Inadequate Encryption Strength

Property
Language: hcl
Severity: medium
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

Sensitive AWS credentials are hard-coded directly into Lambda environment variables within your Terraform code. This exposes secrets in source control and increases the risk of accidental leaks.

Impact

If these credentials are exposed, attackers could gain unauthorized access to your AWS resources, potentially leading to data theft, service disruption, or significant financial loss. Compromised secrets can be exploited to escalate privileges or launch further attacks on your cloud infrastructure.

Inadequate Encryption Strength

Property
Language: hcl
Severity: medium
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The load balancer is configured to allow insecure TLS versions (older than TLS 1.2) or permits unencrypted HTTP traffic without forcing a redirect to HTTPS. This exposes sensitive data to potential interception during transmission.

Impact

Attackers could intercept, read, or modify data sent between clients and your service, leading to data breaches, credential theft, or manipulation of traffic. This compromises user privacy and can violate compliance requirements.

Inadequate Encryption Strength

Property
Language: hcl
Severity: low
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS WorkSpaces root volume is not encrypted, meaning data stored on it is left unprotected at rest. This exposes sensitive information if the storage is accessed by unauthorized users.

Impact

Without encryption, attackers or insiders who gain access to the underlying storage could read, copy, or steal sensitive data from the root volume. This increases the risk of data breaches and may lead to regulatory non-compliance.

Inadequate Encryption Strength

Property
Language: hcl
Severity: medium
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

Node-to-node encryption is not enabled for your AWS Elasticsearch cluster, which means data transmitted between cluster nodes is not protected. This leaves internal traffic vulnerable to interception within your AWS environment.

Impact

Without node-to-node encryption, sensitive data sent between Elasticsearch nodes can be exposed to attackers with network access, potentially leading to data breaches, unauthorized access, or compliance violations.

Inadequate Encryption Strength

Property
Language: terraform
Severity: high
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

The AWS Elasticsearch domain is configured to allow TLS 1.0 connections. TLS 1.0 relies on outdated cryptographic algorithms and is no longer considered secure, which increases the risk of attackers intercepting or tampering with data in transit.

Impact

If exploited, attackers could decrypt or modify sensitive data transmitted between clients and the Elasticsearch service, potentially leading to data breaches or unauthorized access. This weakens the overall security of your cloud infrastructure and may violate compliance requirements.

Inadequate Encryption Strength

Property
Language: hcl
Severity: low
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS Elastic Load Balancer (ELB) resource is configured without access logging enabled. Without logging, you won’t have records of traffic or activity passing through the load balancer.

Impact

Without access logs, you lose visibility into requests and potential security incidents, making it difficult to audit activity, troubleshoot issues, or investigate breaches. This could allow malicious actions to go undetected and hinder compliance efforts.

Inadequate Encryption Strength

Property
Language: terraform
Severity: medium
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The API Gateway domain is configured to use an outdated or insecure version of TLS instead of TLS 1.2. This weakens the encryption used to protect data transmitted between clients and your API.

Impact

Using older TLS versions exposes sensitive data to interception or tampering by attackers, as these versions have known vulnerabilities. This could lead to data breaches, loss of confidentiality, and non-compliance with security standards.

Inadequate Encryption Strength

Property
Language: hcl
Severity: low
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS Secrets Manager secret is not explicitly configured to use a customer-managed KMS key for encryption. Relying only on the default AWS-managed key reduces control over how your secrets are protected.

Impact

If an attacker compromises the default AWS-managed key or if stricter compliance is required, your secrets could be more easily accessed or not meet security standards. This could lead to unauthorized disclosure of sensitive information managed in Secrets Manager.

Inadequate Encryption Strength

Property
Language: generic
Severity: high
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

The configuration allows insecure SSL/TLS versions (older than TLS 1.2), which are outdated and have known security weaknesses. Only TLS 1.2 or 1.3 should be enabled to ensure secure encrypted connections.

Impact

If insecure SSL/TLS versions are allowed, attackers could exploit known vulnerabilities to intercept or manipulate sensitive data, potentially leading to data breaches or compromised user information. This weakens the overall security of your application and exposes users to significant risk.

Inadequate Encryption Strength

Property
Language: generic
Severity: medium
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

The server configuration is missing the ‘ssl_protocols’ directive, so outdated and insecure TLS versions (such as TLSv1 and TLSv1.1) may be enabled by default. This exposes encrypted traffic to known vulnerabilities in those protocol versions.

Impact

Attackers could exploit weak encryption protocols to intercept or decrypt sensitive data transmitted between clients and the server. This can lead to data breaches, credential theft, or unauthorized access to confidential information.