for the various cloud service providers (CSPs).</p>
<h2 id="the-cloud-security-engineer">The Cloud Security Engineer</h2>
<h3 id="what-cloud-security-role-should-i-be-going-for">What Cloud Security role should I be going for?</h3>
<p>We've heard three different domains of interest mentioned in the question:</p>
<ul>
<li>Cloud Engineer — Architecting and implementing cloud workloads</li>
<li>DevOps — IT Operations and Software Development Lifecycles (SDLC)</li>
<li>Cloud Security — Security relating to cloud workloads.</li>
</ul>
<p>At the intersection of these domains is where we get the role of <strong>Cloud Security Engineer</strong>. </p>
<p>If a visual helps, here is a Venn diagram I created:</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627700728327/ES3CmWrKT.png" alt="cloud-security-engineer.png" /></p>
<blockquote>
<p>Take this diagram with a grain of salt; notice that Networking as an outer domain is missing. There is no one-size-fits-all visual graph for cloud roles.</p>
</blockquote>
<p>To understand the role of Cloud Security Engineer we need to understand two things first:</p>
<ol>
<li>Pushing Left</li>
<li>DevSecOps</li>
</ol>
<h3 id="what-is-pushing-left">What is Pushing Left?</h3>
<p>Pushing or Shifting Left means that we perform security at every step of the Software/System Development Life Cycle (SDLC); security is not something we tack on or rework into our systems after the fact.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627702387650/13Hh4LlWL.jpeg" alt="push-left.jpeg" /></p>
<p>Tanya Janca writes about <a target="_blank" href="https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95">Pushing Left in greater detail on her blog</a></p>
<h3 id="what-is-devsecops">What is DevSecOps?</h3>
<p>DevSecOps is what we get when we incorporate Pushing Left into DevOps.</p>
<p>If we were a Cloud Security Engineer and we had to build a deployment pipeline for an application we may need to do the following additional security tasks (not an exhaustive list):</p>
<ul>
<li>Prevent any code that has not been code-signed from being deployed</li>
<li>Automate application security testing methodologies (SAST and DAST) to find security vulnerabilities that can make an application susceptible to attack</li>
<li>Automate <a target="_blank" href="https://snyk.io/">Snyk</a> as a step in our CI/CD to find and fix vulnerabilities in our software packages</li>
<li>Enable VPC Flow Logs to ensure we have a baseline of IP traffic</li>
<li>Automate everything with Infrastructure as Code (IaC), for example using CloudFormation and turning on Drift Detection</li>
<li>Create Config Rules in AWS Config to alert us and remediate if any of our infrastructure's expected configuration changes</li>
<li>Configure services to be as restrictive as possible (least privilege)</li>
</ul>
<p><a target="_blank" href="https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/">AWS has a practical example of DevSecOps for CI/CD pipelines</a></p>
<h3 id="what-does-a-cloud-security-engineer-do">What does a Cloud Security Engineer do?</h3>
<p>The two primary responsibilities of a Cloud Security Engineer are:</p>
<ol>
<li>implementing and <strong>automating</strong> security services, e.g. SIEM, WAF, IDS/IPS</li>
<li>implementing and securing cloud infrastructure pipelines, e.g. CodePipeline, K8s, Jenkins</li>
</ol>
<p>While it might seem that becoming a Cloud Security Engineer requires a lot of knowledge I think it's one of the more accessible Cloud Security roles because it's a practical role, where other Cyber Security roles require many recognized and costly security certifications.</p>
<h3 id="do-i-need-certifications-to-get-this-role">Do I need Certifications to get this role?</h3>
<p>Depends on the industry/vertical as some organizations may have specific cybersecurity certification requirements, but there are many companies who just want to see you have general cybersecurity knowledge. So I would suggest picking what interests you the most and start studying:</p>
<ul>
<li>GIAC Security Essentials (GSEC)</li>
<li>GIAC Certified Incident Handler (GCIH)</li>
<li>Certified Ethical Hacker (CEH)</li>
<li>GIAC Certified Intrusion Analyst (GCIA)</li>
<li>CSA Certificate of Cloud Security Knowledge (CCSK)</li>
<li>Certified Information Systems Security Professional (CISSP)</li>
</ul>
<p>freeCodeCamp has a free course to study for the <a target="_blank" href="https://www.youtube.com/watch?v=M1_v5HBVHWo">CISSP</a>.</p>
<p>I personally like the CCSK as a fundamental certification.</p>
<p>Cybersecurity certifications are expensive, and if your company is not going to pay for you to sit the exam then I'd recommend just buying a study guide or using free content and putting a larger focus on rounding out your DevOps skills. You can always just begin your journey in a Cloud Engineer or DevOps role and transition to Cloud Security Engineer when you've gained credentials or enough knowledge.</p>
<p>As you focus your studies on either DevOps or Cloud Engineer just give special attention to security adopting the Pushing Left mindset. Cloud Security requires a deeper understanding of services, so I would say it would speed up your cloud journey rather than slow it down.</p>
<p>Since you want to work with AWS specifically, I'd recommend the following certification path:</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627957561909/3vj_8JjM7.png" alt="aws-security-certification-path.png" /></p>
<p>The AWS Security Specialty I believe should really be called the AWS DevSecOps Associate because it's not that hard and has a strong focus on automating cloud security within AWS. It is essential for your cloud security journey.</p>
<p>I am working on my own free Cloud Security Fundamentals course and I've secretly started on it in my free <a target="_blank" href="https://www.youtube.com/watch?v=LLKza5oULAA">SC-900</a> course.</p>
<p>You can see it under <strong>Security Concepts</strong>, as this content is not actually supposed to be part of the SC-900 but I figured a Cloud Security primer was needed.</p>
<p>Security Concepts</p>
<ul>
<li>Common Threats</li>
<li>Vulnerabilities</li>
<li>Encryption</li>
<li>Cyphers</li>
<li>Cryptographic Keys</li>
<li>Hashing and Salting</li>
<li>Digital Signatures</li>
<li>In Transit vs At Rest</li>
<li>MFA</li>
<li>SIEM</li>
<li>SOAR</li>
<li>XDR</li>
<li>EDR</li>
<li>CASB</li>
<li>Security Posture</li>
<li>CSPM</li>
<li>JIT &amp; JEP</li>
<li>Ingress vs Egress</li>
<li>Shadow IT</li>
<li>AIR</li>
<li>Threat Modeling</li>
<li>STRIDE</li>
<li>IDS IPS</li>
<li>MITRE ATT&amp;CK Framework</li>
</ul>
<h3 id="what-are-the-job-requirements">What are the job requirements?</h3>
<p>If you search "Cloud Security Engineer" on any job board you will start to notice the same terminologies listed:</p>
<ul>
<li>AWS, Docker, Kubernetes, Jenkins, Terraform, Ansible Expertise </li>
<li>DAST, SAST, DDoS Mitigation, CASB, SIEM, WAN Security, DLP, Vulnerability Scanning, IPS/IDS, Secure Proxies, SSL cryptographic keys.</li>
<li>Okta, Azure AD B2C, Zscaler</li>
<li>FedRAMP, FISMA, SOC, ISO, HIPAA, HITRUST, GDPR</li>
</ul>
<p>I would say the hardest thing to learn is Authentication, e.g. Okta.</p>
<h3 id="learning-capacity">Learning Capacity</h3>
<p>I believe in the rule of threes (you need to do something 3 times before you fully understand it).
