📖 Cloud Security Glossary

No terms match your search. clear.

📚 Contents

• Cloud Service & Deployment Models
• Compute, Containers & Serverless
• Identity & Access Management (IAM)
• Networking & Zero Trust
• Data Protection, Secrets & Cryptography
• Logging, Detection & Response
• Posture, Policy & the *PM Family
• Vulnerability & Supply-Chain Security
• Compliance Frameworks
• Threats, Attacker Techniques & Frameworks
• AI, LLM & Agentic-System Security
• DevOps, IaC & Operating Concepts
• Standards Bodies & Authorities

☁️ Cloud Service & Deployment Models

IaaS — Infrastructure as a Service

Raw compute, storage, and network resources on demand. You manage the OS and everything above. Examples: EC2, Azure VM, GCE.

PaaS — Platform as a Service

The provider runs the OS and runtime; you ship code. Examples: App Service, App Engine, Elastic Beanstalk.

SaaS — Software as a Service

Fully hosted application; you manage only your data and users. Examples: Microsoft 365, Salesforce, Workday.

FaaS — Function as a Service

Run a piece of code in response to an event. Provider handles everything else. Examples: AWS Lambda, Azure Functions, GCP Cloud Functions.

Public / Private / Hybrid / Multi-Cloud

Public is shared infrastructure (AWS, Azure, GCP). Private is dedicated. Hybrid mixes them. Multi-cloud uses two or more public providers.

Cloud-Native

Architecture that takes advantage of cloud-specific properties — elasticity, managed services, ephemeral compute, declarative APIs.

Shared Responsibility Model

The provider secures the cloud (hardware, hypervisor, physical sites); the customer secures what's in the cloud (data, identities, configuration). The line shifts depending on the service tier.

🐳 Compute, Containers & Serverless

Container

An OS-level isolated process bundle. Same kernel as the host, separate userland.

Image

The static template a container is launched from. Layered, immutable, and addressable by digest.

Registry

Where container images live (Docker Hub, ECR, GHCR, ACR, GAR).

Kubernetes (K8s)

Open-source container orchestration. Schedules workloads onto a fleet of nodes via a declarative API.

Pod

The smallest deployable unit in K8s — one or more co-located containers that share a network namespace.

Sidecar

A helper container co-located with an app container in the same pod (commonly for proxies, log shippers, secret fetchers).

Service Mesh

An infrastructure layer that handles east-west service-to-service traffic — mTLS, retries, traffic shifting. Examples: Istio, Linkerd.

Serverless

Compute model where you don't manage servers, scaling, or capacity — typically functions or container runtimes that scale to zero.

EKS / AKS / GKE

Managed Kubernetes from AWS / Azure / Google.

ECS / Fargate

AWS container orchestration (ECS) and its serverless data plane (Fargate).

Lambda / Functions / Cloud Functions

FaaS offerings from AWS / Azure / Google.

Confidential Computing

Hardware-enforced memory encryption (Intel SGX, AMD SEV, AWS Nitro, Azure Confidential VMs) so the cloud provider can't see your workload memory in plaintext.

Hypervisor

Software that creates and isolates virtual machines. Type 1 runs on bare metal (ESXi, Xen, KVM); Type 2 runs on a host OS (VirtualBox, Parallels). The control plane the cloud provider secures.

eBPF

Extended Berkeley Packet Filter — a Linux kernel runtime that safely executes sandboxed programs attached to syscalls, network paths, and tracepoints. The basis of modern runtime-security and observability tooling (Cilium, Falco, Tetragon).

🔑 Identity & Access Management (IAM)

IAM — Identity & Access Management

Who you are and what you're allowed to do. The control plane for cloud security.

Principal

The acting identity — a user, role, service account, or workload — making an authenticated request.

RBAC — Role-Based Access Control

Permissions assigned to roles, roles assigned to identities. Easy to reason about; coarse-grained.

ABAC — Attribute-Based Access Control

Permissions evaluated against attributes (tag, department, time of day). Fine-grained, harder to audit.

PBAC — Policy-Based Access Control

Decisions made by a centralized policy engine (e.g., OPA) rather than scattered ACLs.

