A plain-English glossary for cloud terms used throughout CloudPath. Search by keyword, filter by category, or jump directly by letter.
The 6 Rs are six migration strategies: rehost, replatform, repurchase, refactor, retire, and retain.
An Access Control List (ACL) is a set of rules that defines who or what is allowed or denied access to a resource. In networking, ACLs filter traffic at the subnet level. In storage and IAM, they control who can read or write data.
API Gateway is a managed service that creates, publishes, and secures HTTP or REST APIs at any scale.
AWS (Amazon Web Services) is Amazon's cloud platform, the largest in the world by market share. It offers over 200 services covering compute, storage, databases, networking, security, and more.
AWS Artifact is a self-service portal for accessing AWS compliance reports, certifications, and agreements.
AWS Budgets lets you set custom cost or usage thresholds and sends alerts when spending approaches or exceeds them.
AWS Migration Hub provides a central place to track application migrations across AWS and partner tools.
AWS Organizations is a service for centrally managing multiple AWS accounts with shared billing and governance controls.
An access key is the public identifier used with a secret key to make API calls from code or tools.
Agility is the ability to create, change, and experiment with infrastructure quickly instead of waiting through long hardware procurement cycles.
An alarm watches a metric and triggers an action when a threshold is crossed.
An AMI is a template used to launch virtual machines with a chosen operating system and software.
An ARN is a unique identifier format for AWS resources, including service, region, account, and resource path.
Amplify Hosting deploys static frontends and SPAs with built-in HTTPS, a global CDN, and optional custom domains.
Application Discovery Service gathers information about on-premises servers and dependencies to support migration planning.
Aurora is a managed relational database engine built for high performance and high availability.
An authorizer is an API Gateway feature that checks identity or permissions before a request reaches your backend.
Auto Scaling automatically adds or removes compute resources based on demand.
An Availability Zone is an isolated data center location inside a region.
Azure is Microsoft's cloud platform. It offers a broad range of services and is especially popular in enterprises already using Microsoft products like Windows Server, Active Directory, and Office 365.
BYOK (Bring Your Own Key) lets you supply your own encryption keys to a cloud service instead of using keys the provider manages on your behalf.
BYOL means Bring Your Own License, where you reuse existing software licenses on eligible cloud infrastructure.
A backup is a copy of data stored separately from the original so it can be restored if the original is lost, corrupted, or accidentally deleted. Backups are a core part of any disaster recovery strategy.
Block storage stores data in fixed-size blocks and is commonly used for virtual machine disks.
Broad network access means cloud services are reachable over networks from standard devices such as laptops, phones, and tablets.
A CIDR block defines a range of IP addresses using network prefix notation.
CORS is a browser security mechanism that controls which origins are allowed to make cross-origin HTTP requests.
CapEx means capital expenses, which are upfront costs for buying physical infrastructure.
Certificate Manager provisions, stores, and renews SSL/TLS certificates for supported AWS services.
The AWS Cloud Adoption Framework organizes migration guidance into six perspectives: Business, People, Governance, Platform, Security, and Operations.
The Cloud Development Kit lets you define cloud infrastructure in programming languages instead of manual console setup.
Cloud computing is the on-demand delivery of computing services over the internet with pay-for-use pricing.
Cloud infrastructure refers to the hardware and software components (servers, storage, networking, and virtualization) that underpin cloud computing services.
CloudFormation is a service for defining and deploying infrastructure with templates.
CloudFront is a content delivery network service that caches content near users for faster delivery.
CloudTrail records API activity in your account so you can audit who did what and when.
CloudWatch collects metrics, logs, and events so you can monitor applications and infrastructure.
Cognito provides user sign-up, sign-in, and token management for web and mobile applications.
AWS Config tracks the configuration of AWS resources and records how that configuration changed over time.
Connection pooling reuses open database connections so applications can respond faster and reduce overhead.
Consolidated billing lets an AWS Organizations management account receive a single bill that covers all member accounts, with aggregated volume discounts.
A container packages an application and its dependencies so it runs consistently across environments.
A CDN is a global network of cache servers that delivers content from locations closer to users.
A Cost & Usage Report is the most detailed AWS billing export, with line-item usage and charge data typically delivered to S3 for analysis.
