AWS Overview - Glossary of Terms
- Duong Hoang
- Jun 5, 2024
- 1 min read

Glossary of terms | Explanation |
--- | --- |
Access Key ID | An AWS-specific string of characters that uniquely identifies an AWS user. It combines with the Secret Access Key to form an authentication key pair (similar to a username and password). |
Access Control List (ACL) | A list of permissions or rules associated with an object or network resource in AWS. For subnets, ACLs act like firewalls to control inbound/outbound traffic. For S3, ACLs manage read/write permissions on buckets or objects for AWS accounts. |
Amazon Machine Image (AMI) | An encrypted image file stored on AWS S3. It includes all necessary information to launch an AWS EC2 instance with the accompanying software, configurations, etc. |
Application Programming Interface (API) | An interface exposed through libraries and/or the operating system that lets an application program perform actions in AWS by calling the AWS API. |
Archive | The basic storage unit in AWS Glacier: a file you want to store, such as a photo, video, or document. Each archive has a unique ID and a description. |
Authentication | The process of verifying the identity of an individual or a program before it is allowed into the AWS system. AWS requires requests to be authenticated using cryptographic hash functions. |
Auto-scaling | An AWS service that allows customers to automatically scale AWS EC2 instances up or down based on predefined conditions. |
Availability Zone (AZ) | AWS EC2 instances are located within Availability Zones and Regions. Each AZ is designed independently to increase high availability (HA) and fault tolerance. |
Bastion Host | A specially configured computer in the external/public domain (DMZ) or outside the firewall, acting as an intermediary server, allowing you to connect to AWS instances within a Private Subnet. You can set up an AWS EC2 instance as an SSH bastion in the Public Subnet of a VPC. |
Bucket | A collection of objects stored in AWS S3. |
Certificate | AWS certificates used to authenticate AWS Accounts and Users, also known as X.509 certificates. These certificates are paired with a private key. |
CIDR Block | Classless Inter-Domain Routing block of IP addresses. It can be understood as an IP range (e.g., 172.16.x.x). |
Client-side Encryption | Encrypting data on the client side before uploading it to AWS S3. |
CloudFormation | An AWS service that allows customers to save the entire configuration of their AWS resources (VPC, SG, Instance type, RDS, S3, etc.), helping customers manage and update versions suitable for their applications. CloudFormation can create identical environments when needed. |
Cognito | An AWS service that helps authenticate users, store, manage, and sync data across multiple devices, platforms, and applications. It works with many existing identity providers (IdP) and supports guest users who do not need authentication. |
Credentials | Necessary for processing authentication to AWS services. AWS credentials include passwords, secret access keys, X.509 certificates, and multi-factor tokens. |
Dedicated Instance | AWS EC2 instances with physical isolation at the hardware level (single-tenant hardware). These instances run on dedicated hardware. |
Digital Signature | A cryptographic method for ensuring the integrity and validity of a message, allowing the receiver to trust that it was created by an authorized sender. Customers use digital signatures to send authenticated requests to the AWS API. |
Direct Connect Service | This AWS service provides a dedicated physical connection between internal networks and AWS regions, offering high reliability and security. With this dedicated connection, you can connect directly to the AWS Cloud, Amazon VPC, and bypass the internet. AWS Direct Connect differs from VPN connections. |
DynamoDB | A NoSQL database developed by AWS. |
Elastic Block Store (EBS) | Provides block-level storage volumes for AWS EC2 instances. AWS EBS is independent of EC2 instances, meaning when you shut down an EC2 instance, EBS still exists and is not deleted. |
ElastiCache | Sets up, manages, and scales in-memory caches in the AWS cloud. |
Elastic Beanstalk | An AWS deployment and management tool that automatically provides capacity, load balancing, and auto-scaling for applications. |
Elastic IP (EIP) | An AWS static/public IP address that can be assigned to any instance in Amazon VPC. AWS EIPs are independent of EC2 instances. |
Elastic Load Balancer (ELB) | Used to distribute traffic to AWS EC2 instances, allowing distribution across all Availability Zones in a region to increase HA and fault tolerance. |
Elastic Network Interface (ENI) | In a VPC, an ENI is a second network interface that you can attach to an AWS EC2 instance. A network interface can be used to create a management network, a user network, or a security application in a VPC. It can be easily attached and detached from an instance and is independent of the AWS EC2 instance. |
Endpoint | To reduce data latency in applications, most AWS services allow you to choose a region endpoint to send requests. Some AWS web services allow you to use a default endpoint without specifying a region, resolving to the us-east-1 endpoint. You can connect to AWS endpoints via HTTP or HTTPS (with SSL). |
Federated User | A user, system, or application that is not directly authenticated by AWS but still needs access to AWS services through temporary credentials. AWS federated users can obtain this type of access through the AWS Security Token Service (STS) APIs. |
Firewall | Controls inbound and outbound traffic, specifying the protocol, port, and source IP address allowed to access. |
Guest OS | In an AWS virtual machine environment, multiple operating systems (OS) can run on specific hardware. Each instance is considered a guest on host hardware and uses its own OS. |
Hash | A cryptographic hash function used to compute the digital signature that signs requests to the AWS API. A cryptographic hash is a one-way function that returns a unique hash value for its input, which here includes the request text and the secret access key. |
HMAC-SHA1/HMAC-SHA256 | In cryptography, a keyed-Hash Message Authentication Code (HMAC or KHMAC) is a type of message authentication code (MAC) that uses a cryptographic function combined with a secret key. HMAC can be used to verify data integrity and authenticate the message. Cryptographic hash functions like SHA-1 or SHA-256 can be used to compute HMAC, resulting in HMAC-SHA1 or HMAC-SHA256. |
Hardware Security Module (HSM) | An application providing secure cryptographic key storage and operation on a tamper-resistant hardware device. AWS HSM is designed to protect cryptographic keys and use them securely within applications, providing dedicated and single-tenant HSM applications. |
Hypervisor | Also known as a Virtual Machine Monitor (VMM), it is virtualization software/hardware that allows multiple OS to run on a host computer. |
Identity and Access Management (IAM) | Allows you to create multiple users and manage their permissions within an AWS account. |
Identity Pool | Stores user identity information in AWS Cognito of an AWS account. Identity pools use AWS IAM roles, providing temporary security credentials to authenticate to AWS resources defined in the IAM role. |
Identity Provider (IdP) | An online service that issues identities to users so they can interact with other cooperating services; Facebook, Google, and Amazon are examples of identity providers. |
Import/Export Service | An AWS service that allows transferring large amounts of data to AWS S3 or AWS EBS storage by securely shipping a physical device to AWS. |
Instance | A virtual server, also known as a VM (virtual machine), including AWS hardware resources and a guest OS. |
IP Address | Internet Protocol address. |
IP Spoofing | Creating IP packets with a forged source IP address, either to hide the sender's identity or to impersonate another computer. |
Key | In encryption, a key is a parameter that determines the output of an encryption algorithm (hash function). A key pair is a set of security credentials used for digital identity, including a private key and a public key. |
Key Rotation | The periodic process of changing cryptographic keys used to encrypt data or digital signatures. Similar to periodically changing passwords, AWS keys are rotated to reduce the risk of unauthorized access. AWS supports access keys and certificates, allowing users to rotate keys and certificates without causing application downtime. |
Mobile Analytics | An AWS service that collects, displays, and understands mobile application data. It allows tracking customer behavior, aggregating metrics, and identifying useful patterns in mobile applications. |
Multi-factor Authentication (MFA) | Using two or more authentication factors. Authentication factors can include passwords or tokens (generated from random number sequences). AWS IAM allows users to use a six-digit one-time code in addition to their username and password. Customers use a single-use code generated by a physical device (smartphone, token device, etc.) when accessing AWS Management Console, etc. (It is recommended to use an AWS MFA device, e.g., YubiKey, for enhanced security.) |
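
As an added example (not code from the original post), here is how the Access Key ID / Secret Access Key pair, the Hash entry and HMAC-SHA256 fit together when a request to the AWS API is signed and then verified. The key-derivation chain follows the shape of AWS Signature Version 4; the secret key, bucket host and header values are constructed sample values, and verify_request is a hypothetical server-side check written for this demo, not an AWS API.

```python
import hashlib
import hmac

SECRET_ACCESS_KEY = "constructed-secret-access-key-for-demo-only"  # constructed sample, not a real key

def hmac_sha256(key: bytes, msg: str) -> bytes:
    """HMAC: a cryptographic hash (SHA-256) combined with a secret key."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Chain HMACs so the raw secret never signs a request directly and each day,
    region and service gets its own key (the shape used by AWS Signature Version 4)."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")

def string_to_sign(method: str, path: str, headers: dict, body: bytes,
                   amz_date: str, scope: str) -> str:
    """Canonicalise and hash the request; changing method, path, a signed header or body changes it."""
    lowered = {h.lower(): v.strip() for h, v in headers.items()}
    names = sorted(lowered)
    canonical_request = "\n".join([
        method, path, "",                      # "" is the (empty) canonical query string
        "".join(f"{n}:{lowered[n]}\n" for n in names),
        ";".join(names),
        hashlib.sha256(body).hexdigest(),
    ])
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                      hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])

def sign_request(secret: str, method: str, path: str, headers: dict, body: bytes,
                 amz_date: str, region: str, service: str) -> str:
    """Client side: the hex signature that travels in the Authorization header."""
    date = amz_date[:8]                        # YYYYMMDD from e.g. 20240605T120000Z
    scope = f"{date}/{region}/{service}/aws4_request"
    key = derive_signing_key(secret, date, region, service)
    return hmac_sha256(key, string_to_sign(method, path, headers, body, amz_date, scope)).hex()

def verify_request(secret: str, presented: str, *request) -> bool:
    """Server side (hypothetical check): recompute and compare in constant time,
    so response timing does not leak how many signature characters matched."""
    return hmac.compare_digest(sign_request(secret, *request).encode(), presented.encode())

if __name__ == "__main__":
    hdrs = {"Host": "example-bucket.s3.amazonaws.com", "X-Amz-Date": "20240605T120000Z"}
    req = ("GET", "/report.csv", hdrs, b"", "20240605T120000Z", "us-east-1", "s3")
    sig = sign_request(SECRET_ACCESS_KEY, *req)
    print(sig, verify_request(SECRET_ACCESS_KEY, sig, *req))
```

Because the body hash, path and signed headers all feed the string to sign, a request altered in transit fails verification even though the attacker never sees the secret access key.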
By understanding these terms, you can better navigate and utilize AWS services effectively. For more detailed information on each term, refer to the AWS documentation and resources.