IdP — Identity Provider

The system that authenticates users (Okta, Azure AD / Entra ID, Google Workspace).

SP — Service Provider / RP — Relying Party

The application that trusts the IdP's assertion of who the user is.

SSO — Single Sign-On

Sign in once, get into many applications without re-entering credentials.

SAML 2.0

XML-based federation protocol — the IdP sends a signed assertion to the SP.

OIDC — OpenID Connect

Identity layer on top of OAuth 2.0. Issues JWT ID tokens. The modern default.

OAuth 2.0

Delegated authorization framework. Issues access tokens; the spec doesn't define authentication.

JWT — JSON Web Token

A signed (and optionally encrypted) JSON blob used as a token. Common in OIDC and API auth.

MFA — Multi-Factor Authentication

Something you know + something you have (or are). Phishing-resistant MFA = WebAuthn / FIDO2.

FIDO2 / WebAuthn / Passkeys

Public-key authentication standards that resist phishing. Passkeys are syncable WebAuthn credentials.

Federation

Trusting tokens from a foreign IdP (e.g., GitHub Actions OIDC tokens trusted by AWS to assume a role).

STS — Security Token Service

Issues short-lived credentials, typically by exchanging a long-lived identity for a temporary role session.

AssumeRole

The AWS STS call that swaps your identity for temporary credentials of a target role.

Service Account / Managed Identity / Workload Identity

The non-human principal a workload uses to authenticate (GCP service account, Azure managed identity, Kubernetes ServiceAccount → cloud role).

OIDC Federation (workload identity federation)

A workload presents a short-lived OIDC token from its host (e.g., GitHub Actions) which the cloud trusts to issue temporary credentials. Removes long-lived secrets from CI.

Conditional Access

Policy that grants access only when contextual conditions are met (device compliant, location, risk score).

JIT — Just-In-Time Access

Permissions are elevated only for the duration of a task, then expire.

Least Privilege / Just-Enough Access

Grant the minimum permissions necessary for the task. The defining principle of cloud IAM.

SCP — Service Control Policy

AWS Organizations guardrail; sets the maximum permissions an account can have, even for the root user.

Permission Boundary

An IAM policy that caps the effective permissions of an entity, regardless of attached policies.

IMDS / IMDSv2

Instance Metadata Service — the link-local 169.254.169.254 endpoint that hands credentials to EC2 instances. v2 requires a session token to defeat SSRF abuse.

Active Directory (AD)

Microsoft's directory service for on-prem identity. Still the primary user/group/auth backend for most enterprises; cloud identity providers federate to it.

Entra ID

Microsoft's cloud identity service (formerly Azure AD). Hosts users, groups, conditional-access policies, and the SAML/OIDC endpoints behind Microsoft 365 and Azure.

Kerberos

Network authentication protocol using time-bound encrypted tickets. The auth fabric of Active Directory; compromise of the krbtgt account yields a "Golden Ticket".

ACL — Access Control List

A list of rules attached to a resource specifying who can access it and how. Predates RBAC/ABAC; still common on filesystems, S3 objects, and network devices.

🌐 Networking & Zero Trust

VPC / VNet

Virtual Private Cloud / Virtual Network — your isolated network space inside a cloud account.

Subnet

A slice of a VPC's IP range, bound to one availability zone.

Security Group

A stateful per-ENI firewall (AWS / Azure NSG / GCP firewall rule).

NACL — Network Access Control List

A stateless subnet-level firewall (AWS).

Peering / Transit Gateway / Cloud Interconnect

Mechanisms for connecting VPCs / VNets to each other or to on-prem networks.

NAT — Network Address Translation

Lets private-subnet workloads reach the internet through a shared egress IP.

PrivateLink / Private Endpoint / Private Service Connect

Private routable endpoints for cloud services that never traverse the public internet.

Ingress / Egress

Inbound / outbound traffic. Egress controls are where most data exfil hides.

WAF — Web Application Firewall

Layer-7 filter for HTTP traffic — XSS, SQLi, rate limits, geo blocks.

Bastion Host / Jump Box

A hardened entry point into a private network. Modern equivalents: SSM Session Manager, IAP, Azure Bastion.

Zero Trust

Architectural principle: assume the network is hostile. Authenticate and authorize every request, regardless of source.

