Every AWS security concept explained — from IAM roles to zero trust, with links to our security cards, playbooks, and blog posts.
The process of obtaining temporary security credentials by calling AWS STS to take on the permissions of an IAM role.
A long-term credential pair (access key ID + secret access key) used to authenticate programmatic requests to AWS. Should be replaced with IAM roles wherever possible.
A set of best practices organized into six pillars (including Security) that help architects build secure, reliable, efficient, and cost-effective cloud workloads.
A chronological record of all activities in an AWS account (API calls, logins, configuration changes) used for security investigation and compliance evidence.
Security controls for Amazon API Gateway including authentication, authorization, throttling, WAF integration, and mutual TLS.
A technology that provides private connectivity between VPCs, AWS services, and on-premises networks without exposing traffic to the public internet.
A managed stateful network firewall and intrusion prevention system (IPS) for VPCs, supporting domain filtering, protocol inspection, and Suricata-compatible rules.
AWS DDoS protection service with two tiers: Shield Standard (free, automatic L3/L4 protection) and Shield Advanced (paid, enhanced L7 protection with DRT support).
An automated vulnerability management service that continuously scans EC2 instances, Lambda functions, and container images in ECR for software vulnerabilities and network exposure.
A data security service that uses machine learning to automatically discover, classify, and protect sensitive data (PII, PHI, financial data) stored in Amazon S3.
Managed or custom rules that continuously evaluate AWS resource configurations against desired settings, flagging non-compliant resources automatically.
A security service that automatically collects and analyzes log data from AWS resources to help investigate and identify the root cause of security findings.
A service for centrally managing multiple AWS accounts with consolidated billing, service control policies (SCPs), and organizational units (OUs).
A managed service that automates the setup and governance of a secure, multi-account AWS environment based on AWS best practices (landing zone).
A service that provisions, manages, and auto-renews public and private SSL/TLS certificates for use with AWS services like ELB, CloudFront, and API Gateway.
A cloud-based hardware security module (HSM) that lets you generate and use your own encryption keys on FIPS 140-2 Level 3 validated hardware in AWS.
An IAM authorization strategy that uses tags (attributes) on principals and resources to define permissions, scaling better than traditional role-based access control.
A service that continuously audits AWS usage to simplify risk assessment and compliance with regulations like PCI DSS, HIPAA, SOC 2, and GDPR.
A self-service portal for on-demand access to AWS compliance reports (SOC, PCI, ISO) and security agreements (BAA, NDA) at no cost.
A resource-based JSON policy attached to an S3 bucket that controls who can access the bucket and its objects, including cross-account and public access.
The scope of impact when a security incident occurs - how many resources, accounts, or users are affected. A smaller blast radius means a better security posture.
Protecting AWS backups with encryption, vault lock (WORM), cross-account copy, and access policies to ensure recoverability and ransomware resilience.
A security vulnerability where a trusted service is tricked into acting on behalf of an unauthorized party, typically prevented in AWS using external ID conditions.
The ability to grant permissions for identities in one AWS account to access resources in another, typically using IAM roles with trust policies.
The practice of regularly replacing access keys, passwords, and secrets with new values to limit the window of exposure if a credential is compromised.
AWS service that records every API call made in your account, providing an audit trail of who did what, when, and from where.
Meeting regulatory requirements and industry standards (SOC 2, HIPAA, GDPR, PCI DSS, CIS) for data protection, access control, and security practices in the cloud.
A prescriptive security configuration checklist from the Center for Internet Security that defines best practices for securing AWS accounts.
The incident response phase where you isolate affected resources to prevent the threat from spreading - deactivating keys, quarantining instances, blocking network access.
The practice of collecting, preserving, and analyzing digital evidence from cloud resources after a security incident to understand what happened and how.
Automated tools that continuously assess cloud infrastructure for misconfigurations, compliance violations, and security risks - in AWS, provided by Security Hub and Config.
Security practices for containerized workloads on AWS (ECS, EKS, Fargate) including image scanning, runtime security, and network policies.
