|
1 | 1 |
|
| 2 | +# Cloud / Kubernetes / Docker / Secure SDLC / Microservices / API / CI/CD — Engineering-Grade Glossary |
| 3 | + |
| 4 | +**What this is:** a comprehensive, practical glossary covering **cloud security**, **Kubernetes security**, **Docker/container security**, **Secure SDLC**, **microservices security**, **API security**, and **CI/CD attack & defense**. It’s written in American English for engineers and leads, with clear explanations and actionable comments grounded in real-world practice. |
| 5 | + |
| 6 | +**How it was compiled:** a synthesis of widely adopted frameworks and primary sources, including **NIST CSF 2.0**, **NIST SP 800-53/61/171**, **NIST SSDF (SP 800-218)**, **ISO/IEC 27001/27002**, **OWASP** (Top 10, **API Top 10**, **ASVS**, **SAMM**, **MASVS**), **MITRE ATT\&CK / D3FEND**, **CNCF** security papers, **Kubernetes** Pod Security Standards and NSA/CISA hardening guides, **CIS Benchmarks**, **SLSA** with **in-toto/Sigstore**, and major cloud/IaC guidance (AWS, Azure, GCP; Terraform/CloudFormation/Pulumi). |
| 7 | + |
| 8 | +**How to use it:** skim by section, then dive into the items relevant to your stack. Many entries include short implementation notes so you can turn definitions into controls and checks immediately. |
| 9 | + |
| 10 | +--- |
| 11 | + |
| 12 | +## 1) Cloud Security Foundations |
| 13 | + |
| 14 | +1. **Shared Responsibility Model** — delineation of provider vs. customer duties that varies by **IaaS/PaaS/SaaS**; never assume the provider patches your apps or configures your IAM. |
| 15 | +2. **Well-Architected Framework** — cloud vendor pillars (security, reliability, cost, performance, sustainability) guiding design reviews. |
| 16 | +3. **Landing Zone** — vetted baseline for multi-account/subscription setups (guardrails, networking, identity, logging). |
| 17 | +4. **Guardrails** — preventive/detective controls enforced at org level (SCPs/Policies); “can’t do the wrong thing easily.” |
| 18 | +5. **Cloud Service Boundary** — blast radius limits via accounts/projects, VPCs, and per-service isolation. |
| 19 | + |
| 20 | +--- |
| 21 | + |
| 22 | +## 2) Cloud Identity & Access |
| 23 | + |
| 24 | +6. **IAM (Identity and Access Management)** — identities, roles/policies, permission boundaries, least privilege at scale. |
| 25 | +7. **Federation (SAML/OIDC)** — use enterprise IdP for SSO; avoid local cloud users/keys. |
| 26 | +8. **Workload Identity** — short-lived credentials for services (e.g., OIDC tokens for CI jobs) instead of long-lived secrets. |
| 27 | +9. **PIM/PAM (Privileged Identity/Access Management)** — just-in-time elevation, approval workflows, session recording. |
| 28 | +10. **ABAC/RBAC** — attribute- vs. role-based authorization; combine with resource tags/labels. |
| 29 | +11. **Key Rotation & Credential Hygiene** — automated rotation, no static access keys in code or CI vars. |
| 30 | + |
| 31 | +--- |
| 32 | + |
| 33 | +## 3) Cloud Network & Perimeter |
| 34 | + |
| 35 | +12. **VPC/VNet** — virtual private cloud networking; subnets (public/private), route tables, egress control. |
| 36 | +13. **Security Groups / NSGs** — stateful allow-lists at instance/NIC level; prefer least-privilege ports. |
| 37 | +14. **NACLs / Firewall Rules** — stateless network ACLs; coarse-grained boundary filters. |
| 38 | +15. **Private Link/Endpoints** — keep data plane off the public Internet; replace public service endpoints. |
| 39 | +16. **Transit Gateway / Hub-and-Spoke** — centralized routing/inspection (NVA/NGFW) across environments. |
| 40 | +17. **WAF (Web Application Firewall)** — protect HTTP(S)/API; manage bots/OWASP Top 10; pair with CDN. |
| 41 | +18. **DDoS Protection** — autoscale/scrubbing/anycast; rate-limit and upstream mitigation. |
| 42 | +19. **mTLS (Mutual TLS)** — service-to-service trust with cert-based auth; enforce via mesh or gateway. |
| 43 | + |
| 44 | +--- |
| 45 | + |
| 46 | +## 4) Cloud Data Protection & Crypto |
| 47 | + |