There is also a cap to how fast a human can absorb information. So tempering expectations I think in 6 months your goal is to be a <strong>Practitioner</strong> of DevOps, Cloud Engineer and Cloud Security.</p>
<p>A Practitioner is someone who knows how to apply learned skills but cannot describe or recall why what they're doing is correct.</p>
<p>If we repeat our journey three times your progression should look like this:</p>
<ul>
<li>Phase 1 — Practitioner / Junior (6 months)</li>
<li>Phase 2 — Associate / Intermediate (6 months)</li>
<li>Phase 3 — Professional / Senior (6 months)</li>
</ul>
<p>So your goal can be accomplished in 1.5 years or 3 years. It just depends on how hard you want to go at your goal.</p>
<p>With 2-3 hours a day for 6 months (~180 days), that would give us a study capacity in the range of 360-540 hours. How could we best maximize our cloud growth in 6 months with 420 hours?</p>
<p>I would divide that time in half:</p>
<ul>
<li>210 hours allocated for certification study</li>
<li>210 hours allocated for putting our knowledge into practice</li>
</ul>
<h4 id="cloud-certification-study">Cloud Certification Study</h4>
<p>An idea for cloud certification study path:</p>
<ul>
<li>20hrs —  CCSK </li>
<li>12hrs — AWS Certified Cloud Practitioner</li>
<li>8hrs — HashiCorp Terraform</li>
<li>14hrs — Microsoft Security, Compliance, Identity Fundamentals</li>
<li>30hrs — SysOps Associate</li>
<li>30hrs — DevOps Professional</li>
<li>20hrs — AWS Security Certification</li>
<li>20hrs — Certified Kubernetes Application Developer  (CKAD)</li>
<li>20hrs — Certified Kubernetes Security Specialist (CKS)</li>
<li>20hrs — Okta Certified Professional</li>
</ul>
<p><strong>194 hours</strong> (16 surplus hours)</p>
<p>The goal is not to pass these exams but to get through as much content as possible to acclimate ourselves to the body of knowledge we need to know.  If your employer is willing to pay for you to sit the exams by all means sit them but do not extend your study time to guarantee a pass, and do not let a failure cause you to linger on a topic in order to fully understand before proceeding.</p>
<h4 id="personal-projects">Personal Projects</h4>
<p>You need to find ways to apply your learned knowledge. You could take on after-work side projects for your work or design your own project.</p>
<p>I'm sure at some point I'll release a free personal project guide for Cloud Security Engineer on the 100DaysOfCloud GitHub Project Ideas.</p>
<h2 id="summary">Summary</h2>
<p>Demand for Cloud Security Engineers is growing. It's a fun and challenging role and also the most accessible cybersecurity role. All you have to do is put in the time and stick to a three-year plan.</p>
]]></content:encoded></item><item><title><![CDATA[Cloudinary is an asset management and delivery service that does everything, and it won't cost you an arm and a leg!]]></title><description><![CDATA[All I wanted was custom thumbnails, and I ended up writing this article about Cloudinary 🙃
I've seen the name Cloudinary around (mostly in part because of Tessa Mero), but for years I had no idea what it did because I did not give it much attention ...]]></description><link>https://iamcloud.dev/cloudinary-is-an-asset-management-and-delivery-service-that-does-everything-and-it-wont-cost-you-an-arm-and-a-leg</link><guid isPermaLink="true">https://iamcloud.dev/cloudinary-is-an-asset-management-and-delivery-service-that-does-everything-and-it-wont-cost-you-an-arm-and-a-leg</guid><category><![CDATA[Cloud]]></category><dc:creator><![CDATA[Andrew Brown]]></dc:creator><pubDate>Fri, 30 Jul 2021 17:14:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1627665194847/ejZXoIa0e.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2 id="all-i-wanted-was-custom-thumbnails-and-i-ended-up-writing-this-article-about-cloudinary">All I wanted was custom thumbnails, and I ended up writing this article about Cloudinary 🙃</h2>
<p>I've seen the name Cloudinary around (mostly in part because of <a target="_blank" href="https://twitter.com/TessaMero">Tessa Mero</a>), but for years I had no idea what it did because I did not give it much attention until now.</p>
<p>While setting up <a target="_blank" href="https://www.thedev.cloud">TheDev.Cloud</a> Forem server I was trying to figure out how to configure the generation of social graphic thumbnails for when a user does not supply their own banner image eg.</p>
<p><img src="https://forem.dev/remoteimages/uploads/articles/th2qmgrb6jhks07dsp0q.png" alt="Screen Shot 2021-07-25 at 12.07.51 PM" /></p>
<p>I figured it had to be Cloudinary because I vaguely remember Cloudinary had to do something with being a CDN or something with dynamic assets so it was time to dive a bit deeper.</p>
<blockquote>
<p>This is not a sponsored article but Cloudinary, if you feel like sending me a t-shirt. I'm a large. 😉</p>
</blockquote>
<h2 id="what-is-cloudinary">What is Cloudinary?</h2>
<p>Cloudinary is a Software as a Service (SaaS) product to upload, store, manage, manipulate, and deliver images and video for websites and apps.</p>
<p>So it's a unified asset management and delivery system composed of:</p>
<ul>
<li>A Content delivery network (CDN)</li>
<li>Serverless Object Storage</li>
<li>Image and Video Media Transformation Servers</li>
<li>A rich HTTP API where you can change the query string within your browser for on-the-fly image and video transformations.</li>
</ul>
<p>All of this infrastructure is abstracted away into a serverless offering. You just have to worry about the organization of your content and the utilization of credits.</p>
<p>According to Cloudinary the primary technical use-cases would be:</p>
<ul>
<li>Programmable Media for image and video API</li>
<li>Media Optimizer for performance and delivery</li>
<li><p>Dynamic Asset Management for creation and collaboration</p>
<p><img src="https://forem.dev/remoteimages/uploads/articles/v8cbfzv6zzn29pyorvhs.png" alt="Alt Text" /></p>
</li>
</ul>
<h2 id="whats-the-business-application-of-cloudinary">What's the business application of Cloudinary?</h2>
<p>Cloudinary highlights the following industries/verticals. After exploring the platform I have thought of 3 use-cases to help to contextualize its application.</p>
<p><img src="https://forem.dev/remoteimages/uploads/articles/c79u7jndh1uw45625gdl.png" alt="Screen Shot 2021-07-25 at 12.32.48 PM" /></p>
<h3 id="dynamic-catalogs-for-ecommence">Dynamic Catalogs for eCommerce</h3>
