SAM API domain name uses outdated SSL/TLS protocols

Property
Language: terraform
Severity: high
Service: sam
Provider: AWS
Vulnerability Type: misconfiguration

Description

The SAM API domain is configured to use outdated or insecure SSL/TLS protocols instead of enforcing TLS v1.2 or higher. This allows encrypted connections to use legacy cryptographic standards with known weaknesses.

Impact

Attackers could exploit vulnerabilities in obsolete TLS versions to intercept, decrypt, or manipulate sensitive data transmitted to and from the API. This exposes the application to risks such as data breaches, man-in-the-middle attacks, and regulatory non-compliance.

SAM API must have data cache enabled

Property
Language: terraform
Severity: medium
Service: sam
Provider: AWS
Vulnerability Type: misconfiguration

Description

The SAM API configuration does not enable cache data encryption, leaving cached method response data stored in plaintext. This increases the risk of sensitive information exposure if the cache is accessed by unauthorized parties.

Impact

Unencrypted cached data can be intercepted or accessed by attackers, potentially exposing sensitive user or application information and increasing the risk of data breaches or regulatory non-compliance.

SAM API must have X-Ray tracing enabled

Property
Language: terraform
Severity: low
Service: sam
Provider: AWS

Description

The SAM API is deployed without AWS X-Ray tracing enabled, which prevents capturing end-to-end request data for API Gateway calls. This limits visibility into API execution and hinders effective debugging and monitoring.

Impact

Without X-Ray tracing, it becomes challenging to trace and diagnose issues across distributed components, making it harder to investigate performance bottlenecks or errors. This lack of insight can delay incident response and obscure the root cause of operational or security issues in production APIs.

SAM API stages for V1 and V2 should have access logging enabled

Property
Language: terraform
Severity: medium
Service: sam
Provider: AWS
Vulnerability Type: misconfiguration

Description

API Gateway stages in AWS SAM are missing access logging configuration, which means requests to these APIs are not being tracked. Without the access log settings block, important details about API usage and access are not recorded.

Impact

Lack of access logging makes it difficult to detect unauthorized access, troubleshoot issues, or investigate security incidents. This can lead to undetected malicious activity, compliance violations, and reduced visibility into API operations.

SAM Function must have X-Ray tracing enabled

Property
Language: terraform
Severity: low
Service: sam
Provider: AWS

Description

The SAM function is deployed without AWS X-Ray tracing enabled, preventing comprehensive tracking of requests and events through the function. This limits visibility into the function’s behavior and hinders debugging and performance analysis.

Impact

Without X-Ray tracing, identifying issues, bottlenecks, or suspicious activity within the function becomes difficult, increasing the risk of undetected failures or security incidents and complicating incident response efforts.

SAM HTTP API stages for V1 and V2 should have access logging enabled

Property
Language: terraform
Severity: medium
Service: sam
Provider: AWS
Vulnerability Type: misconfiguration

Description

API Gateway stages for AWS SAM HTTP APIs are missing access log settings, resulting in a lack of visibility into requests and responses at each stage. Without access logging enabled, critical access details are not recorded for monitoring or auditing.

Impact

The absence of access logs can hinder incident response, forensics, and compliance efforts, making it difficult to detect unauthorized access or misuse. Attackers may exploit this gap to perform malicious actions without detection, increasing the risk of data breaches or service abuse.

SAM Simple table must have server-side encryption enabled

Property
Language: terraform
Severity: high
Service: sam
Provider: AWS
Vulnerability Type: misconfiguration

Description

The AWS SAM SimpleTable resource is configured without server-side encryption, meaning data stored in the table is not automatically encrypted at rest. This leaves sensitive information unprotected if the storage medium is accessed by unauthorized parties.

Impact

Without server-side encryption, data in the table can be read directly if compromised, increasing the risk of data breaches and exposure of confidential or regulated information. Attackers gaining access to the storage backend could retrieve unencrypted data, impacting data privacy and compliance.

SAM State machine must have logging enabled

Property
Language: terraform
Severity: low
Service: sam
Provider: AWS

Description

The AWS SAM state machine is configured without logging enabled, preventing the capture of execution details and activity traces. This lack of logging makes it difficult to monitor or debug state machine operations.

Impact

Without logging, suspicious or unauthorized activities within the state machine may go undetected, making incident investigation and compliance auditing challenging and increasing the risk of undetected security breaches.

SAM State machine must have X-Ray tracing enabled

Property
Language: terraform
Severity: low
Service: sam
Provider: AWS

Description

The AWS SAM State Machine is configured without X-Ray tracing enabled, preventing comprehensive tracing and visibility into the execution flow of state machine activities. This limits the ability to debug and analyze distributed workflows.

Impact

Without X-Ray tracing, failures and performance issues within the state machine are difficult to track and diagnose, leading to longer incident response times and increased operational risk. This lack of observability can hinder troubleshooting and may allow issues or malicious activity to go undetected.

Seccomp policies disabled

Property
Language: terraform
Severity: medium
Vulnerability Type: omission

Description

Containers are running without a Seccomp profile, so no kernel syscall filtering is applied to processes inside the container. This configuration weakens container isolation and security controls.

Impact

Attackers who gain access to the container can execute unrestricted system calls, increasing the risk of container escapes, privilege escalation, and compromise of the underlying host or other workloads.

Resolution

Specify a Seccomp profile either through the pod annotation or through the seccomp profile type field, using only the values permitted by the Pod Security Standards.