Amazon Cognito provides user authentication and authorization for web/mobile apps with user pools (sign-up/sign-in) and identity pools (temporary AWS credentials).
When AWS access keys, session tokens, or passwords are exposed to unauthorized parties - the most common AWS security incident.
Using Amazon CloudWatch for security monitoring - metric alarms for unauthorized API calls, log insights for investigation, and anomaly detection for unusual patterns.
A Distributed Denial of Service attack that overwhelms a target with traffic from multiple sources, making it unavailable to legitimate users.
A security strategy using multiple layers of controls (network, identity, data, application) so that if one layer fails, others still protect the environment.
Security controls for Amazon DynamoDB including encryption at rest, fine-grained access control with IAM conditions, VPC endpoints, and point-in-time recovery.
Security practices for DNS on AWS including Route 53 DNSSEC, DNS Firewall for VPCs, private hosted zones, and protection against DNS-based data exfiltration.
The process of categorizing data by sensitivity level (public, internal, confidential, restricted) to apply appropriate security controls and compliance requirements.
The concept of keeping data within specific geographic boundaries (AWS regions) to comply with data sovereignty laws like GDPR, CCPA, and local regulations.
Protecting stored data by encrypting it on disk so that it cannot be read without the encryption key, even if the storage media is compromised.
Protecting data as it moves between systems by encrypting the communication channel, typically using TLS/SSL to prevent interception or tampering.
A two-tier encryption strategy where data is encrypted with a data key, and the data key itself is encrypted with a master key (KMS key), combining performance with security.
Security practices for Amazon EC2 instances including IMDSv2, security groups, instance profiles, EBS encryption, and patching.
Amazon EBS encryption provides at-rest encryption for volumes, snapshots, and data in transit between EC2 and EBS using AES-256 and AWS KMS keys.
Security controls for Amazon EFS including encryption, POSIX permissions, IAM authorization, access points, and VPC-only network access.
Using Amazon EventBridge to build event-driven security automation - triggering Lambda functions, Step Functions, or SSM runbooks in response to security events.
AWS managed threat detection service that continuously monitors your accounts for malicious activity using CloudTrail, VPC Flow Logs, and DNS logs.
A preventive or detective control that enforces security boundaries across AWS accounts, implemented through SCPs, AWS Config rules, or Security Hub standards.
An AWS identity with temporary credentials that can be assumed by users, services, or applications to perform actions without long-term access keys.
A JSON document that defines permissions - which actions are allowed or denied on which AWS resources, and under what conditions.
The process of allowing external identities (corporate directory, social providers) to access AWS resources without creating IAM users, using SAML, OIDC, or IAM Identity Center.
The structured process of detecting, containing, eradicating, and recovering from a security incident, following frameworks like NIST SP 800-61.
Managing and provisioning cloud infrastructure through machine-readable configuration files instead of manual processes, enabling version control, repeatability, and security review.
An AWS service that analyzes resource policies to identify resources shared with external entities and generates least-privilege policies from access activity.
The recommended AWS service for managing workforce access to multiple AWS accounts and applications with SSO, replacing the need for IAM users.
A step-by-step documented procedure for handling specific security incidents - from detection through containment, eradication, recovery, and lessons learned.
An AWS identity representing a person or application with long-term credentials. AWS recommends replacing IAM users with IAM Identity Center for humans and IAM roles for machines.
A cryptographic key managed by AWS Key Management Service used to encrypt and decrypt data across AWS services, with centralized key policies and automatic rotation.
Periodically replacing cryptographic keys with new ones to limit the impact of a potential key compromise, supported automatically by AWS KMS.
The security principle of granting only the minimum permissions needed to perform a task - no more, no less.
Security considerations for AWS Lambda serverless functions, including execution role permissions, function URL auth, VPC placement, and code signing.
A pre-configured, secure, multi-account AWS environment following best practices - including account structure, networking, identity, logging, and security controls.
A security mechanism requiring two or more forms of verification (password + device/token) before granting access to an AWS account or resource.
