● 62 entries

Cloud Security

ASPM (Application Security Posture Management)A consolidation layer above SAST/DAST/SCA/secrets/IaC scanners that normalizes findings, ties them to application context, deduplicates, prioritizes by reachability and exploitability, and tracks remediation across teams.
AWS IMDSv1 AttackTheft of EC2 instance role credentials by sending unauthenticated GET requests to the legacy IMDSv1 endpoint, typically via SSRF.
AWS IMDSv2The session-token-based replacement for the AWS EC2 Instance Metadata Service, designed to defeat SSRF-based credential theft of EC2 instance role tokens by requiring a PUT-issued, short-lived token on every request.
AWS Lambda SecurityThe security model and operational hardening of AWS Lambda functions — execution role least-privilege, layer integrity, code-signing, environment-variable secrets, VPC posture, and runtime threats specific to ephemeral compute.
Bring Your Own Key (BYOK)A key-management model where the customer generates or imports its own encryption keys into the cloud provider's KMS instead of relying on provider-generated keys.
CASB (Cloud Access Security Broker)A policy enforcement point that sits between users and cloud/SaaS applications to enforce visibility, data protection, and threat controls.
CIEM (Cloud Infrastructure Entitlement Management)A discipline and tooling category that discovers, analyzes, and right-sizes the identities and permissions that exist inside cloud environments.
CiliumAn eBPF-based Container Network Interface that provides networking, observability, and security for Kubernetes workloads at kernel speed.
Cloud Control Plane AttackAn attack that targets the management API of a cloud provider (AWS, Azure, GCP) — IAM, billing, deployment APIs — rather than workloads, achieving tenant-wide impact through stolen tokens, federation abuse, or partner-channel compromises.
Cloud CryptojackingUnauthorized use of a victim's cloud compute resources to mine cryptocurrency, generating costly bills while the attacker earns the rewards.
Cloud Data ExfiltrationThe unauthorized copy or transfer of data out of a cloud account, often via object storage APIs, snapshots, replication, or attacker-controlled accounts.
Cloud EncryptionThe practice of encrypting data stored, processed, or transmitted in cloud services so that only authorized parties holding the correct keys can read it.
Cloud Key LeakAccidental exposure of long-lived cloud access keys in public repositories, container images, logs, or client-side code, often abused within minutes.
Cloud Metadata SSRFA server-side request forgery attack that abuses a vulnerable application to query a cloud provider's instance metadata service and steal temporary credentials.
Cloud MisconfigurationA security gap caused by incorrect or insecure settings of cloud services, such as exposed storage, weak IAM policies, or open management ports.
Cloud SecurityThe set of policies, controls, and technologies that protect data, applications, and infrastructure hosted in public, private, or hybrid cloud environments.
Cloud Token TheftStealing OAuth, SAML, or signing tokens from a cloud identity service and replaying them to impersonate users or services without needing passwords.
CNAPP (Cloud-Native Application Protection)An integrated security platform that combines CSPM, CWPP, CIEM, IaC scanning, and runtime detection to protect cloud-native applications from build to runtime.
Confidential ComputingProtecting data while it is being processed by running workloads inside hardware-based Trusted Execution Environments that isolate them from the host and the cloud operator.
Container EscapeAn exploit that breaks the isolation boundary between a container and its host, giving the attacker code execution on the underlying node or kernel.
Container SecurityThe practice of securing container images, registries, orchestrators, and the runtime in which containers execute.
CSPM (Cloud Security Posture Management)A category of tools that continuously assess cloud accounts against best-practice and compliance baselines to detect and remediate misconfigurations.
CSPM FindingAn alert produced by a Cloud Security Posture Management tool when a cloud resource violates a security benchmark, policy, or compliance rule.
CWPP (Cloud Workload Protection Platform)A platform that protects cloud workloads — virtual machines, containers, and serverless functions — across their entire lifecycle, from build to runtime.
DSPM (Data Security Posture Management)A class of tools that discover, classify, and continuously monitor sensitive data across multi-cloud, SaaS, and data-lake environments, then surface posture risk such as exposed PII or over-permissioned datasets.
Function as a Service (FaaS)A serverless cloud model in which short-lived functions run on demand in response to events, with the provider managing servers, scaling, and runtime.
gVisorgVisor is an open-source application kernel from Google that intercepts container system calls in user space, shrinking the host kernel attack surface exposed to untrusted workloads.
Hold Your Own Key (HYOK)A key-management model where encryption keys never leave the customer's own HSM or key store; the cloud provider must call out to it to use the key.
IAM Misconfiguration (cloud)Insecure or overly permissive cloud Identity and Access Management settings that allow users, roles, or services to perform actions beyond what they actually need.
IAM Privilege EscalationAbusing existing cloud IAM permissions to gain higher privileges, often via policy editing, role passing, or self-granting administrative rights.
Infrastructure as a Service (IaaS)A cloud service model in which the provider delivers virtualized compute, storage, and networking, while the customer manages the OS, middleware, and applications on top.
