SCS-C02 Exam Glossary - 149 Terms

Search the terminology pack for AWS Certified Security - Specialty. Use these definitions with the study guide and practice questions.

Download App Study Guide Free Practice Exam

A

ABAC: Attribute-based access control, an authorization strategy based on attributes.
ACM: Abbreviation for AWS Certificate Manager.
Amazon API Gateway: An AWS service referenced as a resource that can require encryption in transit.
Amazon Athena: An AWS service for running SQL queries on data stored in Amazon S3.
Amazon CloudFront: An AWS edge service that can be combined with AWS WAF and load balancers for layered defense.
Amazon CloudWatch: An AWS monitoring service used for metrics, alarms, dashboards, and event monitoring.
Amazon CloudWatch Logs: An AWS logging service used to store and analyze logs from services and applications.
Amazon Cognito: An AWS service used for creating and managing identities.
Amazon Data Lifecycle Manager: An AWS service used for automatic lifecycle management of resources such as snapshots.
Amazon Detective: An AWS service used to investigate and analyze security findings and suspicious activity.
Amazon DynamoDB: An AWS NoSQL database service referenced for encryption and resource policy controls.
Amazon EBS: Abbreviation for Amazon Elastic Block Store.
Amazon ECR: Amazon Elastic Container Registry, an AWS service that can be scanned for vulnerabilities in container images.
Amazon EFS: Amazon Elastic File System, an AWS file storage service referenced for encryption in transit and at rest.
Amazon Elastic Block Store: An AWS block storage service used with EC2 instances and volume snapshots.
Amazon EventBridge: An AWS event bus service used to route events between AWS services and third-party services.
Amazon GuardDuty: An AWS threat detection service that identifies suspicious activity and potential threats.
Amazon Inspector: An AWS service for automated security assessment and vulnerability detection.
Amazon Macie: An AWS service that discovers and protects sensitive data, especially in Amazon S3.
Amazon Managed Blockchain: An AWS blockchain service listed as out of scope for the exam.
Amazon QLDB: Abbreviation for Amazon Quantum Ledger Database.
Amazon Quantum Ledger Database (Amazon QLDB): An AWS ledger database service listed as out of scope for the exam.
Amazon RDS: An AWS managed relational database service referenced as a resource that can require encryption in transit and at rest.
Amazon Redshift: An AWS data warehouse service referenced as a resource that can require encryption in transit.
Amazon Route 53: An AWS edge service that can be part of security controls at the edge.
Amazon S3: An AWS object storage service referenced for encryption, logging, lifecycle, and access control controls.
Amazon Simple Notification Service: An AWS messaging service used to send notifications and alerts.
Amazon SNS: Abbreviation for Amazon Simple Notification Service.
Amazon VPC: Amazon Virtual Private Cloud, an AWS service for creating logically isolated virtual networks.
AMI: Amazon Machine Image, a machine image used to create EC2 instances.
AMIs: Amazon Machine Images, which are among the AWS resources that can be managed through automatic lifecycle processes.
API keys: Secrets used to authenticate or authorize access to APIs.
ASFF: Abbreviation for AWS Security Finding Format.
asymmetric keys: Cryptographic keys that use a public/private key pair for encryption and decryption or signing and verification.
Athena: An AWS service used to analyze captured logs.
AWS account root user credentials: The credentials for the root user of an AWS account, which should be secured according to best practices.
AWS Audit Manager: An AWS service for continuously auditing AWS usage and assessing compliance with controls.
AWS Backup: An AWS service used to establish schedules and retention for backups across AWS services.
AWS Backup Vault Lock: An AWS Backup control used to protect backup data integrity by preventing modifications.
AWS Certificate Manager (ACM): An AWS service for provisioning, managing, and deploying SSL/TLS certificates.
AWS CLI: The AWS Command Line Interface, used to interact with AWS services from the command line.
AWS CloudFormation: An AWS infrastructure-as-code service used to deploy cloud resources consistently and securely.
AWS CloudHSM: An AWS service that provides hardware security modules for cryptographic key storage and operations.
AWS CloudTrail: An AWS service for recording and monitoring account activity and API usage.
AWS Config: An AWS service for tracking configuration changes and evaluating resource configurations against desired settings.
AWS Config aggregators: AWS Config components used to centrally aggregate configuration data and findings across accounts.
AWS Config rules: Rules created in AWS Config to detect noncompliant AWS resources.
AWS Control Tower: An AWS service used to set up and govern multi-account AWS environments with guardrails.
AWS cost and usage: AWS spending and consumption data used for anomaly identification.
AWS Cost Explorer: An AWS service used to identify unused resources and analyze cost-related usage patterns.
AWS Direct Connect: An AWS on-premises connectivity option used for dedicated network connectivity.
AWS Directory Service: An AWS service for managing directories and integrating with directory-aware applications.
AWS Firewall Manager: An AWS service for centrally configuring and managing firewall rules and protections across accounts.
AWS IAM Identity Center: An AWS identity service used for creating and managing identities.
AWS IAM Identity Center (AWS Single Sign-On): An AWS service for centrally managing workforce access to AWS accounts and applications.
AWS Identity and Access Management (IAM): An AWS service for controlling authentication and authorization to AWS resources.
AWS Key Management Service (AWS KMS): An AWS service for creating and controlling cryptographic keys used to encrypt data.
AWS KMS: Abbreviation for AWS Key Management Service.
AWS Lambda: An AWS serverless compute service used to run code in response to events.
AWS Management Console: The web-based interface for managing AWS services and resources.
AWS Network Firewall: An AWS managed firewall service for filtering network traffic.
AWS Organizations: An AWS service for centrally managing multiple AWS accounts.
AWS RAM: AWS Resource Access Manager.
AWS Resource Access Manager: An AWS service used to securely share resources across AWS accounts.
AWS SDKs: Software development kits provided by AWS for programmatic access to AWS services.
AWS Secrets Manager: An AWS service used to store and manage secrets such as credentials.
AWS Security Finding Format: A standardized format for AWS security findings used for integrations and security event handling.
AWS Security Finding Format (ASFF): A standardized format for AWS security findings used for integrations and security event handling.
AWS Security Hub: An AWS service that centralizes and prioritizes security findings from multiple AWS services.
AWS Security Incident Response Guide: An AWS guide referenced for incident response preparation and handling.
AWS Service Catalog: An AWS service used to configure and deploy portfolios of approved AWS services.
AWS Shield: An AWS service that provides protection against distributed denial-of-service attacks.
AWS Single Sign-On: The former name for AWS IAM Identity Center.
AWS Step Functions: An AWS service for orchestrating workflows and automating multi-step processes.
AWS STS: AWS Security Token Service, used to issue temporary credentials.
AWS Systems Manager: An AWS service used for operational management, automation, and runbooks.
AWS Transit Gateway: An AWS service used for inter-VPC connectivity and network design.
AWS Trusted Advisor: An AWS service used to identify unused resources and other optimization or security opportunities.
AWS VPN: An AWS on-premises connectivity option used for secure network communication.
AWS WAF: AWS Web Application Firewall, used to protect web applications from common web exploits.
AWS Well-Architected Framework: An AWS framework used to evaluate and improve cloud architecture, including identifying anomalies based on resource utilization and trends, finding unused resources with AWS tools, and using the AWS Well-Architected Tool to identify security gaps.
AWS Well-Architected Tool: An AWS tool used to identify security gaps in an AWS environment.

