Missing description for security group.

Property
Language: terraform
Severity: medium
Service: networking
Provider: OpenStack
Vulnerability Type: omission

Description

Network security groups are defined without a description, so nothing in the infrastructure-as-code records what the group protects or why its rules exist. That omission makes security group configurations harder to audit, debug, and manage, because the only way to learn a group's purpose is to read every rule and guess.

Impact

Lack of descriptive context can lead to misconfiguration, accidental exposure of resources, and challenges in incident response. Security teams may overlook unnecessary or overly permissive rules, increasing the risk of unauthorized access or compliance violations.

Missing description for security group.

Property
Language: terraform
Severity: low
Service: computing
Provider: Nifcloud

Description

The security group resource has no meaningful description, so the purpose of the group and of the rules it contains is not recorded alongside the configuration. This makes security groups harder to audit, manage, and understand.

Impact

Without descriptive context, administrators may struggle to identify the purpose of security groups, increasing the risk of misconfiguration, accidental exposure, or difficulty in incident response and compliance audits.

Missing description for security group/security group rule.

Property
Language: terraform
Severity: low
Service: elasticache
Provider: AWS

Description

Security groups or security group rules are missing descriptive text, making it unclear what each rule is intended for. This lack of documentation complicates management and auditing of firewall configurations.

Impact

Without descriptions, it becomes difficult to understand the purpose of security rules, increasing the risk of accidental misconfiguration, overlooked vulnerabilities, and slower incident response during audits or troubleshooting.

Missing description for security group/security group rule.

Property
Language: terraform
Severity: low
Service: redshift
Provider: AWS

Description

Security groups or their rules are missing descriptions, making it unclear why specific firewall rules exist. This lack of context complicates auditing, troubleshooting, and maintaining security configurations.

Impact

Without descriptions, it becomes difficult to track the purpose of each security group or rule, increasing the risk of accidental misconfiguration, overly permissive access, or unintentional exposure of resources. This can hinder incident response and lead to potential security gaps.
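The four "missing description" entries above (OpenStack networking, Nifcloud computing, AWS ElastiCache and AWS Redshift) all fail the same way and are fixed the same way, so one added example covers them. This configuration is written for this page and is not the scanner's own test fixture; the resource names, addresses and zone ("east-11", 10.0.20.0/24, "app-sg") are made up. The first resource shows the flagged form; the rest show a description on the group, and, where the provider has a separate rule resource, on each rule as well.

```hcl
# Flagged form: a group with no description. A reviewer has to infer its
# purpose from the rules attached to it.
resource "openstack_networking_secgroup_v2" "flagged" {
  name = "web"
}

# Fixed form: the group description says what it protects, and each rule
# description says why that flow is allowed and from where.
resource "openstack_networking_secgroup_v2" "web" {
  name        = "web"
  description = "Public web tier: accepts HTTPS from the internet only"
}

resource "openstack_networking_secgroup_rule_v2" "web_https" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 443
  port_range_max    = 443
  remote_ip_prefix  = "0.0.0.0/0"
  security_group_id = openstack_networking_secgroup_v2.web.id
  description       = "Public HTTPS to the web tier (ticket WEB-1 is hypothetical)"
}

# Nifcloud: the group resource carries the description directly.
resource "nifcloud_security_group" "app" {
  group_name        = "app"
  description       = "App tier: TCP/8080 from the web tier only"
  availability_zone = "east-11" # assumed zone, from the provider's examples
}

# AWS ElastiCache (EC2-Classic-era resource). The provider fills in
# "Managed by Terraform" when description is omitted; that placeholder
# explains nothing and should be replaced.
resource "aws_elasticache_security_group" "cache" {
  name                 = "cache-sg"
  description          = "Redis for the orders service; reachable from app-sg only"
  security_group_names = ["app-sg"] # hypothetical EC2 security group name
}

# AWS Redshift (EC2-Classic-era resource): same rule, same fix.
resource "aws_redshift_security_group" "warehouse" {
  name        = "warehouse-sg"
  description = "Redshift warehouse; queries allowed from the BI subnet only"

  ingress {
    cidr = "10.0.20.0/24" # hypothetical BI subnet
  }
}
```

In a VPC the ElastiCache and Redshift resources above are superseded by a plain `aws_security_group`, whose `description` argument has the same "Managed by Terraform" default, and whose rules (`aws_security_group_rule`, `aws_vpc_security_group_ingress_rule`) each take their own `description`; the check is satisfied the same way there, one sentence per group and one per rule stating the source, the port and the reason.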

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: low
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS Elasticsearch domain resource has no `encrypt_at_rest` block (or has it disabled), so the indices, logs and automated snapshots on the domain's storage are not encrypted on disk. Without this setting, sensitive information could be exposed to anyone who obtains the underlying storage.

Impact

If encryption at rest is not enabled, attackers or unauthorized users who gain access to the underlying storage could read sensitive data, leading to data breaches and compliance violations. This can result in financial loss, reputational damage, and legal consequences for the organization.
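An added example of the flagged and the fixed configuration (written for this page, not taken from the scanner or from AWS; the domain name, key and instance type are illustrative):

```hcl
# Flagged form: no encrypt_at_rest block, so the domain's storage is plaintext.
resource "aws_elasticsearch_domain" "flagged" {
  domain_name           = "logs"
  elasticsearch_version = "7.10"
}

# Fixed form: encryption at rest with a customer-managed KMS key.
# Omit kms_key_id to fall back to the AWS-managed key (aws/es).
resource "aws_kms_key" "es" {
  description         = "Encryption at rest for the logs Elasticsearch domain"
  enable_key_rotation = true
}

resource "aws_elasticsearch_domain" "logs" {
  domain_name           = "logs"
  elasticsearch_version = "7.10" # encryption at rest needs 5.1 or later

  cluster_config {
    # t2 instance types do not support encryption at rest; pick one that does.
    instance_type = "m5.large.elasticsearch"
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 20
  }

  encrypt_at_rest {
    enabled    = true
    kms_key_id = aws_kms_key.es.arn
  }

  # Separate control, often wanted alongside: encrypt traffic between nodes.
  node_to_node_encryption {
    enabled = true
  }
}
```

The same `encrypt_at_rest` block, with the same arguments, applies to the newer `aws_opensearch_domain` resource. Two things to check before relying on the fix: the instance type must support encryption at rest (the t2 family does not), and the domain must run Elasticsearch 5.1 or later.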

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: low
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Google Compute Engine disks are being created without a customer-supplied encryption key (CSEK) or a customer-managed Cloud KMS key, so the data is protected only by the default Google-managed key. With that key you cannot rotate, disable or audit use of the key yourself, which may not be enough control for sensitive or regulated workloads.

Impact

With only the default key there is no key you can disable to cut off access to the disk's contents, and no Cloud KMS audit trail of when they were decrypted. Anyone who can attach, clone or snapshot the disk, including an unauthorized insider, can read the data, putting confidential information at risk and potentially violating compliance requirements that call for customer-controlled keys.

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: low
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The VM boot disk is not configured to use customer-supplied encryption keys (CSEK) or a customer-managed KMS key, leaving sensitive data on the disk encrypted only with default Google-managed keys. This means you have less control over how your data is protected at rest.
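One added configuration serves both Google Compute Engine entries above, the data disk and the boot disk, since they share the key setup. It is written for this page, not taken from the scanner or from Google; key ring, key, disk and instance names, the region and the image are placeholders. It shows the flagged form, the customer-managed (CMEK) fix on a data disk and on a boot disk, and the customer-supplied (CSEK) alternative.

```hcl
resource "google_kms_key_ring" "disks" {
  name     = "disk-keys"
  location = "us-central1"
}

resource "google_kms_crypto_key" "disk" {
  name            = "pd-cmek"
  key_ring        = google_kms_key_ring.disks.id
  rotation_period = "7776000s" # 90 days
}

# The Compute Engine service agent encrypts and decrypts on your behalf; without
# this grant, creating a disk with the key fails.
data "google_project" "this" {}

resource "google_kms_crypto_key_iam_member" "compute_agent" {
  crypto_key_id = google_kms_crypto_key.disk.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.this.number}@compute-system.iam.gserviceaccount.com"
}

# Flagged form: no disk_encryption_key, so only the Google-managed key is used.
resource "google_compute_disk" "flagged" {
  name = "data-flagged"
  zone = "us-central1-a"
  size = 100
}

# Fixed form (CMEK): a data disk encrypted with your Cloud KMS key.
resource "google_compute_disk" "data" {
  name = "data"
  zone = "us-central1-a"
  size = 100

  disk_encryption_key {
    kms_key_self_link = google_kms_crypto_key.disk.id
  }
}

# Alternative (CSEK): you supply the raw 256-bit key, base64-encoded. Google
# does not store it, so every attach needs it again and losing it makes the
# disk permanently unreadable. Pass it in as a sensitive variable, never inline.
variable "csek_key" {
  type      = string
  sensitive = true
}

resource "google_compute_disk" "scratch" {
  name = "scratch"
  zone = "us-central1-a"
  size = 50

  disk_encryption_key {
    raw_key = var.csek_key
  }
}

# Fixed form for the boot disk: the same CMEK on an instance's boot_disk block.
# (disk_encryption_key_raw is the CSEK equivalent here.)
resource "google_compute_instance" "vm" {
  name         = "vm"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    kms_key_self_link = google_kms_crypto_key.disk.id

    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }
}
```

CMEK is usually the better choice of the two: disabling or destroying the Cloud KMS key makes every disk encrypted with it unreadable, rotation is automatic, and key use appears in Cloud Audit Logs. CSEK gives Google no copy of the key at all, at the cost of you having to store and supply it securely for the life of the disk.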

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: low
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The AWS SNS topic has no `kms_master_key_id`, so server-side encryption is off and message bodies are held unencrypted at rest while SNS stores them for delivery. Without a KMS key, sensitive data sent through the topic could be exposed to anyone who gains access to it.

Impact

If the SNS topic is compromised, attackers could read all messages sent to it, leading to potential data leaks of confidential information, regulatory violations, or exposure of internal communications. Lack of encryption increases the risk of unauthorized data access within your AWS environment.
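An added example of the flagged and the fixed topic (written for this page, not taken from the scanner or from AWS; the topic name and the publishing service are illustrative). It uses a customer-managed key rather than the AWS-managed `alias/aws/sns`, because AWS services that publish to the topic need permission on the key, and the AWS-managed key's policy cannot be edited to grant it.

```hcl
# Flagged form: no kms_master_key_id, so message bodies are stored unencrypted.
resource "aws_sns_topic" "flagged" {
  name = "alerts"
}

# Fixed form: a customer-managed key whose policy lets the account administer it
# and lets CloudWatch alarms (assumed here to be the publisher) generate data
# keys and decrypt. Without such a statement their publishes to the topic fail.
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "sns" {
  description         = "Server-side encryption for the alerts SNS topic"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowCloudWatchAlarmsToPublish"
        Effect    = "Allow"
        Principal = { Service = "cloudwatch.amazonaws.com" }
        Action    = ["kms:Decrypt", "kms:GenerateDataKey*"]
        Resource  = "*"
      }
    ]
  })
}

resource "aws_sns_topic" "alerts" {
  name              = "alerts"
  kms_master_key_id = aws_kms_key.sns.id # key ID, ARN or alias are all accepted
}
```

Two caveats when relying on this: SSE encrypts message bodies, not topic or subscription metadata, and it protects messages only while SNS holds them, so what a subscriber (e-mail, HTTP, SQS) receives is outside its scope. Every principal that publishes, whether an IAM user, a role or a service, needs `kms:GenerateDataKey*` and `kms:Decrypt` on the key; subscribers need `kms:Decrypt` only if they are services such as SQS queues that SNS delivers to using the key.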