Infrastructure-as-Code (IaC) SecurityThe discipline of scanning, policy-checking, and securing IaC templates (Terraform, OpenTofu, Pulumi, CloudFormation, Helm, Kubernetes manifests) before they provision misconfigured cloud resources.
Istio SecurityThe security feature set of the Istio service mesh: workload identity via SPIFFE, automatic mutual TLS, and AuthorizationPolicy/RequestAuthentication for fine-grained access control.
Kata ContainersKata Containers is an open-source runtime that wraps each container or Kubernetes pod in a lightweight virtual machine to provide hardware-level isolation between workloads.
kube-benchAn open-source tool from Aqua Security that automatically checks a Kubernetes cluster's configuration against the CIS Kubernetes Benchmark.
Kubernetes Admission ControllerAn admission controller is a Kubernetes API server plugin that intercepts authenticated requests before persistence to validate, mutate, or reject objects against policy.
Kubernetes Cluster AttackAn intrusion against a Kubernetes (K8s) cluster that abuses exposed APIs, weak RBAC, or vulnerable workloads to gain control of the control plane or worker nodes.
Kubernetes Network PolicyKubernetes NetworkPolicy is a namespaced resource that controls which pods can connect to which pods or external endpoints over IP, port, and protocol.
Kubernetes RBAC MisconfigurationOver-permissive Kubernetes Role/ClusterRole bindings that grant workloads, users, or service accounts cluster-wide powers — verbs on Secrets, pods/exec, impersonate — turning a single compromised container into cluster takeover.
Kubernetes SecurityThe protection of a Kubernetes cluster — its API server, control plane, nodes, workloads, and network — from misconfiguration, compromise, and lateral movement.
KubescapeAn open-source Kubernetes security platform from ARMO that scans clusters, manifests, and images for misconfigurations, vulnerabilities, and policy drift.
KyvernoKyverno is a CNCF Kubernetes policy engine that validates, mutates, and generates resources using policies written as native Kubernetes YAML rather than a new DSL.
OPA (Open Policy Agent)A CNCF-graduated, general-purpose policy engine that decouples authorization decisions from applications and Kubernetes admission control using the Rego language.
OPA GatekeeperOPA Gatekeeper is a CNCF policy controller that uses Open Policy Agent and the Rego language to enforce admission and audit policies on Kubernetes resources.
Platform as a Service (PaaS)A cloud model in which the provider manages the runtime, middleware, OS, and infrastructure while the customer focuses on application code and data.
Pod Security StandardsPod Security Standards (PSS) are Kubernetes-defined security profiles — Privileged, Baseline, and Restricted — that codify safe pod configuration and replace the deprecated PodSecurityPolicy.
Policy as CodeThe practice of defining security, compliance, and governance rules in machine-readable code so they can be versioned, tested, reviewed, and automatically enforced.
S3 Bucket MisconfigurationA configuration error on an Amazon S3 bucket (or equivalent object store) that exposes objects, allows unintended writes, or grants broad cross-account access.
Secure EnclaveA hardware-isolated, integrity-protected region of a processor or system-on-chip that runs sensitive code and stores keys outside the reach of the main operating system.
Security as CodeThe practice of expressing security controls, tests, and infrastructure in source code so they are versioned, peer-reviewed, automated, and continuously delivered alongside applications.
Serverless SecurityThe practice of securing event-driven, function-based workloads such as AWS Lambda, Azure Functions, and Google Cloud Functions, where the underlying servers are managed by the provider.
Service Account TokenA JWT credential mounted into a Kubernetes pod that authenticates the workload to the API server and to other services trusting the cluster's identity provider.
Service Mesh SecurityThe set of identity, encryption, and authorization controls a service mesh provides to secure service-to-service traffic in a cloud-native environment.
Shared Responsibility ModelA cloud security framework that splits security duties between the cloud provider (security of the cloud) and the customer (security in the cloud).
Software as a Service (SaaS)A cloud delivery model in which a vendor hosts and operates an application that customers access over the Internet on a subscription basis.
SPIFFEAn open standard for assigning cryptographic, portable identities to software workloads using URI-based SPIFFE IDs and short-lived X.509 or JWT SVIDs.
SPIRE RuntimeThe reference open-source implementation of SPIFFE: a server-and-agent system that attests workloads and issues short-lived X.509 or JWT SVIDs.
SSPM (SaaS Security Posture Management)A tooling category that continuously monitors SaaS application configurations, identities, and integrations to detect misconfigurations and risky behaviour.
Tenant IsolationThe set of controls that ensures one customer's data, identities, and workloads in a shared cloud or SaaS platform cannot be accessed or affected by another customer.
TetragonAn eBPF-based Kubernetes runtime security tool from the Cilium project that observes and synchronously enforces policy on processes, files, and network activity.
Trusted Execution Environment (TEE)A secure, isolated execution context within a processor where code and data are protected in confidentiality and integrity, even from the host OS and hypervisor.
Workload IdentityA cryptographic identity assigned to a service, container, or function so it can authenticate to other systems without long-lived shared secrets.