Cost Explorer visualizes and analyzes AWS spending patterns over time with filtering by service, region, and tags.
A cost allocation tag is a tag activated for billing so spending can be grouped or filtered by dimensions such as team, environment, or project.
DNS translates human-friendly domain names into IP addresses computers use for routing.
A data event tracks access to resource data, such as reading an object or invoking a function.
A data model defines how data is structured and organized in a database. The two most common are the relational model (tables with rows and columns, queried with SQL) and the flexible model used by NoSQL databases (documents, key-value pairs, etc.).
A database endpoint is the network address applications use to connect to a database service.
Debugging is the process of finding and fixing errors in code or configuration. In the cloud, debugging often means reading logs, tracing requests across services, and checking metrics to understand why something is behaving unexpectedly.
Decoupling means designing services so they do not depend directly on each other. Instead of service A calling service B directly, A publishes a message to a queue or topic and B processes it independently. This makes each service easier to scale, update, and replace without breaking others.
A Dedicated Host gives you an entire physical server for your EC2 instances, including visibility into sockets and cores for licensing needs.
Direct Connect provides a dedicated private network connection between an on-premises data center and AWS.
Disaster recovery is the plan and process to restore systems and data after major outages.
Docker is a platform and image format commonly used to build and run containers.
Durability measures how reliably storage keeps your data over long periods.
DynamoDB is a managed NoSQL database designed for low-latency access at large scale.
An EC2 instance is a virtual machine you launch in the cloud.
EMR is a managed cluster platform for running big-data frameworks such as Apache Spark and Apache Hadoop.
Economies of scale means a large provider can spread fixed costs across massive usage, reducing the cost per unit of compute, storage, or networking.
An edge location is a site where CDN content is cached closer to end users.
Elastic Beanstalk is a PaaS that deploys and manages web applications by handling capacity provisioning, load balancing, and health monitoring automatically.
EBS is persistent block storage for virtual machines.
ECS is a container orchestration service that runs and maintains a desired number of Docker container tasks in a cluster.
EFS is managed network file storage that can be mounted by multiple compute instances.
An Elastic IP is a static public IPv4 address that you can remap between resources.
Elasticity is the ability to quickly increase or decrease resources to match demand.
Emulation is the process of imitating one system using a different one. A virtual machine emulates physical hardware in software, letting you run an operating system without dedicated hardware. Cloud computing is built on emulation: physical servers are divided into many isolated virtual machines.
Encryption is the process of encoding data using a cryptographic algorithm so that only parties with the correct key can read it. It protects data from being read if intercepted or accessed without authorization.
Encryption at rest protects stored data by encrypting it on disk.
Encryption in transit protects data while it moves across networks, often using TLS.
An endpoint is a specific URL or network address that a service exposes so other systems can communicate with it.
Failover is the automatic process of switching to a backup system when the primary one fails. In cloud environments this happens without manual intervention; traffic is rerouted to a standby so users experience little to no downtime.
Fan-out is a messaging pattern where one message published to a topic is delivered to many subscribers simultaneously. It decouples the sender from the receivers: the publisher does not need to know how many consumers exist or what they do with the message. SNS uses fan-out to broadcast events to multiple services at once.
Fargate is a serverless compute engine for containers that removes the need to manage the underlying EC2 instances.
Fault tolerance means a system can continue operating even when one component fails.
Federation allows users from an external identity provider to access cloud resources without separate local accounts.
File storage organizes data in shared folders and files using a hierarchical path structure.
A firewall is a security barrier that monitors and controls network traffic based on rules. It decides which connections are allowed and which are blocked. In the cloud, security groups and network ACLs act as firewalls.
In cloud computing, a function is a self-contained block of code that runs in response to an event. Functions are the building block of serverless architecture; the cloud provider manages the runtime so you only write the logic.
GCP (Google Cloud Platform) is Google's cloud platform, known for its strengths in data analytics, machine learning, and global networking infrastructure.
A gateway is a network entry or exit point that connects two different networks or environments. In the cloud it controls how traffic moves between your private resources and the outside world.
Glacier is low-cost archival storage optimized for data rarely accessed.
GuardDuty is a threat-detection service that uses machine learning and threat intelligence to identify suspicious or malicious activity in an AWS account.
