CodeAnt AI home pagelight logodark logo
  • Support
  • Dashboard
  • Dashboard
  • Join Community
Start Here
  • What is CodeAnt?
Setup
  • Github
  • Bitbucket
  • Gitlab
  • Azure Devops
Pull Request Review
  • Features
  • Customize Review
  • Quality Gates
  • Integrations
Scan center
  • Code Security
  • Code Quality
  • Cloud Security
  • Engineering Productivity
Integrations
  • Jira
  • Test Coverage
  • CI/CD
IDE
  • Setup
  • Review
  • Enhancements
Rule Reference
  • Compliance
  • Anti-Patterns
  • Code Governance
  • Infrastructure Security Database
  • Application Security Database
    • Apex
    • Bash
    • C
    • Clojure
    • Cpp
    • Csharp
    • Dockerfile
    • Elixir
    • Fingerprints
    • Generic
    • Go
    • Html
    • Java
    • Javascript
    • Json
    • Kotlin
    • Ocaml
    • Php
    • Problem-based-packs
    • Python
    • Ruby
    • Rust
    • Scala
    • Solidity
    • Swift
    • Terraform
      • Aws
        • Best practice
        • Correctness
        • Security
      • Azure
      • Gcp
      • Lang
    • Typescript
    • Yaml
Resources
  • Open Source
  • Blogs
Aws

Security

aws-fsx-windows-encrypted-with-cmk

Ensure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-kinesis-video-stream-encrypted-with-cmk

Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-network-acl-allows-all-ports

Ingress and/or egress is allowed for all ports in the network ACL rule. Ensure access to specific required ports is allowed, and nothing else.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A01:2021 - Broken Access Control

aws-documentdb-auditing-disabled

Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-778: Insufficient Logging
OWASP:
- A09:2021 - Security Logging and Monitoring Failures

aws-fsx-lustre-filesystem-encrypted-with-cmk

Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

aws-codebuild-project-unencrypted

The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in the CodeBuild. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-sagemaker-domain-encrypted-with-cmk

Ensure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-ebs-unencrypted

The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-imagebuilder-component-encrypted-with-cmk

Ensure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-dynamodb-point-in-time-recovery-disabled

Point-in-time recovery is not enabled for the DynamoDB table. DynamoDB tables should be protected against accidental or malicious write/delete actions. By enabling point-in-time-recovery you can restore to a known point in the event of loss of data.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-221: Information Loss or Omission
OWASP:
- A09:2021 – Security Logging and Monitoring Failures

aws-emr-encrypted-with-cmk

Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-ec2-security-group-allows-public-ingress

The security group rule allows ingress from public internet. Opening up ports to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible. Set a more restrictive CIDR range.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A01:2021 - Broken Access Control

aws-docdb-encrypted-with-cmk

Ensure DocDB is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-elasticsearch-insecure-tls-version

Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set “tls_security_policy” equal to “Policy-Min-TLS-1-2-2019-07”.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-glacier-vault-any-principal

Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: arn:aws:iam::<account_id>:<identity>.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration

aws-insecure-redshift-ssl-configuration

Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your require_ssl to "true".
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-sqs-queue-policy-wildcard-action

Wildcard used in your SQS queue policy action. SQS queue policies should always grant least privilege - that is, only grant the permissions required to perform a specific task. Implementing least privilege is important to reducing security risks and reducing the effect of errors or malicious intent.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration

aws-ec2-has-public-ip

EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your associate_public_ip_address to "false".
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

aws-opensearchserverless-encrypted-with-cmk

Ensure opensearch serverless is encrypted at rest using AWS KMS (Key Management Service) CMK (Customer Managed Keys). CMKs give you control over the encryption key in terms of access and rotation.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A2:2021 Cryptographic Failures
- A5:2021 Security Misconfiguration

aws-network-acl-allows-public-ingress

The network ACL rule allows ingress from public internet. Opening up ACLs to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible. Set a more restrictive CIDR range.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A01:2021 - Broken Access Control

aws-athena-client-can-disable-workgroup-encryption

The Athena workgroup configuration can be overriden by client-side settings. The client can make changes to disable encryption settings. Enforce the configuration to prevent client overrides.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

aws-provisioner-exec

Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
- A01:2017 - Injection

aws-codebuild-artifacts-unencrypted

The CodeBuild project artifacts are unencrypted. All artifacts produced by your CodeBuild project pipeline should be encrypted to prevent them from being read if compromised.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

aws-cloudtrail-encrypted-with-cmk

Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-fsx-ontapfs-encrypted-with-cmk

Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-provider-static-credentials

A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-798: Use of Hard-coded Credentials
OWASP:
- A07:2021 - Identification and Authentication Failures

aws-config-aggregator-not-all-regions

The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-778: Insufficient Logging
OWASP:
- A09:2021 - Security Logging and Monitoring Failures

insecure-load-balancer-tls-version

Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your ssl_policy to "ELBSecurityPolicy-TLS13-1-2-2021-06", or include a default action to redirect to HTTPS.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-kinesis-stream-unencrypted

The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

wildcard-assume-role

Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: arn:aws:iam::<account_id>:root.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-250: Execution with Unnecessary Privileges
OWASP:
- A06:2017 - Security Misconfiguration
- A05:2021 - Security Misconfiguration

aws-insecure-api-gateway-tls-version

Detected AWS API Gateway to be using an insecure version of TLS. To fix this issue make sure to set “security_policy” equal to “TLS_1_2”.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-timestream-database-encrypted-with-cmk

Ensure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-rds-backup-no-retention

The AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a backup_retention_period.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-codebuild-project-artifacts-unencrypted

The AWS CodeBuild Project Artifacts are unencrypted. The AWS KMS encryption key protects artifacts in the CodeBuild Projects. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-subnet-has-public-ip-address

Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set map_public_ip_on_launch to false so that resources are not publicly-accessible.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-284: Improper Access Control
OWASP:
- A01:2021 - Broken Access Control

aws-db-instance-no-logging

Database instance has no logging. Missing logs can cause missing important event information.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

aws-insecure-cloudfront-distribution-tls-version

Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your minimum_protocol_version to "TLSv1.2_2018", "TLSv1.2_2019" or "TLSv1.2_2021".
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-workspaces-root-volume-unencrypted

The AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-s3-bucket-object-encrypted-with-cmk

Ensure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-redshift-cluster-encrypted-with-cmk

Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

aws-iam-admin-policy-ssoadmin

Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration

aws-sqs-queue-policy-wildcard-principal

Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration

aws-elb-access-logs-not-enabled

ELB has no logging. Missing logs can cause missing important event information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-ecr-mutable-image-tags

The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting image_tag_mutability to IMMUTABLE.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-345: Insufficient Verification of Data Authenticity
OWASP:
- A08:2021 - Software and Data Integrity Failures

aws-workspaces-user-volume-unencrypted

The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-kms-no-rotation

The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a enable_key_rotation.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-lambda-x-ray-tracing-not-active

The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-778: Insufficient Logging
OWASP:
- A09:2021 Security Logging and Monitoring Failures

aws-s3-object-copy-encrypted-with-cmk

Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-kinesis-stream-encrypted-with-cmk

Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-kms-key-wildcard-principal

Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration

missing-athena-workgroup-encryption

The AWS Athena Workgroup is unencrypted. Encryption protects query results in your workgroup. To enable, add: encryption_configuration { encryption_option = "SSE_KMS" kms_key_arn = aws_kms_key.example.arn } within result_configuration { } in your resource block, where encryption_option is your chosen encryption method and kms_key_arn is your KMS key ARN.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-fsx-lustre-filesystem-encrypted-with-cmk

Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control

aws-cloudwatch-log-group-unencrypted

By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it’s recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A02:2021 - Cryptographic Failures

aws-ebs-volume-unencrypted

The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

aws-cloudwatch-log-group-no-retention

The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-ebs-snapshot-encrypted-with-cmk

Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-lambda-permission-unrestricted-source-arn

The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration

aws-sns-topic-unencrypted

The AWS SNS topic is unencrypted. The SNS topic messages could be read if compromised. The AWS KMS encryption key protects topic contents. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

aws-ec2-launch-configuration-ebs-block-device-unencrypted

The AWS launch configuration EBS block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

aws-documentdb-storage-unencrypted

The AWS DocumentDB cluster is unencrypted. The data could be read if the underlying disks are compromised. You should enable storage encryption.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

aws-dynamodb-table-unencrypted

By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it’s recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-sqs-queue-unencrypted

The AWS SQS queue contents are unencrypted. The data could be read if compromised. Enable server-side encryption for your queue using SQS-managed encryption keys (SSE-SQS), or using your own AWS KMS key (SSE-KMS).
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

aws-athena-workgroup-unencrypted

The AWS Athena Work Group is unencrypted. The AWS KMS encryption key protects backups in the work group. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

aws-efs-filesystem-encrypted-with-cmk

Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-ebs-volume-encrypted-with-cmk

Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-ssm-document-logging-issues

The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-transfer-server-is-public

Transfer Server endpoint type should not have public or null configured in order to block public access. To fix this, set your endpoint_type to "VPC".
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

aws-ecr-image-scanning-disabled

The ECR repository has image scans disabled. Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-223: Omission of Security-relevant Information
OWASP:
- A09:2021 - Security Logging and Monitoring Failures

aws-lambda-environment-unencrypted

By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it’s recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-ec2-security-group-rule-missing-description

The AWS security group rule is missing a description, or its description is empty or the default value. Security groups rules should include a meaningful description in order to simplify auditing, debugging, and managing security groups.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-223: Omission of Security-relevant Information
OWASP:
- A09:2021 - Security Logging and Monitoring Failures

aws-lambda-environment-credentials

A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-athena-database-unencrypted

The Athena database is unencrypted at rest. These databases are generally derived from data in S3 buckets and should have the same level of at rest protection. The AWS KMS encryption key protects database contents. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

aws-ecr-repository-wildcard-principal

Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration

unrestricted-github-oidc-policy

$POLICY is missing a condition block which scopes users of this policy to specific GitHub repositories. Without this, $POLICY is open to all users on GitHub. Add a condition block on the variable token.actions.githubusercontent.com:sub which scopes it to prevent this.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Sensitive Data Exposure
- A01:2021 - Broken Access Control

aws-ec2-launch-configuration-root-block-device-unencrypted

The AWS launch configuration root block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design

aws-secretsmanager-secret-unencrypted

By default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it’s recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-elasticsearch-nodetonode-encryption-not-enabled

Ensure all Elasticsearch has node-to-node encryption enabled.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

aws-ec2-launch-template-metadata-service-v1-enabled

The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1390: Weak Authentication
OWASP:
- A07:2021 - Identification and Authentication Failures

aws-backup-vault-unencrypted

The AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure

aws-iam-admin-policy

Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration
CorrectnessBest practice
twitterlinkedin
Powered by Mintlify
Assistant
Responses are generated using AI and may contain mistakes.