Incorrect Permission Assignment for Critical Resource

Property
Language: yaml
Severity: medium
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The service is configured with a writable root filesystem (no 'read_only: true'), allowing applications inside the container to modify or add files. This increases the risk of unauthorized changes or the installation of malicious software if the container is compromised.

Impact

If exploited, an attacker could alter application files, persist malicious code, or abuse the writable filesystem to escalate their access. This could lead to data breaches, service disruption, or facilitate lateral movement within your infrastructure.

Incorrect Permission Assignment for Critical Resource

Property
Language: yaml
Severity: medium
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The service is missing the 'no-new-privileges:true' option in its 'security_opt' settings, which means processes inside the container could gain extra privileges through setuid or setgid binaries. This makes it easier for attackers to escalate their access within the container.

Impact

If exploited, an attacker could gain higher privileges inside the container, potentially allowing them to access sensitive data, alter system files, or compromise other services. This increases the risk of a full container breakout or lateral movement within your infrastructure.

Incorrect Permission Assignment for Critical Resource

Property
Language: hcl
Severity: medium
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The IAM policy grants full administrative access ('Action': '*' and/or 'Resource': '*'), allowing anyone with this policy to perform any action on any AWS resource. This overly broad permission violates the principle of least privilege.

Impact

If exploited, an attacker or unauthorized user could take complete control of your AWS environment, including reading, modifying, or deleting resources and data. This could lead to data breaches, service disruptions, or full compromise of your cloud infrastructure.

Incorrect Permission Assignment for Critical Resource

Property
Language: hcl
Severity: low
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP: A02:2021 - Cryptographic Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS CloudWatch Log Group resource is not configured to use a customer-managed KMS key for encryption. Relying solely on default AWS-managed keys provides less control over log data security.

Impact

Without a customer-managed KMS key, sensitive log data is at greater risk if AWS-managed keys are compromised or misused. Attackers or unauthorized users may gain access to log contents, leading to data exposure or compliance violations.

Incorrect Permission Assignment for Critical Resource

Property
Language: hcl
Severity: medium
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The Glacier Vault access policy is configured with a wildcard ('*') principal, allowing any AWS user or identity to access the vault. This overly broad permission means unauthorized users could perform actions on your Glacier resources.

Impact

If exploited, unauthorized users could read, modify, or delete sensitive data stored in the Glacier Vault. This exposes your organization to data breaches, loss of critical backups, and potential regulatory non-compliance.

Incorrect Permission Assignment for Critical Resource

Property
Language: hcl
Severity: medium
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The SQS queue policy uses a wildcard ('*') for the Principal, which allows any user, including anonymous or unauthenticated users, to access the queue. This effectively makes your SQS queue public and exposes it to anyone on the internet.

Impact

If exploited, attackers could send, receive, or delete messages from your SQS queue without restriction. This could lead to data loss, unauthorized access to sensitive information, abuse of your AWS resources, and potential disruption of your application's messaging workflow.

Incorrect Permission Assignment for Critical Resource

Property
Language: hcl
Severity: low
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The SQS queue policy grants permissions using a wildcard ('*' or 'sqs:*') in the Action field, allowing all possible actions instead of only those required. This does not follow the principle of least privilege and exposes the queue to unnecessary risk.

Incorrect Permission Assignment for Critical Resource

Property
Language: hcl
Severity: medium
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The ECR repository policy grants access to all users by using a wildcard ('*') as the principal. This makes the repository publicly accessible, exposing images to anyone on the internet.

Impact

If exploited, unauthorized users could pull, push, or delete container images in your repository. This could lead to data leaks, service disruptions, or compromise of your application supply chain.

Incorrect Permission Assignment for Critical Resource

Property
Language: hcl
Severity: high
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

The Lambda permission grants access to an AWS service principal without restricting which resource can invoke the function (missing 'source_arn'). This means any resource from that service, in any AWS account, could potentially invoke your Lambda function.

Impact

If exploited, unauthorized users could use their own AWS resources to trigger your Lambda function, leading to unexpected execution, data leaks, or increased costs. This broad access increases the risk of abuse or compromise of your application's functionality.

Incorrect Permission Assignment for Critical Resource

Property
Language: hcl
Severity: medium
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The KMS key policy grants wildcard ('*') access to all principals, allowing anyone to perform any action on the key. This overly permissive configuration exposes the key to unauthorized access and misuse.

Impact

If exploited, attackers could gain full administrative control over your KMS key, enabling them to decrypt sensitive data, delete or rotate keys, and disrupt critical encryption operations. This can lead to data breaches, loss of confidentiality, and compromise of all data protected by the key.