| 48 | +20. **KMS/HSM (Key Management/Hardware Security Module)** — envelope encryption, key separation of duties, audit of key use. |
| 49 | +21. **At-Rest / In-Transit Encryption** — enable everywhere; verify customer-managed keys where required. |
| 50 | +22. **Tokenization** — reversible substitution to reduce compliance scope; distinct from hashing. |
| 51 | +23. **Data Classification & Residency** — label sensitivity, restrict cross-border transfers, pin regions. |
| 52 | +24. **Immutable Storage / Object Lock** — write-once retention to resist ransomware. |
| 53 | + |
| 54 | +--- |
| 55 | + |
| 56 | +## 5) Cloud Posture & Workload Protection |
| 57 | + |
| 58 | +25. **CSPM (Cloud Security Posture Management)** — detect misconfig (public buckets, wildcards), drift, and policy violations. |
| 59 | +26. **CWPP (Cloud Workload Protection Platform)** — agented/agentless runtime protection for VMs/containers. |
| 60 | +27. **CNAPP (Cloud-Native Application Protection Platform)** — unifies CSPM+CWPP+CI/CD+IaC scanning and exposure mgmt. |
| 61 | +28. **SSPM (SaaS Security Posture Management)** — harden SaaS tenants (SSO-only, role scope, audit logs). |
| 62 | +29. **Attack Surface Management (ASM)** — discover Internet-exposed assets (DNS, IPs, APIs) continuously. |
| 63 | + |
| 64 | +--- |
| 65 | + |
| 66 | +## 6) Kubernetes Security (K8s) |
| 67 | + |
| 68 | +30. **RBAC (Role-Based Access Control)** — least privilege for users and service accounts; avoid `cluster-admin`. |
| 69 | +31. **Namespace Multi-Tenancy** — tenant isolation via namespaces + network policies + quotas. |
| 70 | +32. **Network Policies** — pod-to-pod allow-lists; default-deny ingress/egress where feasible. |
| 71 | +33. **Pod Security (Baseline/Restricted)** — admission policy to block privileged pods, hostPath, unsafe capabilities. |
| 72 | +34. **Admission Controllers** — **OPA Gatekeeper/Kyverno** to enforce policies (image signing, labels, seccomp). |
| 73 | +35. **Service Mesh (mTLS)** — per-request identity, encryption, and authz (Istio/Linkerd). |
| 74 | +36. **Secrets Management** — external secret stores (KMS/Vault/ESO); avoid plain-text `Secret`. |
| 75 | +37. **Image Provenance** — **Cosign** signatures + **in-toto** attestations; verify in admission. |
| 76 | +38. **Runtime Security (eBPF/Falco)** — detect escapes, crypto-miners, suspicious syscalls. |
| 77 | +39. **etcd Hardening** — mTLS, encryption at rest, access isolation; backup + key protection. |
| 78 | +40. **Node Hardening** — CIS baseline, minimal OS, disable unused services; kubelet authn/authz, rotate creds. |
| 79 | +41. **Resource Quotas/LimitRanges** — prevent noisy-neighbor and DoS via resource exhaustion. |
| 80 | +42. **HPA/VPA** — autoscaling with sane limits; couple with PDBs (Pod Disruption Budgets) for availability. |
| 81 | + |
| 82 | +--- |
| 83 | + |
| 84 | +## 7) Docker/Container Security |
| 85 | + |
| 86 | +43. **Minimal Base Images** — distroless/alpine when appropriate; cut attack surface. |
| 87 | +44. **Non-Root Containers** — run as non-root UID/GID; drop Linux capabilities (`NET_RAW`, `SYS_ADMIN`). |
| 88 | +45. **Read-Only RootFS** — mutable volumes only when necessary; immutable containers reduce tampering. |
| 89 | +46. **Multi-Stage Builds** — exclude build tools from runtime image. |
| 90 | +47. **Image Scanning** — CVE and misconfig scanning in CI; fail on criticals. |
| 91 | +48. **Registry Security** — private registry, RBAC, signed images, network isolation. |
| 92 | +49. **Docker Socket Protection** — never mount `/var/run/docker.sock` into workloads. |
| 93 | + |
| 94 | +--- |
| 95 | + |
| 96 | +## 8) Microservices Security |
| 97 | + |
| 98 | +50. **Zero Trust for Services** — strong identity (SPIFFE/SPIRE), **mTLS**, least-privilege scopes. |
| 99 | +51. **API Gateway** — central authn/authz, rate limiting, schema validation, JWT verification. |
| 100 | +52. **Service-to-Service Authorization** — claims-based authz (OIDC scopes/claims), explicit allow-lists. |
| 101 | +53. **Backpressure & Timeouts** — protect upstreams; avoid resource starvation (circuit breakers). |