C

Certificate management: The administration of digital certificates, including issuance, use, and lifecycle handling.
CloudTrail Insights: A CloudTrail analysis feature used to identify unusual activity patterns in logs.
CloudWatch: An AWS monitoring service used for metrics, alarms, dashboards, and event monitoring.
CloudWatch log groups: Amazon CloudWatch log group containers that can be managed through automatic lifecycle policies.
CloudWatch Logs filter: A tool used to analyze captured logs by filtering CloudWatch Logs.
CloudWatch Logs Insights: A CloudWatch Logs feature used to query and analyze log data.
container images: Packaged container artifacts that can be included in automatic lifecycle management.
customer managed keys: AWS KMS keys that are managed by the customer rather than fully managed by AWS.
customer-provided key material: Key material supplied by the customer that can be imported into and removed from AWS KMS.

D

Data retention standards: Standards that define how long data must be retained.
DDoS: Distributed denial-of-service attack, a common attack type mentioned as a threat to edge services.
Detective: An AWS service used to investigate and analyze security findings and suspicious activity.
DNS logs: Logs that record DNS activity and can be used as a source for logging and analysis.
drift detection: A mechanism for identifying differences between the intended infrastructure configuration and the actual deployed state.

E

EBS volume snapshots: Point-in-time backups of Amazon EBS volumes that can be included in automatic lifecycle management.
EC2 Image Builder: An AWS service used in provisioning and maintenance of EC2 instances, including creating hardened AMIs.
EventBridge: An AWS event bus service used to route events between AWS services and third-party services.

