Inadequate Encryption Strength

Property
Language: hcl
Severity: low
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The SSL policy for your Google Cloud load balancer allows weak or outdated cipher suites or TLS versions, which do not provide strong encryption for data in transit. This configuration can expose sensitive data to interception or tampering.

Impact

If weak SSL/TLS settings are used, attackers could decrypt or manipulate traffic between users and your services, leading to data breaches, credential theft, or unauthorized access. This weakens the overall security of your application and may violate compliance requirements.

Inadequate Encryption Strength

Property
Language: hcl
Severity: medium
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

The Cloud SQL database instance is not configured to require SSL for incoming connections. This means data sent to and from the database could be transmitted in plaintext over the network.

Impact

Without SSL enforcement, sensitive information—such as credentials and personal data—can be intercepted by attackers during transit, leading to data breaches, account compromise, and regulatory violations.

Inadequate Encryption Strength

Property
Language: terraform
Severity: low
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Google Cloud Load Balancer is configured to allow outdated versions of TLS, rather than enforcing at least TLS 1.2. This weakens the security of encrypted connections to your services.

Impact

Allowing insecure TLS versions exposes data in transit to interception or tampering by attackers, potentially leading to sensitive information leaks or man-in-the-middle attacks against users of your application.

Inadequate Encryption Strength

Property
Language: hcl
Severity: low
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Data Fusion instance is not configured to enable Stackdriver Monitoring, which means important operational and security metrics are not being collected or monitored.

Impact

Without Stackdriver Monitoring, issues such as performance bottlenecks, configuration errors, or potential security incidents may go undetected, making it harder to respond to problems or investigate suspicious activity. This could lead to prolonged outages or compromise of sensitive data.

Inadequate Encryption Strength

Property
Language: hcl
Severity: medium
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

The DNSSEC configuration for Google Cloud DNS is set to use the RSASHA1 algorithm for signing keys, which is considered outdated and insecure. RSASHA1 is vulnerable to cryptographic attacks and should not be used for zone-signing or key-signing keys.

Impact

Using RSASHA1 allows attackers to potentially forge DNS records or tamper with DNS responses, putting your domains at risk of spoofing and compromising the integrity and confidentiality of your DNS data. This increases the likelihood of phishing, man-in-the-middle attacks, and unauthorized access to sensitive resources.

Inadequate Encryption Strength

Property
Language: hcl
Severity: medium
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The CloudFront distribution is configured to allow outdated TLS versions (below 1.2), which are no longer secure. This makes it possible for attackers to exploit weaknesses in older encryption protocols when clients connect to your service.

Impact

Allowing insecure TLS versions can lead to sensitive data being intercepted or tampered with during transmission. Attackers could eavesdrop on user information, compromise data integrity, or downgrade connections to exploit known cryptographic vulnerabilities, putting both users and your organization at risk.

Inadequate Encryption Strength

Property
Language: hcl
Severity: medium
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The DynamoDB table is not configured to use a customer-managed AWS KMS encryption key, relying only on the default AWS-managed key. This setup provides less control over key management and data protection.

Impact

Without a customer-managed KMS key, your ability to manage encryption, control access, and audit key usage is limited. If the default key is compromised or misconfigured, sensitive data in the table could be exposed, increasing the risk of data breaches and compliance violations.

Inadequate Encryption Strength

Property
Language: hcl
Severity: medium
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The AWS Redshift parameter group is configured without enforcing SSL connections by omitting require_ssl = true. This means data sent to and from Redshift is not encrypted in transit.

Impact

Without SSL enforced, sensitive information (such as credentials or query results) can be intercepted or read by attackers on the network, potentially leading to data breaches or unauthorized access to your Redshift cluster.

Inadequate Encryption Strength

Property
Language: hcl
Severity: medium
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The AWS KMS key is created without enabling automatic key rotation, which means the same encryption key is used indefinitely. This increases the risk that, if the key is ever compromised, attackers can decrypt sensitive data protected by it.

Impact

If key rotation is not enabled and a key is leaked or compromised, attackers could access all past and future data encrypted with that key. This could lead to unauthorized data exposure or loss of data confidentiality across your AWS environment.

Inadequate Encryption Strength

Property
Language: hcl
Severity: low
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS SSM Document configuration does not enable encryption for its session logs, or does not enable logging at all. This means sensitive operational data may be stored in plaintext or not be logged securely.

Impact

Without proper encryption and logging, attackers or unauthorized users could access or tamper with sensitive SSM logs, potentially exposing confidential information or masking malicious activity. This increases the risk of data breaches and makes incident response more difficult.