Glossary

API

Application Programming Interface, a set of operations that a system makes available for other systems. AWS offers a set of APIs to allow creating and managing resources inside an account.

ARN

Amazon Resource Name, a globally unique identifier for resources inside AWS. See more in the Resource lesson.

AWS Organizations

A service that manages member accounts under a management account. It makes it easy to create isolated accounts for applications. It also allows attaching Service-control policies that are the only permission type that restricts access from outside the account.

Access Key ID/Secret Access Key

These values identify the principal who is making a request to an AWS API. They are used to sign the request made to the API. Losing these keys allows an attacker to send requests in the name of the principal.

Attribute-Based Access Control (ABAC)

A permission strategy where users and resources have attributes attached to them and access control is based on these values. Done right, this makes a more scalable permission strategy than RBAC.

In AWS, attributes are tags that are attached to resources and principals. IAM policies can then use them in conditions, such as the aws:ResourceTag, the aws:PrincipalTag, and other service-specific keys.

Blast radius

The potential consequences of a security breach.

IAM

Identity and Access Management, the AWS service that manages identities (users and roles) and permissions inside an AWS account.

IAM policy

A JSON document that configures access control in IAM. See more in the IAM policies chapter.

IAM role

An IAM identity that uses temporary credentials to access an AWS account. It implements process-based credentials management. See more in the IAM roles of the Principal lesson.

IAM user

An IAM identity that can access an AWS account either via permanent credentials (Access Key ID-Secret Access Key pair) or password-based login on the Management Console. See more in the IAM users of the Principal lesson.

Identity-based policy

An IAM policy attached to an identity (IAM users or roles). See more in the Identity-based policies lesson.

Least privilege

A set of permissions that allows normal operations but nothing else.

Principal

The entity that is making a request to an AWS API. See more in the Principal lesson.

Request context

The collection of information regarding the request made to an AWS API. It contains who is initiating the request, what is being done, on what resource, and some other metadata. See more in the Access elements lessons.

Resource-based policy

An IAM policy attached to a resource. See more in the Resource-based policies lesson.

Role-Based Access Control (RBAC)

A permission strategy where users are organized in groups and only these groups have permissions. Individual users don’t have policies attached and access control is determined only by group membership. This makes a scalable permission strategy.

In AWS, implementing Role-Based Access Control is done using IAM groups.

Service Control Policy (SCP)

A policy type that is attached to an AWS account via Organizations. Only the management account can define SCPs and they are only effective for member accounts. See more in the Service control policy (SCP) lesson.

Shared responsibility model

The security framework defines the responsibilities of the cloud provider and the customer, in which the provider is responsible for the security of the cloud, while the customer is responsible for the security in the cloud.

In practical terms, AWS offers a set of tools to secure our account and the resources inside it, but we are required to use them properly. According to the shared responsibility model, we can be sure that hackers cannot circumvent the security controls but we need to configure them properly.

For example, AWS makes sure that only the principals we allow via IAM policies can read an S3 bucket and there is no other way to access the contents. But you need to ensure that we don’t allow public access to it.

Learn more about it in the Introduction chapter.