| 102 | +54. **Secrets & Config** — separate secrets from configs; rotation via sidecars/operators. |
| 103 | +55. **Multi-Tenant Isolation** — tenant IDs, data scoping, per-tenant keys, noisy-neighbor controls. |
| 104 | + |
| 105 | +--- |
| 106 | + |
| 107 | +## 9) API Security (Web & Internal) |
| 108 | + |
| 109 | +56. **OWASP API Security Top 10** — focus on **BOLA/IDOR**, authz, excessive data, mass assignment. |
| 110 | +57. **Schema-First (OpenAPI)** — strong contracts; generate validators and tests; reject unknown fields. |
| 111 | +58. **JWT** — validate signature/`iss`/`aud`/expiry; avoid `alg=none`; rotate keys; use short TTL. |
| 112 | +59. **mTLS for Internal APIs** — pair with OPA/ABAC for fine-grained decisions. |
| 113 | +60. **Rate Limiting & Quotas** — per-client/user/IP; protect billing and availability. |
| 114 | +61. **CORS Policy** — least-privilege origins; no wildcard with credentials. |
| 115 | +62. **Input Validation / Output Encoding** — whitelist validation; prevent injection/XSS. |
| 116 | +63. **Secrets in Headers** — never in URLs; avoid logging tokens; use token binding where possible. |
| 117 | + |
| 118 | +--- |
| 119 | + |
| 120 | +## 10) Secure SDLC & Supply Chain |
| 121 | + |
| 122 | +64. **SSDF (NIST SP 800-218)** — plan, protect, produce, respond — security tasks across dev lifecycle. |
| 123 | +65. **OWASP ASVS** — verification requirements for web apps; map to controls and tests. |
| 124 | +66. **SAST/DAST/IAST/RASP** — static, dynamic, interactive testing; runtime protection. |
| 125 | +67. **Threat Modeling (STRIDE)** — model abuse cases; prioritize mitigations; keep ADRs for decisions. |
| 126 | +68. **SCA (Software Composition Analysis)** — third-party deps, CVEs, and licenses. |
| 127 | +69. **SBOM (SPDX/CycloneDX)** — machine-readable component inventory; deliver with releases. |
| 128 | +70. **SLSA** — supply-chain maturity; hermetic builds, provenance, two-person control. |
| 129 | +71. **in-toto Attestations** — cryptographic evidence of who/what/when for build steps. |
| 130 | +72. **Code Signing / Commit Signing** — GPG/SSH or **Sigstore** keyless with OIDC identity. |
| 131 | +73. **Secrets Scanning** — pre-commit and CI; block merges on findings. |
| 132 | +74. **Security Unit/Integration Tests** — assert authz rules, input constraints, crypto invariants. |
| 133 | + |
| 134 | +--- |
| 135 | + |
| 136 | +## 11) CI/CD Security & Attack Paths |
| 137 | + |
| 138 | +75. **Ephemeral Runners** — one-shot CI workers; no persistence for attackers. |
| 139 | +76. **OIDC-to-Cloud** — short-lived cloud creds issued to CI jobs; no stored access keys. |
| 140 | +77. **Pipeline as Code** — reviewed PRs for pipeline changes; protect from injection. |
| 141 | +78. **Policy as Code (OPA/Conftest)** — enforce org security (no `0.0.0.0/0`, no public buckets) in CI. |
| 142 | +79. **Artifact Signing (Cosign)** — sign images/bundles; verify at deploy/admission. |
| 143 | +80. **Secrets Management** — KMS/Vault; avoid plaintext env vars and PR logs. |
| 144 | +81. **Dependency Confusion / Typosquatting** — prefer private registries, scoped namespaces; pin sources. |
| 145 | +82. **Poisoned Pull Request** — attacker-controlled forks running untrusted workflows; restrict secrets on forks. |
| 146 | +83. **Self-Hosted Runner Abuse** — isolate with least network/host perms; auto-reimage runners. |
| 147 | +84. **Cache/Artifact Pollution** — attest integrity; separate namespaces; checksum verification. |
| 148 | +85. **Build Provenance** — capture source digest, builder identity, parameters; publish attestations. |
| 149 | + |
| 150 | +--- |
| 151 | + |
| 152 | +## 12) Cloud Attack Techniques (examples) & Defenses |
| 153 | + |
| 154 | +86. **SSRF to Metadata (IMDSv1)** — steal credentials via metadata endpoint; enforce **IMDSv2** / hop detection / WAF SSRF rules. |
| 155 | +87. **Over-Privileged IAM Roles** — wildcards in policies → privilege escalation; use **least privilege** + `Condition` constraints. |