<p>We are an online clothing and shoe store. We need to take many images of products for our catalogue. Instead of batch processing all the variant image sizes and applying text and image overlays within Photoshop, we upload our "Golden Images" to Cloudinary. Once in Cloudinary, we <strong>dynamically</strong> generate overlays and image size variants at the time of the request. We could easily run A/B testing of different overlays by simply swapping out the values in the query string or via the Cloudinary SDK.</p>
<h3 id="continuous-moderation-and-reporting-for-travel-lifestyle-youtuber">Continuous Moderation and Reporting for Travel Lifestyle Youtuber</h3>
<p>We are a lifestyle YouTuber specializing in living abroad in Denmark. We have a million-dollar sponsored trip by an airline company to all the major cities eg. Copenhagen, Aarhus, Odense, and Aalborg. Part of our campaign is to document our journey and create a social stream producing hundreds of images and videos daily,  delivered across various forms of social media over the span of 3 months.</p>
<p>Since we need to continuously deliver content daily we need to ensure our content is moderated to prevent adult-oriented and inappropriate images that may have found their way into the background.</p>
<p>Using Cloudinary add-ons we can easily leverage third-party add-ons such as</p>
<ul>
<li>WebPurify Image Moderation</li>
<li>AWS Rekognition AI Image or Video Moderation</li>
</ul>
<p>to detect and exclude any troublesome images.</p>
<p>At the end of the trip, we want to know what were our best performing pieces of media so we can curate that content to be used to produce collage videos for each major city. These collage videos will be used by our airline sponsor to attract more travellers to these cities. </p>
<p> Using Cloudinary reporting we can see our top pieces of content that were consumed by users.</p>
<h3 id="personalize-engagement-for-private-community-member">Personalize Engagement for Private Community Member</h3>
<p>We're an infamous tech mentor and we are leveraging an open-source social platform to host a private community where people pay to be mentored. When people sign up they fill out an assessment form.</p>
<p>We want to personalize the experience for newcomers by sending an image via SMS with text overlaid that leverages data from the assessment form so our group mentoring feels like a 1-to-1 mentoring experience.</p>
<p>We can leverage the programmatic API of Cloudinary to deliver that experience.</p>
<h2 id="how-do-i-integrate-it-into-my-platform">How do I integrate it into my platform?</h2>
<p>There are three ways to integrate:</p>
<ol>
<li>the <strong>SDK</strong></li>
<li>the <strong>URL API</strong> </li>
<li>and <strong>Widgets and Players</strong></li>
</ol>
<h3 id="sdk">SDK</h3>
<p>When you want to programmatically integrate with your backend, frontend or mobile app you'll be using an SDK.</p>
<p>A Software Development Kit (SDK) lets you use your language or framework of choice to integrate third-party services. Cloudinary has many options.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627234555724/ZK-aG9kBr.png" alt="Screen Shot 2021-07-25 at 1.35.16 PM.png" /></p>
<blockquote>
<p>there are many more Cloudinary SDKs than what is listed in that image.</p>
</blockquote>
<p>Using the <a target="_blank" href="https://github.com/cloudinary/cloudinary_gem">Cloudinary Ruby SDK</a> you can see how easy it is to programmatically apply transformations:</p>
<pre><code class="lang-rb">cl_image_tag(<span class="hljs-string">"front_face.png"</span>, <span class="hljs-symbol">:secure=&gt;true</span>, <span class="hljs-symbol">:transformation=&gt;</span>[
  {<span class="hljs-symbol">:width=&gt;</span><span class="hljs-number">150</span>, <span class="hljs-symbol">:height=&gt;</span><span class="hljs-number">150</span>, <span class="hljs-symbol">:gravity=&gt;<span class="hljs-string">"face"</span></span>, <span class="hljs-symbol">:crop=&gt;<span class="hljs-string">"thumb"</span></span>},
  {<span class="hljs-symbol">:radius=&gt;</span><span class="hljs-number">20</span>},
  {<span class="hljs-symbol">:effect=&gt;<span class="hljs-string">"sepia"</span></span>},
  {<span class="hljs-symbol">:overlay=&gt;<span class="hljs-string">"cloudinary_icon_blue"</span></span>, <span class="hljs-symbol">:gravity=&gt;<span class="hljs-string">"south_east"</span></span>, <span class="hljs-symbol">:x=&gt;</span><span class="hljs-number">5</span>, <span class="hljs-symbol">:y=&gt;</span><span class="hljs-number">5</span>, <span class="hljs-symbol">:width=&gt;</span><span class="hljs-number">50</span>, <span class="hljs-symbol">:opacity=&gt;</span><span class="hljs-number">60</span>, <span class="hljs-symbol">:effect=&gt;<span class="hljs-string">"brightness:200"</span></span>},
  {<span class="hljs-symbol">:angle=&gt;</span><span class="hljs-number">10</span>}
  ])
</code></pre>
<p>The code above is applying a sepia filter, rotating the image, resizing the image, and overlaying a watermark.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627234707905/xScogyPb-.png" alt="face.png" /></p>
<h3 id="url-api">URL API</h3>
<p>The other way you can interact with Cloudinary is via their URL API.</p>
<blockquote>
<p>Technically when you are using the SDK it's just using this API underneath.</p>
</blockquote>
<p>So I uploaded this image of Kirk fighting a Gorn from Star Trek:</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627235786787/fbCG96yLi.jpeg" alt="gorn.jpg" /></p>
<p>And I applied various transformations with the Cloudinary platform, which generates a URL for you.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627235753627/tqUPYfzni.png" alt="Screen Shot 2021-07-25 at 1.55.19 PM.png" /></p>
<pre><code><span class="hljs-attribute">https</span>://res.cloudinary.com/thedev-cloud/image/upload/c_crop,g_faces,w_<span class="hljs-number">358</span>,x_<span class="hljs-number">328</span>,y_<span class="hljs-number">186</span>/e_vectorize/bo_<span class="hljs-number">20</span>px_solid_rgb:ff<span class="hljs-number">0000</span>,e_outline/v<span class="hljs-number">1627235426</span>/gorn_rvbiru.webp
</code></pre><p>Taking that URL I changed the image border color <strong>within my browser</strong> by swapping out the hexcode:</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627235953312/xZI-YGF9K.png" alt="Screen Shot 2021-07-25 at 1.58.39 PM.png" /></p>
<pre><code><span class="hljs-attribute">https</span>://res.cloudinary.com/thedev-cloud/image/upload/c_crop,g_faces,w_<span class="hljs-number">358</span>,x_<span class="hljs-number">328</span>,y_<span class="hljs-number">186</span>/e_vectorize/bo_<span class="hljs-number">20</span>px_solid_rgb:<span class="hljs-number">0000</span>ff,e_outline/v<span class="hljs-number">1627235426</span>/gorn_rvbiru.webp
