Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: low
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

This Terraform 'aws_sqs_queue' resource sets neither 'kms_master_key_id' nor 'sqs_managed_sse_enabled', so the configuration does not enable, or even assert, server-side encryption for the queue. Message bodies that SQS persists are then not protected by a key the account controls. Note what encryption at rest does and does not cover: it protects message content against access to the storage layer; any principal allowed 'sqs:ReceiveMessage' by the queue policy still receives plaintext, so the queue policy remains the access control. Newly created queues may receive SQS-owned-key encryption by default, but a configuration that does not state it cannot be reviewed or enforced, which is what this rule flags.

Impact

If the SQS queue is compromised, sensitive data could be exposed to unauthorized users or attackers. This may lead to data breaches, leakage of confidential information, and violation of compliance requirements such as GDPR or HIPAA.
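As an added example (not part of the original rule text), the flagged queue beside two corrected forms. Queue names, resource names and the KMS key are placeholders:

```hcl
# Added example; queue and resource names are placeholders.

# Flagged: neither kms_master_key_id nor sqs_managed_sse_enabled is set,
# so the configuration asserts nothing about encryption at rest.
resource "aws_sqs_queue" "orders_weak" {
  name = "orders"
}

# Customer-managed key: access to message content becomes a KMS key-policy
# decision that is logged in CloudTrail and can be revoked.
resource "aws_kms_key" "sqs" {
  description         = "CMK for SQS message encryption"
  enable_key_rotation = true
}

# Fixed: SSE-KMS with the customer-managed key.
resource "aws_sqs_queue" "orders" {
  name                              = "orders"
  kms_master_key_id                 = aws_kms_key.sqs.arn
  kms_data_key_reuse_period_seconds = 300 # shorter reuse = more KMS calls, shorter data-key lifetime
}

# Fixed (alternative): SQS-owned keys when a customer-managed key is not required.
# kms_master_key_id and sqs_managed_sse_enabled are mutually exclusive.
resource "aws_sqs_queue" "events" {
  name                    = "events"
  sqs_managed_sse_enabled = true
}
```

With a customer-managed key, every AWS service that publishes to the queue (SNS, S3 event notifications, EventBridge) must be granted kms:GenerateDataKey and kms:Decrypt in the key policy, or deliveries fail; consumers need kms:Decrypt on the same key.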

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: low
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The 'aws_athena_database' resource has no 'encryption_configuration' block. Athena stores no table data itself, so this setting governs the query results Athena writes to the S3 bucket named in 'bucket'. Without it, those results, which can contain the full content of sensitive tables, are written without AWS KMS protection or any encryption option the configuration controls, relying only on whatever default the bucket happens to apply.

Impact

If the results bucket is breached or reachable by unauthorized users, query output could be read directly, leading to data leaks or regulatory violations. Attackers or malicious insiders with access to that storage could read the exported rows without having to obtain a KMS decrypt permission first.
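As an added example (not part of the original rule text), the flagged database beside the corrected form. The bucket name, key and database name are placeholders:

```hcl
# Added example; bucket, key and database names are placeholders.

resource "aws_kms_key" "athena" {
  description         = "CMK for Athena query results"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "athena_results" {
  bucket = "example-athena-results"
}

# Flagged: no encryption_configuration, so query results for this database
# are written to the bucket with no KMS protection.
resource "aws_athena_database" "analytics_weak" {
  name   = "analytics"
  bucket = aws_s3_bucket.athena_results.id
}

# Fixed: results are written with SSE-KMS under the customer-managed key.
resource "aws_athena_database" "analytics" {
  name   = "analytics"
  bucket = aws_s3_bucket.athena_results.id

  encryption_configuration {
    encryption_option = "SSE_KMS" # SSE_S3 and CSE_KMS are the other accepted values
    kms_key           = aws_kms_key.athena.arn
  }
}
```

This covers only the results Athena writes. The tables themselves point at other S3 locations, and those buckets need their own default encryption and bucket policies; a results bucket policy that denies s3:PutObject without an aws:kms server-side-encryption header is a useful backstop.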

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: medium
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

The 'aws_kinesis_stream' resource omits 'encryption_type', which defaults to NONE, so records retained in the stream are not encrypted at rest. Kinesis Data Streams offers only KMS-based server-side encryption, either with the AWS-managed key (alias/aws/kinesis) or a customer-managed key; without it, retained records could be read in plain text if the underlying storage is compromised.

Impact

If an attacker gains access to the Kinesis stream storage layer, they could read sensitive or confidential data directly. This exposes your organization to data breaches, regulatory violations, and potential reputational damage due to unprotected information.
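As an added example (not part of the original rule text), the flagged stream beside the corrected form. Stream and key names are placeholders:

```hcl
# Added example; stream and key names are placeholders.

resource "aws_kms_key" "kinesis" {
  description         = "CMK for Kinesis stream encryption"
  enable_key_rotation = true
}

# Flagged: encryption_type is omitted and defaults to NONE.
resource "aws_kinesis_stream" "clicks_weak" {
  name        = "clicks"
  shard_count = 1
}

# Fixed: server-side encryption with the customer-managed key.
# kms_key_id accepts a key ID, ARN or alias; "alias/aws/kinesis" selects the AWS-managed key.
resource "aws_kinesis_stream" "clicks" {
  name             = "clicks"
  shard_count      = 1
  retention_period = 24

  encryption_type = "KMS"
  kms_key_id      = aws_kms_key.kinesis.id
}
```

Producers need kms:GenerateDataKey and consumers kms:Decrypt on the key, or PutRecord and GetRecords calls start failing once encryption is on. Enabling encryption on an existing stream applies to records written from that point; records already in the stream stay as they were stored until the retention period expires.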

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: low
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The 'aws_athena_workgroup' resource sets 'enforce_workgroup_configuration' to false (the default). Clients can then supply their own result configuration, including the output location and encryption option, on every query, so any encryption the workgroup declares is advisory rather than enforced, and query results can end up unencrypted or in a bucket the workgroup never intended.

Impact

If exploited, clients could run queries without encryption, leading to unprotected storage or transmission of sensitive data. This increases the risk of data breaches, regulatory non-compliance, and unauthorized access to confidential information.

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: medium
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The 'ebs_block_device' (or 'root_block_device') block in this 'aws_launch_configuration' does not set 'encrypted = true', so the volumes created for every instance the Auto Scaling group launches are unencrypted at rest, unless the account has EBS encryption by default turned on in that region. Data on those volumes, and on any snapshots taken from them, is exposed if the storage or a snapshot is accessed.

Impact

If an attacker gains access to the unencrypted EBS volume, they could read all stored data, including confidential files or credentials. This could lead to data breaches, regulatory violations, and increased risk of unauthorized data exposure.
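As an added example (not part of the original rule text), the flagged launch configuration beside the corrected form. The AMI variable and names are placeholders:

```hcl
# Added example; var.ami_id and resource names are placeholders.

variable "ami_id" {
  type = string
}

# Flagged: neither block device sets encrypted = true.
resource "aws_launch_configuration" "web_weak" {
  name_prefix   = "web-"
  image_id      = var.ami_id
  instance_type = "t3.micro"

  root_block_device {
    volume_size = 20
  }

  ebs_block_device {
    device_name = "/dev/sdf"
    volume_size = 100
  }
}

# Fixed: every volume the configuration creates is encrypted.
resource "aws_launch_configuration" "web" {
  name_prefix   = "web-"
  image_id      = var.ami_id
  instance_type = "t3.micro"

  root_block_device {
    volume_size = 20
    volume_type = "gp3"
    encrypted   = true
  }

  ebs_block_device {
    device_name = "/dev/sdf"
    volume_size = 100
    volume_type = "gp3"
    encrypted   = true
  }

  lifecycle {
    create_before_destroy = true # launch configurations are immutable; this lets the ASG roll to the new one
  }
}
```

Two caveats. A launch configuration's block devices take no kms_key_id, so the volumes use the region's default EBS key; a launch template (aws_launch_template, which AWS recommends over launch configurations) lets you name a customer-managed key per device. And when a block device is created from snapshot_id, encryption follows the snapshot: an unencrypted snapshot produces an unencrypted volume regardless of the flag.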

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: low
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The 'aws_athena_workgroup' resource has no 'encryption_configuration' inside its 'result_configuration'. Query results written to the workgroup's output location are then not protected by AWS KMS or any encryption option the workgroup controls, and rely only on whatever default the destination bucket applies.

Impact

If encryption is not enabled, sensitive query results could be exposed if the storage location is compromised. Attackers or unauthorized users might gain access to confidential data, leading to data breaches, regulatory non-compliance, and reputational damage.
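As an added example (not part of the original rule text), one workgroup that triggers both this rule and the client-side override rule above, beside the corrected form. Bucket, key and workgroup names are placeholders:

```hcl
# Added example; bucket, key and workgroup names are placeholders.

resource "aws_kms_key" "athena" {
  description         = "CMK for Athena query results"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "athena_results" {
  bucket = "example-athena-results"
}

# Flagged by both rules: results carry no encryption setting, and
# enforce_workgroup_configuration = false lets every query supply its own
# result configuration, so even a later encryption setting would be optional.
resource "aws_athena_workgroup" "analysts_weak" {
  name = "analysts"

  configuration {
    enforce_workgroup_configuration = false

    result_configuration {
      output_location = "s3://${aws_s3_bucket.athena_results.id}/analysts/"
    }
  }
}

# Fixed: SSE-KMS on results, and the workgroup settings override whatever the client sends.
resource "aws_athena_workgroup" "analysts" {
  name  = "analysts"
  state = "ENABLED"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.athena_results.id}/analysts/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.athena.arn
      }
    }
  }
}
```

Analysts reading results need kms:Decrypt on the key as well as s3:GetObject on the prefix; the workgroup enforces where and how results are written, while the bucket policy and key policy decide who can read them back.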

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: high
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

The 'aws_ebs_volume' resource does not set 'encrypted = true', so the volume is created unencrypted (unless EBS encryption by default is turned on for the account in that region) and any data written to it is not protected at rest. Snapshots inherit the volume's state, so an unencrypted volume also produces unencrypted snapshots that can be copied or shared.

Impact

If the EBS volume or its snapshots are compromised, attackers could read unencrypted data, leading to potential data breaches, regulatory violations, and loss of sensitive information. This can seriously harm the organization’s reputation and security posture.
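As an added example (not part of the original rule text), the flagged volume beside the corrected form and the account-level guardrail. Availability zone, key and volume names are placeholders:

```hcl
# Added example; zone, key and volume names are placeholders.

# Flagged: encrypted is omitted and defaults to false unless the account has
# EBS encryption by default turned on in this region.
resource "aws_ebs_volume" "data_weak" {
  availability_zone = "us-east-1a"
  size              = 100
}

resource "aws_kms_key" "ebs" {
  description         = "CMK for EBS volumes and snapshots"
  enable_key_rotation = true
}

# Fixed: the volume, and every snapshot taken from it, is encrypted under the CMK.
resource "aws_ebs_volume" "data" {
  availability_zone = "us-east-1a"
  size              = 100
  type              = "gp3"
  encrypted         = true
  kms_key_id        = aws_kms_key.ebs.arn

  tags = {
    Name = "data"
  }
}

# Guardrail (per account and region): new volumes that omit the setting are
# encrypted anyway, with the CMK as the default key.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "this" {
  key_arn = aws_kms_key.ebs.arn
}
```

Changing 'encrypted' on an existing volume forces Terraform to replace it, which destroys the data. To migrate a live volume, snapshot it, copy the snapshot with encryption enabled, and create the new volume from the copy.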

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: low
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The 'artifacts' block of this 'aws_codebuild_project' sets 'encryption_disabled = true', so files the build produces are written to the artifact bucket unencrypted. Build output often includes more than compiled code: packaged configuration, embedded credentials, and dependency manifests all end up readable by anyone with access to the storage location.

Impact

If unencrypted artifacts are accessed by unauthorized users—such as through a misconfigured bucket or compromised AWS credentials—they could view or steal sensitive source code, configuration files, or secrets. This can lead to data leaks, intellectual property theft, or further compromise of your cloud environment.
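As an added example (not part of the original rule text), the flagged project beside the corrected form. The role, bucket, key and repository names are placeholders:

```hcl
# Added example; role, bucket, key and repository names are placeholders.

resource "aws_iam_role" "codebuild" {
  name = "codebuild-app"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "codebuild.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_s3_bucket" "artifacts" {
  bucket = "example-build-artifacts"
}

resource "aws_kms_key" "codebuild" {
  description         = "CMK for CodeBuild artifacts"
  enable_key_rotation = true
}

# Flagged: encryption_disabled = true writes build output to S3 unencrypted.
resource "aws_codebuild_project" "app_weak" {
  name         = "app"
  service_role = aws_iam_role.codebuild.arn

  artifacts {
    type                = "S3"
    location            = aws_s3_bucket.artifacts.id
    encryption_disabled = true
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
  }

  source {
    type     = "GITHUB"
    location = "https://github.com/example/app.git"
  }
}

# Fixed: artifacts stay encrypted, under a CMK whose key policy names who may decrypt them.
resource "aws_codebuild_project" "app" {
  name           = "app"
  service_role   = aws_iam_role.codebuild.arn
  encryption_key = aws_kms_key.codebuild.arn

  artifacts {
    type                = "S3"
    location            = aws_s3_bucket.artifacts.id
    encryption_disabled = false
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
  }

  source {
    type     = "GITHUB"
    location = "https://github.com/example/app.git"
  }
}
```

Without 'encryption_key', CodeBuild falls back to the AWS-managed S3 key, which encrypts but gives you no key policy to restrict who reads artifacts. The service role needs kms:GenerateDataKey, kms:Encrypt and kms:Decrypt on the CMK plus s3:PutObject on the bucket. Encryption is not a substitute for keeping secrets out of artifacts: inject them at build time through environment variables of type PARAMETER_STORE or SECRETS_MANAGER instead.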

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: medium
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The 'aws_docdb_cluster' resource does not set 'storage_encrypted = true'. Cluster volumes, automated backups, snapshots and replicas then store data unencrypted at rest, and because the setting is fixed at creation time, the cluster cannot be switched to encrypted later without being replaced.

Impact

If storage encryption is not enabled, attackers who gain access to the physical disks or backups could read sensitive database data. This exposes confidential information and could lead to data breaches, regulatory violations, and loss of trust.
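As an added example (not part of the original rule text), the flagged cluster beside the corrected form. Names are placeholders and the master password comes from a sensitive variable:

```hcl
# Added example; cluster and key names are placeholders.

variable "docdb_master_password" {
  type      = string
  sensitive = true
}

resource "aws_kms_key" "docdb" {
  description         = "CMK for DocumentDB storage"
  enable_key_rotation = true
}

# Flagged: storage_encrypted is omitted, so cluster volumes, snapshots and
# replicas are stored unencrypted.
resource "aws_docdb_cluster" "app_weak" {
  cluster_identifier  = "app-docdb"
  master_username     = "docdbadmin"
  master_password     = var.docdb_master_password
  skip_final_snapshot = true
}

# Fixed: encryption at rest under the CMK, decided at creation time.
resource "aws_docdb_cluster" "app" {
  cluster_identifier        = "app-docdb"
  master_username           = "docdbadmin"
  master_password           = var.docdb_master_password
  storage_encrypted         = true
  kms_key_id                = aws_kms_key.docdb.arn
  backup_retention_period   = 7
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "app-docdb-final"
}
```

'storage_encrypted' cannot be toggled on a running cluster; Terraform plans a replacement, so for an existing cluster schedule a snapshot-and-restore or data migration rather than applying the change in place. Encryption at rest protects storage and backups only; connections still need TLS, which DocumentDB enforces through the cluster parameter group.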

Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: medium
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Medium

Description

The 'aws_db_instance' resource does not set 'enabled_cloudwatch_logs_exports', so the engine's logs stay on the instance, subject to its local rotation, instead of being shipped to CloudWatch Logs. Database events and activity are then not retained centrally for monitoring, alerting or audit, and are unavailable once the instance is replaced.

Impact

If logs are missing, it becomes difficult to detect suspicious activity, troubleshoot issues, or meet compliance requirements. Attackers or malicious insiders could perform unauthorized actions without leaving an audit trail, increasing the risk of unnoticed data breaches or operational problems.
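As an added example (not part of the original rule text), the flagged instance beside the corrected form, together with the log group that controls retention. Names are placeholders and the password comes from a sensitive variable:

```hcl
# Added example; instance and variable names are placeholders.

variable "db_password" {
  type      = string
  sensitive = true
}

# Flagged: no enabled_cloudwatch_logs_exports, so engine logs live only on the
# instance under its local rotation and are never centrally retained.
resource "aws_db_instance" "app_weak" {
  identifier          = "app-db"
  engine              = "postgres"
  engine_version      = "15"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "appadmin"
  password            = var.db_password
  skip_final_snapshot = true
}

# RDS creates this log group itself with no expiry; declaring it first pins the
# retention. The name format is fixed by RDS: /aws/rds/instance/<identifier>/<log type>.
resource "aws_cloudwatch_log_group" "app_db_postgresql" {
  name              = "/aws/rds/instance/app-db/postgresql"
  retention_in_days = 365
}

# Fixed: engine logs are exported to CloudWatch Logs. Valid log types depend on
# the engine: postgres takes ["postgresql", "upgrade"]; mysql takes
# ["audit", "error", "general", "slowquery"].
resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  engine_version      = "15"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "appadmin"
  password            = var.db_password
  storage_encrypted   = true
  skip_final_snapshot = true

  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]

  depends_on = [aws_cloudwatch_log_group.app_db_postgresql]
}
```

Exporting only ships what the engine already writes. For PostgreSQL, which statements and durations are logged is set in the parameter group (log_statement, log_min_duration_statement, or pgaudit), and for MySQL the audit log type requires the MariaDB audit plugin in an option group; without those settings the exported stream contains little more than connection and error messages.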