Key Management Errors

Property
Language: hcl
Severity: medium
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The EFS filesystem is encrypted at rest but does not use a customer-managed KMS key (CMK). Without a CMK, you cannot control key rotation or access policies for your data encryption.

Impact

If a customer-managed KMS key is not used, you lose granular control over who can access or manage the encryption keys. This increases the risk of unauthorized data access, limits your ability to meet compliance requirements, and may make it harder to respond to key compromise or rotation needs.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The FSx Windows file system is not configured to use a customer-managed KMS key for encryption at rest. This means you do not have full control over the encryption keys used to protect your data.

Impact

Without customer-managed keys, sensitive data stored in the FSx file system could be less secure, as you cannot manage key access or rotation. This increases the risk of unauthorized data access if AWS-managed keys are compromised or misused.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The EMR security configuration does not specify encryption at rest using a customer-managed KMS key (CMK). Without a CMK, you lack full control over data encryption and key management for your EMR clusters.

Impact

If EMR data is not encrypted with a CMK, sensitive information stored on the cluster could be exposed if the storage is accessed by unauthorized users or compromised. This increases the risk of data breaches and may lead to compliance violations, as you cannot enforce key rotation or restrict key access according to your organization’s security policies.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

S3 bucket objects are being created without specifying a customer-managed KMS key for encryption. This means data at rest may not be fully protected or controlled by your organization.

Impact

Without customer-managed KMS encryption, sensitive data stored in S3 could be more easily accessed if AWS defaults are compromised. This reduces control over key usage, access, and rotation, increasing the risk of unauthorized data exposure.

Key vault Secret should have a content type set

Property
Language: terraform
Severity: low
Service: keyvault
Provider: Azure

Description

Key Vault secrets are created without specifying a content type, making it unclear how the secret data should be interpreted or used by clients and applications. This omission can lead to misinterpretation of secret values when retrieved.

Impact

Without a defined content type, applications and users may mishandle or incorrectly process secrets, increasing the risk of misconfiguration, operational errors, or accidental exposure of sensitive data due to misinterpretation.

Key Vault Secret should have an expiration date set

Property
Language: terraform
Severity: low
Service: keyvault
Provider: Azure

Description

Key Vault secrets are being created without an expiration date, which allows them to remain valid indefinitely. This increases the risk of secrets being forgotten and unnecessarily exposed over time.

Impact

Secrets without expiration can be used indefinitely if compromised, increasing the window for attackers to exploit leaked credentials. This may lead to unauthorized access to sensitive resources and prolonged security exposure for the organization.

Key vault should have purge protection enabled

Property
Language: terraform
Severity: medium
Service: keyvault
Provider: Azure
Vulnerability Type: omission

Description

The Key Vault resource is missing purge protection, allowing deleted keys and secrets to be permanently removed without the possibility of recovery. This configuration bypasses safeguards intended to prevent accidental or malicious data loss.

Impact

Without purge protection, attackers or unauthorized users with sufficient permissions could permanently delete cryptographic keys or secrets, leading to irreversible loss of access to encrypted resources, service outages, or compromise of critical business processes.

Key vault should have the network acl block specified

Property
Language: terraform
Severity: critical
Service: keyvault
Provider: Azure
Vulnerability Type: omission

Description

The Azure Key Vault resource lacks a network ACL configuration, leaving it accessible from any network location. Without specifying network ACLs, unauthorized IPs can connect to the key vault without restriction.

Impact

If exploited, attackers could gain unrestricted network access to sensitive keys and secrets stored in the key vault, increasing the risk of data breaches, credential theft, or compromise of protected resources across the organization.

Kinesis stream is unencrypted.

Property
Language: terraform
Severity: high
Service: kinesis
Provider: AWS
Vulnerability Type: omission

Description

The Kinesis stream is configured without server-side encryption, meaning data passing through the stream is not protected in transit. This allows sensitive information to be exposed if intercepted between producers, the stream, and consumers.

Impact

Without encryption, attackers with network access could read or tamper with data moving through the Kinesis stream, leading to potential data breaches or unauthorized access to confidential information.

KMS keys should be rotated at least every 90 days

Property
Language: terraform
Severity: high
Service: kms
Provider: Google
Vulnerability Type: misconfiguration

Description

KMS cryptographic keys are configured with a rotation period longer than 90 days, increasing the window during which a compromised key can be abused. Regular rotation is not enforced, leaving keys active for extended durations.

Impact

If a key is compromised, attackers can use it for a longer time without detection or mitigation, potentially leading to unauthorized data access, persistent decryption of sensitive information, and prolonged exposure of critical resources.