</code></pre><p>Give it a try, swap out the hexcode in your browser ☝️</p>
<h3 id="widgets-and-players">Widgets and Players</h3>
<p>Cloudinary has multiple embeddable widgets to easily get your content into your Cloudinary account. You take the usual JS embed code, drop it into a script tag, and there you go.</p>
<pre><code class="lang-js">&lt;button id=<span class="hljs-string">"upload_widget"</span> <span class="hljs-class"><span class="hljs-keyword">class</span></span>=<span class="hljs-string">"cloudinary-button"</span>&gt;Upload files&lt;/button&gt;

<span class="xml"><span class="hljs-tag">&lt;<span class="hljs-name">script</span> <span class="hljs-attr">src</span>=<span class="hljs-string">"https://upload-widget.cloudinary.com/global/all.js"</span> <span class="hljs-attr">type</span>=<span class="hljs-string">"text/javascript"</span>&gt;</span><span class="hljs-tag">&lt;/<span class="hljs-name">script</span>&gt;</span></span>  

<span class="xml"><span class="hljs-tag">&lt;<span class="hljs-name">script</span> <span class="hljs-attr">type</span>=<span class="hljs-string">"text/javascript"</span>&gt;</span><span class="javascript">  
<span class="hljs-keyword">var</span> myWidget = cloudinary.createUploadWidget({
  <span class="hljs-attr">cloudName</span>: <span class="hljs-string">'my_cloud_name'</span>, 
  <span class="hljs-attr">uploadPreset</span>: <span class="hljs-string">'my_preset'</span>}, <span class="hljs-function">(<span class="hljs-params">error, result</span>) =&gt;</span> { 
    <span class="hljs-keyword">if</span> (!error &amp;&amp; result &amp;&amp; result.event === <span class="hljs-string">"success"</span>) { 
      <span class="hljs-built_in">console</span>.log(<span class="hljs-string">'Done! Here is the image info: '</span>, result.info); 
    }
  }
)

<span class="hljs-built_in">document</span>.getElementById(<span class="hljs-string">"upload_widget"</span>).addEventListener(<span class="hljs-string">"click"</span>, <span class="hljs-function"><span class="hljs-keyword">function</span>(<span class="hljs-params"></span>)</span>{
    myWidget.open();
  }, <span class="hljs-literal">false</span>);
</span><span class="hljs-tag">&lt;/<span class="hljs-name">script</span>&gt;</span></span>
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627236659089/LkBlMF79-.png" alt="Screen Shot 2021-07-25 at 2.09.53 PM.png" /></p>
<p>If you're trying to have a white-label experience, I saw no way to style these widgets. While I'd say that these widgets are a tad ugly, they serve their purpose by being straightforward and utilitarian, meeting all use cases. </p>
<p>Cloudinary also has a rich media player to deliver video on demand (VOD) from your Cloudinary account. I personally use Plyr as my video player on my learning platform because I serve videos from both YouTube and Vimeo and want a unified experience.</p>
<p>I really dislike Vimeo's content management system, so if the price is right, I might consider compromising the unified player experience for a better way to manage my video catalogue.</p>
<h2 id="the-console-experience">The Console Experience</h2>
<p>It's an old and ugly-looking UI in most places but.... and this is important! Cloudinary does <strong>everything and anything</strong> you'd ever want from an asset management and delivery service. </p>
<p>It's very utilitarian, optimized for power users, and has a fast-loading UI. Sure, you might have to press an old-school refresh button, but it is a reliable experience, which is how I want my cloud platform console to be. </p>
<p>The amount of transformation options to choose from overflows the screen, and each transformation has many knobs and dials you can tweak. </p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627237609836/ya4qV9w5j.png" alt="Screen Shot 2021-07-25 at 2.26.24 PM.png" /></p>
<h2 id="import-export-and-backup">Import, Export and Backup</h2>
<p>You can bulk import from an Amazon S3 bucket. </p>
<p>You can download zipped archives.</p>
<p>When you upgrade your plan you can have automatic backups to your own Amazon S3 bucket.</p>
<p>So there is no data lock-in.</p>
<h2 id="pricing-and-limits">Pricing and Limits</h2>
<h3 id="okay-so-what-does-it-cost">Okay, so what does it cost?</h3>
<p>Credits initially confused me and I balked at the pricing, but once I learned what a single credit constitutes it was more reasonable. </p>
<p>Cloudinary has a Free plan, which does not require a credit card, and does not expire (some cloud services will urge you to upgrade after 14 days.)</p>
<p>1 Credit =</p>
<ul>
<li>1,000 Transformations OR</li>
<li>1 GB Storage OR</li>
<li>1 GB Image Bandwidth OR</li>
<li>2 GB Video Bandwidth</li>
</ul>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627238414616/kdq7-wzUt.png" alt="Screen Shot 2021-07-25 at 2.38.35 PM.png" /></p>
<p>The free plan gives you 25 monthly credits.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627238345181/_u9z1w3sk.png" alt="Screen Shot 2021-07-25 at 2.38.51 PM.png" /></p>
<p>So this should translate to:
25 Credits =</p>
<ul>
<li>25,000 Transformations OR</li>
<li>25 GB Storage OR</li>
<li>25 GB Image Bandwidth OR</li>
<li>50 GB Video Bandwidth</li>
</ul>
<p>Which is very generous, assuming I didn't mess up the math here. 😅</p>
<p>With the Plus Plan at $99 USD / month you get 225 credits:</p>
<p>So this should translate to:
25 Credits =</p>
<ul>
<li>250,000 Transformations OR</li>
<li>225 GB Storage OR</li>
<li>225 GB Image Bandwidth OR</li>
<li>450 GB Video Bandwidth</li>
</ul>
<p>Then there is:</p>
<ul>
<li>Advanced at $249 for 600 credits</li>
<li>Advanced Extra $549 for 1,350 credits</li>
<li>1TB+ contact sales and they'll work something out.</li>
</ul>
<h3 id="usage-limits">Usage Limits</h3>
<p>API Limits might be an important factor for you. When I am uploading Youtube and Vimeo videos it affects my content creation pipeline where I have to spread out my uploads over the monthly limits.</p>
<p>Via the Upload API, hourly requests are unlimited, so no awful monthly caps (Yes, I'm talking about you, Vimeo!).</p>
<p>Limits are less about monthly frequency and more around file size. Right now I am utilizing the free-tier and it says max 100 MB per video and max 10 MB per image.</p>
<p>So I'm not sure what the upper limit in the paid plans is before upgrading.</p>
<p>You probably don't want to be uploading massive images and videos anyway, to conserve your credits.</p>
<h2 id="final-impressions">Final Impressions</h2>
<p>Everything is so fast, which I guess makes sense if a big part of your business is delivering assets globally over the internet.</p>
<p>Cloudinary does so much in terms of fine-grain feature control that I run the risk of making the longest article in the world (for assets and delivery management) or I missed out on something cool.</p>
<p>The pricing feels economical like a cloud service provider (CSP), it was so easy to start using, and what I like the most is that I haven't experienced any aggressive drip emails with salespeople clamoring to get on the phone or Zoom only to try to max out how much they can get away with charging you (this is what most cloud vendors do 😑).</p>
<p>The Console's UI is a bit dated, (which doesn't matter) and the marketing website could appeal a bit more to developers and pick a thing to be more focused.</p>
<h2 id="lingering-questions">Lingering Questions 🤔</h2>
<p>I have some questions for Cloudinary that I'd be interested to know the answers to, and would love to get a reply over at <a target="_blank" href="https://www.thedev.cloud">https://www.thedev.cloud</a></p>
<h3 id="credit-math">Credit Math</h3>
<p>Did I get my credit math correct about storage and sizes? 😅</p>
<h3 id="cost-effectiveness-of-credits">Cost-effectiveness of credits</h3>
<p>I feel like there could be more complexity around credit consumption, or there is some strategy to being cost-effective with credits that I'm missing out on.</p>
<p>One thought I had, is the edge cases of storage consumption.</p>
<p>Is it based on the original asset or on the original and stored assets that have been transformed?  If I uploaded large images, but I don't need my "golden image" to be stored at a massive resolution, could I downscale that, and that is my "golden image"?</p>
<h3 id="usage-tiers-for-paid-plans">Usage Tiers for Paid Plans</h3>
<p>Just curious, what is the largest image or video limits I can upload if I had paid plans?</p>
<h3 id="widget-white-labelling">Widget White labelling</h3>
<p>Can you white-label widgets or would Cloudinary ever consider custom CSS so if someone was building a SaaS product that leverages Cloudinary, to deliver on a seamless experience but save time coding their own interfaces to Cloudinary.</p>
<h3 id="any-hidden-gems">Any Hidden Gems</h3>
<p>Did I miss anything really cool? Cloudinary just does so much.</p>
<h3 id="other-csp-cloud-storage-options">Other CSP cloud storage options.</h3>
<p>Amazon S3 is great and all, but do you have support for import, export, backup for Azure Storage Accounts or Google Cloud Storage?</p>
]]></content:encoded></item><item><title><![CDATA[16 years experience and I want to start with cloud security]]></title><description><![CDATA[Hello Andrew
I have total 16 years of experience which includes both application development and application security I want to start with cloud security, However, my current organization is not working with cloud in any way and doesn't look like it ...]]></description><link>https://iamcloud.dev/16-years-experience-and-i-want-to-start-with-cloud-security</link><guid isPermaLink="true">https://iamcloud.dev/16-years-experience-and-i-want-to-start-with-cloud-security</guid><category><![CDATA[Cloud]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Andrew Brown]]></dc:creator><pubDate>Wed, 28 Jul 2021 02:41:41 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1627440063662/f5cU6wsS1.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote>
<p>Hello Andrew
I have total 16 years of experience which includes both application development and application security I want to start with cloud security, However, my current organization is not working with cloud in any way and doesn't look like it will for another few years
I have experience in application security testing and secure code review
I have also completed the CCSK certification</p>
</blockquote>
<h2 id="ccsk-and-theoretical-cloud-security">CCSK and Theoretical Cloud Security</h2>
<p>For those who are reading, the <a target="_blank" href="https://cloudsecurityalliance.org/education/ccsk/">CSA Certificate of Cloud Security Knowledge (CCSK)</a> is a vendor-neutral cloud security certification that costs $395 USD to sit.</p>
<p>I would not describe it as difficult, but it is very broad, as you can see from the following domains:</p>
<ol>
<li>Cloud Computing Concepts and Architectures</li>
<li>Governance and Enterprise Risk Management</li>
<li>Legal Issues, Contracts and Electronic Discovery</li>
<li>Compliance and Audit Management</li>
<li>Information Governance</li>
<li>Management Plane and Business Continuity</li>
<li>Infrastructure Security</li>
<li>Virtualization and Containers</li>
<li>Incident Response</li>
<li>Application Security</li>
<li>Data Security and Encryption</li>
<li>Entitlement, and Access Management</li>
<li>Security as a Service</li>
<li>Related Technologies</li>
</ol>
<p>If you want a good sense of what the CCSK covers at a granular layer look at the table of contents for the <a target="_blank" href="https://www.amazon.ca/Certificate-Cloud-Security-Knowledge-Guide/dp/1260460088/ref=asc_df_1260460088/?tag=googleshopc0c-20&amp;linkCode=df0&amp;hvadid=378350457287&amp;hvpos=&amp;hvnetw=g&amp;hvrand=4106833498597552619&amp;hvpone=&amp;hvptwo=&amp;hvqmt=&amp;hvdev=c&amp;hvdvcmdl=&amp;hvlocint=&amp;hvlocphy=9000773&amp;hvtargid=pla-887974387560&amp;psc=1&amp;asin=1260460088&amp;revisionId=&amp;format=4&amp;depth=1">CCSK Exam Guide on Amazon</a></p>
<p>Just like the CompTIA Cloud+, I think there is lots of great knowledge here, but I'm dissuaded from recommending that individuals sit the exam at such a high price point (unless, of course, your company is willing to pay for it, or you have identified employers who are asking for it as a requirement).</p>
<p>If you can afford the ~$40 USD CCSK Exam Guide on Amazon, I consider it a must-read before you start diving into practical cloud security.</p>
<p>I think the CCSK is a lot more useful than the CompTIA Security+. Security+ feels like it's written through the lens of a network engineer, and I feel it's information you'll encounter elsewhere on your journey.</p>
<h2 id="practical-cloud-security">Practical Cloud Security</h2>
<p>If you're looking to do Cloud Security, there are 4 things you need to gain practical experience within:</p>
<ol>
<li>Identity</li>
<li>Compliance</li>
<li>Governance</li>
<li>Security</li>
</ol>
<h2 id="1-identity">1. Identity</h2>
<p>When you think of Identity I want you to think about the Zero Trust Model.</p>