| 156 | +88. **Public Object Storage** — accidental exposure; enforce org policies; block public ACLs at account level. |
| 157 | +89. **Exposed Keys/Secrets** — leaks via repos/logs; rotate immediately; adopt keyless auth. |
| 158 | +90. **Shadow Admins** — indirect privileges via policy chaining; continuous permission graph analysis (CIEM). |
| 159 | +91. **Misconfigured Security Groups** — open 0.0.0.0/0; auto-remediation via CSPM/PaC. |
| 160 | +92. **Serverless Data Exfil** — overly permissive functions; restrict egress (VPC + egress proxy), least-privilege IAM. |
| 161 | +93. **K8s PrivEsc** — privileged pods/host mounts; enforce Restricted policy; disallow hostPath. |
| 162 | +94. **Container Escape** — kernel/Cgroups/namespace exploits; apply patches, seccomp/AppArmor/SELinux, drop caps. |
| 163 | +95. **Credential Harvesting via Instance Profiles** — instance metadata theft; bind roles to specific conditions, use IMDS hop checks. |
| 164 | +96. **Supply-Chain Injection** — compromised dependency builds; adopt SLSA, signed attestations, reproducible builds. |
| 165 | + |
| 166 | +--- |
| 167 | + |
| 168 | +## 13) Observability, Telemetry & IR Readiness |
| 169 | + |
| 170 | +97. **Structured/Audit Logging** — consistent fields (user/req-id/tenant/outcome); exclude secrets; tamper-evident storage. |
| 171 | +98. **Centralized Log Ingestion** — ship cloud/K8s/app logs to SIEM/XDR; retain with legal holds. |
| 172 | +99. **Distributed Tracing (W3C)** — propagate context across services; correlate with security events. |
| 173 | +100. **Detection Engineering** — ATT\&CK-mapped rules (e.g., anomalous STS token use, K8s exec into pods). |
| 174 | +101. **Backup & DR (3-2-1)** — immutable snapshots, cross-region replication, restore drills. |
| 175 | +102. **Tabletop Exercises (TTX)** — simulate cloud creds theft, pipeline compromise, registry breach. |
| 176 | + |
| 177 | +--- |
| 178 | + |
| 179 | +## 14) Governance, Compliance & Risk (Cloud/App) |
| 180 | + |
| 181 | +103. **ISMS (ISO/IEC 27001)** — management system for policies, risks, and continual improvement. |
| 182 | +104. **SOC 2 (AICPA TSC)** — Security/Availability/PI/Confidentiality/Privacy; Type I/II evidence from cloud/K8s controls. |
| 183 | +105. **PCI DSS in Cloud** — CDE segmentation, key custody, strong access control; scope reduction via tokenization. |
| 184 | +106. **Privacy by Design** — data minimization, purpose limitation, default encryption and retention controls. |
| 185 | +107. **Risk Register & Exceptions** — time-boxed risk acceptances with compensating controls and owners. |
| 186 | + |
| 187 | +--- |
| 188 | + |
| 189 | +## 15) Handy Mini-Examples |
| 190 | + |
| 191 | +108. **Policy Gate Example** — “Block merge if Terraform opens `0.0.0.0/0` on SSH/RDP or S3 lacks bucket policy; require Cosign signature.” |
| 192 | +109. **JWT Hardening** — “Reject `alg=none`, verify `iss/aud`, use short TTL and key rotation; store tokens in HttpOnly cookies.” |
| 193 | +110. **K8s Admission** — “Deny pods with `privileged: true`, hostPath mounts, or unsigned images; enforce `runAsNonRoot`.” |
| 194 | +111. **CI OIDC** — “Issue 15-minute scoped cloud creds to jobs; forbid static keys and personal PATs.” |
| 195 | +112. **SSRF Defense** — “Block metadata IPs at app layer; use IMDSv2; add WAF SSRF rules on egress URLs.” |
| 196 | + |
| 197 | +--- |
| 198 | + |
| 199 | +## 16) Abbreviation Quick Table (selected) |
| 200 | + |
| 201 | +**ABAC, ADR, API, ASM, ASVS, ATT\&CK, CI/CD, CIEM, CISA, CIS Benchmarks, CNAPP, CORS, Cosign, CSPM, CWPP, DAST, DDoS, DFD, DLP, eBPF, HPA/VPA, HSM/KMS, IaC, IAST, IAM/IdP/SSO/MFA, IMDSv2, in-toto, IR, JWT, K8s, KDF, Kyverno/OPA, MASVS, MTTR/MTTD, NACL/NSG/SG, NIST SSDF, OIDC/OAuth2/SAML, OWASP API Top 10, PaC, PDB, PFS, PKI, RBAC, RASP, RPO/RTO, S3/Object Lock, SAMM/BSIMM, SBOM (SPDX/CycloneDX), SCA, SCP (org policies), SLSA, SOC 2, SOAR/SIEM/XDR, SPIFFE/SPIRE, SSRF, STRIDE, TLS/mTLS, VEX, VPC/VNet, WAF, Zero Trust.** |
| 202 | + |
| 203 | +--- |
0 commit comments