aws-fsx-windows-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-kinesis-video-stream-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-network-acl-allows-all-ports
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A01:2021 - Broken Access Control
aws-documentdb-auditing-disabled
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-778: Insufficient Logging
OWASP:
- A09:2021 - Security Logging and Monitoring Failures
aws-fsx-lustre-filesystem-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
aws-codebuild-project-unencrypted
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-sagemaker-domain-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-ebs-unencrypted
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-imagebuilder-component-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-dynamodb-point-in-time-recovery-disabled
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-221: Information Loss or Omission
OWASP:
- A09:2021 - Security Logging and Monitoring Failures
aws-emr-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-ec2-security-group-allows-public-ingress
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A01:2021 - Broken Access Control
aws-docdb-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-elasticsearch-insecure-tls-version
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-glacier-vault-any-principal
arn:aws:iam::<account_id>:<identity>.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration
aws-insecure-redshift-ssl-configuration
require_ssl to "true".
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-sqs-queue-policy-wildcard-action
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration
aws-ec2-has-public-ip
associate_public_ip_address to "false".
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
aws-opensearchserverless-encrypted-with-cmk
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A02:2021 - Cryptographic Failures
- A05:2021 - Security Misconfiguration
aws-network-acl-allows-public-ingress
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A01:2021 - Broken Access Control
aws-athena-client-can-disable-workgroup-encryption
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
aws-provisioner-exec
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
OWASP:
- A03:2021 - Injection
- A01:2017 - Injection
aws-codebuild-artifacts-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
aws-cloudtrail-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-fsx-ontapfs-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-provider-static-credentials
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-798: Use of Hard-coded Credentials
OWASP:
- A07:2021 - Identification and Authentication Failures
aws-config-aggregator-not-all-regions
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-778: Insufficient Logging
OWASP:
- A09:2021 - Security Logging and Monitoring Failures
insecure-load-balancer-tls-version
ssl_policy to "ELBSecurityPolicy-TLS13-1-2-2021-06", or include a default action to redirect to HTTPS.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-kinesis-stream-unencrypted
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
wildcard-assume-role
arn:aws:iam::<account_id>:root.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-250: Execution with Unnecessary Privileges
OWASP:
- A06:2017 - Security Misconfiguration
- A05:2021 - Security Misconfiguration
aws-insecure-api-gateway-tls-version
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-timestream-database-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-rds-backup-no-retention
backup_retention_period.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-codebuild-project-artifacts-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-subnet-has-public-ip-address
map_public_ip_on_launch to false so that resources are not publicly accessible.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-284: Improper Access Control
OWASP:
- A01:2021 - Broken Access Control
aws-db-instance-no-logging
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
aws-insecure-cloudfront-distribution-tls-version
minimum_protocol_version to "TLSv1.2_2018", "TLSv1.2_2019" or "TLSv1.2_2021".
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-workspaces-root-volume-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-s3-bucket-object-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-redshift-cluster-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
aws-iam-admin-policy-ssoadmin
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration
aws-sqs-queue-policy-wildcard-principal
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration
aws-elb-access-logs-not-enabled
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-ecr-mutable-image-tags
aws-workspaces-user-volume-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-kms-no-rotation
enable_key_rotation.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-lambda-x-ray-tracing-not-active
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-778: Insufficient Logging
OWASP:
- A09:2021 - Security Logging and Monitoring Failures
aws-s3-object-copy-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-kinesis-stream-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-kms-key-wildcard-principal
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration
missing-athena-workgroup-encryption
encryption_configuration { encryption_option = "SSE_KMS" kms_key_arn = aws_kms_key.example.arn } within result_configuration { } in your resource block, where encryption_option is your chosen encryption method and kms_key_arn is your KMS key ARN.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-fsx-lustre-filesystem-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control
aws-cloudwatch-log-group-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A02:2021 - Cryptographic Failures
aws-ebs-volume-unencrypted
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
aws-cloudwatch-log-group-no-retention
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-ebs-snapshot-encrypted-with-cmk
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-lambda-permission-unrestricted-source-arn
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration
aws-sns-topic-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
aws-ec2-launch-configuration-ebs-block-device-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
aws-documentdb-storage-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
aws-dynamodb-table-unencrypted
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-sqs-queue-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
aws-athena-workgroup-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
aws-efs-filesystem-encrypted-with-cmk
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-ebs-volume-encrypted-with-cmk
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-ssm-document-logging-issues
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-transfer-server-is-public
endpoint_type to "VPC".
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
aws-ecr-image-scanning-disabled
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-223: Omission of Security-relevant Information
OWASP:
- A09:2021 - Security Logging and Monitoring Failures
aws-lambda-environment-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-ec2-security-group-rule-missing-description
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-223: Omission of Security-relevant Information
OWASP:
- A09:2021 - Security Logging and Monitoring Failures
aws-lambda-environment-credentials
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-athena-database-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
aws-ecr-repository-wildcard-principal
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration
unrestricted-github-oidc-policy
$POLICY is missing a condition block which scopes users of this policy to specific GitHub repositories. Without this, $POLICY is open to all users on GitHub. Add a condition block on the variable token.actions.githubusercontent.com:sub which scopes it to prevent this.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Sensitive Data Exposure
- A01:2021 - Broken Access Control
aws-ec2-launch-configuration-root-block-device-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
aws-secretsmanager-secret-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-elasticsearch-nodetonode-encryption-not-enabled
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
aws-ec2-launch-template-metadata-service-v1-enabled
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1390: Weak Authentication
OWASP:
- A07:2021 - Identification and Authentication Failures
aws-backup-vault-unencrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
aws-iam-admin-policy
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration