ECS Task Definitions with EFS volumes should use in-transit encryption

Property
Language: terraform
Severity: high
Service: ecs
Provider: AWS
Vulnerability Type: misconfiguration

Description

ECS task definitions using EFS volumes are missing in-transit encryption, allowing data to be transmitted between ECS containers and EFS without protection. This exposes sensitive information to interception during network transit.

Impact

Without in-transit encryption, attackers with network access could intercept and read or manipulate data exchanged between ECS tasks and EFS, leading to data breaches, information leakage, or unauthorized data tampering.

EFS Encryption has not been enabled

Property
Language: terraform
Severity: high
Service: efs
Provider: AWS
Vulnerability Type: omission

Description

The AWS EFS file system is configured without encryption at rest, which means data and metadata stored on the file system are not protected by server-side encryption. This leaves the stored information unencrypted on disk.

Impact

If the EFS is compromised, an attacker could access and read sensitive data directly from the file system. This increases the risk of data breaches and may result in non-compliance with regulatory or organizational security requirements.

EKS cluster should not have open CIDR range for public access

Property
Language: terraform
Severity: critical
Service: eks
Provider: AWS
Vulnerability Type: misconfiguration

Description

The EKS cluster configuration allows public access from all IP addresses (0.0.0.0/0), exposing the Kubernetes API endpoint to the entire internet. This overly broad CIDR range makes the cluster openly accessible and vulnerable to unauthorized access attempts.

Impact

If exploited, attackers anywhere on the internet could attempt to access or compromise the EKS cluster, potentially leading to data breaches, unauthorized control over workloads, or disruption of services. This exposure significantly increases the risk of cluster takeover and organizational impact.

EKS Clusters should have cluster control plane logging turned on

Property
Language: terraform
Severity: medium
Service: eks
Provider: AWS
Vulnerability Type: omission

Description

The EKS cluster configuration does not enable control plane logging for critical components such as API, audit, authenticator, controller manager, and scheduler. Without these logs, important activity within the cluster control plane is not captured.

Impact

Lack of control plane logging makes it difficult to detect, investigate, and respond to unauthorized access or misconfigurations, increasing the risk of undetected security incidents and compliance violations within the Kubernetes environment.

EKS Clusters should have the public access disabled

Property
Language: terraform
Severity: critical
Service: eks
Provider: AWS
Vulnerability Type: misconfiguration

Description

The EKS cluster is configured with public access enabled, exposing the cluster endpoint to the internet. This allows unauthenticated network traffic to reach the cluster API from outside the VPC, increasing the attack surface.

Impact

If public access is enabled, attackers on the internet may attempt to discover, target, and exploit the EKS cluster API. This can lead to unauthorized access, data breaches, or compromise of workloads running within the cluster, significantly impacting organizational security.

EKS should have the encryption of secrets enabled

Property
Language: terraform
Severity: high
Service: eks
Provider: AWS
Vulnerability Type: omission

Description

The EKS cluster is configured without enabling encryption for Kubernetes secrets using a customer-managed KMS key. This leaves sensitive data stored as secrets in the cluster unprotected at rest.

Impact

If secret encryption is not enabled, anyone who gains unauthorized access to the underlying storage or etcd can read sensitive secrets in plaintext, potentially exposing credentials, API keys, or other confidential information and leading to data breaches or privilege escalation.

ElastiCache Replication Group stores unencrypted data at rest.

Property
Language: terraform
Severity: high
Service: elasticache
Provider: AWS
Vulnerability Type: omission

Description

The ElastiCache replication group is configured without at-rest encryption, meaning data stored on disk is not protected. This allows sensitive information in the cache to be stored in plaintext on the underlying storage.

Impact

If the underlying storage is accessed by an unauthorized party—due to compromise, misconfiguration, or insider threat—unencrypted data could be read directly. This exposes confidential information such as user data, application secrets, or session details, increasing the risk of data breaches and regulatory violations.

ElastiCache Replication Group uses unencrypted traffic.

Property
Language: terraform
Severity: high
Service: elasticache
Provider: AWS
Vulnerability Type: omission

Description

The ElastiCache replication group is configured to use unencrypted (plaintext) traffic between nodes, exposing sensitive data transmitted within the cluster. Without in-transit encryption, data can be intercepted and read by unauthorized parties.

Impact

If exploited, attackers with access to the network could capture and view sensitive information moving between ElastiCache nodes, leading to data breaches or exposure of confidential application data. This undermines data privacy and compliance, increasing the risk of regulatory violations.

Elasticsearch doesn’t enforce HTTPS traffic.

Property
Language: terraform
Severity: critical
Service: elastic-search
Provider: AWS
Vulnerability Type: omission

Description

Plain HTTP is unencrypted and human-readable. This means that if a malicious actor were to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.

You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.

Resolution

Enforce the use of HTTPS for Elasticsearch.

Elasticsearch domain endpoint is using outdated TLS policy.

Property
Language: terraform
Severity: high
Service: elastic-search
Provider: AWS
Vulnerability Type: omission

Description

Using outdated TLS policies for Elasticsearch domain endpoints can expose traffic to weak cryptographic algorithms, making it easier for attackers to decrypt or tamper with data.

Impact

Outdated TLS policies increase the risk of man-in-the-middle attacks, data interception, and compromise of sensitive information.

Resolution

Use the most modern TLS/SSL policies available.