BeyondCorp

Google's foundational zero-trust paper / model — access decisions based on user + device + context, not network location.

SASE / SSE

Secure Access Service Edge / Security Service Edge — vendor-bundled cloud-delivered SWG + ZTNA + CASB + FWaaS.

ZTNA — Zero-Trust Network Access

Identity-aware proxy that replaces traditional VPN. Per-application access, not network-wide.

CASB — Cloud Access Security Broker

Inline or API-based control point for SaaS usage — DLP, posture, shadow-IT discovery.

Microsegmentation

Fine-grained network isolation between workloads, typically enforced by sidecar proxies or eBPF.

DDoS — Distributed Denial of Service

Overwhelming a service with traffic from many sources to make it unavailable. Mitigated by CDNs, scrubbing services, and rate-limited APIs.

ENI — Elastic Network Interface

An AWS virtual NIC that can be detached and reattached between EC2 instances. The unit a Security Group is bound to.

🔒 Data Protection, Secrets & Cryptography

KMS — Key Management Service

Managed service that creates, stores, and uses cryptographic keys. AWS KMS, Azure Key Vault, GCP Cloud KMS.

HSM — Hardware Security Module

Tamper-resistant hardware that performs crypto operations and never lets keys leave it.

KEK / DEK — Key Encryption Key / Data Encryption Key

Pattern: encrypt data with a DEK, then encrypt the DEK with a KEK held in KMS/HSM.

Envelope Encryption

The standard cloud pattern of wrapping a DEK with a KEK so the DEK can travel with the ciphertext.

BYOK / HYOK

Bring/Hold Your Own Key — customer supplies (or holds) the master key, not the cloud provider.

Secrets Manager / Vault

A managed store for credentials, API keys, and connection strings (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, GCP Secret Manager).

DLP — Data Loss Prevention

Tooling that detects and blocks sensitive data (PII, PHI, secrets) from leaving its boundary.

Tokenization

Replacing sensitive values with non-reversible references; the real value lives in a token vault.

Encryption at Rest / In Transit / In Use

Three states data can be in. Cloud KMS handles 1 & 2; confidential computing handles 3.

TLS — Transport Layer Security

Encrypts data in transit. TLS 1.2 minimum; 1.3 preferred.

mTLS — Mutual TLS

Both client and server authenticate via certificates. Common inside service meshes.

PKI — Public Key Infrastructure

The system of CAs, certificates, and trust chains that issues and validates the keys behind TLS, code signing, and S/MIME.

📡 Logging, Detection & Response

SIEM — Security Information and Event Management

Central log aggregation + correlation + alerting. Splunk, Sentinel, Chronicle, Elastic, Sumo.

SOAR — Security Orchestration, Automation, and Response

Runs automated playbooks against alerts — enrich, contain, ticket, page.

SOC — Security Operations Center

The team (and room) that monitors and triages security alerts.

EDR / XDR / NDR / MDR

Endpoint / eXtended / Network Detection & Response. MDR adds a managed service. XDR claims to unify telemetry across surfaces.

CloudTrail / Activity Log / Audit Log

The control-plane audit trail for AWS / Azure / GCP. Your most important log source in cloud.

VPC Flow Logs

Network metadata (5-tuple, action, bytes) for traffic in a VPC. Cheap, useful for DFIR.

GuardDuty / Defender for Cloud / Security Command Center (SCC)

Native threat detection services in AWS / Azure / GCP.

Falco

Open-source runtime threat detection for Linux and Kubernetes, originally based on syscalls and now eBPF.

Sigma

Vendor-agnostic detection rule format that compiles to SIEM-specific queries.

YARA

Pattern-matching rules for files, malware, and memory artifacts.

OpenTelemetry (OTel)

Open standard for emitting traces, metrics, and logs across languages and platforms.

IOC — Indicator of Compromise

An artifact (hash, IP, domain) tied to known-bad activity.

IOA — Indicator of Attack

A pattern of behavior suggesting attack regardless of specific artifacts.

Dwell Time

How long an attacker is in your environment before detection. The metric defenders try to shrink.

MTTD / MTTR

Mean Time To Detect / Respond. Common SOC KPIs.