<p>The Zero Trust Model operates on the principle of “trust no one, verify everything”. It's not a new concept, and honestly, many security experts have criticized the term, much as systems engineers complain about the term DevOps, for being both broad in scope and hard to define, and just part of the normal job.</p>
<p>The Zero Trust Model is a communication tool to help organizations think differently about their security perimeter and its popularity exploded due to COVID where Work from Home (WFH) became commonplace. Organizations could no longer rely on their physical office computer network to keep their organizational resources secure.</p>
<ul>
<li>Microsoft Azure has its own Zero Trust Model which revolves around Azure AD</li>
<li>Google Cloud has its own Zero Trust Model which revolves around BeyondCorp</li>
<li>AWS has... well they have an article about <a target="_blank" href="https://aws.amazon.com/blogs/publicsector/how-to-think-about-zero-trust-architectures-on-aws/">Zero Trust Architecture</a> which looks far off from Azure and GCP.</li>
</ul>
<p>AWS does not have an Identity as a Service (IDaaS), Mobile Application Management (MAM) or Mobile Device Management (MDM) like Azure and GCP. AWS hasn't made it clear what third-party provider would be the best to utilize for Identity to implement a Zero Trust Model with your AWS workloads.</p>
<p>For Identity, I strongly recommend studying the SC-900 and Azure AD and learning about BeyondCorp.</p>
<h2 id="2-compliance">2. Compliance</h2>
<p>These are the 4 regulatory compliance programs I hear my fellow CTOs or CISOs griping about as they try to figure them out: <strong>SOC2, ISO 27001</strong>, FedRAMP and HIPAA.</p>
<p>Having practical experience in regulatory compliance is extremely valuable, however, the only way to obtain this knowledge is if your company is going through the process and you are a key person in that initiative because it's very expensive and involved.</p>
<p>You can learn by proxy by talking to lots of cloud vendors specializing in compliance, sitting through as many demos as possible and asking lots of questions.</p>
<p>You will also want to know FIPS 140-2 and GDPR in practice, which are more accessible to learn since you can simulate them yourself within your own cloud service provider (CSP) account.</p>
<p><a target="_blank" href="https://tugboatlogic.com/">Tugboat Logic</a> and <a target="_blank" href="https://www.vanta.com/">Vanta</a> are the two most popular compliance vendors, so learn about their offerings.</p>
<h2 id="3-governance">3. Governance</h2>
<p>Governance is often accompanied by Compliance and Risk Management (GCR).</p>
<p>Governance is the practice of creating policies, procedures, playbooks, security controls, and guard rails to ensure your organization is meeting your security needs.</p>
<p>So in AWS, governance would be things like how to apply Service Control Policies to AWS Organizations, adopting GitOps, Infrastructure as Code via CloudFormation, having departments procure cloud resources or workloads through AWS Service Catalog, or applying IAM Permission Boundaries to IAM groups and users.</p>
<p>While there are lots of cloud services to support Governance you need to remember Governance is all about dealing with people and utilizing soft skills because no matter the tooling, you need to continuously train your team.</p>
<p>Playbooks and Runbooks are something you want to learn how to write; however, you're not going to find any off-the-shelf examples because organizations invent their own. So get creative and design some with your best guess of what a good Playbook or Runbook should look like.</p>
<p>To learn the persuasive art of getting people to push left I recommend consuming large amounts of <a target="_blank" href="https://markn.ca/about/">Mark Nunnikhoven content</a> as a learning model for cloud security communication.</p>
<h2 id="4-security">4. Security</h2>
<p>For security, we'll take a closer look at each CSP's offerings.</p>
<h3 id="aws">AWS</h3>
<p>AWS has three major security deficits:</p>
<ol>
<li>A lack of robust Identity features</li>
<li>A lack of built-in visibility for assessing Security Posture</li>
<li>Poor assets and inventory management</li>
</ol>
<p>So you really need to lean on third-party providers to meet your organization's security needs. So maybe you would use:</p>
<ul>
<li><a target="_blank" href="https://jumpcloud.com/">JumpCloud</a> as an agnostic Identity as a Service (IDaaS)</li>
<li><a target="_blank" href="https://jupiterone.com/">JupiterOne</a> for Graph-powered Cloud Asset/Inventory Management (CAM)</li>
<li><a target="_blank" href="https://www.verygoodsecurity.com/">Very Good Security</a> to generate Security Scores</li>
</ul>
<p>The hardest challenge is determining a good AWS Multi-account strategy. Unlike GCP and Azure, AWS is unique in that there is lots of friction in creating isolated workloads. AWS Control Tower can set you up with AWS's best practices for multi-account and allow you to self-vendor new accounts, but in practice, AWS Control Tower is not a one-size-fits-all, so most companies are rolling their own strategies.</p>
<h4 id="aws-security-speciality">AWS Security Speciality</h4>
<p>This certification focuses on the utility of AWS security services and it would be better to name this certification the AWS DevSecOps Speciality.</p>
<p>Despite being a Speciality course, it's lacking lots of cloud security knowledge, and securing AWS really relies on utilizing third-party security vendors.</p>
<p>The CCSK would be a very useful precursor before taking this exam.</p>
<p>Microsoft's Active Directory is not really covered by AWS but because it's so prevalent in the industry there are many questions involving Active Directory on the exam.</p>
<p>This is why I would recommend spending time on Microsoft Azure learning Active Directory through Azure AD via the SC-900.</p>
<h4 id="reinforce">re:Inforce</h4>
<p>AWS has an AWS Security convention called re:Inforce. It's more people wearing t-shirts than suits (unlike most security conferences) and there are lots of hands-on activities to gain practical AWS security knowledge.</p>
<p>It's very expensive but if you have the opportunity to go, it is well worth the investment.</p>
<p>Even though it's an AWS event all the security vendors are present and they're all secretly dying to talk about their multi-cloud offering so you can pick up lots of transferable knowledge to apply to any Cloud Service Provider (CSP).</p>
<h4 id="aws-security-identity-and-compliance">AWS Security, Identity, and Compliance</h4>
