62 entries
Cloud Security
- ASPM (Application Security Posture Management): A consolidation layer above SAST/DAST/SCA/secrets/IaC scanners that normalizes findings, ties them to application context, deduplicates, prioritizes by reachability and exploitability, and tracks remediation across teams.
- AWS IMDSv1 Attack: Theft of EC2 instance role credentials by sending unauthenticated GET requests to the legacy IMDSv1 endpoint, typically via SSRF.
- AWS IMDSv2: The session-token-based replacement for the AWS EC2 Instance Metadata Service, designed to defeat SSRF-based theft of EC2 instance role credentials by requiring a PUT-issued, short-lived token on every request.
- AWS Lambda Security: The security model and operational hardening of AWS Lambda functions — execution role least-privilege, layer integrity, code-signing, environment-variable secrets, VPC posture, and runtime threats specific to ephemeral compute.
- Bring Your Own Key (BYOK): A key-management model where the customer generates or imports its own encryption keys into the cloud provider's KMS instead of relying on provider-generated keys.
- CASB (Cloud Access Security Broker): A policy enforcement point that sits between users and cloud/SaaS applications to enforce visibility, data protection, and threat controls.
- CIEM (Cloud Infrastructure Entitlement Management): A discipline and tooling category that discovers, analyzes, and right-sizes the identities and permissions that exist inside cloud environments.
- Cilium: An eBPF-based Container Network Interface that provides networking, observability, and security for Kubernetes workloads at kernel speed.
- Cloud Control Plane Attack: An attack that targets the management API of a cloud provider (AWS, Azure, GCP) — IAM, billing, deployment APIs — rather than workloads, achieving tenant-wide impact through stolen tokens, federation abuse, or partner-channel compromises.
- Cloud Cryptojacking: Unauthorized use of a victim's cloud compute resources to mine cryptocurrency, generating costly bills while the attacker earns the rewards.
- Cloud Data Exfiltration: The unauthorized copy or transfer of data out of a cloud account, often via object storage APIs, snapshots, replication, or attacker-controlled accounts.
- Cloud Encryption: The practice of encrypting data stored, processed, or transmitted in cloud services so that only authorized parties holding the correct keys can read it.
- Cloud Key Leak: Accidental exposure of long-lived cloud access keys in public repositories, container images, logs, or client-side code, often abused within minutes.
- Cloud Metadata SSRF: A server-side request forgery attack that abuses a vulnerable application to query a cloud provider's instance metadata service and steal temporary credentials.
- Cloud Misconfiguration: A security gap caused by incorrect or insecure settings of cloud services, such as exposed storage, weak IAM policies, or open management ports.
- Cloud Security: The set of policies, controls, and technologies that protect data, applications, and infrastructure hosted in public, private, or hybrid cloud environments.
- Cloud Token Theft: Stealing OAuth, SAML, or signing tokens from a cloud identity service and replaying them to impersonate users or services without needing passwords.
- CNAPP (Cloud-Native Application Protection Platform): An integrated security platform that combines CSPM, CWPP, CIEM, IaC scanning, and runtime detection to protect cloud-native applications from build to runtime.
- Confidential Computing: Protecting data while it is being processed by running workloads inside hardware-based Trusted Execution Environments that isolate them from the host and the cloud operator.
- Container Escape: An exploit that breaks the isolation boundary between a container and its host, giving the attacker code execution on the underlying node or kernel.
- Container Security: The practice of securing container images, registries, orchestrators, and the runtime in which containers execute.
- CSPM (Cloud Security Posture Management): A category of tools that continuously assess cloud accounts against best-practice and compliance baselines to detect and remediate misconfigurations.
- CSPM Finding: An alert produced by a Cloud Security Posture Management tool when a cloud resource violates a security benchmark, policy, or compliance rule.
- CWPP (Cloud Workload Protection Platform): A platform that protects cloud workloads — virtual machines, containers, and serverless functions — across their entire lifecycle, from build to runtime.
- DSPM (Data Security Posture Management): A class of tools that discover, classify, and continuously monitor sensitive data across multi-cloud, SaaS, and data-lake environments, then surface posture risk such as exposed PII or over-permissioned datasets.
- Function as a Service (FaaS): A serverless cloud model in which short-lived functions run on demand in response to events, with the provider managing servers, scaling, and runtime.
- gVisor: gVisor is an open-source application kernel from Google that intercepts container system calls in user space, shrinking the host kernel attack surface exposed to untrusted workloads.
- Hold Your Own Key (HYOK): A key-management model where encryption keys never leave the customer's own HSM or key store; the cloud provider must call out to it to use the key.
- IAM Misconfiguration (cloud): Insecure or overly permissive cloud Identity and Access Management settings that allow users, roles, or services to perform actions beyond what they actually need.
- IAM Privilege Escalation: Abusing existing cloud IAM permissions to gain higher privileges, often via policy editing, role passing, or self-granting administrative rights.
- Infrastructure as a Service (IaaS): A cloud service model in which the provider delivers virtualized compute, storage, and networking, while the customer manages the OS, middleware, and applications on top.