DFIR — Digital Forensics & Incident Response

The discipline (and team) that handles incidents end-to-end.

🧭 Posture, Policy & the *PM Family

CSPM — Cloud Security Posture Management

Continuous misconfiguration scanning of cloud accounts (public S3, open SGs, missing MFA, etc.).

KSPM — Kubernetes Security Posture Management

Same idea, scoped to Kubernetes (RBAC sprawl, privileged pods, missing PSS).

CIEM — Cloud Infrastructure Entitlements Management

Permission analysis — finds unused permissions, identifies privilege paths, drives least privilege.

CWPP — Cloud Workload Protection Platform

Runtime protection for VMs, containers, and serverless — agent-based or eBPF.

CNAPP — Cloud-Native Application Protection Platform

The vendor super-bundle: CSPM + CWPP + CIEM + IaC scanning + sometimes DSPM/ASPM.

DSPM — Data Security Posture Management

Discovers and classifies sensitive data across cloud and SaaS, then flags risky exposure.

ASPM — Application Security Posture Management

Aggregates SAST/DAST/SCA findings and ties them to ownership, priority, and reachability.

CADR — Cloud Application Detection and Response

Newer category: runtime detection focused on application-layer attacks in cloud.

OPA — Open Policy Agent

General-purpose policy engine. Decisions in, decisions out.

Rego

The query language used by OPA.

Policy-as-Code

Expressing security and compliance rules as code — versioned, reviewable, testable.

Drift

Live infrastructure no longer matching its declared state (Terraform, Bicep, CFN). A common post-incident artifact.

Hardening / Baseline

Reducing attack surface to a defined "known good" configuration (CIS Benchmark, vendor security best practices).

PSS — Pod Security Standards

Kubernetes' built-in pod-hardening tiers — Privileged / Baseline / Restricted — replacing the deprecated PodSecurityPolicy.

🐛 Vulnerability & Supply-Chain Security

CVE — Common Vulnerabilities and Exposures

A unique ID for a publicly disclosed vulnerability, assigned by MITRE/CNAs.

CVSS — Common Vulnerability Scoring System

0–10 severity score for a CVE. Famously poorly correlated with actual exploitation.

EPSS — Exploit Prediction Scoring System

FIRST-maintained probability that a CVE will be exploited in the next 30 days. Pairs better with CVSS than CVSS does alone.

KEV — Known Exploited Vulnerabilities

CISA's catalog of CVEs known to be actively exploited. The "fix this now" list.

SAST / DAST / IAST

Static / Dynamic / Interactive Application Security Testing. Source-time / run-time / both.

SCA — Software Composition Analysis

Identifies open-source dependencies and their known vulnerabilities.

SBOM — Software Bill of Materials

The ingredient list for a piece of software — components, versions, licenses, hashes. Formats: SPDX, CycloneDX.

SLSA — Supply-chain Levels for Software Artifacts

OpenSSF framework defining levels of build-pipeline integrity (signed provenance, isolated builders, etc.).

Sigstore / cosign

Free, keyless artifact signing using short-lived OIDC-based certs and a public transparency log.

Provenance

Verifiable record of how a build artifact was produced — source commit, builder, dependencies.

Dependency Confusion

Supply-chain attack where a public package matches the name of a private internal one and gets pulled by mistake.

Typosquatting

Malicious package using a misspelling of a legitimate one.

VEX — Vulnerability Exploitability eXchange

Statement attached to an SBOM saying whether a known CVE is actually exploitable in this product / build.

CWE — Common Weakness Enumeration

MITRE's catalog of weakness types (e.g., CWE-79 = XSS, CWE-89 = SQL injection). CVEs are concrete instances; CWEs are the categories.

📜 Compliance Frameworks

SOC 2

AICPA audit covering Security (required) plus optional Availability, Confidentiality, Processing Integrity, and Privacy.

ISO/IEC 27001

International standard for an Information Security Management System (ISMS). Certifiable.

PCI DSS

Payment Card Industry Data Security Standard. If you process card data, this applies.

HIPAA

US healthcare regulation governing protected health information (PHI).

GDPR / CCPA / CPRA

EU and California data-protection laws. Govern lawful basis, rights, and breach disclosure.