Using multiple AWS accounts to isolate workloads, environments, and teams, providing the strongest security boundary available in AWS.
Security patterns for microservices on AWS including service-to-service authentication, API authorization, secrets management, and network segmentation.
A stateless firewall at the subnet level that controls inbound and outbound traffic using numbered allow and deny rules.
Dividing a network into isolated segments (subnets, VPCs) to limit lateral movement and contain the blast radius of a security breach.
An advanced IAM feature that sets the maximum permissions an IAM entity can have, acting as a ceiling on what identity-based policies can grant.
An attack technique where a user gains higher permissions than originally granted, often by exploiting IAM misconfigurations like the ability to create policies or pass roles.
When an AWS resource (S3 bucket, RDS instance, security group) is accessible from the internet, intentionally or accidentally, creating a potential security risk.
Cryptographic algorithms designed to resist attacks from quantum computers, available in AWS KMS, CloudFront, ACM Private CA, and Secrets Manager since 2025.
The initial AWS account identity with unrestricted access to all resources. Should be locked down with MFA and never used for daily operations.
A policy attached directly to an AWS resource (S3 bucket, SQS queue, KMS key) that defines who can access it, including principals from other accounts.
Security practices for Amazon RDS including encryption, network isolation, IAM authentication, automated backups, and audit logging.
Metadata labels (key-value pairs) applied to AWS resources for organization, cost allocation, access control (ABAC), and compliance tracking.
An organization-wide guardrail that restricts what actions member accounts can perform, regardless of their IAM policies.
A centralized authentication mechanism that allows users to log in once and access multiple AWS accounts and applications without re-entering credentials.
The practice of securely storing, accessing, and rotating sensitive data like API keys, database passwords, and tokens using services like AWS Secrets Manager.
A virtual firewall for EC2 instances and other resources that controls inbound and outbound traffic at the instance level using allow rules.
AWS service that aggregates security findings from GuardDuty, Inspector, Macie, and third-party tools into a single dashboard with compliance scoring.
The framework defining that AWS is responsible for security of the cloud (infrastructure), while customers are responsible for security in the cloud (data, access, configuration).
Encryption performed by AWS on data after it is received by the service, protecting it at rest without requiring client-side encryption logic.
Security controls for Amazon S3 including Block Public Access, bucket policies, encryption, access points, Object Lock, and access logging.
An inline IAM policy passed when assuming a role or federating, which further restricts the session permissions to the intersection of the role's policy and the session policy.
A minimum set of security configurations that every AWS account must have - including CloudTrail, Config, GuardDuty, default encryption, and root account protection.
An event that threatens the confidentiality, integrity, or availability of AWS resources - including unauthorized access, data breaches, malware, and DDoS attacks.
One of six pillars of the AWS Well-Architected Framework, covering identity management, detection, infrastructure protection, data protection, and incident response.
The practice of defining security controls, policies, and configurations in version-controlled code - enabling automated, repeatable, and auditable security.
The automated process of periodically changing credentials (database passwords, API keys, tokens) to limit the window of exposure if compromised.
Short-lived AWS credentials (access key, secret key, session token) issued by STS that expire automatically, eliminating the risk of permanent credential exposure.
A resource-based policy attached to an IAM role that defines which principals (users, services, accounts) are allowed to assume that role.
The process of identifying potential security threats, malicious activity, and anomalous behavior in your AWS environment using automated monitoring tools.
A digital certificate that enables HTTPS by establishing encrypted connections between clients and servers, managed in AWS through ACM.
A network hub that connects VPCs, VPN connections, and Direct Connect gateways through a central point, simplifying network architecture at scale.
A structured process for identifying potential security threats to your AWS architecture, assessing their impact, and designing mitigations before building.
An isolated virtual network within AWS where you launch resources, with full control over IP addressing, subnets, route tables, and network gateways.
A private connection between your VPC and an AWS service that keeps traffic within the AWS network, eliminating the need for internet access.
A feature that captures metadata about network traffic in your VPC (source, destination, port, protocol, action) for security analysis and troubleshooting.