    Aws

    Security

Ensure the FSx for Windows File Server file system is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

Ensure the Kinesis video stream is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

Ingress and/or egress is allowed for all ports in the network ACL rule. Allow access only to the specific ports that are required, and nothing else.
    Likelihood: MEDIUM
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control
    OWASP:
    - A01:2021 - Broken Access Control

Auditing is not enabled for DocumentDB. To be able to audit the usage of your DocumentDB cluster accurately, enable audit logging and export the logs to CloudWatch.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-778: Insufficient Logging
    OWASP:
    - A09:2021 - Security Logging and Monitoring Failures

Ensure the FSx for Lustre file system is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design

The AWS CodeBuild project is unencrypted. A KMS key protects the build output of CodeBuild projects. To use your own key, create an aws_kms_key resource or supply the ARN of an existing key in your account.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

Ensure AWS SageMaker domains are encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

The EBS volume is unencrypted. EBS encryption protects the data stored on the volume and in any snapshots taken from it.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

Ensure the Image Builder component is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

Point-in-time recovery is not enabled for the DynamoDB table. DynamoDB tables should be protected against accidental or malicious write/delete actions. By enabling point-in-time recovery you can restore the table to a known point in the event of data loss.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-221: Information Loss or Omission
OWASP:
- A09:2021 - Security Logging and Monitoring Failures

Ensure EMR is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

The security group rule allows ingress from the public internet. Opening ports to the public internet is potentially dangerous. Restrict access to the IP addresses or ranges that explicitly require it where possible, and set a more restrictive CIDR range.
    Likelihood: MEDIUM
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control
    OWASP:
    - A01:2021 - Broken Access Control

Ensure the DocumentDB cluster is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set tls_security_policy to "Policy-Min-TLS-1-2-2019-07" in the domain_endpoint_options block.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: arn:aws:iam::<account_id>:<identity>.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-732: Incorrect Permission Assignment for Critical Resource
    OWASP:
    - A05:2021 - Security Misconfiguration

Detected an AWS Redshift configuration with SSL disabled. To fix this, set the require_ssl parameter to "true" in the cluster parameter group so that clients must connect over TLS.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Wildcard used in your SQS queue policy action. SQS queue policies should always grant least privilege - that is, only grant the permissions required to perform a specific task. Implementing least privilege is important to reducing security risks and reducing the effect of errors or malicious intent.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-732: Incorrect Permission Assignment for Critical Resource
    OWASP:
    - A05:2021 - Security Misconfiguration

EC2 instances should not have a public IP address attached, in order to block public access to them. To fix this, set associate_public_ip_address to "false".
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-284: Improper Access Control
    OWASP:
    - A05:2017 - Broken Access Control
    - A01:2021 - Broken Access Control

Ensure the OpenSearch Serverless collection is encrypted at rest using an AWS KMS CMK (customer managed key). CMKs give you control over the encryption key in terms of access and rotation.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A02:2021 - Cryptographic Failures
- A05:2021 - Security Misconfiguration

The network ACL rule allows ingress from the public internet. Opening ACLs to the public internet is potentially dangerous. Restrict access to the IP addresses or ranges that explicitly require it where possible, and set a more restrictive CIDR range.
    Likelihood: MEDIUM
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control
    OWASP:
    - A01:2021 - Broken Access Control
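
The three network rules above (all-ports ACL rule, security group ingress from the internet, ACL ingress from the internet) come down to the same fix. As an added example that is not part of the page or of CodeAnt's rule set, here are the flagged shapes beside the scoped ones. The ACL, security group, CIDR and port are illustrative assumptions (203.0.113.0/24 is a documentation range standing in for a corporate egress range); the flagged and corrected resources are alternatives, not meant to coexist.

```hcl
# Flagged: every protocol, every port, from anywhere.
resource "aws_network_acl_rule" "open" {
  network_acl_id = aws_network_acl.main.id
  rule_number    = 100
  egress         = false
  protocol       = "-1" # all protocols
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 0
  to_port        = 0
}

resource "aws_security_group_rule" "open" {
  type              = "ingress"
  security_group_id = aws_security_group.web.id
  from_port         = 0
  to_port           = 65535
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Corrected: one protocol, one port, one named source, and a description that
# says why the rule exists so the next audit does not have to guess.
resource "aws_network_acl_rule" "https_from_office" {
  network_acl_id = aws_network_acl.main.id
  rule_number    = 100
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "203.0.113.0/24" # assumed corporate egress range
  from_port      = 443
  to_port        = 443
}

resource "aws_security_group_rule" "https_from_office" {
  type              = "ingress"
  description       = "HTTPS from corporate egress range"
  security_group_id = aws_security_group.web.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["203.0.113.0/24"]
}
```

Network ACLs are stateless, so the scoped ACL rule also needs a matching egress rule for the ephemeral return ports (1024-65535); security groups are stateful and do not.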

The Athena workgroup configuration can be overridden by client-side settings, so a client can disable the workgroup's encryption settings for its own queries. Set enforce_workgroup_configuration to true so that clients cannot override the workgroup configuration.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design

Provisioners are a tool of last resort and should be avoided where possible. Terraform cannot model provisioner behaviour as part of a plan, and provisioners execute arbitrary shell commands by design.
    Likelihood: HIGH
    Confidence: HIGH
    CWE:
    - CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
    - CWE-94: Improper Control of Generation of Code (‘Code Injection’)
    OWASP:
    - A03:2021 - Injection
    - A01:2017 - Injection
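
As an added example (not part of the page or of CodeAnt's rule set), the shape the provisioner rule flags beside the alternative a reviewer normally asks for. The AMI data source, key path, package and instance names are illustrative assumptions, and the two instances are alternatives rather than a pair meant to coexist.

```hcl
# Flagged: Terraform cannot plan what this script will do, and the runner executes
# it over SSH with a long-lived private key it must carry around.
resource "aws_instance" "web_provisioned" {
  ami           = data.aws_ami.al2023.id
  instance_type = "t3.micro"

  connection {
    type        = "ssh"
    user        = "ec2-user"
    private_key = file("~/.ssh/deploy.pem") # assumed key on the CI runner
    host        = self.public_ip
  }

  provisioner "remote-exec" {
    inline = [
      "sudo dnf install -y nginx",
      "sudo systemctl enable --now nginx",
    ]
  }
}

# Preferred: express the configuration as data Terraform can diff. cloud-init
# applies it at first boot; anything larger belongs in a baked AMI (EC2 Image
# Builder or Packer) referenced from `ami`.
resource "aws_instance" "web" {
  ami           = data.aws_ami.al2023.id
  instance_type = "t3.micro"

  user_data_replace_on_change = true
  user_data                   = <<-EOT
    #cloud-config
    packages:
      - nginx
    runcmd:
      - systemctl enable --now nginx
  EOT
}
```

The second form also removes the need for the instance to be reachable from the runner, which is usually what forced the public IP and the open SSH rule in the first place.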

    The CodeBuild project artifacts are unencrypted. All artifacts produced by your CodeBuild project pipeline should be encrypted to prevent them from being read if compromised.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design

Ensure CloudTrail logs are encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

Ensure the FSx for NetApp ONTAP file system is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

    A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-798: Use of Hard-coded Credentials
    OWASP:
    - A07:2021 - Identification and Authentication Failures

The AWS Config aggregator does not aggregate configuration data from all regions. This may leave configuration unmonitored in regions that are thought to be unused. Set all_regions to true in the aggregator's source block.
    Likelihood: LOW
    Confidence: HIGH
    CWE:
    - CWE-778: Insufficient Logging
    OWASP:
    - A09:2021 - Security Logging and Monitoring Failures

Detected an AWS load balancer listener with an insecure TLS version. TLS 1.0 and 1.1 are deprecated and should not be offered. To fix this, set ssl_policy to "ELBSecurityPolicy-TLS13-1-2-2021-06" on HTTPS listeners, and give plain HTTP listeners a default action that redirects to HTTPS.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design

Detected wildcard access granted to sts:AssumeRole. This means any principal in any AWS account that knows the role ARN can assume the role. Instead, limit the principal to a specific identity in your account, like this: arn:aws:iam::<account_id>:root.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-250: Execution with Unnecessary Privileges
    OWASP:
    - A06:2017 - Security Misconfiguration
    - A05:2021 - Security Misconfiguration

Detected an AWS API Gateway domain using an insecure version of TLS. To fix this, set security_policy to "TLS_1_2".
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

Ensure the Timestream database is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

The RDS instance has no backup retention. Without automated backups the database cannot be restored after data loss or corruption. To fix this, set backup_retention_period to a value greater than 0.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

The AWS CodeBuild project artifacts are unencrypted. A KMS key protects the artifacts that CodeBuild projects produce. To use your own key, create an aws_kms_key resource or supply the ARN of an existing key in your account.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure
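
The three CodeBuild rules on this page (unencrypted project, unencrypted artifacts, encryption disabled on the artifacts block) are settings on the same resource. As an added example that is not part of the page or of CodeAnt's rule set, the flagged project beside the corrected one; the role, bucket, key and repository are illustrative assumptions, and the two projects are alternatives, not meant to coexist.

```hcl
# Flagged: no project key (falls back to the AWS-managed S3 key) and artifact
# encryption explicitly switched off.
resource "aws_codebuild_project" "build_flagged" {
  name         = "app-build"
  service_role = aws_iam_role.codebuild.arn

  artifacts {
    type                = "S3"
    location            = aws_s3_bucket.artifacts.bucket
    encryption_disabled = true
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
  }

  source {
    type     = "GITHUB"
    location = "https://github.com/example-org/app.git"
  }
}

# Corrected: a CMK on the project (used for artifacts, cache and build logs)
# and artifact encryption left on. The service role needs kms:Encrypt,
# kms:Decrypt and kms:GenerateDataKey on this key or the upload step fails.
resource "aws_codebuild_project" "build" {
  name           = "app-build"
  service_role   = aws_iam_role.codebuild.arn
  encryption_key = aws_kms_key.build.arn

  artifacts {
    type                = "S3"
    location            = aws_s3_bucket.artifacts.bucket
    encryption_disabled = false
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
  }

  source {
    type     = "GITHUB"
    location = "https://github.com/example-org/app.git"
  }
}
```

encryption_disabled only exists on the artifacts (and secondary_artifacts) block; the project-level encryption_key is what determines which key is used, so both need to be right.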

    Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set map_public_ip_on_launch to false so that resources are not publicly-accessible.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-284: Improper Access Control
    OWASP:
    - A01:2021 - Broken Access Control

The RDS database instance has no log exports enabled. Without logs, important database events cannot be investigated. Set enabled_cloudwatch_logs_exports to the log types supported by your engine.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design
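
The RDS retention and logging rules above, together with the encryption-at-rest rules elsewhere on this page, are attributes of one aws_db_instance. As an added example that is not part of the page or of CodeAnt's rule set, an instance that satisfies all three; the subnet group, security group, key and engine choice are illustrative assumptions.

```hcl
resource "aws_db_instance" "app" {
  identifier        = "app-db"
  engine            = "postgres"
  engine_version    = "15"
  instance_class    = "db.t3.medium"
  allocated_storage = 50
  db_name           = "app"
  username          = "appadmin"

  # The master password is generated and stored in Secrets Manager by RDS,
  # so it never appears in source or in Terraform state.
  manage_master_user_password = true

  db_subnet_group_name   = aws_db_subnet_group.app.name
  vpc_security_group_ids = [aws_security_group.db.id]
  publicly_accessible    = false

  # Encryption at rest with a customer managed key (also covers snapshots).
  storage_encrypted = true
  kms_key_id        = aws_kms_key.data.arn

  # Retention: automated backups kept for 14 days, final snapshot on destroy.
  backup_retention_period   = 14
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "app-db-final"

  # Logging: the PostgreSQL engine log and upgrade log to CloudWatch Logs.
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
}
```

The valid values for enabled_cloudwatch_logs_exports depend on the engine (MySQL uses "audit", "error", "general" and "slowquery", for example), and the engine log only contains what the parameter group tells it to log, so pair this with log_statement / log_min_duration_statement settings in an aws_db_parameter_group.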

Detected an AWS CloudFront distribution with an insecure TLS version. TLS 1.0 and 1.1 are deprecated and should not be offered. To fix this, set minimum_protocol_version to "TLSv1.2_2018", "TLSv1.2_2019" or "TLSv1.2_2021".
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

The AWS WorkSpaces root volume is unencrypted. A KMS key protects the root volume. To use your own key, create an aws_kms_key resource or supply the ARN of an existing key in your account.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

Ensure S3 bucket objects are encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

Ensure the AWS Redshift cluster is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control
    OWASP:
    - A05:2017 - Broken Access Control
    - A01:2021 - Broken Access Control

    Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-732: Incorrect Permission Assignment for Critical Resource
    OWASP:
    - A05:2021 - Security Misconfiguration

    Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-732: Incorrect Permission Assignment for Critical Resource
    OWASP:
    - A05:2021 - Security Misconfiguration

The load balancer has no access logging. Without access logs, request-level events are not recorded and cannot be investigated. Enable the access_logs block with a target S3 bucket.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
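
The load balancer TLS rule, the load balancer logging rule, the API Gateway TLS rule and the CloudFront TLS rule on this page are all minimum-protocol settings on the edge resource. As an added example that is not part of the page or of CodeAnt's rule set, the corrected form of each; the certificates, buckets, subnets, domain names and target group are illustrative assumptions. For the ALB, the flagged value would be an older policy such as "ELBSecurityPolicy-2016-08", which still negotiates TLS 1.0 and 1.1.

```hcl
# Application Load Balancer: TLS 1.2/1.3 only, HTTP redirected, access logs on.
resource "aws_lb" "web" {
  name               = "web"
  load_balancer_type = "application"
  subnets            = var.public_subnet_ids
  security_groups    = [aws_security_group.web.id]

  access_logs {
    bucket  = aws_s3_bucket.lb_logs.id
    prefix  = "web-alb"
    enabled = true
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.web.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Port 80 exists only to bounce clients to HTTPS.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# API Gateway custom domain: TLS_1_2 (the other accepted value is TLS_1_0).
resource "aws_api_gateway_domain_name" "api" {
  domain_name              = "api.example.com"
  regional_certificate_arn = aws_acm_certificate.api.arn
  security_policy          = "TLS_1_2"

  endpoint_configuration {
    types = ["REGIONAL"]
  }
}

# CloudFront: minimum_protocol_version is honoured only with your own ACM
# certificate and SNI; the default CloudFront certificate fixes its own minimum.
data "aws_cloudfront_cache_policy" "optimized" {
  name = "Managed-CachingOptimized"
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true
  aliases = ["www.example.com"]

  origin {
    domain_name = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id   = "s3-site"
  }

  default_cache_behavior {
    target_origin_id       = "s3-site"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.optimized.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.site.arn # must be issued in us-east-1
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}
```

ALB access logging silently does nothing unless the log bucket's policy lets the Elastic Load Balancing service write to the prefix, so check that a bucket policy granting s3:PutObject to the regional ELB account (or, in newer regions, the logdelivery.elasticloadbalancing.amazonaws.com principal) is applied alongside this.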

    The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting image_tag_mutability to IMMUTABLE.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-345: Insufficient Verification of Data Authenticity
    OWASP:
    - A08:2021 - Software and Data Integrity Failures

The AWS WorkSpaces user volume is unencrypted. A KMS key protects the user volume. To use your own key, create an aws_kms_key resource or supply the ARN of an existing key in your account.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

The KMS key has no automatic rotation enabled. Without rotation, a leaked key material stays usable indefinitely. To fix this, set enable_key_rotation to true.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-778: Insufficient Logging
    OWASP:
- A09:2021 - Security Logging and Monitoring Failures

Ensure S3 object copies are encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

Ensure the Kinesis stream is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

    Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-732: Incorrect Permission Assignment for Critical Resource
    OWASP:
    - A05:2021 - Security Misconfiguration

The AWS Athena workgroup is unencrypted. Encryption protects the query results in your workgroup. To enable it, add an encryption_configuration block with encryption_option = "SSE_KMS" and kms_key_arn = aws_kms_key.example.arn inside the result_configuration block of the workgroup's configuration, where encryption_option is your chosen encryption method and kms_key_arn is your KMS key ARN.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

Ensure the FSx for Lustre file system is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    OWASP:
    - A01:2021 - Broken Access Control

    By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it’s recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-732: Incorrect Permission Assignment for Critical Resource
    OWASP:
    - A02:2021 - Cryptographic Failures

    The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design

The AWS CloudWatch log group has no retention period set. Set retention_in_days explicitly so that logs are kept for as long as your investigations and compliance requirements need them, and no longer.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

Ensure the EBS snapshot is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could configure resources in their account to invoke your Lambda function. Set source_arn to the ARN of the AWS resource that invokes the function, e.g. an S3 bucket, CloudWatch Events rule, API Gateway or SNS topic.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-732: Incorrect Permission Assignment for Critical Resource
    OWASP:
    - A05:2021 - Security Misconfiguration

The AWS SNS topic is unencrypted. The topic's messages could be read if the underlying storage is compromised. A KMS key protects topic contents. To use your own key, create an aws_kms_key resource or supply the ARN of an existing key in your account.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design

    The AWS launch configuration EBS block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design

    The AWS DocumentDB cluster is unencrypted. The data could be read if the underlying disks are compromised. You should enable storage encryption.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design
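
The DocumentDB auditing rule and the two DocumentDB encryption rules on this page meet in one cluster resource, and the detail the rule text leaves out is that exporting "audit" to CloudWatch does nothing unless the cluster parameter group also turns audit_logs on. As an added example that is not part of the page or of CodeAnt's rule set, a cluster that does both; the names, key, password variable and retention are illustrative assumptions.

```hcl
resource "aws_docdb_cluster_parameter_group" "audit" {
  family = "docdb5.0"
  name   = "app-docdb-audit"

  # Without this parameter the "audit" log export below stays empty.
  parameter {
    name  = "audit_logs"
    value = "enabled"
  }

  # Require TLS from clients as well.
  parameter {
    name  = "tls"
    value = "enabled"
  }
}

resource "aws_docdb_cluster" "app" {
  cluster_identifier = "app-docdb"
  engine             = "docdb"
  master_username    = "docdbadmin"
  master_password    = var.docdb_master_password # sensitive variable, never a literal

  db_cluster_parameter_group_name = aws_docdb_cluster_parameter_group.audit.name
  db_subnet_group_name            = aws_docdb_subnet_group.app.name
  vpc_security_group_ids          = [aws_security_group.docdb.id]

  # Encryption at rest with a customer managed key.
  storage_encrypted = true
  kms_key_id        = aws_kms_key.data.arn

  # Auditing exported to CloudWatch Logs.
  enabled_cloudwatch_logs_exports = ["audit"]

  backup_retention_period   = 14
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "app-docdb-final"
}
```

storage_encrypted and kms_key_id are fixed at cluster creation; turning them on for an existing unencrypted cluster means restoring a snapshot into a new encrypted cluster, and Terraform will plan a replacement.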

    By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it’s recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
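
The DynamoDB point-in-time recovery rule earlier on this page and the DynamoDB customer managed key rule above are both blocks on the same table. As an added example that is not part of the page or of CodeAnt's rule set, a table that enables both, with deletion protection as the third line of defence against the accidental or malicious deletes the PITR rule describes. The table, key and attributes are illustrative assumptions.

```hcl
resource "aws_dynamodb_table" "orders" {
  name         = "orders"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "order_id"

  attribute {
    name = "order_id"
    type = "S"
  }

  # Continuous backups: restore to any second in the last 35 days.
  point_in_time_recovery {
    enabled = true
  }

  # Encryption at rest with a customer managed key. With `enabled = true` and no
  # kms_key_arn, DynamoDB falls back to the AWS-managed aws/dynamodb key, which
  # is exactly what the rule above flags.
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.data.arn
  }

  # A `terraform destroy` or a stray console click cannot remove the table
  # until this is flipped back to false.
  deletion_protection_enabled = true
}
```

Restoring from PITR creates a new table rather than rolling the existing one back, so restore procedures (and the IAM permissions they need, dynamodb:RestoreTableToPointInTime plus access to the key) are worth rehearsing before an incident.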

    The AWS SQS queue contents are unencrypted. The data could be read if compromised. Enable server-side encryption for your queue using SQS-managed encryption keys (SSE-SQS), or using your own AWS KMS key (SSE-KMS).
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design
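
The two SQS policy rules earlier on this page (wildcard action, wildcard principal) and the SQS encryption rule above are covered by one queue and one policy document. As an added example that is not part of the page or of CodeAnt's rule set, the flagged policy beside a least-privilege one that lets exactly one SNS topic publish; the queue, topic and key are illustrative assumptions, and the two policy documents are alternatives.

```hcl
resource "aws_sqs_queue" "events" {
  name                              = "events"
  kms_master_key_id                 = aws_kms_key.data.arn # SSE-KMS; use sqs_managed_sse_enabled = true for SSE-SQS instead
  kms_data_key_reuse_period_seconds = 300
}

# Flagged: anyone (including anonymous callers) may do anything to the queue.
data "aws_iam_policy_document" "events_open" {
  statement {
    actions   = ["sqs:*"]
    resources = [aws_sqs_queue.events.arn]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

# Corrected: only the SNS service, only SendMessage, and only on behalf of
# one specific topic (the aws:SourceArn condition is what stops another
# account's topic from using the same service principal).
data "aws_iam_policy_document" "events_from_orders_topic" {
  statement {
    sid       = "AllowOrdersTopicToPublish"
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.events.arn]
    principals {
      type        = "Service"
      identifiers = ["sns.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_sns_topic.orders.arn]
    }
  }
}

resource "aws_sqs_queue_policy" "events" {
  queue_url = aws_sqs_queue.events.id
  policy    = data.aws_iam_policy_document.events_from_orders_topic.json
}
```

With SSE-KMS on the queue, the SNS service also needs kms:GenerateDataKey and kms:Decrypt on the key (granted in the key policy), otherwise deliveries fail silently from the topic's point of view.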

The AWS Athena workgroup is unencrypted. A KMS key protects the query results written by the workgroup. To use your own key, create an aws_kms_key resource or supply the ARN of an existing key in your account.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design
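
The Athena rules on this page (client-side overrides, unencrypted workgroup results, unencrypted database) fit in two resources. As an added example that is not part of the page or of CodeAnt's rule set, a workgroup that enforces its encrypted result configuration and a database encrypted with the same key; the bucket, key and names are illustrative assumptions.

```hcl
resource "aws_athena_workgroup" "analytics" {
  name = "analytics"

  configuration {
    # Without this, a client can pass its own ResultConfiguration and write
    # unencrypted results to a bucket of its choosing.
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.athena_results.bucket}/results/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.data.arn
      }
    }
  }
}

resource "aws_athena_database" "logs" {
  name   = "logs"
  bucket = aws_s3_bucket.athena_results.bucket

  encryption_configuration {
    encryption_option = "SSE_KMS"
    kms_key           = aws_kms_key.data.arn
  }
}
```

Note the asymmetry in the provider: the workgroup block takes kms_key_arn while the database block takes kms_key. Users of the workgroup also need kms:GenerateDataKey and kms:Decrypt on the key, or their queries fail when writing results.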

Ensure the EFS file system is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

Ensure the EBS volume is encrypted at rest using a KMS CMK. CMKs give you control over the encryption key in terms of access and rotation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure
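
Most of the "encrypted at rest using KMS CMKs" rules on this page, plus the key rotation rule and the wildcard key policy rule, start from the same thing: a customer managed key with a policy that separates administration from use. As an added example that is not part of the page or of CodeAnt's rule set, such a key wired into the EBS volume and snapshot rules above; the role names, region and sizes are illustrative assumptions.

```hcl
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "data_key" {
  # Administration: the account's admin role only (never Principal "*").
  statement {
    sid       = "KeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/KeyAdmin"]
    }
  }

  # Use: the workload role can encrypt/decrypt but cannot change the policy.
  statement {
    sid       = "WorkloadUse"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.app.arn]
    }
  }

  # EBS attaches volumes through KMS grants, so the workload also needs
  # CreateGrant, restricted to grants created on behalf of an AWS service.
  statement {
    sid       = "WorkloadGrantsForAwsServices"
    actions   = ["kms:CreateGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.app.arn]
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "data" {
  description             = "CMK for application data volumes"
  enable_key_rotation     = true # yearly automatic rotation of the backing key material
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.data_key.json
}

resource "aws_kms_alias" "data" {
  name          = "alias/app-data"
  target_key_id = aws_kms_key.data.key_id
}

resource "aws_ebs_volume" "app" {
  availability_zone = "us-east-1a"
  size              = 100
  type              = "gp3"
  encrypted         = true
  kms_key_id        = aws_kms_key.data.arn
}

# Snapshots of an encrypted volume are encrypted with the same key.
resource "aws_ebs_snapshot" "app" {
  volume_id = aws_ebs_volume.app.id
}

# Belt and braces: any volume created in this region without an explicit
# setting is encrypted with the account's default EBS key.
resource "aws_ebs_encryption_by_default" "on" {
  enabled = true
}
```

A key policy that does not grant the account root means IAM policies alone can never grant access to the key, which is the intent here; the cost is that if the KeyAdmin role is deleted the key becomes unmanageable until AWS Support intervenes, so keep that principal under change control.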

Session Manager session logging is disabled or unencrypted. Enable session logging (to S3 and/or CloudWatch Logs) and protect the logs with a KMS key. To use your own key, create an aws_kms_key resource or supply the ARN of an existing key in your account.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

The Transfer Family server endpoint type should not be PUBLIC or left unset, in order to block public access. To fix this, set endpoint_type to "VPC".
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control
    OWASP:
    - A05:2017 - Broken Access Control
    - A01:2021 - Broken Access Control

    The ECR repository has image scans disabled. Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.
    Likelihood: MEDIUM
    Confidence: LOW
    CWE:
    - CWE-223: Omission of Security-relevant Information
    OWASP:
    - A09:2021 - Security Logging and Monitoring Failures

    By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it’s recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

    The AWS security group rule is missing a description, or its description is empty or the default value. Security groups rules should include a meaningful description in order to simplify auditing, debugging, and managing security groups.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-223: Omission of Security-relevant Information
    OWASP:
    - A09:2021 - Security Logging and Monitoring Failures

    A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
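
Both hard-coded credential rules on this page describe the same finding. As an added example that is not part of the page or of CodeAnt's rule set, the flagged provider block beside the way a deploy pipeline normally supplies credentials; the role ARN, secret name and account ID are illustrative assumptions, and the access key pair shown is the placeholder pair from the AWS documentation, not a real credential.

```hcl
# Flagged: static keys in source. They also end up in Terraform state and in
# every clone of the repository.
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

# Corrected: the provider picks up whatever the runner already has (AWS_PROFILE,
# AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY from a CI secret store, an instance
# role, or OIDC) and assumes a deploy role scoped to this workload.
provider "aws" {
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/terraform-deploy"
    session_name = "terraform"
  }
}

# Application secrets are read from Secrets Manager at plan time ...
data "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/app/db"
}

locals {
  db_password = jsondecode(data.aws_secretsmanager_secret_version.db.secret_string)["password"]
}

# ... or passed in as a sensitive variable (TF_VAR_db_password in CI), which
# keeps the value out of plan and apply output.
variable "db_password" {
  type      = string
  sensitive = true
}
```

Neither of the corrected forms keeps the secret out of state: anything a resource argument receives is written to the state file in clear text. Treat the state backend as a secret store (encrypted bucket, versioning, tight IAM) and, where the service offers it, prefer options such as manage_master_user_password on RDS that never hand the value to Terraform at all.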

The Athena database is unencrypted at rest. These databases are generally derived from data in S3 buckets and should have the same level of at-rest protection. A KMS key protects database contents. To use your own key, create an aws_kms_key resource or supply the ARN of an existing key in your account.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design

    Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-732: Incorrect Permission Assignment for Critical Resource
    OWASP:
    - A05:2021 - Security Misconfiguration
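
The three ECR rules on this page (mutable tags, scanning disabled, wildcard principal in the repository policy) are settings on one repository. As an added example that is not part of the page or of CodeAnt's rule set, the corrected repository with a pull-only policy for a single consumer role; the account variable, role name and key are illustrative assumptions, and the flagged policy document is shown only for contrast.

```hcl
resource "aws_ecr_repository" "app" {
  name = "app"

  # A pushed tag can never be repointed at a different image; a compromised
  # CI job has to push a new tag, which deployments do not reference.
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }

  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.data.arn
  }
}

# Flagged: a wildcard principal makes the repository readable by any AWS account.
data "aws_iam_policy_document" "app_open" {
  statement {
    actions = ["ecr:*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

# Corrected: one consumer, pull permissions only.
data "aws_iam_policy_document" "app_pull" {
  statement {
    sid = "ProdTaskExecutionPull"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.prod_account_id}:role/ecs-task-execution"]
    }
  }
}

resource "aws_ecr_repository_policy" "app" {
  repository = aws_ecr_repository.app.name
  policy     = data.aws_iam_policy_document.app_pull.json
}
```

Immutable tags only protect references by tag; deployments that pin the image digest (repo@sha256:...) are unaffected either way and are the stronger choice. scan_on_push enables the basic per-repository scan; if the registry has enhanced scanning configured through aws_ecr_registry_scanning_configuration, that setting takes over.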

$POLICY is missing a condition block that scopes users of this policy to specific GitHub repositories. Without it, $POLICY can be assumed by workflows from any repository on GitHub. Add a condition on the token.actions.githubusercontent.com:sub claim that restricts it to the intended repository (and branch or environment).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
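
The wildcard sts:AssumeRole rule, the admin-access rule and the GitHub OIDC rule on this page are all about the two policy documents of an IAM role. As an added example that is not part of the page or of CodeAnt's rule set, the flagged documents beside a GitHub Actions deploy role whose trust policy pins both the audience and the subject and whose permissions cover one S3 prefix; the OIDC provider, repository, bucket and role names are illustrative assumptions, and the flagged documents are shown only for contrast.

```hcl
# Flagged (1): any principal in any AWS account may assume the role.
data "aws_iam_policy_document" "trust_open" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

# Flagged (2): full administrative access.
data "aws_iam_policy_document" "admin" {
  statement {
    actions   = ["*"]
    resources = ["*"]
  }
}

# Corrected trust policy: the federated OIDC provider is the only principal,
# the audience is pinned, and `sub` is limited to one repository and branch.
# Drop the `sub` condition and every repository on GitHub could mint a token
# this role accepts.
data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/app:ref:refs/heads/main"]
    }
  }
}

# Corrected permissions: only what the deploy job does, on only its prefix.
data "aws_iam_policy_document" "deploy" {
  statement {
    sid       = "WriteReleaseArtifacts"
    actions   = ["s3:PutObject", "s3:GetObject"]
    resources = ["${aws_s3_bucket.artifacts.arn}/releases/app/*"]
  }
  statement {
    sid       = "ListReleasePrefix"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.artifacts.arn]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["releases/app/*"]
    }
  }
}

resource "aws_iam_role" "github_deploy" {
  name                 = "github-deploy"
  assume_role_policy   = data.aws_iam_policy_document.github_trust.json
  max_session_duration = 3600
}

resource "aws_iam_role_policy" "github_deploy" {
  name   = "deploy"
  role   = aws_iam_role.github_deploy.id
  policy = data.aws_iam_policy_document.deploy.json
}
```

For roles assumed by people or by another account rather than by a CI identity, the equivalent fix for the first flagged document is a specific AWS principal (arn:aws:iam::<account_id>:role/<name>, or the account root if IAM in that account should decide) and, for cross-account use, an sts:ExternalId condition.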

    The AWS launch configuration root block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-311: Missing Encryption of Sensitive Data
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A04:2021 - Insecure Design

By default, AWS Secrets Manager secrets are encrypted using AWS-managed keys. However, for added security, it is recommended to configure your own AWS KMS encryption key to protect your secrets in Secrets Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

Ensure all Elasticsearch domains have node-to-node encryption enabled, so that traffic between the nodes of the cluster is protected by TLS.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
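
The Elasticsearch TLS rule earlier on this page and the node-to-node encryption rule above, together with encryption at rest, are three blocks on one domain. As an added example that is not part of the page or of CodeAnt's rule set, a domain with all three enabled and its endpoint kept inside the VPC; the key, subnet, security group and sizing are illustrative assumptions. The aws_opensearch_domain resource takes the same blocks.

```hcl
resource "aws_elasticsearch_domain" "logs" {
  domain_name           = "logs"
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type  = "t3.small.elasticsearch"
    instance_count = 2
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 20
  }

  # At rest: data on the nodes' volumes, under our customer managed key.
  encrypt_at_rest {
    enabled    = true
    kms_key_id = aws_kms_key.data.key_id
  }

  # In transit inside the cluster: TLS between nodes.
  node_to_node_encryption {
    enabled = true
  }

  # In transit to clients: HTTPS only, TLS 1.2 minimum.
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  # No public endpoint; reachable only from the listed subnet/security group.
  vpc_options {
    subnet_ids         = [aws_subnet.app.id]
    security_group_ids = [aws_security_group.search.id]
  }
}
```

encrypt_at_rest and node_to_node_encryption are not freely toggleable on a running domain the way tls_security_policy is; enabling them on an existing domain may require a new domain and a reindex, and Terraform's plan will show a replacement when that is the case.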

    The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-1390: Weak Authentication
    OWASP:
    - A07:2021 - Identification and Authentication Failures
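
The IMDSv2 rule above, the public IP rules (associate_public_ip_address, map_public_ip_on_launch) and the unencrypted block device rules elsewhere on this page all land in the subnet and launch template that EC2 capacity is created from. As an added example that is not part of the page or of CodeAnt's rule set, a subnet and launch template with all of them set; the VPC, AMI data source, security group and key are illustrative assumptions.

```hcl
resource "aws_subnet" "app" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = false # instances get no public IP unless asked for explicitly
}

resource "aws_launch_template" "app" {
  name_prefix   = "app-"
  image_id      = data.aws_ami.al2023.id
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint = "enabled"
    # IMDSv2 only: every metadata request needs a session token obtained with
    # a PUT, which the usual GET-only SSRF cannot perform.
    http_tokens = "required"
    # The token response will not cross a second network hop, so a process in
    # a container on a bridge network (or behind a forwarding proxy) cannot
    # obtain one.
    http_put_response_hop_limit = 1
    instance_metadata_tags      = "disabled"
  }

  # In a launch template the public IP setting lives on the network interface
  # (on aws_instance it is the top-level associate_public_ip_address).
  network_interfaces {
    associate_public_ip_address = false
    subnet_id                   = aws_subnet.app.id
    security_groups             = [aws_security_group.app.id]
  }

  block_device_mappings {
    device_name = "/dev/xvda"
    ebs {
      encrypted  = true
      kms_key_id = aws_kms_key.data.arn
    }
  }
}
```

hop_limit = 1 breaks workloads that legitimately read metadata from inside containers with their own network namespace (ECS tasks in awsvpc mode are fine; Docker bridge networking is not), so raise it to 2 only for hosts that need that and keep http_tokens = "required" regardless.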

The AWS Backup vault is unencrypted. A KMS key protects the backups in the vault. To use your own key, create an aws_kms_key resource or supply the ARN of an existing key in your account.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-320: CWE CATEGORY: Key Management Errors
    OWASP:
    - A03:2017 - Sensitive Data Exposure

    Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-732: Incorrect Permission Assignment for Critical Resource
    OWASP:
    - A05:2021 - Security Misconfiguration
