
Glossary

A
Access Control List (ACL)   A document that defines who can access a particular bucket or
object. Each bucket and object in Amazon Simple Storage Service (Amazon S3) has an ACL.
The document defines what each type of user can do, such as write and read permissions.

Access Key   The combination of an Access Key ID (AKI) (like AKIAIOSFODNN7EXAMPLE)
and a Secret Access Key (SAK) (like wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You
use access keys to sign API requests that you make to AWS.

Access Key ID (AKI)   A unique identifier that’s associated with a Secret Access Key (SAK);
the AKI and SAK are used together to sign programmatic AWS requests cryptographically.

Account   A formal relationship with AWS that is associated with: (1) the owner’s email
address and password, (2) the control of resources created under its umbrella, and
(3) payment for the AWS activity related to those resources. The AWS account has permission to
do anything and everything with all the AWS account resources. This is in contrast to a
user, which is an entity contained within the account.

Action (in a Policy)   Defines the actions for which the permission in a policy applies. This
could be * for all actions, one or more individual actions, or a wildcard defining multiple
actions (such as Read*).

Activities (AWS Data Pipeline)   A pipeline component that defines the work to perform.

Amazon API Gateway   A fully managed service that makes it easy for developers to create,
publish, maintain, monitor, and secure Application Programming Interfaces (APIs) at any
scale.

Amazon Aurora   Amazon Aurora is a fully managed Amazon RDS database engine.
Amazon Aurora is MySQL-compatible and provides increased reliability and performance
over standard MySQL deployments.

Amazon CloudFront   A content delivery service that helps you improve the performance,
reliability, and availability of your websites and applications.

Amazon CloudWatch   A web service that enables you to monitor and manage various
metrics and configure alarm actions based on data from those metrics.

Amazon Cognito   A web service that makes it easy to save mobile user data, such as
app preferences or game state, in the AWS Cloud without writing any back-end code or
managing any infrastructure. Amazon Cognito offers mobile identity management and data
synchronization across devices.

Amazon DynamoDB   A fully managed, fast, and flexible NoSQL database service for
all applications that need consistent, single-digit millisecond latency at any scale.
Amazon DynamoDB is a cloud database that supports both document and key/value
store models.

Amazon Elastic Block Store (Amazon EBS)   A service that provides block-level storage
volumes for use with Amazon Elastic Compute Cloud (Amazon EC2) instances.

Amazon Elastic Block Store (Amazon EBS) Snapshot   Point-in-time backup of your
volume stored in Amazon Simple Storage Service (Amazon S3). Can be used as the starting
point for new Amazon EBS volumes or to protect your data for long-term durability.

Amazon Elastic Compute Cloud (Amazon EC2)   A web service that enables you to launch
and manage Linux/UNIX and Windows server instances in Amazon’s data centers.

Amazon Elastic Transcoder   A cloud-based media transcoding service. Elastic Transcoder
is a highly scalable tool for converting (or transcoding) media files from their source format
into versions that will play on devices like smart phones, tablets, and PCs.

Amazon ElastiCache   A web service that simplifies deploying, operating, and scaling an
in-memory cache in the cloud. The service improves the performance of web applications by
providing information retrieval from fast, managed, in-memory caches, instead of relying
entirely on slower disk-based databases.

Amazon Elasticsearch   A managed service for deploying, operating, and scaling
Elasticsearch, an open source search and analytics engine.

Amazon Glacier   A secure, durable, and low-cost storage service for data archiving and
long-term backup. You can reliably store large or small amounts of data for significantly
less than on-premises solutions. Amazon Glacier is optimized for infrequently accessed
data, where a retrieval time of several hours is suitable.

Amazon Kinesis Streams Application   A data consumer that reads and processes data
from an Amazon Kinesis stream.

Amazon Machine Image (AMI)   An encrypted machine image stored in Amazon Elastic
Block Store (Amazon EBS) or Amazon Simple Storage Service (Amazon S3). AMIs are like
a template of a computer’s root drive. They contain the Operating System (OS) and can also
include software and layers of your application, such as database servers, middleware, web
servers, and so on.

Amazon Redshift   A fully managed, petabyte-scale data warehouse service in the cloud. With
Amazon Redshift, you can analyze your data using your existing business intelligence tools.

Amazon Relational Database Service (Amazon RDS)   A web service that makes it easier
to set up, operate, and scale a relational database in the cloud. It provides cost-efficient,
resizable capacity for an industry-standard relational database and manages common
database administration tasks.

Amazon Resource Name (ARN)   A standardized way to refer to an AWS resource. For
example:

arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob
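
The ARN format above is regular enough to parse mechanically, and a defender often wants to do exactly that before trusting an ARN that arrives in an event, a policy or a log line. The following is an added example (not code from the glossary or from AWS): it splits an ARN into its six colon-separated fields, keeps any further colons inside the resource field, separates the resource type from its identifier, and offers a simple "does this ARN name the account I expect?" check. The IAM ARN is the one shown in the glossary; the CloudWatch Logs ARN and the account numbers in the usage are constructed values.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example: a small ARN parser. The IAM ARN used below is the one given in
# the glossary; the CloudWatch Logs ARN in the usage is a constructed value.

ACCOUNT_ID_RE = re.compile(r"\d{12}")


@dataclass(frozen=True)
class Arn:
    partition: str    # "aws", "aws-cn", "aws-us-gov"
    service: str      # "iam", "s3", "logs", ...
    region: str       # empty for global services such as IAM
    account_id: str   # empty where the service omits it (for example S3 buckets)
    resource: str     # everything after the fifth colon; may contain ':' or '/'

    def split_resource(self) -> Tuple[Optional[str], str]:
        """Return (resource_type, resource_id).

        The type is the text before the first '/' or ':' in the resource field
        ("user" in "user/division_abc/subdivision_xyz/Bob", "log-group" in
        "log-group:/aws/lambda/fn"). A resource with neither separator has no type.
        """
        cuts = [i for i in (self.resource.find("/"), self.resource.find(":")) if i >= 0]
        if not cuts:
            return None, self.resource
        pos = min(cuts)
        return self.resource[:pos], self.resource[pos + 1:]


def parse_arn(text: str) -> Arn:
    """Split an ARN into its six colon-separated fields.

    Only the first five colons delimit fields, so the resource field keeps any
    further colons intact. Raises ValueError on anything that is not an ARN.
    """
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account_id, resource = parts
    if not (partition and service and resource):
        raise ValueError(f"ARN is missing a required field: {text!r}")
    if account_id and not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")
    return Arn(partition, service, region, account_id, resource)


def belongs_to_account(text: str, expected_account_id: str) -> bool:
    """Check an externally supplied ARN against the account you expect before
    acting on it. Malformed input counts as 'no'."""
    try:
        return parse_arn(text).account_id == expected_account_id
    except ValueError:
        return False


if __name__ == "__main__":
    arn = parse_arn("arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob")
    print(arn.service, arn.region or "(global)", arn.account_id, arn.split_resource())
    print(belongs_to_account("arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/fn",
                             "123456789012"))
```

Note that the region field is legitimately empty for IAM (a global service), so a parser that rejects empty fields outright would reject every IAM ARN; only partition, service and resource are treated as mandatory here.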

Amazon Route 53   A web service you can use to register new domains or manage the
Domain Name System (DNS) settings for existing domains.

Amazon Simple Email Service (Amazon SES)   An easy-to-use, cost-effective email
solution for applications.

Amazon Simple Notification Service (Amazon SNS)   A web service that enables
applications, end users, and devices to send and receive notifications instantly from the cloud.

Amazon Simple Queue Service (Amazon SQS)   Reliable and scalable managed queues
for storing messages as they travel between computers.

Amazon Simple Queue Service (Amazon SQS) Access Control   Amazon SQS has its
own resource-based permissions system that uses policies written in the same language used
for AWS Identity and Access Management (IAM) policies. This means that you can achieve
the same things with Amazon SQS policies that you can with IAM policies, such as using
variables.

Amazon Simple Queue Service (Amazon SQS) Dead Letter Queues  Amazon SQS
provides support for dead letter queues. A dead letter queue is a queue that other (source)
queues can target to send messages that for some reason could not be successfully
processed. A primary benefit of using a dead letter queue is the ability to sideline and isolate
the unsuccessfully processed messages. You can then analyze any messages sent to the dead
letter queue to try to determine the cause of failure.

Amazon Simple Queue Service (Amazon SQS) Delay Queues   Delay queues allow you
to postpone the delivery of new messages in a queue for a specific number of seconds. If you
create a delay queue, any message that you send to that queue will be invisible to consumers
for the duration of the delay period. To create a delay queue, use CreateQueue and set the
DelaySeconds attribute to any value between 0 and 900 seconds (15 minutes). You can also
turn an existing queue into a delay queue by using SetQueueAttributes to set the queue’s
DelaySeconds attribute. The default value for DelaySeconds is 0.

Amazon Simple Queue Service (Amazon SQS) Long Polling   When your application
queries the Amazon SQS queue for messages, it calls the function ReceiveMessage.
Historically, developers would design their systems to poll the queue as frequently as
possible to ensure that messages were not building up in the queue. However, because of
the way Amazon SQS is billed, polling in tight loops can be expensive and burn through
CPU cycles. In November 2012, AWS enabled long polling, which allows your Amazon
Elastic Compute Cloud (Amazon EC2) instances to poll the queue and, if nothing is
there, Amazon EC2 waits for an amount of time you specify (between 1 and 20 seconds).
If a message arrives in that time, it is delivered to your Amazon EC2 instance as
soon as possible. If a message does not arrive in that time, you need to execute the
ReceiveMessage function again.

Amazon Simple Queue Service (Amazon SQS) Message Attributes  Amazon SQS
provides support for message attributes. Message attributes allow you to provide
structured metadata items (such as timestamps, geospatial data, signatures, and
identifiers) about the message. Message attributes are optional and separate from, but
sent along with, the message body. The receiver of the message can use this information
to help decide how to handle the message without having to process the message body
first. Each message can have up to ten attributes. To specify message attributes, you can
use the AWS Management Console, AWS Software Development Kits (SDKs), or query
Application Program Interface (API).

Amazon Simple Queue Service (Amazon SQS) Message Identifiers  Amazon SQS
assigns each message a unique ID that it returns to you in the SendMessage response. This
identifier is useful for identifying messages, but note that to delete a message, you need the
message’s receipt handle instead of the message ID. The maximum length of a message ID is
100 characters.

Amazon Simple Queue Service (Amazon SQS) Metadata   Amazon SQS supports
message metadata and allows you to send up to ten attributes on each message. With message
attributes, you can separate the body of a message from the metadata that describes it.
This allows you to route, process, and store information with greater speed and intelligence
because your applications no longer have to inspect an entire message before
understanding what processing steps are necessary. Amazon SQS message attributes take the form of
name-type-value triples. Types supported include string, binary, and number (including
integers, floating point numbers, and doubles).

Amazon Simple Queue Service (Amazon SQS) Queue   Amazon SQS uses three
identifiers that you need to be familiar with: queue URLs, message IDs, and receipt handles. When
creating a new queue, you must provide a queue name that is unique within the scope of all
your queues. This single namespace includes queues that you create using both the latest
WSDL and a previous version. Amazon SQS assigns each queue that you create an identifier
called a queue URL, which includes the queue name and other components that Amazon
SQS determines. Whenever you want to perform an action on a queue, you must provide its
queue URL.

Amazon Simple Queue Service (Amazon SQS) Queue Operations   The defined
operations for Amazon SQS queues are CreateQueue, ListQueues, DeleteQueue, SendMessage,
SendMessageBatch, ReceiveMessage, DeleteMessage, DeleteMessageBatch, PurgeQueue,
ChangeMessageVisibility, ChangeMessageVisibilityBatch, SetQueueAttributes,
GetQueueAttributes, GetQueueUrl, AddPermission, and RemovePermission. Only the AWS
account owner or an AWS account that the account owner has delegated permissions to can
perform operations.

Amazon Simple Queue Service (Amazon SQS) Unique IDs   Your messages are
identified via a globally unique ID that Amazon SQS returns when the message is delivered to the
queue. The ID isn’t required in order to perform any further actions on the message, but it’s
useful for tracking whether a particular message in the queue has been received. When you
receive a message from the queue, the response includes a receipt handle, which you must
provide when deleting the message.
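
The Amazon SQS entries above describe several behaviours that are easy to misremember: a delay queue hides new messages for DelaySeconds (0 to 900), a long poll waits up to 20 seconds for something to arrive, each message carries at most ten name-type-value attributes, and a message is deleted with the receipt handle from the receive, not with the message ID from the send. The following is an added example, not code from the glossary or from AWS: a constructed in-memory model of exactly those semantics with a simulated clock, so the delay and polling can be exercised offline in an instant. Class and method names (LocalQueue, SimClock, demo) are this example's own; the order message and its attributes are constructed sample data.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: constructed in-memory model of the Amazon SQS behaviour the
# glossary describes. Not the service or the boto3 client; the clock is
# simulated so delays and long polling complete instantly and offline.

MAX_MESSAGE_ATTRIBUTES = 10      # up to ten attributes per message
ATTRIBUTE_TYPES = {"String", "Number", "Binary"}
MAX_DELAY_SECONDS = 900          # DelaySeconds: 0..900 (15 minutes)
MAX_WAIT_TIME_SECONDS = 20       # long polling waits 1..20 s; 0 is a short poll

class SimClock:
    """Simulated clock: sleep() only advances the time."""
    def __init__(self) -> None:
        self.t = 0.0
    def now(self) -> float:
        return self.t
    def sleep(self, seconds: float) -> None:
        self.t += seconds

@dataclass
class Message:
    message_id: str                             # from the SendMessage response
    body: str
    attributes: Dict[str, Tuple[str, object]]  # name -> (type, value) triples
    visible_at: float                           # hidden until this instant
    receipt_handle: Optional[str] = None        # issued on each receive

class LocalQueue:
    def __init__(self, delay_seconds: int = 0, visibility_timeout: int = 30,
                 clock: Optional[SimClock] = None) -> None:
        self.clock = clock or SimClock()
        self.visibility_timeout = visibility_timeout
        self.set_delay_seconds(delay_seconds)   # CreateQueue with DelaySeconds
        self._messages: List[Message] = []
        self._in_flight: Dict[str, Message] = {}  # receipt handle -> message

    def set_delay_seconds(self, seconds: int) -> None:
        """Counterpart of SetQueueAttributes(DelaySeconds)."""
        if not 0 <= seconds <= MAX_DELAY_SECONDS:
            raise ValueError(f"DelaySeconds must be 0..{MAX_DELAY_SECONDS}, got {seconds}")
        self.delay_seconds = seconds

    def send_message(self, body: str,
                     attributes: Optional[Dict[str, Tuple[str, object]]] = None) -> str:
        attrs = dict(attributes or {})
        if len(attrs) > MAX_MESSAGE_ATTRIBUTES:
            raise ValueError("a message may carry at most ten attributes")
        for name, (kind, _value) in attrs.items():
            if kind not in ATTRIBUTE_TYPES:
                raise ValueError(f"attribute {name!r} has unsupported type {kind!r}")
        msg = Message(uuid.uuid4().hex, body, attrs, self.clock.now() + self.delay_seconds)
        self._messages.append(msg)
        return msg.message_id

    def receive_message(self, wait_time_seconds: int = 0) -> Optional[Message]:
        """One visible message, or None if nothing becomes visible in time.
        The message gets a fresh receipt handle and is hidden for visibility_timeout."""
        if not 0 <= wait_time_seconds <= MAX_WAIT_TIME_SECONDS:
            raise ValueError(f"WaitTimeSeconds must be 0..{MAX_WAIT_TIME_SECONDS}")
        deadline = self.clock.now() + wait_time_seconds
        while True:
            now = self.clock.now()
            for msg in self._messages:
                if msg.visible_at <= now:
                    msg.visible_at = now + self.visibility_timeout
                    msg.receipt_handle = uuid.uuid4().hex
                    self._in_flight[msg.receipt_handle] = msg
                    return msg
            if now >= deadline:
                return None
            self.clock.sleep(min(1.0, deadline - now))

    def delete_message(self, receipt_handle: str) -> None:
        """Delete by receipt handle; a message ID is deliberately not accepted."""
        msg = self._in_flight.pop(receipt_handle, None)
        if msg is None:
            raise KeyError("unknown receipt handle")
        if msg in self._messages:
            self._messages.remove(msg)

    def approximate_count(self) -> int:
        return len(self._messages)

def demo() -> Dict[str, object]:
    """A 60-second delay queue exercised with a constructed order message."""
    clock = SimClock()
    queue = LocalQueue(delay_seconds=60, clock=clock)
    message_id = queue.send_message(
        "order-42", {"region": ("String", "eu-west-1"), "priority": ("Number", 1)})
    early = queue.receive_message(wait_time_seconds=20)  # still delayed -> None
    clock.sleep(40)                                       # t = 60 s: now visible
    msg = queue.receive_message()
    try:
        queue.delete_message(message_id)                  # ID is the wrong token
        deleted_by_id = True
    except KeyError:
        deleted_by_id = False
    queue.delete_message(msg.receipt_handle)
    return {"early": early, "same_id": msg.message_id == message_id,
            "deleted_by_id": deleted_by_id, "remaining": queue.approximate_count()}
```

The walkthrough in demo() shows the two points practitioners most often trip over: a 20-second long poll issued immediately after the send returns nothing because the 60-second delay has not elapsed, and the later delete succeeds only with the receipt handle, never with the message ID.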

Amazon Simple Storage Service (Amazon S3)   Storage for the Internet. You can use it to
store and retrieve any amount of data, at any time, from anywhere on the web.

Amazon Simple Workflow Service (Amazon SWF)   A fully managed service that helps
developers build, run, and scale background jobs that have parallel or sequential steps.
Amazon SWF is like a state tracker and task coordinator in the cloud.

Amazon Simple Workflow Service (Amazon SWF) Actors   SWF consists of a number of
different types of programmatic features known as actors. Actors can be workflow
starters, deciders, or activity workers. These actors communicate with Amazon SWF through its
API. You can develop actors in any programming language.

Amazon Simple Workflow Service (Amazon SWF) Long Polling   Deciders and activity
workers communicate with Amazon SWF using long polling. The decider or activity worker
periodically initiates communication with Amazon SWF, notifying Amazon SWF of its
availability to accept a task, and then specifies a task list to get tasks from. Long polling
works well for high-volume task processing. Deciders and activity workers can manage
their own capacity, and long polling is easy to use when the deciders and activity workers
are behind a firewall.

Amazon Simple Workflow Service (Amazon SWF) Object Identifiers  Amazon SWF
objects are uniquely identified by workflow type, activity type, decision and activity tasks,
and workflow execution.

Amazon Simple Workflow Service (Amazon SWF) Task Lists   Task lists provide a way
of organizing the various tasks associated with a workflow. You could think of task lists
as similar to dynamic queues. When a task is scheduled in Amazon SWF, you can specify
a queue (task list) to put it in. Similarly, when you poll Amazon SWF for a task, you say
which queue (task list) to get the task from.

Amazon Simple Workflow Service (Amazon SWF) Tasks   Amazon SWF provides
activity workers and deciders with work assignments, given as one of three types of tasks:
activity tasks, AWS Lambda tasks, and decision tasks. An activity task tells an activity
worker to perform its function, such as to check inventory or charge a credit card. The
activity task contains all of the information that the activity worker needs to perform its
function.

Amazon Simple Workflow Service (Amazon SWF) Workflows   Using Amazon SWF, you
can implement distributed, asynchronous applications as workflows. Workflows coordinate
and manage the execution of activities that can be run asynchronously across multiple
computing devices and that can feature both sequential and parallel processing.

Amazon Virtual Private Cloud (Amazon VPC)   A web service for provisioning a logically
isolated section of the AWS cloud where you can launch AWS resources in a virtual network
that you define. You control your virtual networking environment, including selection
of your own IP address range, creation of subnets, and configuration of route tables and
network gateways.

Application Programming Interface (API)   A secure, REST-based interface for
controlling AWS Cloud services. This is the lowest level of control over the services.
While code can be written to access the API directly, it is more commonly accessed
through the AWS Software Development Kits (SDKs) or other tools such as the CLI or
AWS Management Console.

Application Version   A specific, labeled iteration of an application in AWS Elastic
Beanstalk that represents a functionally consistent set of deployable application code. A
version points to an Amazon Simple Storage Service (Amazon S3) object (for example, a
Java WAR file) that contains the application code.

Archive   Data in Amazon Glacier is stored in archives, identified by a unique archive ID.
Archives typically contain TAR (Tape Archive) or ZIP files.

Asymmetric Key Algorithm   Any cryptographic system that uses pairs of keys: public keys
that may be disseminated widely paired with private keys that are known only to the owner.

Authentication   The process of proving your identity to a system.

Authorization   The mechanism for assigning privileges to a properly authenticated
principal.

Auto Discovery   Clients connecting to Amazon ElastiCache clusters running Memcached
can use Auto Discovery to identify automatically all of the nodes in a cache cluster as the
cluster is resized or nodes are replaced.

Auto Scaling   A web service designed to launch or terminate instances automatically
based on user-defined policies, schedules, and health checks.

Auto Scaling Group   An Auto Scaling group helps you maintain application availability
and allows you to scale your Amazon EC2 capacity up or down automatically according to
conditions you define.

Availability   The probability that a system will work as required over some time period,
usually specified as some number of nines.

Availability Zone   A distinct location within a region that is insulated from failures in
other Availability Zones and provides inexpensive, low-latency network connectivity to other
Availability Zones in the same region.

AWS Application Programming Interface (API)   A secure, REST-based interface for
controlling AWS Cloud services. This is the lowest level of control over the services,
and while code can be written to access this API directly, it is more commonly accessed
through the AWS Software Development Kits (SDKs) or other tools such as the CLI or AWS
Management Console.

AWS Certificate Manager (ACM)   A web service for provisioning, managing, and
deploying Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use
with AWS services.

AWS CloudFormation   A service for writing or changing templates that provisions related
AWS resources together as a unit.

AWS CloudFormation Stack   A collection of AWS resources you create and delete as a
single unit.

AWS CloudFormation Template   JavaScript Object Notation (JSON)-formatted text files
that describe the resources to provision in AWS CloudFormation stacks.

AWS CloudTrail   A web service that records AWS API calls for your account and delivers
log files to you. The recorded information includes the identity of the API caller, the time
of the API call, the source IP address of the API caller, the request parameters, and the
response elements returned by the AWS service.

AWS Command-Line Interface (CLI)   A unified downloadable and configurable tool for
managing AWS Cloud services. Users can control multiple AWS Cloud services from the
command line and automate them through scripts.

AWS Config   A fully managed service that provides an AWS resource inventory,
configuration history, and configuration change notifications for better security and governance.
You can create rules that automatically check the configuration of AWS resources that AWS
Config records.

AWS Config Rule   Represents the desired configuration settings for specific AWS resources
or for an entire AWS account.

AWS Direct Connect   A web service that simplifies establishing a dedicated network
connection from your premises to AWS. Using AWS Direct Connect, you can establish
private connectivity between AWS and your data center, office, or colocation environment.

AWS Directory Service   A managed service for connecting your AWS resources to an
existing on-premises Microsoft Active Directory or to set up and operate a new, standalone
directory on the AWS Cloud.

AWS Elastic Beanstalk   A web service for deploying and managing applications on the
AWS Cloud without worrying about the infrastructure that runs those applications.

AWS Elastic Beanstalk Application   A logical collection of AWS Elastic Beanstalk
components, including environments, versions, and environment configurations. An application
is conceptually similar to a folder.

AWS Identity and Access Management (IAM)   A web service that enables AWS
customers to manage users and user permissions within AWS.

AWS Identity and Access Management (IAM) Group   A collection of IAM users. You
can use IAM groups to simplify specifying and managing permissions for multiple users.

AWS Identity and Access Management (IAM) Role   A tool for giving temporary access to
AWS resources in your AWS account.

AWS Identity and Access Management (IAM) User   A person or application under
an account that needs to make API calls to AWS products. Each user has a unique name
within the AWS account and a set of security credentials not shared with other users. These
credentials are separate from the AWS account’s security credentials. Each user is associated
with one and only one AWS account.

AWS Key Management Service (KMS)   A managed service that simplifies the creation
and control of encryption keys that are used to encrypt data.

AWS Lambda   A serverless compute service that runs code in response to events and
automatically manages the underlying compute resources.

AWS Management Console   A graphical interface used to manage compute, storage, and
other cloud resources.

AWS OpsWorks App   Represents code to run on an application server. It contains the
information required to deploy the code to the appropriate application server instances.

AWS OpsWorks Layer   Represents an AWS OpsWorks stack component, such as a load
balancer or a set of application servers. Every stack contains one or more layers.

AWS OpsWorks Stack   A set of resources you manage collectively, typically because they
have a common purpose such as serving PHP applications. A stack serves as a container and
handles tasks that apply to the group of instances as a whole, such as managing applications
and cookbooks.

AWS Security Token Service (STS)   A web service for requesting temporary, limited-
privilege credentials for IAM users or for users that you authenticate (federated users).

AWS Storage Gateway   A web service that connects an on-premises software appliance
with cloud-based storage to provide seamless and secure integration between an
organization’s on-premises IT environment and AWS storage infrastructure.

AWS Web Application Firewall (WAF)   A web application firewall service that controls
access to content by allowing or blocking web requests based on criteria that you specify,
such as header values or the IP addresses that the requests originate from. AWS WAF helps
protect web applications from common web exploits that could affect application availability,
compromise security, or consume excessive resources.

B
Basic Monitoring   Amazon CloudWatch-provided monitoring of AWS-provided metrics
derived at a five-minute frequency.

Block Device   A storage device that supports reading and (optionally) writing data in
fixed-size blocks, sectors, or clusters.

Block Storage   A storage device that supports reading and (optionally) writing data in
fixed-size blocks, sectors, or clusters.

Bootstrap   A user-specified script that runs on an Amazon Elastic Compute Cloud
(Amazon EC2) instance once when the instance is launched.

Bootstrapping   Providing a script that is executed when the instance is created to
configure the instance.

Bring Your Own License (BYOL)   Amazon RDS supports BYOL deployments for Oracle
and SQL Server.

Bucket   A container for objects stored in Amazon Simple Storage Service (Amazon S3).
Every object is contained in a bucket. For example, if the object photos/puppy.jpg is stored
in the johnsmith bucket, authorized users can access the object with the URL http://
johnsmith.s3.amazonaws.com/photos/puppy.jpg.

C
Cache   Replica or copy of frequently-used data often stored in-memory to provide fast
access. Using a cache allows you to offload read requests from a primary database, for
example.

Cache Behaviors   Configures functionality for files matching a specified URL path
pattern, including the origin used for those files.

Cache Cluster   A logical cache distributed over multiple cache nodes. A cache cluster can
be set up with a specific number of cache nodes.

Cache Node   A fixed-size chunk of secure, network-attached RAM. Each cache node
runs an instance of the Memcached service and has its own Domain Name System (DNS)
name and port. Multiple types of cache nodes are supported, each with varying amounts of
associated memory.

Cache Security Group   A group maintained by Amazon ElastiCache that combines
ingress authorizations to cache nodes for hosts belonging to Amazon Elastic Compute
Cloud (Amazon EC2) security groups specified through the console or the Application
Program Interface (API) or command-line tools.

Canonical Name Record (CNAME)   A type of resource record in the DNS that specifies
that the domain name is an alias of another, canonical domain name. More simply, it is an
entry in a DNS table that lets you alias one fully qualified domain name to another.

Change Set   A summary of proposed changes to the running resources in an AWS
CloudFormation stack.

Classless Inter Domain Routing (CIDR)   An Internet protocol address allocation and
route aggregation methodology.

Client-Side Encryption   The user encrypts objects before uploading them to Amazon
Simple Storage Service (Amazon S3).

Cloud-init   An open source application built by Canonical that is used to bootstrap Linux
images in a cloud computing environment.

CloudWatch Logs agent   The CloudWatch Logs agent provides an automated way to
send log data to CloudWatch Logs for Amazon EC2 instances running Amazon Linux or
Ubuntu.

Cluster (Amazon Redshift)   A cluster is the key building block of Amazon Redshift, and
it is composed of a leader node and one or more compute nodes. Amazon Redshift supports
different node types to meet your storage and compute needs.

Condition (in a Policy)   An optional parameter in a permission that defines additional
constraints such as the source IP address or a specific time/date range.

Config Configuration Item   A point-in-time view of the various attributes of a supported
AWS resource that exists in an account.

Configuration History   A collection of the AWS Config configuration items for a given
resource over any time period.

Configuration Recorder   Stores the configurations of the supported resources in an
account as AWS Config configuration items.

Configuration Snapshot   A collection of the AWS Config configuration items for the
supported resources that exist in your account.

Connection Draining   Connection Draining ensures that the load balancer stops sending
requests to instances that are deregistering or unhealthy, while keeping the existing
connections open. This enables Elastic Load Balancing to complete in-flight requests made to
instances that are deregistering or unhealthy.

Content Delivery Network (CDN)   A globally distributed network of caching servers that
speed up the downloading of web pages and other web content.

Cooldown Period   The Auto Scaling cooldown period is a configurable setting for your
Auto Scaling group that helps to ensure that Auto Scaling doesn’t launch or terminate
additional instances before the previous scaling activity takes effect.

Credentials   Also called access credentials or security credentials. In authentication and
authorization, a system uses credentials to identify who is making a call and whether to
allow the requested access. In AWS, these credentials are typically the Access Key ID (AKI)
and the Secret Access Key (SAK).

Cross-Region Replication   Enables automatic, asynchronous copying of new Amazon
Simple Storage Service (Amazon S3) objects from a source bucket in one region to a target
bucket in a different AWS region.

Cross-Zone Load Balancing   Cross-zone load balancing distributes incoming requests
evenly across all back-end instances in its enabled Availability Zones. Cross-zone load
balancing reduces the need to maintain equivalent numbers of back-end Amazon EC2
instances in each enabled Availability Zone and improves your application’s ability to
handle the loss of one or more back-end Amazon EC2 instances.

Cryptographic Keys   A piece of information that determines the functional output of a
cryptographic algorithm.

Cryptosystem   A suite of cryptographic algorithms needed to implement a particular
security service, most commonly for achieving confidentiality.

Customer Gateway (CGW)   A router or software application on the customer side of a
VPN tunnel that is managed by Amazon VPC.

Customer Master Key (CMK)   The fundamental resources that AWS Key Management
Service (AWS KMS) manages. CMKs can be either customer-managed keys or AWS-
managed keys. They can be used inside of AWS KMS to encrypt or decrypt up to 4KB of
data directly. They can also be used to encrypt generated data keys that are then used to
encrypt or decrypt larger amounts of data outside of the service.

D
Data Key   A key used to encrypt large data objects within your own application, outside
AWS Key Management Service (AWS KMS).

Data Security Standard (DSS)   A worldwide information security standard assembled
and managed by the Payment Card Industry (PCI) Security Standards Council.

Data Warehouse   A central repository for data that can come from one or more sources.
Often a specialized type of relational database that can be used for reporting and analysis.

DB Instance   An isolated Amazon RDS database environment running in the cloud. A DB
Instance can contain multiple user-created databases.

DB Option Group   Used to configure additional features and database settings that apply
to one or more DB Instances.

DB Parameter Group   A container for database engine parameter values that apply to one
or more DB Instances.

DB Security Group   A method that controls access to the DB Instance. By default, network
access is turned off to DB Instances. After ingress is configured for a security group, the
same rules apply to all DB Instances associated with that group.

DB Snapshot   An automated or user-initiated point backup of a DB Instance. Can be used
to recover to a new DB Instance.

DB Subnet Group   A collection of Amazon Virtual Private Cloud (Amazon VPC) subnets
(typically private) designated for your DB Instances.

Defense in Depth   An information assurance concept in which multiple layers of security
controls are placed throughout an information technology system.

Detailed Monitoring   Amazon CloudWatch-provided monitoring of AWS-provided
metrics derived at a one-minute frequency.

Distribution   A link between an origin server (such as an Amazon Simple Storage
Service [Amazon S3] bucket) and a domain name, which Amazon CloudFront automatically
assigns. Through this link, Amazon CloudFront identifies the object you have stored in
your origin server.

Distribution Strategy   When creating a table, you can choose between one of three
distribution styles—EVEN, KEY, or ALL—which affect how data is distributed across the
compute nodes.

Domain Name   A domain name is the human-friendly name that we are used to
associating with an Internet resource. For instance, amazon.com is a domain name. Some people say
that the amazon portion is the domain, but you can generally refer to the combined form as
the domain name.

Domain Name Registrar   An organization or commercial entity that manages the
reservation of Internet domain names.

Domain Name System (DNS)   A distributed naming system that associates network information with human-readable domain names on the Internet.

Domain Name System (DNS) Service   Amazon Route 53 is an authoritative DNS service that routes Internet traffic to your website by translating human-friendly domain names into IP addresses. When someone enters your domain name in a browser or sends you an email, a DNS request is forwarded to the nearest Amazon Route 53 DNS server in a global network of authoritative DNS servers. Amazon Route 53 responds with the IP address that the person specified.

Domain Registration   Amazon Route 53 supports domain registration for a wide variety of generic TLDs (such as .com, .org) and geographic TLDs (for example, .be and .us). For a complete list of supported TLDs, refer to the Amazon Route 53 documentation.

Durability   The probability that data will remain intact over some defined time period, usually specified as some number of nines.

Dynamic Host Configuration Protocol (DHCP) Option Set   A set of configuration parameters associated with an Amazon VPC that permit assignment of Domain Name System (DNS) server names, domain names, Network Time Protocol (NTP) servers, NetBIOS name servers, and NetBIOS node type.

E
E Ink Display   Digital display technology, used by the Amazon Kindle, that displays an image very close in appearance to paper.

Edge Locations   A global network of sites that Amazon CloudFront uses to cache copies of your content for faster delivery to users at any location.

Effect (in a Policy)   Defines whether a permission in a policy will Allow or Deny the specified actions.

Elastic IP   A fixed (static) IP address that you have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with your account, not with a specific instance. They are elastic because you can easily allocate, attach, detach, and free them as your needs change. Unlike traditional static IP addresses, elastic IP addresses allow you to mask instance or Availability Zone failures by rapidly remapping your public IP addresses to another instance.

Elastic IP (EIP) Address   A fixed (static) IP address that can be associated with an Amazon EC2 instance or other AWS resources.

Elastic Load Balancing   A web service that improves an application’s availability by distributing incoming traffic between multiple Amazon EC2 instances.

Elastic Load Balancing Load Balancer   An instance of a highly available virtual load balancer created by the Elastic Load Balancing service.

Elastic Network Interface (ENI)   A virtual network interface that can be attached to an instance in an Amazon VPC.

Elasticity   The ability to scale computing resources up and down with minimal friction. One of the fundamental properties of cloud computing.

Encryption   The process of using a mathematical algorithm to make data unintelligible to unauthorized users while allowing authorized users a method (such as a key or password) to convert the altered data back to its original state.

Encryption Context   A set of key/value pairs that you can pass to AWS Key Management Service (AWS KMS) when you call the Encrypt, Decrypt, ReEncrypt, GenerateDataKey, and GenerateDataKeyWithoutPlaintext APIs.

Endpoint   Enables a private connection between your Amazon VPC and another AWS service, like Amazon S3, without requiring access over the Internet or through a NAT instance or NAT gateway, VPN connection, or AWS Direct Connect.

Enhanced Networking   An Amazon EC2 feature that provides higher performance (Packets Per Second [PPS]), lower latency, and lower jitter through the use of Single Root I/O Virtualization (SR-IOV).

Envelope Encryption   A cryptographic scheme where one cryptographic key, Key1, which is typically used to encrypt data, is subsequently encrypted with a second key, Key2. In order to decrypt the data, one must decrypt Key1 by providing Key2 to an algorithm running in decryption mode.

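As an added illustration of the Encryption Context and Envelope Encryption entries (this is example code written for this glossary, not code from the book or from AWS), the following Python models envelope encryption with an encryption context. The ToyKms class stands in for AWS KMS and its GenerateDataKey and Decrypt calls; the names ToyKms, seal, unseal and the toy-cmk- key identifiers are constructed for the example, and the HMAC-based cipher is a standard-library stand-in for the AES-GCM that real implementations use.

```python
"""Envelope encryption with an encryption context, modelled on the AWS KMS flow.

Added example, not code from the book or from AWS. A master key (Key2) lives
only inside the key service; each object gets its own data key (Key1), which
encrypts the payload and is then itself encrypted ("wrapped") under Key2. The
encryption context is bound to the wrapped key as additional authenticated data:
it is not secret, but unwrapping fails unless the same context is presented again.

The cipher here is a stand-in built from HMAC-SHA256 (keystream plus an
encrypt-then-MAC tag) so the file runs on the standard library alone; real
deployments use AES-GCM from a vetted library, or AWS KMS itself.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def canonical_context(context: dict[str, str]) -> bytes:
    # Sorted, so the order in which pairs were supplied never changes the AAD bytes.
    return "&".join(f"{k}={context[k]}" for k in sorted(context)).encode("utf-8")


@dataclass(frozen=True)
class Sealed:
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> Sealed:
    """Encrypt-then-MAC: the tag covers nonce, AAD and ciphertext."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + aad + ciphertext, hashlib.sha256).digest()
    return Sealed(nonce, ciphertext, tag)


def unseal(key: bytes, sealed: Sealed, aad: bytes = b"") -> bytes:
    """Check the tag before touching the ciphertext; any mismatch is rejected."""
    mac_key = _subkey(key, b"mac")
    expected = hmac.new(mac_key, sealed.nonce + aad + sealed.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sealed.tag):
        raise ValueError("authentication failed: wrong key, altered data, or context mismatch")
    stream = _keystream(_subkey(key, b"enc"), sealed.nonce, len(sealed.ciphertext))
    return bytes(c ^ s for c, s in zip(sealed.ciphertext, stream))


class ToyKms:
    """Stands in for AWS KMS: master keys (Key2) are created here and never leave."""

    def __init__(self) -> None:
        self._masters: dict[str, bytes] = {}

    def create_key(self) -> str:
        key_id = "toy-cmk-" + secrets.token_hex(4)  # constructed identifier, not a KMS key ID
        self._masters[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str, context: dict[str, str]) -> tuple[bytes, Sealed]:
        """Like KMS GenerateDataKey: plaintext Key1 plus Key1 wrapped under Key2."""
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._masters[key_id], data_key, canonical_context(context))

    def decrypt_data_key(self, key_id: str, wrapped: Sealed, context: dict[str, str]) -> bytes:
        """Like KMS Decrypt: unwrap Key1; succeeds only with the original context."""
        return unseal(self._masters[key_id], wrapped, canonical_context(context))


def encrypt_object(kms: ToyKms, key_id: str, plaintext: bytes, context: dict[str, str]) -> dict:
    data_key, wrapped = kms.generate_data_key(key_id, context)
    body = seal(data_key, plaintext)
    del data_key  # only the wrapped copy is kept next to the ciphertext
    return {"wrapped_key": wrapped, "body": body}


def decrypt_object(kms: ToyKms, key_id: str, envelope: dict, context: dict[str, str]) -> bytes:
    data_key = kms.decrypt_data_key(key_id, envelope["wrapped_key"], context)
    return unseal(data_key, envelope["body"])
```

The point to notice is that the stored envelope holds only the wrapped Key1 and the ciphertext: a copy of the envelope is useless without a call to the key service, and that call only succeeds when the same encryption context is supplied, which is why the context makes a useful audit and access-control hook even though it is not secret.
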
Environment   A specific running instance of an AWS Elastic Beanstalk application. The application has a CNAME and includes an application version and a customizable configuration (which is inherited from the default container type).

Environment Configuration   A collection of parameters and settings that define how an AWS Elastic Beanstalk environment and its associated resources behave.

Ephemeral Storage   See instance store.

Event Notification   Messages that can be sent through Amazon Simple Notification Service (Amazon SNS) or Amazon Simple Queue Service (Amazon SQS) or directly to AWS Lambda in response to actions in Amazon Simple Storage Service (Amazon S3) like object PUTs, POSTs, COPYs, or DELETEs.

Eventual Consistency   The method through which AWS products achieve high availability, which involves replicating data across multiple servers in Amazon’s data centers. When data is written or updated and “Success” is returned, all copies of the data are updated. However, it takes time for the data to propagate to all storage locations. The data will eventually be consistent, but an immediate read might not show the change. Consistency is usually reached within seconds, but a high system load might increase this time.

Extract, Transform, Load (ETL)   Descriptive term for a common batch database process that pulls data from a data source, transforms it, and pushes it to a new data source.

F
Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS 140-2)   A US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information.

Federal Information Security Management Act (FISMA)   Requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Federal Risk and Authorization Management Program (FedRAMP)   A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is mandatory for federal agency cloud deployments and service models at the low and moderate risk impact levels.

Federated Identity Management   Allows individuals to sign in to different networks or services, using the same group or personal credentials to access data across all networks. With identity federation in AWS, external identities (federated users) are granted secure access to resources in an AWS account without having to create AWS Identity and Access Management (IAM) users. These external identities can come from a corporate identity store (such as Lightweight Directory Access Protocol [LDAP] or Windows Active Directory) or from a third party (such as Login with Amazon, Facebook, or Google). AWS federation also supports Security Assertion Markup Language (SAML) 2.0.

Federation   Allows individuals to sign in to different networks or services using the same group or personal credentials to access data across all networks. With identity federation in AWS, external identities (federated users) are granted secure access to resources in an AWS account without having to create IAM users. These external identities can come from a corporate identity store (such as LDAP or Windows Active Directory) or from a third party (such as Login with Amazon, Facebook, or Google). AWS federation also supports SAML 2.0.

File Storage   Manages data at the operating system or Network Attached Storage (NAS) level as a hierarchy of files and folders.

Flexible Single Master Operation Roles (FSMO)   A specialized Domain Controller (DC) set of tasks that are used where standard data transfer and update methods are inadequate.

Fully Qualified Domain Name (FQDN)   An FQDN is also called an absolute domain name. Domains can be given relative to one another, and so they can be somewhat ambiguous. An FQDN is an absolute name that specifies its location in relation to the absolute root of the DNS.

G
Gateway-Cached Volume   A configuration of AWS Storage Gateway that copies all data to Amazon Simple Storage Service (Amazon S3) while keeping frequently accessed data cached locally on the iSCSI-exposed on-premises storage appliance.

Gateway-Stored Volume   A configuration of AWS Storage Gateway that keeps all data on the iSCSI-exposed on-premises storage appliance, while asynchronously copying all data to Amazon Simple Storage Service (Amazon S3).

Geo-Location   A capability of a Domain Name System (DNS) to resolve an IP address to a geographic location, such as a country or city.

Global Secondary Index   Optional index with a partition and sort key that can be different from those on the table.

Group Policy   A policy written in the scope of a single group and applied to members of that group only. Group policies have a one-to-one relationship with a group and cannot be applied to other groups.

H
Hadoop Distributed File System (HDFS)   Highly resilient data storage technology underlying a Hadoop cluster. Through the use of replication, it is designed to withstand the loss of entire nodes without losing data.

Hardware Security Module (HSM)   A physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.

Hash-Based Message Authentication Code (HMAC)   A specific construction for calculating a message authentication code involving a cryptographic hash function in combination with a secret key. You can use it to verify the data integrity and the authenticity of a message at the same time. AWS calculates the HMAC using a standard cryptographic hash algorithm, such as SHA-256.

Health Check (Elastic Load Balancing)   A health check is a test to discover the availability of your Amazon EC2 instances. Elastic Load Balancing periodically sends pings, attempts connections, or sends requests to test the Amazon EC2 instances. The status of the instances that are healthy at the time of the health check is InService. The status of any instances that are unhealthy at the time of the health check is OutOfService. The load balancer performs health checks on all registered instances, whether the instance is in a healthy state or an unhealthy state.

Health Check (Route 53)   Amazon Route 53 health checks monitor the health of your resources, such as web servers and email servers. You can configure Amazon CloudWatch alarms for your health checks so that you receive notification when a resource becomes unavailable. You can also configure Amazon Route 53 to route Internet traffic away from resources that are unavailable.

Health Insurance Portability and Accountability Act (HIPAA)   Requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. HIPAA’s administrative simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange.

High Availability   The ability of a system to ensure an agreed-upon level of operational performance for a higher-than-normal period.

Horizontal Scaling   Adjusting the capacity of a system by altering the number of underlying resources instead of altering the size of underlying resources.

Host   Within a domain, the domain owner can define individual hosts, which refer to separate computers or services accessible through a domain. For instance, most domain owners make their web servers accessible through the bare domain (example.com) and also through the host definition www (as in www.example.com).

Hosted Zone   A collection of resource record sets hosted by Amazon Route 53. Like a traditional DNS zone file, a hosted zone represents resource record sets that are managed together under a single domain name. Each hosted zone has its own metadata and configuration information.

I
IAM Administrator   An IAM user that has been assigned privileges to manipulate IAM privileges for IAM users, typically through a policy allowing the action iam:*.

IAM Identity Provider   An AWS construct containing metadata that connects an external Identity Provider (IdP) to AWS Services.

IAM Role   A tool for giving temporary access to AWS resources in your AWS account.

Idempotent   An idempotent operation is one that produces the same result whether it is executed once or multiple times, so repeating it has the same effect as completing it no more than one time. To illustrate, for a binary operation, an idempotent element (or simply an “idempotent”) for the operation is a value for which the operation, when given that value for both of its operands, yields that value as the result. For example, the number 1 is an idempotent of multiplication: 1 × 1 = 1.

Identity Provider (IdP)   A trusted external identity service that can be used to authenticate users to other systems. IdPs can be internal, such as Active Directory or LDAP, or external, such as Amazon, Facebook, or Google.

Idle Connection Timeout   Elastic Load Balancing manages an idle timeout for the connection between itself and an Amazon EC2 instance that is triggered when no data is sent over the connection for a specified time period. If no data has been sent or received by the time that the idle timeout period elapses, the load balancer closes the connection.

Instance Metadata   Data about an Amazon EC2 instance that the instance can retrieve to determine things about itself, such as the instance type, the IP address, and so forth.

Instance Store   Disk storage that is physically attached to the host computer for an Amazon EC2 instance and therefore has the same lifespan as the instance. When the instance terminates, you lose any data in the instance store.

Instances   A copy of an AMI running as a virtual server on the AWS Cloud.

Internal Load Balancer   An internal load balancer does not have a publicly resolvable DNS name, so it can only route requests from clients with access to the Virtual Private Cloud (VPC) for the load balancer.

International Organization for Standardization (ISO) 9001   AWS ISO 9001 certification directly supports customers who develop, migrate, and operate their quality-controlled IT systems on the AWS Cloud. Customers can leverage AWS compliance reports as evidence for their own ISO 9001 programs and industry-specific quality programs, such as Good Laboratory, Clinical, or Manufacturing Practices (GxP) in life sciences, ISO 13485 in medical devices, AS9100 in aerospace, and ISO Technical Specification (ISO/TS) 16949 in the automotive industry. AWS customers who don’t have quality system requirements will still benefit from the additional assurance and transparency that an ISO 9001 certification provides.

International Standards for Assurance Engagements No. 3402 (ISAE 3402)   The international standard on assurance engagements. It was put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board within the International Federation of Accountants (IFAC). ISAE 3402 is now the new globally recognized standard for assurance reporting on service organizations.

International Traffic in Arms Regulations (ITAR)   ITAR is a set of US government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML). Government agencies and contractors must comply with ITAR and restrict access to protected data.

Internet Gateway (IGW)   Connects an Amazon VPC network to the Internet.

Internet of Things (IoT)   A network of physical objects—devices, vehicles, buildings, and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data.

Internet Protocol (IP) Address   An IP address is a network addressable location. Each IP address must be unique within its network. For public websites, this network is the entire Internet.

Internet-Facing Load Balancer   An Internet-facing load balancer has a publicly resolvable Domain Name System (DNS) name, so it can route requests from clients over the Internet to the Amazon EC2 instances that are registered with the load balancer.

IOPS   Input/output operations per second. The rate at which blocks can be transferred to or from a storage device.

ISO 27001   ISO/IEC 27001 is an Information Security Management System (ISMS) standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO 27001 can therefore be audited and certified as being compliant with the standard.

K
Keep-Alive   When enabled, keep-alive allows Elastic Load Balancing to reuse connections to your back-end instances, which reduces CPU utilization.

Key   The unique identifier for an object in a bucket. Every object in a bucket has exactly one key. Because a bucket and key together uniquely identify each object, you can think of Amazon Simple Storage Service (Amazon S3) as a basic data map between the bucket, key, and the object itself.

Key Pair   A set of security credentials you use to prove your identity electronically. A key pair consists of a private key and a public key.

Key Rotation   A method used to increase security by changing the AWS access key ID. This method enables you to retire an old key at your discretion. This is recommended behavior for all types of keys (encryption keys, access keys, and so forth).

L
Launch Configuration   A set of descriptive parameters used to create new Amazon EC2 instances in an Auto Scaling activity.

Listener   A listener is a process that checks for connection requests. It is configured with a protocol and a port for front-end (client to load balancer) connections and a protocol and a port for back-end (load balancer to back-end instance) connections.

Local Secondary Index   Optional index with the same partition key attribute as the primary key of the table, but a different sort key. There can only be one local secondary index.

Loosely Coupled   A system in which each component has, or makes use of, little or no knowledge of the definitions of other separate components.

M
Managed Policy   A standalone IAM policy that you can attach to multiple users, groups, and roles in your IAM account. Managed policies can either be AWS-managed policies (which are created and managed by AWS) or customer-managed policies (which you create and manage in your AWS account).

Memcached   An open source, high-performance, distributed memory object caching system. It is an in-memory key/value store for small chunks of arbitrary data.

Metadata   A set of name/value pairs that describe an Amazon S3 object. These include default metadata such as the date last modified and standard HTTP metadata such as Content-Type. Users can also specify custom metadata at the time they store an object.

MFA Delete   Prevents accidental or malicious deletion of sensitive data stored in Amazon S3 by requiring a one-time password from a Multi-Factor Authentication (MFA) device in addition to normal credentials.

Microsoft Active Directory   A directory service that Microsoft developed for Windows domain networks.

Multi-AZ   An architectural pattern to distribute applications across two or more Availability Zones to achieve higher availability, such as with an Elastic Load Balancer or RDS database.

Multi-Factor Authentication (MFA)   An optional AWS account security feature. After you enable MFA, you must provide a six-digit, single-use code in addition to your sign-in credentials whenever you access secure AWS website pages or the AWS Management Console. You get this single-use code from an authentication device that you keep in your physical possession.

Multipart Upload   Allows large files to be uploaded to Amazon Simple Storage Service (Amazon S3) or Amazon Glacier in parts.

N
Name Server   A name server is a computer designated to translate domain names into IP addresses. These servers do most of the work in DNS. Because the total number of domain translations is too much for any one server, each server may redirect requests to other name servers or delegate responsibility for the subset of subdomains for which it is responsible.

National Institute of Standards and Technology (NIST)   Sets detailed security standards as needed by industry or government programs. Compliance with FISMA requires agencies to adhere to NIST standards.

Network Access Control List (ACL)   An optional layer of security that acts as a firewall for controlling traffic in and out of a subnet. You can associate multiple subnets with a single network ACL, but a subnet can be associated with only one network ACL at a time.

Network Address Translation (NAT) Gateway   An AWS-managed service that is configured to perform network address translation in an Amazon VPC, allowing instances in private subnets to initiate Internet-bound traffic without being directly reachable from the Internet.

Network Address Translation (NAT) Instance   An Amazon EC2 instance that is configured to perform network address translation in an Amazon VPC, allowing other instances in private subnets to initiate Internet-bound traffic without being directly reachable from the Internet.

NoSQL Database   NoSQL or non-relational databases like Amazon DynamoDB are flexible key/value or document stores. NoSQL architectures typically spread a table across many partitions to scale horizontally and achieve very high levels of scale and performance.

O
Object   The fundamental entity type stored in Amazon Simple Storage Service (Amazon S3). Objects consist of object data and metadata. The data portion is opaque to Amazon S3.

Object Lifecycle Management   A form of automated storage tiering, where configurable policies automatically migrate objects to the most appropriate Amazon S3 storage class.

Object Storage   Manages data as objects instead of as blocks or files.

On-Demand Instance   An Amazon EC2 pricing option that charges you for compute capacity by the hour with no long-term commitment.

Online Analytical Processing (OLAP)   Refers to the analytical processing typical of data warehouses: reporting on or analyzing large datasets.

Online Transaction Processing (OLTP)   Refers to transaction-oriented applications like data-entry or e-commerce applications that are frequently writing and changing data.

Open System Interconnection (OSI)   The OSI defines a model framework for implementing a standard format for communication, called a protocol, in seven layers. Each layer provides a specific communication function. The control over the communication function is passed from one layer to the next, in sequence.

Origin Access Identity (OAI)   A virtual identity you use when giving your distribution permission to fetch a private object from an Amazon Simple Storage Service (Amazon S3) bucket used as an origin server.

Origin Server   The Amazon Simple Storage Service (Amazon S3) bucket or HTTP server containing the definitive original version of the content you deliver through the Amazon CloudFront Content Delivery Network (CDN).

P
Parallelization   A form of computing in which several computations or workloads are executing during overlapping time periods—concurrently—instead of sequentially.

Password Policy   A password policy gives administrators the ability to define constraints to make passwords more secure. These constraints can include rules such as mandatory characters (uppercase, numbers, special characters, and so on), and automatic expiration periods.

Payment Card Industry (PCI)   The PCI Security Standards Council is an independent council originally formed by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International with the goal of managing the ongoing evolution of the PCI DSS.

Peering   A networking connection between two Amazon VPCs that enables routing traffic between them using private IP addresses.

Persistent Cluster   An Amazon Elastic MapReduce (Amazon EMR) cluster that is left running continuously over a long period of time.

Placement Group   A logical grouping of instances within a single Availability Zone enabling applications to participate in a low-latency, 10 Gbps network.

Policy   A document defining permissions that apply to a user, group, or role; the permissions in turn determine what users can do in AWS. A policy typically allows access to specific actions and can optionally restrict those actions to specific resources, like Amazon EC2 instances, Amazon S3 buckets, and so on. Policies can also explicitly deny access.

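As an added illustration of how the Effect, Action and Resource elements of a policy combine (this is example code written for this glossary, not the book's or AWS's own evaluator), the following Python evaluates a list of policy documents against a requested action and resource, applying the rule that an explicit Deny overrides any Allow. The policy documents, bucket names and ARNs are constructed samples, and the evaluator covers only the core elements named here, not the full IAM evaluation logic.

```python
"""Core IAM-style policy decision: Effect, Action, Resource, and explicit Deny.

Added example, not the book's or AWS's code. Each statement has an Effect
(Allow or Deny), one or more Actions (with "*" and "?" wildcards such as
"s3:Get*") and one or more Resources ("*" or specific identifiers). Any
matching Deny wins; otherwise a matching Allow grants; otherwise the request
is implicitly denied. Real IAM adds Principal, Condition, NotAction/NotResource
and several policy types on top of this core. Policies and ARNs below are
constructed samples.
"""
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    # Policy patterns use * (any run) and ? (one character); nothing else is special.
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    # Action names are matched case-insensitively; resource identifiers (ARNs) are not.
    return (any(_wildcard_match(a, action, True) for a in actions)
            and any(_wildcard_match(r, resource, False) for r in resources))


def evaluate(policies: list, action: str, resource: str) -> str:
    """Returns "Allow", "Deny" (explicit) or "ImplicitDeny" (no statement matched)."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision


# Constructed sample: a broad read-only policy in the style of an AWS-managed
# policy, plus a narrower customer-managed policy that fences off one bucket.
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}
BLOCK_FINANCE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::finance-reports/*"}],
}
ATTACHED = [READ_ONLY, BLOCK_FINANCE]


def decisions() -> dict:
    """Decisions for a few constructed requests against the attached policies."""
    cases = [
        ("s3:GetObject", "arn:aws:s3:::public-site/index.html"),
        ("s3:GetObject", "arn:aws:s3:::finance-reports/q1.pdf"),
        ("s3:PutObject", "arn:aws:s3:::public-site/index.html"),
        ("S3:LISTBUCKET", "arn:aws:s3:::public-site"),
    ]
    return {f"{a} {r}": evaluate(ATTACHED, a, r) for a, r in cases}


if __name__ == "__main__":
    for request, result in decisions().items():
        print(f"{result:13} {request}")
```

Reading the decisions in order shows the three outcomes a reviewer looks for: a wildcard Allow covering a read, an explicit Deny on one bucket overriding that Allow, and a write that no statement mentions falling through to the implicit deny.
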
Prefix and Delimiter   A mechanism to organize and navigate the contents of an Amazon S3 bucket hierarchically, using pseudo-folders delimited by a slash or backslash.

Pre-Signed URL   Allows controlled sharing and content protection by granting time-limited permission to download Amazon Simple Storage Service (Amazon S3) objects.

Proxy Protocol   Proxy Protocol is an Internet protocol used to carry connection information from the source requesting the connection to the destination for which the connection was requested.

Q
Qualified Security Assessor (QSA)   The PCI QSA designation is given by the PCI Security Standards Council to organizations that meet specific qualification requirements and are authorized to perform PCI compliance assessments.

R
Range GET   Allows downloading only a portion of an Amazon Simple Storage Service (Amazon S3) object or Amazon Glacier archive.

Read Replica   An active copy of another DB Instance. Any updates to the data on the source DB Instance are replicated to the read replica DB Instance.

Record Types   Each zone file contains records. In its simplest form, a record is a single mapping between a resource and a name. These can map a domain name to an IP address or define resources for the domain, such as name servers or mail servers. Record types include A (address), AAAA (IPv6 address), Canonical Name (CNAME), Mail Exchange (MX), Name Server (NS), Pointer (PTR), Start of Authority (SOA), Sender Policy Framework (SPF), Service Locator (SRV), and Text (TXT).

Recovery Point Objective (RPO)   The maximum period of data loss that is acceptable in the event of a failure or incident.

Recovery Time Objective (RTO)   The maximum amount of downtime that is permitted to recover from backup and to resume processing.

Redis   An open source, in-memory data structure store used as a database, cache, and message broker.

Redis Replication Group   Create multiple read replicas with Amazon ElastiCache clusters running Redis. Multiple clusters can be joined into a Redis replication group to replicate asynchronously.

Redundancy   The duplication of critical components or functions of a system with the intention of increasing reliability of the system, usually in the form of a backup or fail-safe.

Relational Database   Contains structured data in one or more tables organized into rows and columns of different data types. A relational database allows for a variety of workloads, including complex searches. It is the most common type of database used in organizations today.

Remote Authentication Dial-In User Service (RADIUS)   A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.

Reserved Instance   A pricing option that allows you to reserve Amazon EC2 computing capacity for one or three years, in exchange for a significant discount (up to 75 percent) compared to On-Demand Instance pricing.

Resource (in a Policy)   Defines the specific resources for which the permission in a policy applies. If the permission is intended to apply to all resources within a service, the resource would be *.

REST   A type of HTTP-based request interface that generally uses only the GET or POST HTTP method and a query string with parameters. Sometimes known as Query. In some implementations of a REST interface, other HTTP verbs besides GET and POST are used.

REST (Representational State Transfer) Application Program Interface (API)   A type of HTTP-based request interface that uses any HTTP method (GET, DELETE, POST, and so on), a resource, HTTP headers, and possibly a query string with parameters.

Root User   Authentication information associated with the AWS account owner.

Route Table   A set of routing rules that controls the traffic leaving any subnet that is associated with the route table.

Routing Policy   When you create a resource record set, you choose a routing policy, which determines how Amazon Route 53 responds to queries. Routing policies can be simple, weighted, latency-based, failover, and geolocation.
S
Scaling Policy   A policy used by Auto Scaling that uses CloudWatch alarms to determine when your Auto Scaling group should scale out or scale in. Each CloudWatch alarm watches a single metric and sends messages to Auto Scaling when the metric breaches a threshold that you specify in your policy.

Secret Access Key (SAK)   A key that is used in conjunction with the Access Key ID (AKI) to cryptographically sign programmatic AWS requests. Signing a request identifies the sender and prevents the request from being altered. You can generate SAKs for your AWS account, individual IAM users, and temporary sessions.

Secure Hash Algorithm (SHA)   SHA-1 is an earlier version of the algorithm, which AWS has deprecated in favor of SHA-256.

Secure Sockets Layer (SSL)   A standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and unaltered.

Security Group   A named set of allowed inbound network connections for an instance (security groups in Amazon VPC also include support for outbound connections). Each security group consists of a list of protocols, ports, and IP address ranges. A security group can apply to multiple instances, and multiple groups can regulate a single instance.

Server Name Indication (SNI)   SNI is an extension to the TLS computer networking protocol by which a client indicates which host name it is attempting to connect to at the start of the handshaking process.

Server-Side Encryption (SSE)   The encrypting of data at the server level. Amazon Simple Storage Service (Amazon S3) supports three modes of server-side encryption: SSE-S3, in which Amazon S3 manages the keys; SSE-C, in which the customer manages the keys; and SSE-KMS, in which AWS Key Management Service (AWS KMS) manages the keys.

Service (in a Policy)   The specific service for which a permission applies.

Service Organization Controls 1 (SOC 1)   The SOC 1, Type II report (formerly the SAS 70: Service Organizations report, and also formerly referred to as the Statement on Standards for Attestation Engagements No. 16 [SSAE 16] report) is a widely recognized auditing standard developed by the AICPA. The international standard is referenced as ISAE 3402.

Service Organization Controls 2 (SOC 2)   SOC 2 reports are intended to meet the needs of a broad range of users who need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality, and privacy. These reports are performed using the AICPA guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, and are intended for use by stakeholders (for example, customers, regulators, business partners, suppliers, and directors) of the service organization who have a thorough understanding of the service organization and its internal controls.

Service Organization Controls 3 (SOC 3)   SOC 3 reports are designed to meet the needs
of users who want assurance on the controls at a service organization related to security,
availability, processing integrity, confidentiality, or privacy but do not have the need for or
26  Glossary

the knowledge necessary to make effective use of a SOC 2 report. These reports are pre-
pared using the AICPA/Canadian Institute of Chartered Accountants (CICA) Trust Services
Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Con-
fidentiality, and Privacy. Because they are general-use reports, SOC 3 reports can be freely
distributed or posted on a website as a seal.

Session Token   An additional piece of identifying data that accompanies temporary security
credentials. API calls made with temporary credentials must include not only the two-part
access key (Access Key ID and Secret Access Key), but also the session token that was
issued with them, sent in the X-Amz-Security-Token header (or the equivalent query
parameter) and covered by the request signature.

Shard   The base throughput unit of an Amazon Kinesis stream. One shard provides a
capacity of 1MB/sec data input and 2MB/sec data output. One shard can support up to
1,000 PUT records per second. You will specify the number of shards needed when you
create a stream.

Signature Version 4   Protocol for authenticating inbound API requests to AWS Cloud
services in all AWS regions.
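The Session Token and Signature Version 4 entries above describe the same mechanism from two sides, so the following added example (not AWS SDK code and not from the original page) implements a minimal SigV4 signer for a request with no query string and checks it against the GET Object request that AWS uses in its own Signature Version 4 documentation. The access key pair is the placeholder pair AWS publishes for documentation; the session token value passed in the usage note is an assumed dummy string.

```python
import hashlib
import hmac
from urllib.parse import quote

# Added example, not AWS SDK code: a minimal Signature Version 4 signer for
# requests without a query string. The credentials are the placeholder values
# AWS uses in its own documentation, not live keys.
DOC_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DOC_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_access_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the day/region/service-scoped key. The secret access key itself
    never leaves the client; a leaked signing key is only good for this scope."""
    k_date = _hmac(("AWS4" + secret_access_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, headers: dict, payload_sha256: str):
    """Canonicalise: lower-case header names, trimmed values, sorted by name.
    Client and AWS must derive byte-identical text or the signatures differ."""
    canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    signed_headers = ";".join(name for name, _ in canon)
    canonical_headers = "".join(f"{name}:{value}\n" for name, value in canon)
    query_string = ""  # assumption: this example signs requests with no query string
    text = (f"{method}\n{quote(path, safe='/~')}\n{query_string}\n"
            f"{canonical_headers}\n{signed_headers}\n{payload_sha256}")
    return text, signed_headers


def sign_request(method, host, path, headers, payload, amz_date, region, service,
                 access_key_id, secret_access_key, session_token=None):
    """Return the request headers with a SigV4 Authorization header added."""
    payload_sha256 = sha256_hex(payload)
    hdrs = dict(headers)
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    hdrs["x-amz-content-sha256"] = payload_sha256
    if session_token is not None:
        # Temporary credentials: the session token travels as a header and is
        # included in the signed headers, so it cannot be swapped in transit.
        hdrs["x-amz-security-token"] = session_token
    creq, signed_headers = canonical_request(method, path, hdrs, payload_sha256)
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(creq.encode("utf-8"))])
    key = signing_key(secret_access_key, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs


def signature_of(headers: dict) -> str:
    return headers["Authorization"].rsplit("Signature=", 1)[1]


def documented_get_object(session_token=None):
    """The GET Object request from the AWS SigV4 documentation (S3 examples):
    GET /test.txt with Range: bytes=0-9 and an empty payload, 2013-05-24."""
    return sign_request("GET", "examplebucket.s3.amazonaws.com", "/test.txt",
                        {"Range": "bytes=0-9"}, b"", "20130524T000000Z",
                        "us-east-1", "s3", DOC_ACCESS_KEY_ID, DOC_SECRET_ACCESS_KEY,
                        session_token)


if __name__ == "__main__":
    print(documented_get_object()["Authorization"])
    print(documented_get_object(session_token="FwoGZXIvYXdzEXAMPLE")["Authorization"])
```

Two properties are worth noticing when reading the output. Any change to a signed header, the payload, the date or the credential scope changes the signature, which is what stops a captured request from being replayed against another service, region or day. And when a session token is supplied, x-amz-security-token appears in SignedHeaders, so the token is bound to the request exactly as the Session Token entry requires.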

Snapshot   Backup of an Amazon ElastiCache cluster running Redis. Used to persist
data from in-memory to disk and durably store in Amazon Simple Storage Service
(Amazon S3).

Spot Instance   A pricing option that allows you to obtain unused Amazon EC2 capacity
by bidding the price you are willing to pay for that capacity.

Stateless Application   An application that needs no knowledge of previous interactions
and stores no session information. Stateless applications are better suited for horizontal
scaling.

Statement on Auditing Standards (SAS 70) No. 70   SAS 70: Service Organizations is
an auditing statement issued by the Auditing Standards Board of the American Institute of
Certified Public Accountants (AICPA). SAS 70 provides guidance to service auditors when
assessing the internal controls of a service organization (such as AWS) and issuing a service
auditor’s report. SAS 70 also provides guidance to auditors of financial statements of an
entity that uses one or more service organizations. The SAS 70 report has been replaced by
the Service Organization Controls (SOC) 1 report.

Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
(Deprecated)   An attestation standard published by the Auditing Standards Board (ASB)
of AICPA. The standard addresses engagements undertaken by a service auditor for report-
ing on controls at organizations that provide services to user entities, where the service
organization's controls are likely to be relevant to a user entity's internal control over
financial reporting. SSAE 16 replaced SAS 70 for service auditor's reporting periods ending
on or after June 15, 2011.

Static Website   A website in which all web pages are delivered to the user exactly as
stored, instead of dynamically generated by a web application.
Sticky Session   A sticky session enables Elastic Load Balancing to bind a user’s session to
a specific instance. This ensures that all requests from the user during the session are sent to
the same Amazon EC2 instance.
Storage Classes   A range of storage types designed for different storage use cases.
Amazon Simple Storage Service (Amazon S3) Standard is designed for general-purpose stor-
age of frequently accessed data. Amazon S3 Standard-Infrequent Access (IA) is designed for
long-lived, but less frequently accessed data. Amazon Reduced Redundancy Storage (RRS)
is designed for easily replicated data that does not need high durability. Amazon Glacier is
designed for long-term archive.

Streaming   The ability to play a media file in real time as it is transmitted in a steady
stream from a server without first downloading and storing the whole file locally.
Structured Query Language (SQL)   A common interface and standardized set of
commands that allows users to read from and write to a relational database.

Subdomain   DNS works in a hierarchy and includes subdomains, which are any domains
that are part of a larger domain. TLDs can have many subdomains under them. For
instance, google.com and ubuntu.com are subdomains of the .com TLD (although they are
typically just called domains). The ubuntu or google portion can be referred to as a Second-
Level Domain (SLD).
Subject Alternative Name (SAN)   SAN is an extension to an X.509 certificate that
allows multiple names (for example, several hostnames) to be bound to a single certificate;
modern clients match the hostname against the SAN entries rather than the Common Name.

Subnet   A segment of the IP address range of an Amazon VPC contained within a single
Availability Zone.

Supported Record Types   Amazon Route 53 supports the DNS resource record types A,
AAAA, CNAME, MX, NS, PTR, SOA, SPF, SRV, and TXT.

Symmetric Key Algorithm   Algorithms for cryptography that use the same cryptographic
keys for both encryption of plaintext and decryption of ciphertext.

T
Table (Amazon DynamoDB)   Basic unit of provisioning for Amazon DynamoDB that
defines available read and write processing capacity. Each table contains items with at
least a unique primary key and optional additional attributes. Tables may have secondary
indexes for fast querying.

Tenancy   The relationship and mapping of instances to the underlying physical host. For
example, Dedicated Instances run on hosts with only instances from the same customer.

Termination Protection   Controls whether the instance can be terminated using the
AWS Management Console, Command-Line Interface (CLI), or Application Programming
Interface (API).
Time to Live (TTL)   Sets how long items remain in the Amazon CloudFront cache before
expiring.

Top-Level Domain (TLD)   A TLD is the most general part of the domain. The TLD is the
furthest portion to the right (as separated by a dot). Common TLDs are .com, .net, .org,
.gov, .edu, and .io.

Trail   An AWS CloudTrail configuration that enables the delivery of a log of the AWS
API activity and related events in your account to an Amazon S3 bucket.

Transient Cluster   An Amazon Elastic MapReduce (Amazon EMR) cluster that is brought
up for a short period of time to execute a specific job, then terminated.

Transmission Control Protocol (TCP)   A standard that defines how two hosts can
establish and maintain a network conversation and exchange data over an Internet Protocol
(IP) network.

Transparent Data Encryption (TDE)   Encryption at rest performed inside the database
engine, transparent to the application. Among the Amazon RDS engines, Oracle and
Microsoft SQL Server support TDE.

Transport Layer Security (TLS)   A cryptographic protocol that provides security for
communication over the Internet. Its predecessor is Secure Sockets Layer (SSL).

U
User Policy   A policy written within the scope of a single user and applied to that user
only. User policies have a one-to-one relationship with a user and cannot be applied to other
users.

V
Vault   A container for Amazon Glacier archives.

Vault Lock   An immutable policy, such as Write-Once, Read-Many (WORM), that can be
applied to an Amazon Glacier vault to meet compliance controls.

Versioning   Keeps multiple variants of an object in the same bucket to allow recovery from
unintended overwrites and deletions: an overwrite creates a new version and a delete places
a delete marker rather than removing the stored data.

Vertical Scaling   Adjusting the capacity of a system by altering the size of underlying
resources instead of by altering the number of underlying resources.

Virtual Private Gateway (VPG)   The AWS side of a VPN connection whose internal
interfaces connect to an Amazon VPC via the VPN attachment and the external interfaces
connect to the VPN connection, which leads to the Customer Gateway (CGW).
Virtual Private Network (VPN)   The Internet Protocol Security (IPsec) connection
between an Amazon VPC and some other network, such as a corporate data center, home
network, or colocation facility.

Virtual Tape Library (VTL)   A VTL is analogous to a physical tape library available on-
premises with robotic arms and tape drives, including the collection of virtual tapes stored
within the library.

W
Web Server Tier   An AWS Elastic Beanstalk environment whose web application
processes web requests.

Worker Tier   An AWS Elastic Beanstalk environment tier whose application runs
background jobs.

X
X.509 Certificate   A digital document that uses the X.509 Public Key Infrastructure (PKI)
standard to verify that a public key belongs to the entity described in the certificate.

Z
Zone File   A simple text file that contains the mappings between domain names and IP
addresses. This is how DNS finally identifies which IP address should be contacted when a
user requests a certain domain name.
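The Zone File entry above, together with the record types listed under Supported Record Types, is easiest to see with a parser. The following is an added example, not Amazon Route 53 code and not from the original page: it reads a BIND-style zone file into fully qualified records and then follows a CNAME to an A record the way a resolver would. The zone text is constructed for the example; it uses the documentation address ranges and describes no real domain.

```python
import re
from dataclasses import dataclass

# Added example, not Amazon Route 53 code: a parser for BIND-style zone files
# ($ORIGIN/$TTL, '@', relative and inherited owner names, optional TTL and class
# fields, ';' comments, '( ... )' continuations) plus a CNAME-following resolver.
RECORD_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "SPF", "SRV", "TXT"}

# Constructed sample zone; 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2024010101 7200 900 1209600 ; serial refresh retry expire
                300 )                       ; negative-caching TTL
@       IN NS   ns1
@       IN MX   10 mail
ns1     IN A    192.0.2.53
www     300 IN A 192.0.2.10
        IN AAAA 2001:db8::10
blog    IN CNAME www
@       IN TXT  "v=spf1 mx -all"
_sip._tcp IN SRV 10 60 5060 sip
"""

@dataclass
class Record:
    name: str    # always fully qualified, trailing dot included
    ttl: int
    rtype: str
    rdata: tuple

def _strip_comment(line: str) -> str:
    out, quoted = [], False
    for ch in line:
        quoted ^= ch == '"'          # a ';' inside a quoted TXT value is data
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)

def _logical_lines(text: str):
    """Yield (line, owner_inherited) with parenthesised continuations joined."""
    buf, depth, inherited = [], 0, False
    for raw in text.splitlines():
        if not buf:
            inherited = raw[:1].isspace()   # leading blank means "same owner as before"
        line = _strip_comment(raw)
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined, buf, depth = " ".join(buf).strip(), [], 0
            if joined:
                yield joined, inherited

def _qualify(name: str, origin):
    if origin is None:
        raise ValueError("relative name before $ORIGIN")
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text: str, origin=None, default_ttl=None):
    records, owner = [], None
    for line, inherited in _logical_lines(text):
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if not inherited:
            owner = _qualify(tokens.pop(0), origin)
        if owner is None:
            raise ValueError("first record has no owner name")
        ttl = default_ttl
        if tokens[0].isdigit():             # optional [ttl] [class] before the type
            ttl = int(tokens.pop(0))
        if tokens[0] in ("IN", "CH", "HS"):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype not in RECORD_TYPES:
            raise ValueError(f"unsupported record type {rtype}")
        if rtype in {"CNAME", "NS", "PTR"}:
            rdata = (_qualify(tokens[0], origin),)
        elif rtype == "MX":
            rdata = (int(tokens[0]), _qualify(tokens[1], origin))
        elif rtype == "SRV":
            rdata = (int(tokens[0]), int(tokens[1]), int(tokens[2]), _qualify(tokens[3], origin))
        else:                               # A, AAAA, TXT, SPF, SOA: keep the fields as text
            rdata = tuple(tokens)
        records.append(Record(owner, ttl, rtype, rdata))
    return records

def resolve_a(records, name: str, max_chain: int = 8):
    """Follow CNAMEs to A records, bounding the chain so a looping zone cannot spin forever."""
    for _ in range(max_chain):
        rrset = [r for r in records if r.name == name]
        cname = next((r for r in rrset if r.rtype == "CNAME"), None)
        if cname is None:
            return name, [r.rdata[0] for r in rrset if r.rtype == "A"]
        name = cname.rdata[0]
    raise ValueError("CNAME chain too long")
```

Running `parse_zone(SAMPLE_ZONE)` yields nine records with every owner expanded to a fully qualified name under the $ORIGIN, and `resolve_a(records, "blog.example.com.")` returns `("www.example.com.", ["192.0.2.10"])`, the address a client would finally contact. The bounded CNAME chain and the refusal of unknown record types are deliberate: a zone file is an input, and a parser that loops on malformed data or silently accepts what it does not understand is a reliability and security problem in its own right.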