Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The FSx ONTAP file system resource is not configured to use a customer-managed KMS key for encryption at rest. Without specifying a 'kms_key_id', you lose control over key management, including access and rotation policies.

Impact

If the file system is not encrypted with a customer-managed key, sensitive data stored within could be less secure, increasing the risk of unauthorized access or data exposure. You may also be unable to enforce your organization’s compliance requirements for encryption key control and auditing.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Kinesis stream resource is not configured to use a customer-managed KMS key (CMK) for encryption at rest. Without specifying a CMK, you lose control over the keys used to protect your data.

Impact

If the stream data is not encrypted with a customer-managed key, sensitive information stored in Kinesis could be exposed if AWS-managed keys are compromised or misused. This increases the risk of unauthorized access and reduces your ability to manage key rotation and access policies, potentially leading to data breaches or regulatory non-compliance.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Timestream database is not configured to use a customer-managed KMS encryption key (CMK) for data at rest. Without specifying a CMK, you have less control over key access and rotation, which weakens data protection.

Impact

If this weakness is exploited, sensitive data stored in the Timestream database could be more vulnerable to unauthorized access or exposure. Attackers or malicious insiders may gain access to unencrypted or weakly protected data, risking compliance violations and data breaches.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS Athena Workgroup resource is missing encryption settings, which means query results are stored unencrypted. This exposes sensitive data at rest and does not comply with security best practices.

Impact

Without encryption, anyone with access to Athena query outputs could read sensitive information, leading to data leaks or compliance violations. Attackers or unauthorized users may be able to access, steal, or manipulate confidential query results.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The EBS volume is encrypted, but it does not specify a customer-managed KMS key (CMK) for encryption. Relying on the default AWS-managed key limits your control over key rotation and access policies.

Impact

Without a customer-managed KMS key, you cannot enforce strict access controls or manage key rotation, increasing the risk that sensitive data could be accessed by unauthorized users or remain vulnerable if the default key is compromised.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The ImageBuilder component resource is missing a KMS Customer Master Key (CMK) for encryption at rest. Without specifying a KMS key, sensitive data stored by this component may not be properly protected.

Impact

If encryption with a KMS CMK is not enabled, attackers with access to the underlying storage could potentially read unencrypted data. This increases the risk of sensitive information exposure and reduces your control over key management, rotation, and access auditing.

Key Management Errors

Property
Language: hcl
Severity: medium
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The EBS snapshot is encrypted, but a specific AWS KMS Customer Master Key (CMK) is not set. Without specifying a CMK, you lose control over key management, access policies, and key rotation.

Impact

If a CMK is not specified, AWS manages the encryption keys, reducing your ability to enforce strict access control or respond to key compromise. This could expose sensitive data if unauthorized users gain access, and may also hinder compliance with regulatory requirements.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The AWS Backup vault resource is missing server-side encryption with a KMS key. This means backups stored in the vault are not protected at rest, leaving sensitive data unencrypted.

Impact

If an attacker gains access to the unencrypted backup vault, they could read or steal sensitive backup data. This exposes confidential information, increases the risk of data breaches, and may violate compliance requirements.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Kinesis video stream resource is not configured to use a KMS customer-managed key (CMK) for encryption at rest. This means video data stored in AWS may not be properly encrypted or controlled.

Impact

Without CMK encryption, sensitive video data could be exposed if AWS is compromised or misconfigured. Attackers or unauthorized users may be able to access or retrieve unencrypted video streams, leading to potential data breaches and loss of compliance.

Key Management Errors

Property
Language: terraform
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A02:2021 - Cryptographic Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Medium

Description

The OpenSearch Serverless resource is configured to use AWS-owned encryption keys instead of Customer Managed Keys (CMKs) for encrypting data at rest. This limits control over key management, such as access permissions and key rotation.

Impact

Without CMKs, your organization cannot control who can access or rotate the encryption keys, potentially exposing sensitive OpenSearch data if AWS keys are compromised or misused. This reduces compliance and may increase risk in regulated environments.