<p>AWS has a 3-hour course on the <a target="_blank" href="https://www.aws.training/Details/eLearning?id=49720">AWS Training platform</a>. It has the fault of being service-oriented and you can think of it as a <em>light version</em> of the AWS Security Speciality.</p>
<h3 id="microsoft-azure">Microsoft Azure</h3>
<p>Microsoft Azure has the most built-in security tooling out of all the CSPs, so you're leaning less on third-party security providers. I think the reason for this is that Microsoft is a hot mess with so many sprawling service offerings that, if they didn't have the built-in tooling, it would just be a security nightmare.</p>
<p>While AWS documentation focuses on each service and its utility, Microsoft documentation focuses heavily on business applications and for Security, they have lots of great content.</p>
<h4 id="microsoft-security-best-practices">Microsoft Security Best Practices</h4>
<p>I would strongly recommend <strong>Microsoft Security Best Practices</strong> which is both a <a target="_blank" href="https://docs.microsoft.com/en-us/security/compass/compass">video series</a> and a <a target="_blank" href="https://docs.microsoft.com/en-us/microsoft-365/downloads/security-compass-presentation.pptx">PowerPoint document</a>.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627420043166/8C8gZt2OI.png" alt="Screen Shot 2021-07-27 at 5.06.53 PM.png" /></p>
<h4 id="microsoft-security-certifications">Microsoft Security Certifications</h4>
<p>Microsoft Azure has multiple role-based security courses:</p>
<ul>
<li>SC-900,  AZ-500,  SC-300,  SC-400,  SC-200</li>
</ul>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627418949274/rMfX5CT3e.jpeg" alt="sc-900-roadmap.jpg" /></p>
<p>If you take the SC-900 it's a broad introduction that touches a bit of everything which is covered in the associate security courses.</p>
<p>Honestly, Azure should have just taken all those associates and rolled it into a Professional or Speciality. </p>
<p>Azure has a huge focus on Active Directory and Identity since Azure AD is their flagship product. </p>
<p>There is a free learning path by Microsoft on <a target="_blank" href="https://docs.microsoft.com/en-us/learn/certifications/exams/sc-900">Microsoft Learn</a>, but I feel, just like AWS, they gloss over lots of security fundamentals.</p>
<p>I created a free SC-900 study course but my real motivation was to create a Cloud Security Primer that I front-loaded into the course. At some point I will extract that secret course and expand it into a practical cloud-agnostic security course.</p>
<p><a target="_blank" href="https://www.youtube.com/watch?v=LLKza5oULAA"><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627421366143/Ik0xV7Hun.jpeg" alt="sc-900-thumb.jpeg" /></a></p>
<h3 id="google-cloud">Google Cloud</h3>
<p>GCP is interesting in that its service offering is lean by design, and for that reason, security is a breeze on GCP.</p>
<p>GCP has been ahead of the game in many regards. For example, GCP doesn't have isolated GovCloud regions in the same sense as Azure or AWS. Many GCP regions can, by design, handle FedRAMP workloads and will be designated appropriate for workloads that are either High or Medium baselines.</p>
<p>GCP also has their own security key called <a target="_blank" href="https://cloud.google.com/titan-security-key">Titan</a>.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627423993900/yJuCsAzjL.png" alt="Screen Shot 2021-07-27 at 6.12.58 PM.png" /></p>
<p>Are Titan keys superior to YubiKeys? That's debatable but it's cool that Google makes their own.</p>
<h4 id="professional-cloud-security-engineer-certification">Professional Cloud Security Engineer Certification</h4>
<p>GCP has one certification for security, the Cloud Security Engineer. Despite being called a Professional Certification it's not that difficult, but it's a well-balanced cloud security certification, unlike AWS, which is more DevSecOps, and Azure, which focuses too much on Identity.</p>
<h2 id="additional-practical-cloud-security-content">Additional Practical Cloud Security Content</h2>
<h3 id="ine">INE</h3>
<p><a target="_blank" href="https://my.ine.com/area/3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa">INE</a> has a good mix of practical cloud security content. Their platform is $49 USD per month; you could probably consume most of what you need in a month and then unsubscribe.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627414923049/yF7VwJBe2.png" alt="Screen Shot 2021-07-27 at 3.41.39 PM.png" /></p>
<p>If you want to inquire more about INE offerings, go and DM <a target="_blank" href="https://twitter.com/TracyWallaceTec">Tracy</a> and tell them Andrew Brown sent you.</p>
<h3 id="rhino-security-labs-and-cloud-goat">Rhino Security Labs and Cloud Goat</h3>
<p><a target="_blank" href="https://rhinosecuritylabs.com/">Rhino Security Labs</a> is always putting out great content and open-source projects. One I like very much, in particular, is their project <a target="_blank" href="https://github.com/RhinoSecurityLabs/cloudgoat">Cloud Goat</a>.</p>
<p>CloudGoat allows you to provision a "Vulnerable by Design" AWS environment so that you can pretend to be a malicious actor trying to find your way in.</p>
<p>If you get stuck and you want to see the answer, they have these Exploitation Routes:</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627424781657/3DkNvJ1uy.png" alt="exploit-routes.png" /></p>
<h2 id="conclusion">Conclusion</h2>
<p>The Security industry is flush with security certifications, but I feel Cloud Security has quite a few holes yet to be filled with an end-to-end training solution.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1627425088605/cVtdEfBkU.png" alt="security-certs-map.png" /></p>
<p>There is no definitive path to a Cloud Security role. There are lots of bits and pieces all over the place and you need to patchwork together your own solution.</p>
<blockquote>
<p>I mention a bunch of different paid providers, but I am not sponsored by anyone, nor do I receive affiliate commissions (at least at the time of writing this article). If anyone wants to send me t-shirts, I take a large.</p>
</blockquote>
]]></content:encoded></item><item><title><![CDATA[20 years experience with Linux, Networking and PHP as a software architecture, where do I go from here?]]></title><description><![CDATA[I've worked in IT since 2001, have knowledge in Linux admin and network resolution, but although I'm a software architect, my stack is limited to PHP and Oracle PL/SQL, I'm tired of my current job, what would you recommend?

