Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

8.3. Glossary of Key AWS Security Services and Concepts

A shared vocabulary is the foundation of effective security communication. This glossary covers the core AWS services, security concepts, and architectural patterns that appear throughout the SCS-C03 exam. Use it as a quick-reference companion to the study guide — if a term appears in a scenario question and you can't immediately recall its purpose, this is where to reinforce it.

  • ACM (AWS Certificate Manager): Managed service for provisioning, managing, and deploying public and private TLS certificates for AWS services and internal resources.
  • Amazon Detective: Security investigation service that analyzes and visualizes security data from CloudTrail, VPC Flow Logs, and GuardDuty findings to identify root causes of security issues. Used during incident response — not for real-time detection.
  • Amazon GuardDuty: Continuous threat detection service that monitors CloudTrail, VPC Flow Logs, and DNS logs using machine learning and threat intelligence to identify malicious activity and unauthorized behavior.
  • Amazon Inspector: Automated vulnerability scanning service for EC2 instances, container images in ECR, and Lambda functions. Rescans automatically when new CVEs are published or when workloads change.
  • Amazon Macie: Data security service that uses machine learning and pattern matching to discover, classify, and report on sensitive data (PII, financial data, credentials) stored in S3 buckets. It also flags bucket-level exposure such as public access and missing encryption, but it reports rather than remediates.
  • Amazon Security Lake: Centralizes security data from AWS services, SaaS providers, and custom sources into a purpose-built data lake using the Open Cybersecurity Schema Framework (OCSF) format.
  • Amazon VPC (Virtual Private Cloud): Logically isolated virtual network within AWS where you launch resources. Provides control over IP addressing, subnets, route tables, and network gateways.
  • ASFF (AWS Security Finding Format): Standardized JSON format used by Security Hub to normalize findings from multiple security services (GuardDuty, Inspector, Macie, Config, third-party tools).
  • Assume Breach: Security mindset that assumes attackers are already inside your environment. Drives design decisions toward microsegmentation, continuous monitoring, and blast-radius reduction.
  • AWS Audit Manager: Continuous audit evidence collection service that maps AWS resource configurations to compliance framework controls (SOC 2, PCI DSS, HIPAA, GDPR).
  • AWS Backup: Centralized backup service that automates and manages backups across AWS services (EBS, RDS, DynamoDB, EFS, S3) with cross-account and cross-Region vault capabilities.
  • AWS CloudFormation: Infrastructure as Code service for provisioning AWS resources using declarative JSON or YAML templates. Supports drift detection to identify manual changes.
  • AWS CloudHSM: Dedicated hardware security modules in the AWS Cloud for generating and managing cryptographic keys. Provides FIPS 140-2 Level 3 validated HSMs under your exclusive control.
  • AWS CloudTrail: Records API calls and account activity across your AWS infrastructure. Management events track control plane operations; data events track data plane operations (S3 object access, Lambda invocations).
  • AWS Config: Continuously records and evaluates resource configurations against desired state. Config rules detect non-compliant resources; auto-remediation fixes them via SSM Automation.
  • AWS Control Tower: Orchestration service that sets up and governs a secure, multi-account AWS environment based on best practices. Manages controls (formerly called guardrails) of three types across accounts: preventive (SCP-based), detective (Config-based), and proactive (CloudFormation hook-based).
  • AWS Direct Connect: Dedicated network connection from your premises to AWS. Does not encrypt traffic by default — requires a VPN overlay or MACsec for encryption in transit.
  • AWS Firewall Manager: Centralized security policy management service that applies WAF rules, Shield Advanced protections, security groups, and Network Firewall policies across accounts in an organization.
  • AWS IAM (Identity and Access Management): Service for managing access to AWS resources through users, groups, roles, and policies. Foundation of the authorization model for all AWS services.
  • AWS IAM Access Analyzer: Analyzes resource-based policies and IAM policies to identify resources shared with external entities, unused permissions, and custom policy validation errors.
  • AWS IAM Identity Center: Centralized identity management for workforce users across multiple AWS accounts and applications. Supports federation with external IdPs (Okta, Microsoft Entra ID (formerly Azure AD), any SAML 2.0 provider) and SCIM provisioning of users and groups.
  • AWS IAM Roles Anywhere: Extends IAM roles to workloads running outside AWS by using X.509 certificates issued by a trusted certificate authority to obtain temporary AWS credentials.
  • AWS KMS (Key Management Service): Managed service for creating, controlling, and auditing encryption keys. Supports symmetric and asymmetric keys and key policies for granular access control. Automatic rotation applies only to symmetric customer-managed keys with KMS-generated key material; asymmetric keys cannot be rotated automatically.
  • AWS Lambda: Serverless compute service that runs code in response to events without provisioning servers. Security responsibilities shift to code, dependencies, and execution role configuration.
  • AWS Network Firewall: Managed stateful firewall service for VPCs. Supports rule groups for domain filtering, IDS/IPS, and protocol-level inspection using Suricata-compatible rules.
  • AWS Organizations: Account management service for consolidating multiple AWS accounts into an organizational hierarchy with OUs. Enables centralized governance via SCPs, RCPs, and tag policies.
  • AWS RAM (Resource Access Manager): Securely shares AWS resources (subnets, Transit Gateway, Resolver rules) across accounts within an organization without duplicating resources.
  • AWS Secrets Manager: Manages, rotates, and retrieves database credentials, API keys, and other secrets throughout their lifecycle. Supports automatic rotation with Lambda functions.
  • AWS Security Hub: Cloud security posture management service that aggregates findings from GuardDuty, Inspector, Macie, Config, Firewall Manager, and third-party tools into a centralized dashboard with security standards scoring.
  • AWS Shield: DDoS protection service. Shield Standard is automatic and free and mitigates Layer 3/4 volumetric attacks. Shield Advanced adds Layer 7 detection integrated with AWS WAF, 24/7 access to the Shield Response Team (SRT, formerly DRT), and cost protection against scaling charges caused by a DDoS attack.
  • AWS STS (Security Token Service): Produces temporary, limited-privilege credentials for IAM users or federated users. Core mechanism behind role assumption, cross-account access, and federation.
  • AWS Systems Manager (SSM): Operations management service. Key security features include Session Manager (shell access through the SSM Agent, with no SSH keys or open inbound ports), Patch Manager, Parameter Store, and Automation runbooks.
  • AWS Verified Access: Zero-trust network access service that verifies identity and device posture for every request to corporate applications — replacing traditional VPN-based access.
  • AWS Verified Permissions: Fine-grained authorization service using Cedar policy language. Externalizes application authorization logic so it can be audited, tested, and managed independently.
  • AWS WAF (Web Application Firewall): Protects web applications from common exploits (SQL injection, XSS) at the edge. Deployed on CloudFront, ALB, API Gateway, or AppSync with managed and custom rules.
  • AWS Well-Architected Tool: Evaluates architectures against the six pillars of the Well-Architected Framework (including Security) and generates improvement plans with prioritized recommendations.
  • ABAC (Attribute-Based Access Control): Authorization strategy that uses tags (attributes) on both principals and resources to control access. Scales better than RBAC for dynamic environments with many projects.
  • Availability Zone (AZ): One or more discrete data centers within a Region, each with independent power, cooling, and networking. Deploying across AZs provides fault tolerance within a Region.
  • Cedar: Policy language used by AWS Verified Permissions for fine-grained authorization. Designed to be analyzable, auditable, and performant for real-time authorization decisions.
  • CloudWatch Logs Insights: Interactive log analytics service for querying CloudWatch Logs using a purpose-built query language. Best for operational queries against recent log data.
  • Conformance Pack: Collection of AWS Config rules and remediation actions deployed as a single unit. Maps to compliance frameworks (PCI DSS, HIPAA) for automated compliance evaluation.
  • Data Event (CloudTrail): Records data plane operations on resources — S3 object reads/writes, Lambda function invocations, DynamoDB item operations. Disabled by default due to high volume and cost.
  • Declarative Policy: Organization policy type (new in SCS-C03) that enforces service-level configurations rather than restricting API actions. Ensures baseline settings cannot be overridden by member accounts.
  • Defense-in-Depth: Security strategy that layers multiple independent controls so that failure of one control doesn't compromise the entire system. Applied at edge, network, compute, identity, and data layers in AWS.
  • Easiness Factor (EF): Spaced repetition metric that determines review intervals. Higher EF means longer intervals between reviews — indicating stronger retention.
  • EventBridge (Amazon EventBridge): Serverless event bus that routes events from AWS services, SaaS partners, and custom applications to targets. Key bridge between detection findings and automated remediation.
  • FIS (AWS Fault Injection Service): Chaos engineering service for running controlled fault injection experiments (network disruption, instance termination, API throttling) to test resilience and automated response.
  • FIPS 140-2: US government cryptographic module validation standard. Level 1 is software only, Level 2 adds tamper evidence, Level 3 adds tamper response and identity-based operator authentication. Both AWS KMS HSMs and CloudHSM are validated at Level 3 (KMS was formerly Level 2), so the exam distinction is tenancy and control: KMS is multi-tenant and AWS-managed, CloudHSM is single-tenant and under your exclusive control.
  • GuardDuty Malware Protection: Extension of GuardDuty that scans EBS volumes attached to EC2 instances and container workloads for malware, either automatically when a suspicious finding is generated or on demand. Malware Protection for S3 separately scans newly uploaded objects in selected buckets.
  • IMDSv2 (Instance Metadata Service v2): Session-oriented metadata service requiring a PUT request to obtain a token, which is then sent in the X-aws-ec2-metadata-token header on every GET. Mitigates SSRF-based credential theft against IMDSv1, because typical SSRF vectors cannot issue a PUT with custom headers, and the default hop limit of 1 stops the token response from crossing a proxy or container boundary. Enforce it by setting HttpTokens to required on the instance or launch template.
  • Least Privilege: Principle of granting only the minimum permissions required to perform a specific task. Applied to IAM policies, security groups, NACLs, and resource policies.
  • MACsec (Media Access Control Security): Layer 2 encryption for Direct Connect links. Provides line-rate encryption between your network equipment and the AWS Direct Connect endpoint.
  • Management Event (CloudTrail): Records control plane operations — creating/deleting resources, modifying configurations, signing in. Enabled by default in CloudTrail.
  • NACL (Network Access Control List): Stateless firewall at the subnet level in a VPC. Evaluates rules by number order, processes both inbound and outbound rules independently, and requires explicit allow for return traffic.
  • OAC (Origin Access Control): CloudFront feature that restricts S3 bucket access so content is only served through the CloudFront distribution. Replaces the legacy Origin Access Identity (OAI).
  • OCSF (Open Cybersecurity Schema Framework): Vendor-agnostic schema for normalizing security event data. Used by Security Lake to standardize logs from diverse sources for cross-source correlation.
  • Object Lock (S3): Write-once-read-many (WORM) protection for S3 objects. Compliance mode prevents deletion of a locked version by anyone, including root, until the retention period expires; Governance mode allows deletion by principals holding s3:BypassGovernanceRetention. A legal hold blocks deletion independently of any retention period. Object Lock requires versioning and can only be enabled at bucket creation.
  • Permissions Boundary: IAM policy that sets the maximum permissions an IAM entity (user or role) can have. Used for delegated administration — preventing self-escalation even if the entity's identity policy grants broader access.
  • RBAC (Role-Based Access Control): Authorization strategy that assigns permissions to named roles. Simpler to understand but requires new policies for each new project or team combination.
  • RCP (Resource Control Policy): Organization policy type (new in SCS-C03) that sets the maximum permissions available on resources in your organization, regardless of which principal calls them, including principals outside the organization. Complements SCPs, which bound what your own principals can do. Like SCPs, RCPs do not grant permissions and do not apply to the management account.
  • Region (AWS Region): Geographically distinct cluster of Availability Zones. Security services must be enabled per Region; data residency requirements are enforced through Region selection.
  • Resilience Hub (AWS Resilience Hub): Assesses application architecture against defined RTO/RPO targets and provides improvement recommendations. Complementary to FIS — assesses readiness vs. tests response.
  • S3 Bucket Policy: Resource-based policy attached to an S3 bucket. Commonly used to enforce encryption in transit (deny requests where aws:SecureTransport is false), restrict access to specific VPC endpoints (aws:SourceVpce), or grant cross-account access.
  • SCP (Service Control Policy): Organization policy that sets maximum permissions for accounts in an OU or the entire organization. SCPs never grant permissions on their own; an action must still be allowed by an identity or resource policy. Does not apply to the management account, a key exam distinction.
  • Security Group: Stateful firewall at the ENI (instance) level. Allows only, with no deny rules. Return traffic is automatically allowed. A newly created security group has no inbound rules (so all inbound is denied) and an allow-all outbound rule; note that the VPC's default security group additionally allows inbound traffic from members of the same group.
  • Session Manager (SSM): Provides interactive shell access to EC2 instances without SSH keys, open inbound ports, or bastion hosts. The StartSession API call is recorded in CloudTrail; the session contents (commands and output) can be logged to S3 or CloudWatch Logs when session logging is configured.
  • Shared Responsibility Model: Defines the security boundary between AWS (security OF the cloud — physical infrastructure, hypervisor, managed service internals) and the customer (security IN the cloud — data, identity, encryption, network configuration).
  • Step Functions (AWS Step Functions): Serverless orchestration service for coordinating multi-step workflows. Used in security for complex incident response automation that requires conditional logic, parallel execution, and error handling.
  • Tag Policy: Organization policy that enforces standardized tag keys and allowed values across member accounts. Enables tag-based access control (ABAC) and cost allocation at scale.
  • Transit Gateway: Regional network hub that connects VPCs and on-premises networks through a central gateway. Simplifies network architecture and enables centralized traffic inspection via Network Firewall.
  • VPC Endpoint: Private connection between a VPC and an AWS service that doesn't traverse the public internet. Gateway endpoints (S3, DynamoDB) are free and are added to route tables; interface endpoints (PrivateLink) are charged per hour and per GB and can be protected with security groups. Both types support endpoint policies for granular access control.
  • VPC Flow Logs: Capture IP traffic metadata (source/destination IP, ports, protocol, action) for network interfaces in a VPC. Essential for network security investigations but do not capture packet payloads.
  • Zero Trust: Security model that eliminates implicit trust based on network location. Every request is verified for identity, device posture, and context — regardless of whether it originates inside or outside the network perimeter.
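The glossary entries for SCP, Permissions Boundary, and Least Privilege all describe how AWS layers policies: an explicit Deny anywhere wins, and otherwise a request needs an Allow from the SCP layer, the permissions boundary (if one is attached), and the identity policies. The following is an added illustration, not AWS code: it models only that subset of the real evaluation logic (no resource policies, session policies, NotAction, or condition keys) so that the effect of each layer can be seen on sample policies that are constructed here for the example.

```python
"""Simplified model of AWS policy layering: SCPs, a permissions boundary
and identity policies. Added illustration, not AWS's evaluator."""
from fnmatch import fnmatchcase


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt, action, resource):
    # Action names use IAM wildcards and are case-insensitive;
    # resource ARNs are matched case-sensitively with the same wildcards.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", "*"))
    return any(fnmatchcase(action.lower(), a) for a in actions) and any(
        fnmatchcase(resource, r) for r in resources
    )


def policy_verdict(policy, action, resource):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    verdict = None
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins over any allow in this doc
            verdict = "Allow"
    return verdict


def is_allowed(action, resource, identity_policies, scps=(), boundary=None):
    """True only if no layer explicitly denies and every layer allows.

    Layers: identity policies (union of attached documents), then SCPs
    (the organization layer; pass an empty tuple to model an account with
    no org, or the management account, which SCPs do not restrict), then
    the permissions boundary (a single document; None means no boundary).
    """
    layers = [list(identity_policies)]
    if scps:
        layers.append(list(scps))
    if boundary is not None:
        layers.append([boundary])
    for layer in layers:
        verdicts = [policy_verdict(p, action, resource) for p in layer]
        if "Deny" in verdicts:
            return False  # explicit deny anywhere overrides everything
        if "Allow" not in verdicts:
            return False  # implicit deny: this layer never allowed it
    return True


# Constructed sample policies (hypothetical ARNs and account values).
SCP_DENY_TRAIL_TAMPERING = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging",
                                      "cloudtrail:DeleteTrail"], "Resource": "*"},
    ]
}
DEVELOPER_BOUNDARY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*", "cloudtrail:*"],
         "Resource": "*"}
    ]
}
DEVELOPER_IDENTITY_POLICY = {
    "Statement": [
        # Over-broad identity policy: the boundary is what stops iam:* here.
        {"Effect": "Allow", "Action": ["s3:*", "iam:*", "cloudtrail:*"],
         "Resource": "*"}
    ]
}


def developer_can(action, resource="arn:aws:s3:::example-bucket/report.csv"):
    return is_allowed(action, resource, [DEVELOPER_IDENTITY_POLICY],
                      scps=[SCP_DENY_TRAIL_TAMPERING],
                      boundary=DEVELOPER_BOUNDARY)


if __name__ == "__main__":
    for act in ("s3:GetObject", "iam:CreateUser", "cloudtrail:StopLogging"):
        print(f"{act:24s} -> {developer_can(act)}")
```

The interesting rows are the two denials: iam:CreateUser fails with an implicit deny from the boundary even though the identity policy allows it, which is exactly the self-escalation a permissions boundary exists to stop, while cloudtrail:StopLogging fails on an explicit Deny from the SCP even though both the boundary and the identity policy allow it.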
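The VPC Flow Logs entry says the records carry IP, port, protocol and action metadata but no payload; the NACL and Security Group entries explain why REJECT records appear at all. The following added example (mine, not from the page or from AWS) parses the default version 2 flow log format and flags sources whose rejected connections touch many distinct destination ports, a simple port-scan heuristic. The log lines are constructed for the example, with a hypothetical account ID and ENI, and include a NODATA record to show the status field must be checked before counting traffic.

```python
"""Parse default-format VPC Flow Log records and flag port-scan behaviour.
Added example, not AWS code; the sample records below are constructed."""
from collections import defaultdict

# Field order of the default (version 2) flow log format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

PROTOCOL_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.20 44321 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.20 44322 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.20 44323 445 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.20 44324 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.20 44325 8080 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.20 44326 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 51000 443 6 12 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 51001 80 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Return a list of dicts for records that actually describe traffic.

    Lines with a log_status other than OK (NODATA, SKIPDATA) carry '-' in
    the traffic fields and are skipped; malformed lines are skipped too.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["srcport"] = int(rec["srcport"])
        rec["dstport"] = int(rec["dstport"])
        rec["bytes"] = int(rec["bytes"])
        rec["protocol"] = PROTOCOL_NAMES.get(rec["protocol"], rec["protocol"])
        records.append(rec)
    return records


def find_port_scanners(records, min_ports=5):
    """Map each source address to the sorted set of distinct destination ports
    it was REJECTED on, keeping only sources at or above min_ports.

    REJECT means a security group or NACL dropped the packet, so a single
    source probing many closed ports is the classic scan signature. Accepted
    flows are ignored: a busy legitimate client is not a scanner.
    """
    rejected_ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            rejected_ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports) for src, ports in rejected_ports.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(f"{len(recs)} traffic records parsed")
    for src, ports in find_port_scanners(recs).items():
        print(f"possible port scan from {src}: ports {ports}")
```

The threshold is deliberately a parameter: on a real VPC, tune min_ports and add a time window (the start and end fields are epoch seconds) before feeding the result into Security Hub or an EventBridge-driven response, or the rule will fire on misconfigured but harmless clients.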
Written by Alvin Varughese, Founder (15 professional certifications)