Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS WorkSpaces user volume is unencrypted. An AWS KMS encryption key is what protects the user volume at rest. To use a key you control, create an aws_kms_key resource or reference the ARN string of an existing key in your account.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The DocDB cluster is not configured to use a customer-managed KMS key for encryption at rest. Without specifying a KMS key, you lose granular control over who can access and rotate the encryption keys protecting your data.

Impact

If the cluster’s data is not encrypted with a customer-managed key, sensitive information could be exposed if AWS’s default keys are compromised or improperly rotated. This increases the risk of unauthorized data access and makes it harder to meet compliance and security requirements.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The CloudTrail resource is not configured to encrypt logs at rest using a customer-managed KMS key (CMK). This means sensitive log data is stored without strong, customizable encryption controls.

Impact

If CloudTrail logs are not encrypted with a customer-managed KMS key, unauthorized users with access to the storage location could potentially read sensitive activity logs. This increases the risk of data exposure and limits your ability to control key rotation, access, and auditing, potentially leading to compliance issues.

Key Management Errors

Property
Language: hcl
Severity: medium
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

An AWS CloudWatch Log Group is defined without specifying a ‘retention_in_days’ value, which means logs are kept indefinitely. This can lead to unnecessary accumulation of sensitive log data.

Impact

Without a log retention policy, sensitive information may be stored longer than necessary, increasing the risk of data exposure if the logs are accessed by unauthorized users or in the event of a breach. This can also lead to higher storage costs and compliance issues.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS SageMaker domain resource is missing encryption with a customer-managed KMS key. Without specifying ‘kms_key_id’, data stored at rest is not protected with a key you control.

Impact

If exploited, sensitive data in SageMaker domains could be accessed by unauthorized users or AWS personnel, and you lose the ability to manage key rotation or revoke access. This increases the risk of data exposure and weakens compliance with security policies.

Key Management Errors

Property
Language: hcl
Severity: medium
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The AWS EBS (Elastic Block Store) volume encryption is disabled, which means data stored on these volumes is not protected at rest. This leaves sensitive data vulnerable if the storage is accessed without authorization.

Impact

If an attacker gains access to the underlying storage, they could read unencrypted data, leading to possible exposure of confidential information such as customer records or application secrets. This could result in data breaches, regulatory violations, and loss of trust.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS Lambda function is configured with environment variables but does not specify a custom KMS encryption key. This means sensitive environment data relies only on default AWS-managed encryption, which may not meet stricter security requirements.

Impact

Without a dedicated KMS key, attackers with certain AWS privileges could potentially access or decrypt sensitive environment variables if the default managed key is compromised. This could lead to exposure of secrets such as API keys, database credentials, or other confidential information.

Key Management Errors

Property
Language: hcl
Severity: medium
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

The AWS CodeBuild project is not configured to use an encryption key, meaning build artifacts and sensitive project data are stored unencrypted. This leaves the data vulnerable to unauthorized access.

Impact

If exploited, attackers or unauthorized users could access sensitive build information, source code, or secrets stored in the project, potentially leading to data leaks, intellectual property theft, or further compromise of your AWS environment.

Key Management Errors

Property
Language: hcl
Severity: medium
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The AWS RDS resource is configured with ‘backup_retention_period = 0’, which means automated backups are disabled. Without backups, you cannot recover lost or corrupted database data.

Impact

If data loss or corruption occurs, there will be no backups to restore from, leading to permanent loss of critical application or customer data. This can cause significant downtime, disrupt business operations, and result in compliance or reputational issues.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

S3 objects copied using the aws_s3_object_copy resource are not being encrypted with a customer-managed KMS key (CMK). Without specifying a KMS key, the copied data may rely on default encryption, reducing control over key management and access.

Impact

If a KMS CMK is not used, sensitive data in S3 may be less protected, increasing the risk of unauthorized access or insufficient auditability. Attackers or unauthorized users could potentially access or decrypt data if default keys are compromised or not properly managed.