A health check is an automated test that periodically pings a service to verify it is running and responding correctly. Load balancers use health checks to stop sending traffic to unhealthy instances. Route 53 uses them to trigger DNS failover.
High availability is designing systems to stay up and reachable with minimal downtime.
Hybrid cloud combines on-premises infrastructure with public cloud services.
An IAM Group is a collection of users that share permissions through attached policies.
An IAM Policy is a JSON document that defines allowed or denied actions on resources.
An IAM Role is an identity with permissions that trusted users or services can assume temporarily.
An IAM User is a long-term identity for a person or system in one account.
An IP address is a unique numerical label assigned to every device on a network, used to identify and locate it for routing traffic.
IPv4 is the fourth version of the Internet Protocol, using 32-bit addresses written as four decimal numbers (e.g. 192.168.1.1). It supports about 4 billion unique addresses, a limit that drove the creation of IPv6.
IPv6 is the sixth version of the Internet Protocol, using 128-bit addresses written in hexadecimal (e.g. 2001:0db8::1). It provides a vastly larger address space than IPv4 to support the growing number of internet-connected devices.
An identifier is a unique string used to reference a specific resource, user, or object, such as an account ID, resource ID, or ARN.
IAM is the system used to control who can access which cloud resources and what actions they can perform.
An identity-based policy is attached to users, groups, or roles to define what they can do.
Inbound traffic is data coming into your cloud environment from outside: for example, a user's browser making a request to your web server, or an external API sending data to your application.
Infrastructure refers to the foundational computing resources (servers, networking, storage, and software) that applications run on. In the cloud, infrastructure is provisioned on demand rather than owned physically.
Infrastructure as Code means managing cloud resources using versioned configuration files.
IaaS is a cloud model where the provider supplies infrastructure building blocks such as virtual machines and networking while you manage more of the software stack.
Inspector scans EC2 instances, ECR container images, and Lambda functions for software vulnerabilities and unintended network exposure.
An instance type defines the CPU, memory, storage, and network capacity of a virtual machine.
An internet gateway lets resources in a VPC send and receive traffic from the public internet.
Isolated means separated from other environments, accounts, or customers so that activity in one cannot affect another. Cloud providers isolate customers from each other using virtual networks, separate storage, and strict access controls.
A JWT is a signed token that carries identity claims and is verified by the recipient without calling back to the issuer.
A KMS key is a managed encryption key used to protect data across many cloud services.
Kubernetes is a platform for deploying and scaling containerized applications across clusters.
A Lambda function is code that runs on demand without managing servers.
Latency is the time delay between sending a request and receiving a response. Low latency means near-instant responses and a fast experience. High latency means noticeable delays, often caused by long network distances, overloaded servers, or inefficient queries.
A lifecycle policy automatically moves or expires stored data based on rules and age.
Lightsail is a simplified compute platform that bundles instances, storage, databases, and networking into easy-to-manage packages.
A load balancer distributes incoming traffic across multiple targets for reliability and performance.
A Local Zone extends a region into a metro area so workloads can run closer to users with lower latency.
A log is a recorded line of output from a running application or service. It captures what happened, when it happened, and often why. Logs are your primary tool for understanding what your system is doing and diagnosing problems after the fact.
A log group is a container for related log streams in CloudWatch Logs.
A log stream is a sequence of log events from one source inside a log group.
MFA adds a second verification step beyond a password to improve account security.
Macie uses machine learning to discover, classify, and protect sensitive data stored in S3 buckets.
A management event records control-plane activity such as creating or modifying resources.
Measured service means cloud usage is metered, monitored, and often billed according to consumption.
Metadata is data that describes other data. For a file stored in S3, metadata might include its content type, size, and creation date. For a cloud resource, metadata includes tags and configuration details. It provides context without being the content itself.
A metric is a numerical measurement tracked over time, like CPU utilization.
Monitoring is continuously observing system health and performance using metrics, logs, and alerts.
Multi-AZ deployment keeps a standby copy in another Availability Zone for fast failover.
Multi-cloud means using services from more than one cloud provider.
A NAT gateway lets private resources access the internet for outbound traffic without being publicly reachable.
Neptune is a managed graph database service optimized for storing and querying highly connected datasets.
A network is the infrastructure that connects computers and services so they can communicate and share data. In the cloud, your network is virtual: you define IP ranges, subnets, routing rules, and access controls through software.