- Infrastructure-as-Code (IaC) Security: The discipline of scanning, policy-checking, and securing IaC templates (Terraform, OpenTofu, Pulumi, CloudFormation, Helm, Kubernetes manifests) before they provision misconfigured cloud resources.
- Istio Security: The security feature set of the Istio service mesh: workload identity via SPIFFE, automatic mutual TLS, and AuthorizationPolicy/RequestAuthentication for fine-grained access control.
- Kata Containers: Kata Containers is an open-source runtime that wraps each container or Kubernetes pod in a lightweight virtual machine to provide hardware-level isolation between workloads.
- kube-bench: An open-source tool from Aqua Security that automatically checks a Kubernetes cluster's configuration against the CIS Kubernetes Benchmark.
- Kubernetes Admission Controller: An admission controller is a Kubernetes API server plugin that intercepts authenticated requests before persistence to validate, mutate, or reject objects against policy.
- Kubernetes Cluster Attack: An intrusion against a Kubernetes (K8s) cluster that abuses exposed APIs, weak RBAC, or vulnerable workloads to gain control of the control plane or worker nodes.
- Kubernetes Network Policy: Kubernetes NetworkPolicy is a namespaced resource that controls which pods can connect to which pods or external endpoints over IP, port, and protocol.
- Kubernetes RBAC Misconfiguration: Over-permissive Kubernetes Role/ClusterRole bindings that grant workloads, users, or service accounts cluster-wide powers — verbs on Secrets, pods/exec, impersonate — turning a single compromised container into cluster takeover.
- Kubernetes Security: The protection of a Kubernetes cluster — its API server, control plane, nodes, workloads, and network — from misconfiguration, compromise, and lateral movement.
- Kubescape: An open-source Kubernetes security platform from ARMO that scans clusters, manifests, and images for misconfigurations, vulnerabilities, and policy drift.
- Kyverno: Kyverno is a CNCF Kubernetes policy engine that validates, mutates, and generates resources using policies written as native Kubernetes YAML rather than a new DSL.
- OPA (Open Policy Agent): A CNCF-graduated, general-purpose policy engine that decouples authorization decisions from applications and Kubernetes admission control using the Rego language.
- OPA Gatekeeper: OPA Gatekeeper is a CNCF policy controller that uses Open Policy Agent and the Rego language to enforce admission and audit policies on Kubernetes resources.
- Platform as a Service (PaaS): A cloud model in which the provider manages the runtime, middleware, OS, and infrastructure while the customer focuses on application code and data.
- Pod Security Standards: Pod Security Standards (PSS) are Kubernetes-defined security profiles — Privileged, Baseline, and Restricted — that codify safe pod configuration and replace the deprecated PodSecurityPolicy.
- Policy as Code: The practice of defining security, compliance, and governance rules in machine-readable code so they can be versioned, tested, reviewed, and automatically enforced.
- S3 Bucket Misconfiguration: A configuration error on an Amazon S3 bucket (or equivalent object store) that exposes objects, allows unintended writes, or grants broad cross-account access.
- Secure Enclave: A hardware-isolated, integrity-protected region of a processor or system-on-chip that runs sensitive code and stores keys outside the reach of the main operating system.
- Security as Code: The practice of expressing security controls, tests, and infrastructure in source code so they are versioned, peer-reviewed, automated, and continuously delivered alongside applications.
- Serverless Security: The practice of securing event-driven, function-based workloads such as AWS Lambda, Azure Functions, and Google Cloud Functions, where the underlying servers are managed by the provider.
- Service Account Token: A JWT credential mounted into a Kubernetes pod that authenticates the workload to the API server and to other services trusting the cluster's identity provider.
- Service Mesh Security: The set of identity, encryption, and authorization controls a service mesh provides to secure service-to-service traffic in a cloud-native environment.
- Shared Responsibility Model: A cloud security framework that splits security duties between the cloud provider (security of the cloud) and the customer (security in the cloud).
- Software as a Service (SaaS): A cloud delivery model in which a vendor hosts and operates an application that customers access over the Internet on a subscription basis.
- SPIFFE: An open standard for assigning cryptographic, portable identities to software workloads using URI-based SPIFFE IDs and short-lived X.509 or JWT SVIDs.
- SPIRE Runtime: The reference open-source implementation of SPIFFE: a server-and-agent system that attests workloads and issues short-lived X.509 or JWT SVIDs.
- SSPM (SaaS Security Posture Management): A tooling category that continuously monitors SaaS application configurations, identities, and integrations to detect misconfigurations and risky behaviour.
- Tenant Isolation: The set of controls that ensures one customer's data, identities, and workloads in a shared cloud or SaaS platform cannot be accessed or affected by another customer.
- Tetragon: An eBPF-based Kubernetes runtime security tool from the Cilium project that observes and synchronously enforces policy on processes, files, and network activity.
- Trusted Execution Environment (TEE): A secure, isolated execution context within a processor where code and data are protected in confidentiality and integrity, even from the host OS and hypervisor.
- Workload Identity: A cryptographic identity assigned to a service, container, or function so it can authenticate to other systems without long-lived shared secrets.