FedRAMP

US federal program authorizing cloud services for government use. Low / Moderate / High baselines.

NIST CSF — Cybersecurity Framework

Govern / Identify / Protect / Detect / Respond / Recover. Common North-Star for security programs.

NIST SP 800-53

The US-government control catalog underlying FedRAMP and many compliance regimes.

NIST SP 800-171

Controls for protecting Controlled Unclassified Information (CUI) in non-federal systems.

CIS Benchmarks

Hardening guides for specific platforms (AWS, Azure, GCP, K8s, OSes). Maintained by the Center for Internet Security.

CSA CCM — Cloud Controls Matrix

Cloud Security Alliance's cloud-specific control framework.

DORA

EU Digital Operational Resilience Act — financial-sector ICT risk and third-party oversight.

⚔️ Threats, Attacker Techniques & Frameworks

MITRE ATT&CK

Knowledge base of adversary tactics, techniques, and procedures. Has Cloud, Containers, Mobile, ICS matrices.

D3FEND

MITRE's defensive counterpart to ATT&CK — countermeasure techniques mapped to attacker techniques.

TTP — Tactics, Techniques, and Procedures

The "how" of an adversary's behavior, increasingly specific from tactic → technique → procedure.

Kill Chain

Lockheed Martin's seven-stage model of an intrusion: Recon → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives.

Initial Access

How the attacker first lands — phish, exposed service, valid credentials, supply chain.

Lateral Movement

Pivoting from one foothold to other systems, often using stolen tokens.

Privilege Escalation

Gaining higher rights than originally granted (vertical) or rights of a peer (horizontal).

Persistence

Mechanisms attackers leave to survive reboots, password rotations, and credential rotations.

Exfiltration

Stealing data out of the environment — often via DNS, S3, GitHub, or messaging services.

C2 — Command & Control

The channel an attacker uses to control implants. Often blended with legitimate cloud services.

Credential Stuffing

Replaying breached username/password pairs against other services.

Phishing / Spear Phishing / Whaling

Email-borne credential theft, targeted variant, and exec-targeted variant.

Consent Phishing / OAuth Phishing

Tricking a user into granting an attacker-owned OAuth app permission to their account. No password ever stolen.

MFA Fatigue / Push Bombing

Spamming push prompts until the user accepts one. Defeated by number matching and FIDO2.

SSRF — Server-Side Request Forgery

Trick a server into fetching an attacker-chosen URL. In cloud, the historical path to IMDS credentials.

XSS — Cross-Site Scripting

Injecting attacker-controlled JS into another user's session. Stored, reflected, DOM-based.

CSRF — Cross-Site Request Forgery

Tricking a victim's browser into making an authenticated request to a target site.

RCE — Remote Code Execution

Running attacker code on a server. The most consequential class of bug.

Golden SAML

Forging arbitrary SAML assertions after stealing the IdP's signing key. Made famous by SolarWinds.

Golden Ticket / Silver Ticket

Active Directory Kerberos ticket forgeries (krbtgt or service-account hashes).

Pass-the-Hash / Pass-the-Token / Pass-the-Cookie

Reusing stolen credential material without ever knowing the underlying password.

BOLA / IDOR

Broken Object Level Authorization / Insecure Direct Object Reference — accessing another user's record by changing an ID.

Living Off the Land (LOTL)

Attackers using legitimate, signed tools already in the environment (PowerShell, certutil, AWS CLI) to evade detection.

Shadow IT / Shadow AI

Unsanctioned services / AI tools adopted by employees, outside the visibility of security and IT.

🤖 AI, LLM & Agentic-System Security

LLM — Large Language Model

Transformer-based models trained on huge text corpora; the engine behind chat assistants and agents.

Prompt Injection

Untrusted input that overrides the system prompt or coerces the model into actions it shouldn't take. The defining LLM vulnerability.

Indirect Prompt Injection

Injection delivered via content the model retrieves (web pages, emails, docs) rather than the user's message.

Jailbreak

Inputs that bypass an LLM's safety training to elicit prohibited content.

RAG — Retrieval-Augmented Generation

Retrieving relevant documents at query time and stuffing them into the model's context.

