Glossary E
30 terms starting with E
eBPF is a Linux kernel technology that allows sandboxed programs to run in the kernel without modifying kernel source code or loading kernel modules. In cloud security, eBPF enables high-performance network policy enforcement, system call filtering for container isolation, runtime threat detection, and deep observability into application behavior — all with minimal overhead. Cilium and Falco use eBPF extensively for cloud-native security enforcement and detection.
Amazon EBS provides persistent block storage volumes for EC2 instances. EBS volumes are automatically replicated within their availability zone and offer multiple volume types optimized for different performance and cost tradeoffs (gp3 for general purpose, io2 for high IOPS databases, st1 for throughput-intensive workloads). EBS snapshots enable point-in-time backups stored in S3.
ECS and Fargate security covers the configuration, networking, and IAM controls required to run containerized workloads securely on AWS's container services. Key controls include applying task IAM roles with least privilege, using VPC endpoints to avoid public traffic, enabling CloudTrail logging for ECS API actions, scanning task definition images for vulnerabilities, and configuring security groups to restrict inter-service traffic. Fargate's serverless model eliminates host management but requires careful network and IAM policy design.
Edge computing processes data and runs workloads at locations physically close to end users — CDN edge nodes, ISP facilities, or on-premises edge servers — rather than centralizing computation in cloud data centers. This reduces latency for time-sensitive workloads, enables offline operation, and reduces data transfer costs. Cloudflare Workers, AWS Lambda@Edge, and Fastly Compute@Edge are cloud edge platforms.
EDR solutions continuously monitor endpoint devices (laptops, servers, workstations) for suspicious activity and provide tools for investigation and response. They record endpoint telemetry, detect behavioral anomalies, and enable security teams to isolate compromised devices, kill malicious processes, and collect forensic evidence remotely.
Egress refers to data leaving a cloud environment — from a cloud region to the internet, from one cloud provider to another, or between availability zones. Cloud providers charge for egress traffic, making it a critical cost driver for data-intensive architectures. Minimizing egress through CDN caching, data locality design, and regional processing is a key cloud cost optimization technique.
Egress filtering restricts outbound network traffic from cloud workloads to only authorized destinations, preventing compromised workloads from beaconing to command-and-control servers, exfiltrating data to attacker-controlled endpoints, or facilitating SSRF attacks against external services. Cloud egress controls include VPC security group outbound rules, NACLs, Network Firewall domain-based filtering, and Kubernetes network policies with egress rules. Egress filtering is a key defense against post-compromise data exfiltration.
EKS is AWS's managed Kubernetes service that runs the Kubernetes control plane across multiple availability zones, eliminating the operational burden of managing etcd and API servers. EKS integrates with AWS IAM for fine-grained access control, AWS Load Balancer Controller for ingress, and Karpenter for intelligent node provisioning. EKS on Fargate eliminates node management entirely.
An elastic IP address is a static, public IPv4 address in AWS that can be dynamically remapped between instances. Unlike regular public IP addresses that change when an instance is stopped, elastic IPs persist independently and can be reassigned rapidly during failover scenarios. AWS charges for elastic IPs that are allocated but not associated with a running instance to discourage address hoarding.
Amazon ElastiCache is a fully managed in-memory caching service supporting Redis and Memcached engines. It handles hardware provisioning, patching, failure detection, and recovery. ElastiCache for Redis supports clustering, replication, and persistence, making it suitable for session storage, real-time leaderboards, pub/sub messaging, and caching layers in front of relational databases.
ELT is a variant of ETL where raw data is loaded into the target data warehouse first, and transformations happen inside the warehouse using SQL. Cloud warehouses like BigQuery, Snowflake, and Redshift have made ELT practical by providing cheap storage and massively parallel query processing. dbt (data build tool) is the primary framework for managing ELT transformation logic as version-controlled SQL.
An embedding is a dense numerical vector representation of text, images, or other data that captures semantic meaning in a continuous vector space. Semantically similar items have similar embeddings, enabling operations like similarity search and clustering. Embedding models (such as OpenAI's text-embedding-3 or Sentence Transformers) are the foundation of retrieval-augmented generation and semantic search systems.
The encoder is the transformer component that converts input tokens into rich contextual representations using bidirectional self-attention. Each token's representation incorporates information from all other tokens in the sequence, unlike the masked attention in decoders. Encoder-only models like BERT excel at tasks requiring full-sequence understanding, such as classification and retrieval.
Encryption at rest protects stored data by encrypting it on disk so that physical access to storage media does not yield readable data. Cloud services typically offer default encryption using platform-managed keys, with options for customer-managed keys via KMS or HSM for regulatory requirements. It complements encryption in transit (TLS) to provide defense-in-depth for data protection.
Encryption in transit in cloud environments ensures that data moving between services, between users and cloud endpoints, and between cloud regions is protected using TLS or mutual TLS. Cloud services enforce encryption in transit through managed TLS termination at load balancers, VPC traffic encryption options, and minimum TLS version policies. Service mesh architectures automate mutual TLS between all microservices, providing encryption without application changes.