A network ACL is a stateless firewall that controls traffic at the subnet level.
Network file storage is a shared file system accessible over a network, allowing multiple machines to read and write files using standard file paths as if the storage were local.
NoSQL databases use flexible data models and are often optimized for large-scale distributed workloads.
In cloud storage, an object is a file plus its metadata stored as a single unit. In programming, an object is an instance of a class that bundles data and behavior together. Both uses share the idea of a self-contained, identifiable unit of data.
Object storage saves data as objects with metadata and unique keys in flat namespaces.
An on-demand instance is pay-by-the-hour or second capacity with no long-term commitment.
On-demand self-service means you can provision or remove resources yourself without waiting for manual approval from the provider.
On-premises means running infrastructure in your own facilities instead of in a cloud provider's data centers.
OpEx means operational expenses, which are ongoing costs like usage-based cloud bills.
An organizational unit is a logical container inside AWS Organizations used to group accounts and apply policies together.
Origin Access Control lets CloudFront authenticate to a private S3 origin so the bucket stays private while content is served through the CDN.
Outbound traffic is data leaving your cloud environment: for example, a server sending a response to a user, or a private resource downloading an update from the internet.
Patching is the process of applying updates to software or operating systems to fix bugs, close security vulnerabilities, or add improvements. Managed cloud services like RDS handle patching automatically so you do not have to.
Pay-as-you-go pricing means you pay only for what you use instead of buying fixed capacity upfront.
Persistence means data is saved to durable storage and survives beyond the lifetime of a process, container, or session. Without persistence, data is lost when the runtime stops.
PaaS is a cloud model where the provider manages much of the underlying platform so you can focus more on application code and deployment.
A presigned URL grants temporary access to a specific object without exposing account credentials.
The primary database is the main database instance that handles all write operations. Read replicas and standby instances receive copies of its data but the primary is the single source of truth for writes.
A primary key uniquely identifies a record in a database table or item collection.
The principle of least privilege says identities should get only the minimum permissions needed to do their tasks.
Private resources are cloud components, like databases or backend servers, that are not directly reachable from the public internet. They live in private subnets and can only be accessed from within the same network or through a controlled gateway.
A public cloud is a computing environment owned and operated by a third-party provider (such as AWS, Azure, or GCP) where resources are shared across many customers and accessed over the internet.
RDS is a managed relational database service that handles backups, patching, and infrastructure tasks.
Rapid elasticity means resources can scale out or in quickly as demand rises or falls.
A read replica is a copy of a database used to offload read traffic from the primary database.
Redshift is a fully managed data warehouse for running SQL analytics and BI reporting on large curated datasets.
A region is a geographic area containing multiple isolated Availability Zones.
A relational database stores structured data in tables with defined relationships.
In a relational database, relationships are the links between tables defined by matching values in key columns. For example, an orders table can reference a customers table so each order is tied to a specific customer. This structure is what makes SQL databases relational.
A request is a message sent from a client to a server asking for data or an action. Every time a browser loads a page, an app fetches data, or one service calls another, it sends a request. The server processes it and returns a response.
A reserved instance offers discounted compute pricing in exchange for a one- or three-year commitment.
A resource is any cloud component you provision and use, such as a server, database, storage bucket, or network. Resources are created, configured, and billed individually, and are identified by unique IDs or ARNs.
Resource pooling means a provider serves many customers from shared infrastructure while keeping their workloads logically isolated.
A resource-based policy is attached directly to a resource to control who can access it.
The root account is the original account identity with full unrestricted permissions.
Route 53 is a managed DNS service for domain registration, routing, and health checks.
A route table defines where network traffic should go based on destination address ranges.
Routing is the process of determining the path that network traffic takes from a source to a destination across interconnected networks.
A runtime is the environment in which code executes. It provides the interpreter, language libraries, and operating system dependencies your application needs to run. Cloud functions like Lambda let you choose a runtime such as Node.js, Python, or Java.
S3 is a highly durable object storage service for files, backups, media, and logs.
An S3 bucket is a top-level container that stores objects in S3.
An S3 object is a file plus metadata stored inside an S3 bucket.
An SLA is a service-level agreement that defines uptime and support commitments.
