Glossary

Definitions of the terms used throughout the GuardKite platform and docs.

A

Accepted risk

See path snooze.

Admin

A user role with full access to findings, AWS accounts, users, and billing within a tenant. Admins can add, edit, and remove users; promote a member to admin; manage AWS accounts; and manage the subscription. See Users & roles.

Annotation

A small piece of extra context attached to a finding. Appears as a chip on the row and a banner in the detail drawer. The only annotation type in production today is cost impact.

Attack path

A chain of AWS resources connecting something publicly reachable (an entry node) to something sensitive (a target node). Attack paths help prioritize remediation by surfacing reachability, not just individual misconfigurations. See Attack Paths.

C

Chain

The sequence of resources that make up an attack path, from entry node through intermediate hops to the target node.

Closed

A finding state. The check is no longer failing — usually because the issue was remediated or the resource was deleted. See Severity levels and finding states.

Cost impact

An annotation that warns the recommended remediation will turn on a billable AWS service (e.g. enabling GuardDuty, Inspector, Macie). Includes the service that will start billing, a cost tier (low / medium / high), and the cost drivers.

E

Entry node

A resource reachable from outside your AWS account — the start of an attack path. Includes API Gateway, function URLs, load balancers, security groups open to the internet, public S3 bucket policies, and public S3 ACLs.

Escalation path

A technique an IAM identity could use to escalate its privileges further within the account. Shown in the identity drawer on the IAM Risk page.

External ID

A secret string unique to your GuardKite tenant, required on every call that assumes GuardKite's IAM role in your AWS account. Prevents the confused-deputy problem. See Cross-account IAM role.

F

Finding

A specific misconfiguration GuardKite has detected on one resource in one of your AWS accounts. Carries a severity, the affected resource, and remediation guidance. See Findings.

Fix

A specific change that would close one or more attack paths. Surfaced in the Attack Paths drawer and in the Fixes view, ranked by how many paths each fix would close.

H

Hop

An intermediate resource between the entry node and target node of an attack path. A path with three hops has four resources total: entry, two intermediate, and target.

M

Member

A user role with read-only access to findings-related data within a tenant. Can view findings, IAM Risk, attack paths, and events, but cannot add or remove users, manage AWS accounts, or change settings.

O

Open

A finding state. The check is currently failing for the resource and the finding appears on the Findings page. See Severity levels and finding states.

Operational weight

A rough indicator of how much effort it takes to apply a fix. Higher means more changes, or more invasive changes.

Overprivilege

The portion of an identity's granted permissions that goes unused. Shown as a bar and percentage on the IAM Risk page. Higher is worse.

P

Path

See attack path.

Paths eliminated

The number of currently-detected attack paths a single fix would close. The primary sort key on the Fixes view.

Path snooze

A path marked as intentionally accepted (also called accepted risk). Snoozed paths are hidden from the default Attack Paths views and don't contribute to risk-score summaries. Permanent until un-snoozed. Every snooze carries a reason and the user who applied it.

Principal

An IAM user or IAM role. The unit of analysis on the IAM Risk page.

R

Reversibility

How recoverable a fix is if a downstream system depended on the current configuration. Additive / safe — no rollback risk. Narrowly destructive — removes something specific. Broadly destructive — removes something broad.

Risk score

A score on an attack path reflecting the severity of what would happen if the path were exploited. Shown with a band (Critical / High / Medium / Low).

S

Severity

The urgency level of a finding: Critical, High, Medium, or Low. Set on the check, not the individual resource. See Severity levels and finding states.

Stale identity

An IAM principal that hasn't been active in 90 or 180 days. Stale + admin is the highest-priority combination to clean up.

T

Target node

A resource an attacker would want to reach — the end of an attack path. Includes secrets, databases, private buckets, and sensitive roles.

Tenant

Your organization's GuardKite workspace. Each tenant has its own users, AWS accounts, findings, and subscription.