Envelope encryption is a key management pattern where a data encryption key (DEK) encrypts the actual data, and a separate key encryption key (KEK) — stored in a KMS — encrypts the DEK. Only the encrypted DEK is stored with the data; the KEK never leaves the KMS. This pattern allows efficient re-keying (only the DEK needs re-encryption), supports large datasets, and keeps master keys isolated in hardware-protected KMS systems.
Environment promotion is the process of advancing a tested artifact through a sequence of environments (dev, staging, production) before reaching end users. Each environment gate applies additional validation — integration tests, performance tests, security scans — increasing confidence that the change is safe to deploy. GitOps pipelines automate promotion by updating environment-specific configuration in Git.
Envoy is a high-performance, open-source edge and service proxy designed for cloud-native applications. Originally built at Lyft, Envoy serves as the data plane for Istio, Contour, and other service meshes and ingress controllers. It supports advanced load balancing, circuit breaking, retries, observability, and WebSocket/gRPC proxying, making it the de facto standard proxy in Kubernetes environments.
EPSS is a data-driven model that estimates the probability a given CVE will be exploited in the wild within the next 30 days. Published daily by FIRST, EPSS scores help security teams prioritize remediation beyond CVSS severity alone — a high-CVSS vulnerability with low EPSS may be less urgent than a medium-CVSS one actively being exploited. EPSS complements KEV for prioritization.
Eradication is the incident response phase where the root cause of a compromise is removed from the environment — including deleting malware, closing exploited vulnerabilities, removing attacker persistence mechanisms, and revoking compromised credentials. Eradication must be thorough before recovery begins; incomplete eradication leads to re-compromise. It follows Containment and precedes Recovery in the NIST IR lifecycle.
An error budget is the allowable amount of unreliability in a service derived from its SLO — if a service targets 99.9% availability, the error budget is 0.1% (about 8.7 hours per year). When the error budget is consumed, feature development slows and reliability work is prioritized. Error budgets create a shared incentive between product and engineering teams to balance velocity with stability.
ETL is a data integration process that extracts data from source systems, transforms it into the target schema and quality standards, and loads it into a data warehouse or destination. Traditional ETL processes data in batches. Tools like dbt, Apache Spark, and Fivetran implement ETL pipelines. ETL is the foundational pattern for populating analytics warehouses from operational databases.
LLM evaluation encompasses the methods and metrics used to measure model quality across dimensions including accuracy, safety, instruction following, and reasoning. Evaluation combines automated benchmarks (MMLU, HumanEval), reference-based metrics (BLEU, ROUGE), model-based judging (LLM-as-judge), and human preference studies. Robust evaluation is essential for guiding training decisions and detecting capability regressions.
An event bus is a communication backbone that allows services to publish and subscribe to events without direct coupling. It acts as a mediator that routes events from producers to all interested consumers. In-process event buses (like EventEmitter) handle within-application communication; distributed event buses (Kafka, EventBridge) coordinate across services and systems.
Event sourcing stores application state as an append-only log of domain events rather than mutable records. The current state is derived by replaying events from the beginning or from a snapshot. This approach provides a complete audit trail, enables temporal queries, and supports CQRS projections. It introduces complexity around event schema evolution and projection rebuilding.
Event streaming is an architectural pattern where changes in system state are published as a continuous stream of immutable events to a durable log. Consumers read from the log at their own pace, enabling decoupled, replay-capable integrations. Kafka, AWS Kinesis, and Google Pub/Sub are the leading event streaming platforms, enabling use cases from real-time analytics to event-driven microservices.
Event-driven architecture decouples producers and consumers of information by having components communicate through events published to a message bus. Services react to events asynchronously rather than calling each other directly, improving resilience and scalability. This pattern is central to real-time systems, microservices choreography, and event sourcing implementations.
Amazon EventBridge is a serverless event bus that routes events from AWS services, SaaS partners, and custom applications to target services like Lambda, Step Functions, and SQS. It supports event filtering via content-based rules, schema registry for event discovery, and pipes for point-to-point integrations. EventBridge enables loosely coupled, event-driven architectures across AWS services.
An exploit is code or a technique that takes advantage of a software vulnerability to cause unintended behavior, typically gaining unauthorized access or executing arbitrary commands. Exploits range from proof-of-concept demonstrations to weaponized payloads deployed by attackers. The existence of a public exploit for a vulnerability dramatically increases the urgency for patching, as reflected in the KEV catalog and EPSS scores.
External Secrets Operator (ESO) is a Kubernetes operator that synchronizes secrets from external secret management systems (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, GCP Secret Manager) into Kubernetes Secrets. This enables applications to consume secrets through the standard Kubernetes Secret API while the actual secret material is managed centrally with rotation, auditing, and access control in a dedicated secrets management platform.