MCP — Model Context Protocol

Open standard for giving LLMs structured access to tools and data sources.

Agent / Agentic System

An LLM that can take actions via tools, often in multi-step loops. Expands the blast radius of prompt injection.

Tool Use / Function Calling

An LLM emitting a structured request to call an external function (API, shell, browser).

Confused-Deputy (in agents)

An agent acting on behalf of the wrong principal — typically because tool input from one user is interpreted as instructions from another.

Guardrails

Input/output filters around an LLM to block prompt injection, PII leaks, or off-topic responses. Helpful, not sufficient.

Model Exfiltration

Stealing weights or fine-tuning data from a hosted model.

Training-Data Extraction

Eliciting verbatim training data from a model, especially memorized PII or secrets.

Red-Teaming (AI)

Adversarial probing of a model or agent for harmful, biased, or insecure behaviors.

OWASP LLM Top 10

The community-maintained top risks list for LLM applications.

NIST AI RMF

NIST's AI Risk Management Framework — Govern / Map / Measure / Manage.

Promptware

Malicious payloads delivered via prompts to LLMs and agents — a cloud-relevant attack class as agents gain real-world tool access (see Breach Kill Chains).

⚙️ DevOps, IaC & Operating Concepts

IaC — Infrastructure as Code

Declaring infrastructure in versioned code. Terraform / OpenTofu, CloudFormation, Bicep, Pulumi, Crossplane.

GitOps

Use Git as the source of truth for desired state; an agent reconciles the live system to match.

CI/CD — Continuous Integration / Continuous Delivery

Pipelines that build, test, and deploy code automatically.

Immutable Infrastructure

Servers/containers are never modified after deploy — they're replaced. Reduces drift and forensics surprises.

Blue/Green & Canary Deploys

Deployment patterns that ship to a subset of traffic to limit blast radius.

Blast Radius

The scope of damage if a credential, identity, or system is compromised. Minimizing it is a design principle.

Ephemeral Credentials

Short-lived (minutes to hours) credentials issued by STS / OIDC federation. The replacement for long-lived access keys.

Secrets Sprawl

Long-lived API keys checked into repos, dumped in shell histories, or shared in chat. Cloud's most reliable attack source.

Shift Left / Shift Right

Doing security in dev/CI (left) vs. runtime/production (right). Both are needed.

Toil

Repetitive manual operational work. SRE term — the thing automation aims to eliminate.

SLO / SLI / SLA

Service Level Objective / Indicator / Agreement — what you target, how you measure, what you're contractually liable for.

Runbook / Playbook

Documented procedures for handling specific operational or security events.

🏛️ Standards Bodies & Authorities

NIST

US National Institute of Standards and Technology. Owns CSF, the SP 800-series, NVD, and the AI RMF.

CISA

US Cybersecurity & Infrastructure Security Agency. Publishes KEV, advisories, and Secure-by-Design guidance.

MITRE

Operates the CVE program, ATT&CK, D3FEND, and CWE.

CSA — Cloud Security Alliance

Industry body behind CCSK, CCAK, the CCM, and the Egregious Eleven / Top Threats reports.

OWASP

Open Worldwide Application Security Project. Top 10 series, ASVS, ZAP.

ENISA

EU Agency for Cybersecurity. Publishes risk reports and threat-landscape research.

FIRST

Forum of Incident Response and Security Teams. Owns CVSS and EPSS, hosts the global CSIRT community.

CNCF

Cloud Native Computing Foundation. Stewards Kubernetes, Falco, OPA, OpenTelemetry, and more.

OpenSSF

Open Source Security Foundation. Stewards SLSA, Sigstore, Scorecard.

NVD — National Vulnerability Database

NIST's enriched feed of CVEs with CVSS scoring and CPE tagging.

CISA KEV

The Known Exploited Vulnerabilities catalog maintained by CISA. The authoritative "patch this now" list for vulnerabilities seen in real attacks.

OWASP ZAP

Open-source web-application security scanner from OWASP. Common in CI pipelines for DAST.

OpenSSF Scorecard

Automated checks that score the security posture of an open-source project — signed releases, branch protection, dependency pinning, fuzzing — producing a 0–10 score.