SQL (Structured Query Language) is the standard language for querying and managing relational databases. You use it to read, write, update, and delete data stored in tables. Most traditional databases, like PostgreSQL, MySQL, and Amazon RDS, use SQL.
SSL (Secure Sockets Layer) is the predecessor to TLS. SSL was the original protocol for encrypting traffic between a browser and a server. It has since been replaced by TLS, but the term SSL is still widely used to refer to encrypted web connections in general. When someone says SSL, they almost always mean TLS.
Savings Plans offer lower prices in exchange for a commitment to a consistent amount of compute usage (measured in dollars per hour) for one or three years.
Scalability is a system's ability to handle more load by adding resources efficiently.
A secret key is the private credential paired with an access key and must be kept confidential.
Secrets Manager stores, encrypts, and rotates sensitive values such as passwords, API keys, and tokens.
Security Hub aggregates and prioritizes security findings from AWS services and partner tools in one place.
A security group is a stateful virtual firewall that controls inbound and outbound traffic for resources.
Serverless is a model where the cloud provider manages servers while you focus on code and business logic.
A service control policy sets permission boundaries for accounts in an organization.
The shared responsibility model explains which security tasks are handled by the cloud provider and which are handled by the customer.
Shield provides managed DDoS protection for AWS resources, with a Standard tier included at no extra cost and an Advanced tier for enhanced detection.
SNS is a messaging service for sending notifications and fan-out messages to multiple subscribers.
SQS is a managed message queue service that decouples components for more reliable processing.
Single Sign-On lets users access multiple applications using one authenticated login session.
SaaS is a cloud model where you consume a finished application that runs in the provider's environment instead of managing the platform yourself.
A spot instance uses spare cloud capacity at lower cost but can be interrupted.
Stateful means a system remembers context between requests. A stateful service tracks things like session data, open connections, or previous actions. Security groups are stateful: if you allow inbound traffic, the response is automatically allowed out.
Stateless means a system does not remember anything between requests; each request is treated independently with no stored context. Stateless design makes services easier to scale because any instance can handle any request.
Storage is the component of cloud infrastructure that holds data persistently. Cloud providers offer multiple storage types (block, file, and object), each suited to different access patterns and workloads.
A storage class defines availability, access speed, and price for stored objects.
A subnet is a smaller network segment inside a VPC.
A TAM is a designated AWS support engineer assigned to Enterprise Support customers who provides proactive guidance and coordinates incident response.
A threshold is the value a metric must cross to trigger an alarm or scaling action.
TCO compares the full cost of running infrastructure on-premises (hardware, staff, facilities) versus in the cloud (service fees, data transfer).
Tracing follows a request across multiple services to reveal latency and errors in distributed systems.
Traffic refers to data moving across a network: requests coming in, responses going out, and communication between services. Managing traffic well affects performance, security, and cost.
A trail is a CloudTrail configuration that decides which events are captured and where they are stored.
Transit Gateway is a hub that connects multiple VPCs and on-premises networks through a single gateway.
TLS encrypts network connections so data cannot be easily read or modified in transit.
Trusted Advisor inspects your AWS environment and recommends improvements across cost optimization, performance, security, fault tolerance, and service limits.
VPC peering is a one-to-one connection between two VPCs that routes traffic privately using AWS internal networking.
Versioning keeps multiple versions of an object so deletions and overwrites can be recovered.
Virtual means something emulated by software rather than existing as dedicated physical hardware. Virtual machines, virtual networks, and virtual storage all run on shared physical infrastructure but behave as if they are isolated and independent.
A virtual machine is software that emulates a physical computer with its own operating system.
A virtual network is a network defined entirely in software rather than physical cables and hardware. It behaves like a traditional network but runs on shared infrastructure inside a cloud provider. A VPC is the most common example of a virtual network in the cloud.
A VPC is a logically isolated virtual network where you launch cloud resources.
WAF is a web application firewall that filters incoming HTTP requests based on rules you define, such as IP allowlists or SQL injection patterns.
A Wavelength Zone places AWS infrastructure inside telecom networks to support ultra-low-latency applications for 5G devices.
The Well-Architected Framework provides best-practice guidance across six pillars: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability.
X-Ray helps analyze and debug distributed applications by visualizing request traces.
Zero Trust is a security model that continuously verifies identity and access rather than assuming internal traffic is safe.