F

Firewall Manager: An AWS service used to enforce security policies across AWS resources.

G

GuardDuty: An AWS threat detection service that identifies suspicious activity and potential threats.

I

IaC: Abbreviation for infrastructure as code.
IAM: Abbreviation for AWS Identity and Access Management.
IAM access keys: AWS Identity and Access Management credentials used to authenticate programmatic access.
IAM instance roles: IAM roles attached to EC2 instances to authorize compute workloads.
IAM service roles: IAM roles used by AWS services to perform actions on behalf of a service.
infrastructure as code: A deployment approach that uses code-based templates or definitions to provision and manage cloud resources consistently and securely.
Infrastructure as code (IaC): A practice of defining and managing infrastructure through code rather than manual configuration.
IPsec: Internet Protocol Security, a VPN-related protocol used to protect data in transit.

K

KMS key policies: Policies that control who can use an AWS KMS key and for what actions, limiting usage to authorized users.

L

Lambda: An AWS service used to automate alerting and other event-driven actions.
least privilege: The principle of granting only the minimum permissions required to perform a task.
Lifecycle policies: Policies that define how data or resources are retained, transitioned, or removed over time.

M

Macie: An AWS service that discovers and protects sensitive data, especially in Amazon S3.
MFA: Multi-factor authentication, an authentication method that requires more than one factor.

N

Network Access Analyzer: An Amazon VPC feature used to analyze network access paths.
Network ACLs: Network access control lists used to control traffic at the subnet level in a VPC.

O

OSI model: Open Systems Interconnection model, a fundamental networking model used in troubleshooting.
OWASP Top 10: A list of common web application security risks used to select edge protections.

P

private VIF: A private virtual interface used for cross-Region networking.
public VIF: A public virtual interface used for cross-Region networking.

R

RBAC: Role-based access control, an authorization strategy based on roles.
RDP: Remote Desktop Protocol, referenced as a secure remote access method when used over Systems Manager Session Manager.
RDS volume snapshots: Backups of Amazon RDS storage volumes that can be managed through automatic lifecycle policies.

S

S3 Block Public Access: A control used to prevent unauthorized public access to Amazon S3 resources.
S3 Glacier Vault Lock: An Amazon S3 Glacier control used to protect data integrity and enforce retention by preventing modifications.
S3 Lifecycle: An Amazon S3 feature for managing object lifecycle transitions and expiration.
S3 Lifecycle policy: An Amazon S3 policy that automates lifecycle management for objects, including retention-related actions.
S3 Object Lock: An Amazon S3 feature that helps protect objects from being deleted or overwritten for a fixed retention period or under legal hold.
S3 replication: An Amazon S3 feature for copying objects between buckets or accounts.
SCPs: Service control policies used as a technical control to enforce policy across AWS accounts in AWS Organizations.
Secrets Manager: An AWS service used to protect credentials, secrets, and cryptographic key materials.
Secure remote access: A secure way to access systems remotely, included as an exam concept.
Security groups: Virtual firewalls that control inbound and outbound traffic for AWS resources.
Security Hub: An AWS service that centralizes and prioritizes security findings from multiple AWS services.
separation of duties: A security principle that enforces division of responsibilities to reduce misuse or fraud.
SSH: Secure Shell, a secure remote access method.
symmetric keys: Cryptographic keys where the same key is used for both encryption and decryption.
Systems Manager: An AWS service referenced as a tool for monitoring metrics and baselines.
Systems Manager Parameter Store: An AWS service used to store and manage configuration data and secrets.
Systems Manager Session Manager: An AWS Systems Manager capability used for secure remote access and forwarding traffic over secure connections.

T

TCP: Transmission Control Protocol, referenced in comparison with UDP in network troubleshooting.
TCP/IP: The core networking protocol suite referenced for troubleshooting network security.
TLS: Transport Layer Security, a protocol used to provide confidentiality and integrity for data in transit.
Traffic Mirroring: A security telemetry source used to capture traffic samples for analysis.

U

UDP: User Datagram Protocol, referenced in comparison with TCP in network troubleshooting.

V

VPC endpoints: Private connections that enable access to AWS services without traversing the public internet.
VPC Flow Logs: An AWS logging feature that captures network flow information for a VPC.
VPC Reachability Analyzer: An AWS tool used to analyze network reachability.

About These Definitions

These definitions are loaded from the shared release pack. Use them with the study guide and practice questions to connect vocabulary to exam scenarios.

Download App Read the full study guide Take the free practice exam