The cloud is your oyster
...]]></description><link>https://iamcloud.dev/20-years-experience-with-linux-networking-and-php-as-a-software-architecture-where-do-i-go-from-here</link><guid isPermaLink="true">https://iamcloud.dev/20-years-experience-with-linux-networking-and-php-as-a-software-architecture-where-do-i-go-from-here</guid><category><![CDATA[Career]]></category><category><![CDATA[Cloud]]></category><category><![CDATA[General Programming]]></category><dc:creator><![CDATA[Andrew Brown]]></dc:creator><pubDate>Mon, 26 Jul 2021 04:04:08 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1627358739180/5hkyOAsOX.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote>
<p>I've worked in IT since 2001, have knowledge in Linux admin and network resolution, but although I'm a software architect, my stack is limited to PHP and Oracle PL/SQL, I'm tired of my current job, what would you recommend?</p>
</blockquote>
<h2 id="the-cloud-is-your-oyster">The cloud is your oyster</h2>
<p>When you have 20 years of experience, you're positioned to move into pretty much any kind of cloud role.</p>
<ul>
<li>DevOps</li>
<li>Solutions Architect</li>
<li>Data Engineer</li>
<li>Cloud Engineer</li>
<li>Cloud Security</li>
<li>etc...</li>
</ul>
<h2 id="the-unicorn-for-cloud-recruiters">The unicorn for cloud recruiters</h2>
<p>I usually say Cloud Certifications are all about the journey and, in most cases, will be a minor factor in helping you secure a job... except when you have 20 years of experience.</p>
<p>When you pair a couple of Professional level certifications, e.g. AWS DevOps Professional, with 20+ years of experience, cloud recruiters like Jefferson Frank will have an effortless time finding you a high-paying and rewarding career in the cloud. That combination of experience is highly in demand, to the point that companies are ready and willing to sponsor non-native English speakers from India or elsewhere to come work in the US and Canada.</p>
<h2 id="deep-programming-and-framework-knowledge-is-overrated">Deep programming and framework knowledge is overrated</h2>
<p>The great thing about the cloud is that so much of the application workload is offloaded to managed services that, for companies that go cloud-native and leverage the most of what the cloud offers, the knowledge requirements of the software architect shift.</p>
<p>Companies become less concerned about deep knowledge of web or software frameworks and more on distributed systems knowledge and configuration details between services (application integration).</p>
<p>So when you say "I have strong knowledge of one language and one database", that's more than enough to have transferable skills. You will encounter many different programming languages in the cloud, but you only have to have shallow knowledge, e.g. functions, variables, loops and SDKs.</p>
<p>You can pretty much copy and paste your way through most tasks.</p>
<h2 id="where-to-go-from-here">Where to go from here?</h2>
<p>When you have strong Networking and Virtualization knowledge adjacent to software development, you will likely be interested in and excel at Modern Application Architecture.</p>
<p>Modern Application Architecture focuses on micro-service architecture (dividing monolithic apps into small isolated applications).</p>
<p>Modern Application Architecture is the cutting edge of software architecture for cloud workloads. So the learning path is not well-defined, but the upside is that you can define it yourself, and no one has the means to say you're doing it wrong.</p>
<p>From here, we have two choices: Containers or Serverless. </p>
<h2 id="containers">Containers</h2>
<p>Containers generally mean Kubernetes (K8s) because that's what all the companies want to use.</p>
<p>If you want to peek into this world, this recent article shared with me gives a good insight into how challenging containers are. <a target="_blank" href="https://ably.com/blog/no-we-dont-use-kubernetes">No, We don't use Kubernetes</a></p>
<p>If you enjoyed Linux Administration over Programming (which is all about smashing your head against difficult configurations problems), the containers route is for you!</p>
<p>Technically this is a DevOps-ish path.</p>
<p>You can start on your journey by studying for the <a target="_blank" href="https://www.cncf.io/certification/ckad/">CKAD</a> or <a target="_blank" href="https://www.cncf.io/certification/cka/">CKA</a>.</p>
<p><a target="_blank" href="https://www.youtube.com/channel/UCdngmbVKX1Tgre699-XLlUA">TechWorld with Nana</a> is a free place to start</p>
<h2 id="serverless">Serverless</h2>
<p>Serverless is when you leverage cloud services that abstract away most or all of the infrastructure. So you don't worry about the configuration of the underlying infrastructure. You have a consumption model based on some abstract usage credits, cost can scale to zero, services are designed to be highly available, scalable and secure. You focus more on the configuration of cloud services, shallow programming and architecting and implementing solutions.</p>
<p>The above statement is a bit of a lie, or I should say Cloud Service Providers (CSPs) have been broadening the serverless term, applying it to fully managed services that meet most but lack some of the tenets of serverless.</p>
<p>My friend Daniel who runs the Serverless Toronto User Group would say the way you should think of Serverless relating to cloud services is like how some home appliances have an energy efficiency rating; some services are more Serverless than others.</p>
<p>In serverless, you will also encounter containers; it's not Kubernetes, it's more like a containers-light skillset, where you build and use containers, but orchestration and networking are greatly simplified. </p>
<p>If you enjoyed Programming over Linux Administration, then Serverless is the route for you!</p>
<p>Learning serverless is a bit tricky since there are many schools of thought, and you essentially need to join a dojo and learn from a person.</p>
<p>I think the leader of serverless technology is AWS, because they have the broadest amount of serverless services that are well interconnected and are cost-effective.</p>
<p>One route could be to take the <a target="_blank" href="https://homeschool.dev/class/production-ready-serverless/">Production Ready Serverless</a> course (they have a sponsorship program that can reduce the cost significantly).</p>
<p>I strongly recommend attending the <a target="_blank" href="https://student.serverlessdays.io/">Serverless Days Serverless Online Conference</a> on August 15, 2021.</p>
<p>I am working on an entirely free serverless certification course because I feel there is a huge gap in accessible training for serverless, starting with my Serverless Fundamentals Certification.</p>
<p>👉 If you want to ask me a cloud journey question, <a target="_blank" href="https://www.thedev.cloud/andrewbrown/if-you-want-to-ask-me-for-cloud-journey-advice-my-dm-s-are-open-kal">details are here</a>: 👈</p>
]]></content:encoded></item></channel></rss>