Elasticsearch domain isn’t encrypted at rest.

Property
Language: terraform
Severity: high
Service: elastic-search
Provider: AWS
Vulnerability Type: omission

Description

Enable encryption at rest on the Elasticsearch domain so that the data it stores (indices, logs and automated snapshots) cannot be read by anyone who obtains the underlying storage rather than going through the domain's authenticated endpoint. Encryption at rest can only be turned on, never off, and on some domain versions it can only be set at creation time, so a domain created without it may need to be recreated.

Resolution

Enable encryption at rest on the Elasticsearch domain.

Elasticsearch domain uses plaintext traffic for node-to-node communication.

Property
Language: terraform
Severity: high
Service: elastic-search
Provider: AWS
Vulnerability Type: omission

Description

Elasticsearch domains should use encrypted communication between nodes to ensure the confidentiality and integrity of data as it is transmitted. Using plaintext traffic exposes the communication to interception.

Impact

Plaintext communication between Elasticsearch nodes exposes sensitive data to potential eavesdropping, leading to unauthorized access or data breaches.

Resolution

Enable encrypted node-to-node communication (requires Elasticsearch 6.0 or later).
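The two Elasticsearch rules above are fixed on the same resource, so one added example covers both. This is not the rule author's code: the domain name, instance type and KMS key are placeholders, and the `domain_endpoint_options` block goes beyond what either rule checks.

```hcl
# Added example covering the two Elasticsearch rules above.
# Names and sizes are placeholders; the KMS key is created here for
# illustration and could equally be an existing customer-managed key.

# Flagged by both rules: neither encryption block is declared, so the
# provider defaults apply and the domain stores data and exchanges
# node traffic in plaintext.
resource "aws_elasticsearch_domain" "insecure" {
  domain_name           = "logs-insecure"
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type  = "t3.small.elasticsearch"
    instance_count = 2
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }
}

resource "aws_kms_key" "es" {
  description         = "CMK for the Elasticsearch domain"
  enable_key_rotation = true
}

# Corrected: encryption at rest with a customer-managed key, TLS between
# nodes, and HTTPS enforced on the client-facing endpoint.
resource "aws_elasticsearch_domain" "hardened" {
  domain_name           = "logs"
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type  = "t3.small.elasticsearch"
    instance_count = 2
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  # Rule 1: encryption at rest. Toggling this on an existing domain can
  # force a replacement, so review the plan before applying.
  encrypt_at_rest {
    enabled    = true
    kms_key_id = aws_kms_key.es.key_id
  }

  # Rule 2: TLS on the node-to-node hop (Elasticsearch 6.0 or later).
  node_to_node_encryption {
    enabled = true
  }

  # Not checked by either rule, but plaintext client traffic would undo
  # the benefit of encrypting traffic between nodes.
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }
}
```

Omitting `kms_key_id` is still compliant; the domain then uses the AWS-managed `aws/es` key, which satisfies the rule but leaves key policy and rotation outside your control.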

Enable All Regions

Property
Language: terraform
Severity: medium
Service: cloudtrail
Provider: AWS
Vulnerability Type: omission

Description

The CloudTrail trail only records activity in the region it is created in, leaving every other region unmonitored. This happens because ‘is_multi_region_trail’ defaults to false in the Terraform resource, whereas the AWS Console creates multi-region trails by default. A multi-region trail also covers regions that are enabled in the account later, which a set of per-region trails does not.

Impact

Malicious or unauthorized activity in unmonitored AWS regions could go undetected, allowing attackers to perform actions without audit trails. This weakens incident detection and response, increasing the risk of unnoticed breaches or compliance failures.
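An added example (not the rule author's code) showing the flagged single-region trail beside the corrected one. The bucket name, trail names and account lookup are placeholders; the bucket policy is included because CloudTrail refuses to write to a bucket that does not grant it access, so the corrected resource would not apply without it.

```hcl
# Added example for the CloudTrail multi-region rule. Names are placeholders.

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "trail" {
  bucket = "example-org-cloudtrail-logs"
}

# CloudTrail needs GetBucketAcl on the bucket and PutObject under
# AWSLogs/<account-id>/ with bucket-owner-full-control, or creation fails.
resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSCloudTrailAclCheck"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.trail.arn
      },
      {
        Sid       = "AWSCloudTrailWrite"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.trail.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
        Condition = {
          StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" }
        }
      }
    ]
  })
}

# Flagged: is_multi_region_trail is omitted and defaults to false, so only
# the provider's configured region is logged.
resource "aws_cloudtrail" "single_region" {
  name           = "audit-trail-single-region"
  s3_bucket_name = aws_s3_bucket.trail.id
  depends_on     = [aws_s3_bucket_policy.trail]
}

# Corrected: one trail for every region (including regions enabled later),
# with global service events (IAM, STS, CloudFront) and log-file integrity
# validation so tampering with delivered logs is detectable.
resource "aws_cloudtrail" "all_regions" {
  name                          = "audit-trail"
  s3_bucket_name                = aws_s3_bucket.trail.id
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true
  depends_on                    = [aws_s3_bucket_policy.trail]
}
```

Enabling `is_multi_region_trail` on an existing single-region trail is an in-place update, but the S3 prefix and bucket policy must already permit writes from every region, which the account-wide `AWSLogs/<account-id>/*` resource above does.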

Enable At Rest Encryption

Property
Language: terraform
Severity: high
Service: athena
Provider: AWS
Vulnerability Type: omission

Description

Athena databases and workgroups are being created without an encryption configuration, so query results and the database's stored data are written to their S3 location unencrypted. Query results can contain sensitive rows selected from the underlying S3 data, and without a workgroup-level encryption setting they are persisted in plaintext in the result bucket.

Impact

If the Athena database or workgroup is compromised, unencrypted data can be accessed and read by unauthorized parties, leading to potential exposure of sensitive information and regulatory non-compliance.
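An added example, not the rule author's code, with the flagged workgroup beside the corrected workgroup and database. The bucket, names and KMS key are placeholders.

```hcl
# Added example for the Athena at-rest encryption rule. Names are placeholders.

resource "aws_s3_bucket" "results" {
  bucket = "example-athena-results"
}

resource "aws_kms_key" "athena" {
  description         = "CMK for Athena query results and database data"
  enable_key_rotation = true
}

# Flagged: a result location is set but no encryption_configuration, so
# query results are written to S3 without an encryption setting.
resource "aws_athena_workgroup" "insecure" {
  name = "analytics_insecure"

  configuration {
    result_configuration {
      output_location = "s3://${aws_s3_bucket.results.bucket}/output/"
    }
  }
}

# Corrected: SSE-KMS on every result object. enforce_workgroup_configuration
# stops clients from overriding the result settings per query, which would
# otherwise let a caller write unencrypted results elsewhere.
resource "aws_athena_workgroup" "hardened" {
  name = "analytics"

  configuration {
    enforce_workgroup_configuration = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.results.bucket}/output/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.athena.arn
      }
    }
  }
}

# Corrected: the database is created with an encryption configuration too.
resource "aws_athena_database" "hardened" {
  name   = "analytics"
  bucket = aws_s3_bucket.results.id

  encryption_configuration {
    encryption_option = "SSE_KMS"
    kms_key           = aws_kms_key.athena.arn
  }
}
```

Bucket-level default encryption on the result bucket is a useful second layer, but it is not what this rule inspects; the encryption must be declared on the Athena resources themselves.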

Enable at-rest encryption for EMR clusters.

Property
Language: terraform
Severity: high
Service: emr
Provider: AWS
Vulnerability Type: misconfiguration

Description

The EMR cluster is configured without at-rest encryption, meaning data stored on local disks and in S3 is not protected using encryption. This leaves sensitive data vulnerable to unauthorized access if the storage is compromised.

Impact

Without at-rest encryption, an attacker who gains access to the EMR cluster’s storage or associated S3 buckets could read sensitive data directly. This can lead to data breaches, regulatory non-compliance, and exposure of confidential information.

Enable automated backups to recover from data-loss

Property
Language: terraform
Severity: medium
Service: sql
Provider: Google
Vulnerability Type: omission

Description

Automated backups are not enabled for Google Cloud SQL instances, leaving databases without a way to recover from accidental data loss or corruption. The Terraform configuration sets ‘backup_configuration.enabled’ to false or omits it entirely, resulting in no backup snapshots being created.

Impact

Without automated backups, any data loss, corruption, or malicious deletion is irreversible, potentially leading to permanent loss of critical business data and service downtime. The inability to restore data can severely impact business continuity and violate data retention policies.
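An added example, not the rule author's code, showing the flagged instance beside a corrected one. Instance names, region, database version and tier are placeholders; `deletion_protection` and the retention settings go beyond what the rule checks.

```hcl
# Added example for the Cloud SQL automated-backups rule. Names are placeholders.

# Flagged: backup_configuration is omitted, so the provider default (backups
# disabled) applies and no snapshots are ever taken.
resource "google_sql_database_instance" "no_backups" {
  name             = "app-db-nobackup"
  region           = "us-central1"
  database_version = "POSTGRES_15"

  settings {
    tier = "db-f1-micro"
  }
}

# Corrected: daily automated backups plus point-in-time recovery, with an
# explicit retention policy. For MySQL instances use binary_log_enabled = true
# in place of point_in_time_recovery_enabled.
resource "google_sql_database_instance" "with_backups" {
  name                = "app-db"
  region              = "us-central1"
  database_version    = "POSTGRES_15"
  deletion_protection = true # backups do not help if the instance itself is destroyed

  settings {
    tier = "db-f1-micro"

    backup_configuration {
      enabled                        = true
      start_time                     = "03:00" # HH:MM, UTC
      location                       = "us"
      point_in_time_recovery_enabled = true
      transaction_log_retention_days = 7

      backup_retention_settings {
        retained_backups = 14
        retention_unit   = "COUNT"
      }
    }
  }
}
```

Automated backups are stored alongside the instance; for ransomware or accidental-deletion scenarios, also export on a schedule to a bucket in a separate project so a compromise of the database project cannot remove both copies.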

Enable disk encryption on managed disk

Property
Language: terraform
Severity: high
Service: compute
Provider: Azure
Vulnerability Type: misconfiguration

Description

Managed disks are being provisioned without encryption at rest enabled. This means data stored on these disks is not protected from unauthorized access at the storage level.

Impact

If the disk or underlying storage is compromised, sensitive data can be read in plaintext by attackers. This exposes the organization to risks such as data breaches, regulatory violations, and potential loss of confidential information.
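An added example, not the rule author's code. Azure applies server-side encryption with platform-managed keys to every managed disk, so the practical fix this rule pushes toward is declaring the disk's encryption explicitly with a key you control. The example below does that with a disk encryption set backed by Key Vault; resource group, names and location are placeholders, and the Key Vault name must be globally unique. The exact attribute the scanner inspects is not stated on this page and is assumed here.

```hcl
# Added example for the Azure managed-disk encryption rule. Names are placeholders.

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-disks"
  location = "westeurope"
}

# Flagged: no encryption settings declared on the disk resource.
resource "azurerm_managed_disk" "flagged" {
  name                 = "data-disk-flagged"
  location             = azurerm_resource_group.rg.location
  resource_group_name  = azurerm_resource_group.rg.name
  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = 64
}

# Key Vault for the customer-managed key. Purge protection is mandatory for
# keys referenced by a disk encryption set.
resource "azurerm_key_vault" "kv" {
  name                       = "kv-disk-cmk-example"
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  purge_protection_enabled   = true
  soft_delete_retention_days = 7
}

# The identity running terraform needs key permissions to create the key.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id    = azurerm_key_vault.kv.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = data.azurerm_client_config.current.object_id
  key_permissions = ["Create", "Get", "Delete", "Purge", "GetRotationPolicy"]
}

resource "azurerm_key_vault_key" "disk" {
  name         = "disk-cmk"
  key_vault_id = azurerm_key_vault.kv.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [azurerm_key_vault_access_policy.deployer]
}

resource "azurerm_disk_encryption_set" "des" {
  name                = "des-data"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  key_vault_key_id    = azurerm_key_vault_key.disk.id

  identity {
    type = "SystemAssigned"
  }
}

# The disk encryption set's managed identity must be able to wrap and unwrap
# the disk's data-encryption key with the Key Vault key.
resource "azurerm_key_vault_access_policy" "des" {
  key_vault_id    = azurerm_key_vault.kv.id
  tenant_id       = azurerm_disk_encryption_set.des.identity[0].tenant_id
  object_id       = azurerm_disk_encryption_set.des.identity[0].principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# Corrected: the disk is encrypted with the customer-managed key.
resource "azurerm_managed_disk" "encrypted" {
  name                   = "data-disk"
  location               = azurerm_resource_group.rg.location
  resource_group_name    = azurerm_resource_group.rg.name
  storage_account_type   = "Standard_LRS"
  create_option          = "Empty"
  disk_size_gb           = 64
  disk_encryption_set_id = azurerm_disk_encryption_set.des.id

  depends_on = [azurerm_key_vault_access_policy.des]
}
```

Revoking or deleting the Key Vault key makes every disk bound to the encryption set unreadable, which is the point of a customer-managed key, so keep key deletion behind purge protection and a separate approval path.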

Enable IAM Access analyzer for IAM policies about all resources in each region.

Property
Language: terraform
Severity: low
Service: accessanalyzer
Provider: AWS

Description

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment, and it continuously monitors policies on S3 buckets, IAM roles, KMS (Key Management Service) keys, AWS Lambda functions and Amazon SQS (Simple Queue Service) queues, among other resource types. Analyzers are regional: an analyzer only examines resources in the region it is created in, so one is needed in every region where resources are deployed.
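An added example, not the rule author's code, of creating an account-level analyzer in each region in use via provider aliases. The two regions and the analyzer names are placeholders; extend the pattern with one alias and one resource per additional region.

```hcl
# Added example for the IAM Access Analyzer rule. Regions and names are placeholders.

provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "eu_west_1"
  region = "eu-west-1"
}

# Access Analyzer is a regional service: an analyzer in us-east-1 sees nothing
# in eu-west-1, so each region with resources gets its own.
resource "aws_accessanalyzer_analyzer" "us_east_1" {
  analyzer_name = "account-analyzer-us-east-1"
  type          = "ACCOUNT"
}

resource "aws_accessanalyzer_analyzer" "eu_west_1" {
  provider      = aws.eu_west_1
  analyzer_name = "account-analyzer-eu-west-1"
  type          = "ACCOUNT"
}
```

In an AWS Organization, creating the analyzers with `type = "ORGANIZATION"` from the management account (or a delegated administrator) covers every member account's resources in that region; the per-region requirement still applies.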

Enable in-transit encryption for EMR clusters.

Property
Language: terraform
Severity: high
Service: emr
Provider: AWS
Vulnerability Type: misconfiguration

Description

The EMR cluster is not configured to use in-transit encryption, meaning data moving between nodes or services within the cluster is sent in plaintext. This exposes sensitive information to potential interception during transmission.

Impact

Without in-transit encryption, attackers who gain network access can eavesdrop on or tamper with data exchanged within the EMR cluster. This can lead to unauthorized disclosure of sensitive data, data breaches, or manipulation of processing results, posing significant risks to data privacy and integrity.

Enable local-disk encryption for EMR clusters.

Property
Language: terraform
Severity: high
Service: emr
Provider: AWS
Vulnerability Type: misconfiguration

Description

The EMR cluster is not configured to encrypt data stored on its local disks, leaving sensitive information at rest unprotected. Without local-disk encryption, data on EMR instance storage remains readable to anyone with access to the underlying hardware or snapshots.

Impact

If exploited, attackers or unauthorized individuals with access to the EMR cluster’s storage could retrieve unencrypted sensitive data, leading to data breaches, regulatory violations, and potential compromise of confidential business or customer information.
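The three EMR rules (at-rest encryption, in-transit encryption and local-disk encryption) are all satisfied by attaching one EMR security configuration to the cluster, so one added example covers all three. This is not the rule author's code: cluster names, release label, instance types and the KMS key are placeholders, and the IAM roles, subnet and certificate bucket are assumed to be declared elsewhere in the configuration.

```hcl
# Added example covering the three EMR encryption rules above.
# Names are placeholders; aws_iam_role.emr_service, aws_iam_instance_profile.emr_ec2,
# aws_subnet.private and aws_s3_bucket.emr_certs are assumed to exist elsewhere.

resource "aws_kms_key" "emr" {
  description         = "CMK for EMR at-rest and local-disk encryption"
  enable_key_rotation = true
}

# Flagged by all three rules: no security_configuration is attached, so EMRFS
# data in S3, local disks and intra-cluster traffic are all unencrypted.
resource "aws_emr_cluster" "insecure" {
  name          = "etl-insecure"
  release_label = "emr-6.15.0"
  applications  = ["Spark"]
  service_role  = aws_iam_role.emr_service.arn

  ec2_attributes {
    subnet_id        = aws_subnet.private.id
    instance_profile = aws_iam_instance_profile.emr_ec2.arn
  }

  master_instance_group {
    instance_type = "m5.xlarge"
  }

  core_instance_group {
    instance_type  = "m5.xlarge"
    instance_count = 2
  }
}

# One security configuration satisfies all three rules. The JSON is AWS's
# EMR security configuration schema, built with jsonencode().
resource "aws_emr_security_configuration" "encrypted" {
  name = "emr-encrypted"

  configuration = jsonencode({
    EncryptionConfiguration = {
      # Rule: at-rest encryption for EMRFS data in S3.
      EnableAtRestEncryption = true
      AtRestEncryptionConfiguration = {
        S3EncryptionConfiguration = {
          EncryptionMode = "SSE-KMS"
          AwsKmsKey      = aws_kms_key.emr.arn
        }
        # Rule: local-disk encryption (LUKS on instance-store volumes, and
        # EBS volume encryption with the same key).
        LocalDiskEncryptionConfiguration = {
          EncryptionKeyProviderType = "AwsKms"
          AwsKmsKey                 = aws_kms_key.emr.arn
          EnableEbsEncryption       = true
        }
      }
      # Rule: in-transit encryption. The zip in S3 must contain
      # privateKey.pem, certificateChain.pem and trustedCertificates.pem.
      EnableInTransitEncryption = true
      InTransitEncryptionConfiguration = {
        TLSCertificateConfiguration = {
          CertificateProviderType = "PEM"
          S3Object                = "s3://${aws_s3_bucket.emr_certs.bucket}/emr-certs.zip"
        }
      }
    }
  })
}

# Corrected cluster: identical to the flagged one, but bound to the
# security configuration by name.
resource "aws_emr_cluster" "hardened" {
  name                   = "etl"
  release_label          = "emr-6.15.0"
  applications           = ["Spark"]
  service_role           = aws_iam_role.emr_service.arn
  security_configuration = aws_emr_security_configuration.encrypted.name

  ec2_attributes {
    subnet_id        = aws_subnet.private.id
    instance_profile = aws_iam_instance_profile.emr_ec2.arn
  }

  master_instance_group {
    instance_type = "m5.xlarge"
  }

  core_instance_group {
    instance_type  = "m5.xlarge"
    instance_count = 2
  }
}
```

Two things the scanner will not tell you: the KMS key policy must allow both the EMR service role and the EC2 instance profile role to use the key, or cluster provisioning fails at bootstrap; and the TLS certificate's subject or SAN must match the cluster nodes' private DNS names (a wildcard for the VPC's domain is the usual choice), or the in-transit encryption handshake fails between nodes.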