Missing Encryption of Sensitive Data

Property
Language: hcl
Severity: medium
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The root block device of this AWS launch configuration (`aws_launch_configuration`) is declared with `encrypted = false` in its `root_block_device` block, so every instance launched from it gets an unencrypted root EBS volume. Data on that volume is unprotected at rest: anyone who can read the volume, a snapshot of it, or an AMI built from it gets the plaintext.

Impact

If the underlying storage is compromised—such as through snapshot leaks, misconfigured permissions, or when decommissioned—an attacker could access unencrypted data, including credentials, application secrets, or user data. This can lead to data breaches, regulatory violations, and loss of trust.
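The weak setting beside the corrected one, as an added Terraform example (this is not code from the original rule page); the AMI id, resource names, volume sizes and the KMS key ARN are placeholders, and the launch template at the end is included because AWS has deprecated launch configurations in its favour:

```hcl
# Added example; the AMI id, names, sizes and the KMS key ARN are placeholders.

# Flagged by the rule: the root volume is explicitly created unencrypted.
resource "aws_launch_configuration" "web_unencrypted" {
  name_prefix   = "web-"
  image_id      = "ami-0123456789abcdef0" # placeholder AMI
  instance_type = "t3.micro"

  root_block_device {
    volume_size = 20
    encrypted   = false
  }
}

# Compliant: the root volume and any additional EBS volume are encrypted at rest.
resource "aws_launch_configuration" "web_encrypted" {
  name_prefix   = "web-"
  image_id      = "ami-0123456789abcdef0" # placeholder AMI
  instance_type = "t3.micro"

  root_block_device {
    volume_size = 20
    encrypted   = true
  }

  # Data volumes need the same treatment; this rule only inspects the root device.
  ebs_block_device {
    device_name = "/dev/sdf"
    volume_size = 100
    encrypted   = true
  }

  lifecycle {
    create_before_destroy = true
  }
}

# Defence in depth: make encrypted EBS the account-wide default so a volume
# that omits `encrypted` is still encrypted. This does not satisfy the rule on
# its own, because the scanner reads only the resource block, so keep the
# explicit attribute as well.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

# Launch-template equivalent. It additionally lets you pin a customer-managed
# KMS key for the volume (placeholder ARN).
resource "aws_launch_template" "web" {
  name_prefix   = "web-"
  image_id      = "ami-0123456789abcdef0" # placeholder AMI
  instance_type = "t3.micro"

  block_device_mappings {
    device_name = "/dev/xvda"
    ebs {
      volume_size = 20
      encrypted   = true
      kms_key_id  = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
    }
  }
}
```

Two caveats when applying the fix. Setting `encrypted = true` works even when the AMI itself is unencrypted, because EC2 encrypts the root volume at launch; but it only affects instances launched afterwards, so existing instances keep their unencrypted volumes until they are replaced (an in-place volume cannot be encrypted; the usual route is snapshot, encrypted snapshot copy, new AMI, rolling replacement). And if a customer-managed key is used, the Auto Scaling service-linked role needs a grant on that key or launches fail silently with `Client.InternalError`.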

Missing Encryption of Sensitive Data

Property
Language: typescript
Severity: medium
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

An SQS queue is being created with the AWS CDK `sqs.Queue` construct without an explicit `encryption` setting. The rule wants the choice recorded in code: `QueueEncryption.SQS_MANAGED` for service-owned keys, or `QueueEncryption.KMS` with an `encryptionKey` when key policy, rotation and audit of key use need to be under your control. Without that, whether messages are encrypted at rest depends on service defaults rather than on the stack, and a queue holding sensitive payloads may be readable in plaintext by anyone with access to its storage.

Impact

If the queue data is compromised, sensitive messages could be exposed to unauthorized users, leading to data breaches or leaks. Lack of encryption increases the risk of compliance violations and may allow attackers to access confidential information if AWS infrastructure is breached.

Missing Encryption of Sensitive Data

Property
Language: typescript
Severity: medium
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

The S3 bucket is being created with the AWS CDK `s3.Bucket` construct without an explicit `encryption` setting (`BucketEncryption.S3_MANAGED`, `KMS_MANAGED`, or `KMS` with an `encryptionKey`). Objects are then protected at rest only by whatever the service applies by default, the bucket carries no declared encryption requirement, and a customer-managed key cannot be enforced for sensitive data.

Impact

Without encryption, sensitive files in the bucket could be accessed in plaintext if the storage layer is compromised. This increases the risk of data breaches, regulatory violations, and unauthorized data exposure.

Missing Encryption of Sensitive Data

Property
Language: ruby
Severity: medium
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: High
Impact Level: Medium
Likelihood Level: Low

Description

The application is configured with ‘config.force_ssl = false’, which allows users to access it over unencrypted HTTP instead of HTTPS. This means sensitive data can be transmitted without encryption, making it vulnerable to interception.

Impact

Without enforcing HTTPS, an attacker on the network path can read or modify traffic between users and the application, capturing login credentials or session cookies and hijacking accounts. Setting `config.force_ssl = true` (normally in `config/environments/production.rb`) makes Rails redirect plain-HTTP requests to HTTPS, send a `Strict-Transport-Security` header, and mark the session cookie `Secure` so it is never sent over HTTP. If TLS terminates at a load balancer, make sure it forwards `X-Forwarded-Proto`, otherwise the redirect loops.

Missing Encryption of Sensitive Data

Property
Language: swift
Severity: medium
CWE: CWE-311: Missing Encryption of Sensitive Data
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

Sensitive data such as passwords, API keys, or secret tokens are being written to `UserDefaults`. `UserDefaults` is a plain property-list file in the app's container (`Library/Preferences`), not an encrypted store, and it is included in device backups. Secrets belong in the Keychain (via the `Security` framework or a wrapper), which stores them encrypted and lets you restrict access with an accessibility class such as `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`.

Impact

An attacker with physical access to an unlocked or jailbroken device, with a copy of the app's container, or with an unencrypted backup can read the preferences plist directly and recover the stored secrets, leading to account compromise, unauthorized API access, or exposure of confidential data. Keychain items, by contrast, are encrypted with device-bound keys and can be excluded from backups entirely.

Missing IAM Role to allow authorized users to manage incidents with AWS Support.

Property
Language: terraform
Severity: low
Service: iam
Provider: AWS

Description

Under a least-privilege access model, the people who open and manage cases with AWS Support should do so through a dedicated IAM role that carries only the Support Center permissions (the AWS-managed `AWSSupportAccess` policy), rather than through broad administrative credentials. This check flags accounts where no such role exists. It corresponds to the CIS AWS Foundations Benchmark control "Ensure a support role has been created to manage incidents with AWS Support".

Resolution

Create an IAM role whose trust policy names the principals allowed to assume it, and attach `arn:aws:iam::aws:policy/AWSSupportAccess` to it. Attach nothing else to that role, so that support access stays separate from administrative access.
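One way to satisfy the check, as an added Terraform example (not code from the original rule page); the trusted account id and role name are placeholders, and the MFA condition is an addition made here rather than part of the rule:

```hcl
# Added example. The trusted account id and role name are placeholders;
# requiring MFA on AssumeRole is a choice made here, not rule text.

# Trust policy: only principals in the named account, and only with MFA.
data "aws_iam_policy_document" "support_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:root"] # placeholder account
    }

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "support" {
  name               = "aws-support-incident-manager"
  description        = "Open and manage AWS Support cases; carries no other permissions"
  assume_role_policy = data.aws_iam_policy_document.support_assume_role.json
}

# The AWS-managed policy that grants exactly the Support Center permissions.
resource "aws_iam_role_policy_attachment" "support" {
  role       = aws_iam_role.support.name
  policy_arn = "arn:aws:iam::aws:policy/AWSSupportAccess"
}
```

Using the account root as the trusted principal delegates the decision of who may assume the role to that account's own IAM policies, which is the usual pattern for a cross-account or SSO-fed operations role; narrow `identifiers` to specific role or user ARNs if you want the trust policy itself to be the control.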

Missing security group for instance.

Property
Language: terraform
Severity: critical
Service: computing
Provider: Nifcloud
Vulnerability Type: omission

Description

Instances are being created without an associated security group, leaving them without defined network traffic controls. This configuration allows unrestricted access to and from the instance, violating basic security best practices.

Impact

Without a security group, instances are exposed to all inbound and outbound traffic, significantly increasing the risk of unauthorized access, data breaches, malware infection, or exploitation by attackers, potentially compromising the integrity and availability of services and data.

Missing security group for router.

Property
Language: terraform
Severity: critical
Service: network
Provider: Nifcloud
Vulnerability Type: omission

Description

The router resource is missing an associated security group, which means there are no network access controls governing inbound or outbound traffic to and from the router.

Impact

Without a security group, the router is exposed to unrestricted network traffic, increasing the risk of unauthorized access, data breaches, or service disruptions caused by malicious actors exploiting open network paths.

Missing security group for vpnGateway.

Property
Language: terraform
Severity: critical
Service: network
Provider: Nifcloud
Vulnerability Type: omission

Description

The vpnGateway resource is missing an associated security group, resulting in no network traffic filtering for inbound or outbound connections. This omission exposes the vpnGateway to unrestricted network access.

Impact

Without a security group, attackers can potentially access, compromise, or disrupt the vpnGateway by exploiting open network ports or protocols, leading to unauthorized access, data breaches, or denial of service impacting the organization’s network security.
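The three Nifcloud checks above (instance, router, vpnGateway) all want the same fix: a `security_group` attribute on the resource pointing at a `nifcloud_security_group`. One added Terraform example covering all three (not code from the original rule pages); names, the zone, the admin CIDR and the image lookup are placeholders, and the attribute names follow the nifcloud provider documentation as recalled here, so run `terraform validate` against the provider version you use:

```hcl
# Added example. Names, zone, admin CIDR and the image lookup are placeholders;
# attribute names follow the nifcloud provider docs as recalled here.

# One security group per role, so each rule set stays narrow.
resource "nifcloud_security_group" "instance" {
  group_name        = "webinstance"
  description       = "web instance: HTTPS in, nothing else"
  availability_zone = "east-11"
}

resource "nifcloud_security_group" "router" {
  group_name        = "router"
  description       = "router: admin range only"
  availability_zone = "east-11"
}

resource "nifcloud_security_group" "vpn_gateway" {
  group_name        = "vpngateway"
  description       = "vpn gateway: peer endpoints only"
  availability_zone = "east-11"
}

# An attached group with no rules satisfies the checks but admits nothing;
# add only what the workload needs. (Rule shape assumed from provider docs.)
resource "nifcloud_security_group_rule" "instance_https" {
  security_group_names = [nifcloud_security_group.instance.group_name]
  type                 = "IN"
  from_port            = 443
  to_port              = 443
  protocol             = "TCP"
  cidr_ip              = "0.0.0.0/0"
}

resource "nifcloud_security_group_rule" "router_admin" {
  security_group_names = [nifcloud_security_group.router.group_name]
  type                 = "IN"
  from_port            = 22
  to_port              = 22
  protocol             = "TCP"
  cidr_ip              = "203.0.113.0/24" # placeholder admin range
}

data "nifcloud_image" "ubuntu" {
  image_name = "Ubuntu Server 22.04 LTS" # placeholder image name
}

# Flagged by "Missing security group for instance": no security_group attribute.
resource "nifcloud_instance" "unguarded" {
  image_id = data.nifcloud_image.ubuntu.id

  network_interface {
    network_id = "net-COMMON_GLOBAL"
  }
}

# Compliant: every resource names its security group.
resource "nifcloud_instance" "web" {
  image_id       = data.nifcloud_image.ubuntu.id
  security_group = nifcloud_security_group.instance.group_name

  network_interface {
    network_id = "net-COMMON_GLOBAL"
  }

  network_interface {
    network_id = "net-COMMON_PRIVATE"
  }
}

resource "nifcloud_router" "main" {
  security_group = nifcloud_security_group.router.group_name

  network_interface {
    network_id = "net-COMMON_PRIVATE"
  }
}

resource "nifcloud_vpn_gateway" "main" {
  security_group = nifcloud_security_group.vpn_gateway.group_name

  network_interface {
    network_id = "net-COMMON_PRIVATE"
  }
}
```

The scanners only verify that the attribute is present; they do not judge the rules inside the group, so an `0.0.0.0/0` rule on port 22 passes the check while leaving the router as exposed as before. Treat the attachment as the first step and review the group's rules separately.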

Missing Support for Integrity Check

Property
Language: generic
Severity: low
CWE: CWE-353: Missing Support for Integrity Check
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

External `<script>` or `<link>` tags in your HTML are missing the `integrity` attribute, so browsers cannot verify that the files fetched from third-party origins (typically a CDN) match what you tested against. Subresource Integrity (SRI) pins the expected content with a base64-encoded SHA-256, SHA-384 or SHA-512 digest in `integrity`, and the browser refuses to run or apply a file whose digest differs; for cross-origin resources the tag also needs `crossorigin="anonymous"` or the check cannot be performed. Without it, your site silently loads whatever the CDN serves, including malicious code if the CDN or the package behind it is compromised. Note the trade-off: SRI only works for resources whose bytes never change, so it is unsuitable for URLs that serve a moving version.