By default, an EFS file system is not encrypted. This exposes the data to unauthorized access and potential theft.

Example 1: The following Ansible task sets up an EFS file system without data at rest encryption because the encrypt parameter is set to no.

- name: EFS provisioning
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: no
    targets:
      - subnet_id: subnet-12345678
        security_groups: [ "sg-87654321" ]

An unencrypted Amazon Kinesis stream storage layer exposes the data to unauthorized access and potential theft.

Example 1: The following Ansible task sets up a Kinesis stream without data at rest encryption because the encryption_state parameter is set to disabled.

- name: Set up Kinesis Stream with 10 shards and wait for the stream to become active
  community.aws.kinesis_stream:
    name: test-stream
    shards: 10
    wait: yes
    wait_timeout: 600
    encryption_state: disabled
  register: test_stream

By default, CloudWatch Log Groups retain logs indefinitely. An unset retention value indicates that organizational data handling policies have not been consulted in order to set appropriate configurations. This might result in unnecessary expenses for the organization to store and manage logging events.

An attacker can launch a Denial of Wallet (DoW) attack by persistently prompting spurious event-logging over an extended period of time, which can impact the organization financially.

Example 1: The following example shows an Ansible task that fails to define a retention policy.

- name: create a log_group in CloudWatchLogs
  community.aws.cloudwatchlogs_log_group:
    log_group_name: test-log-group
    tags: { "Name": "test-log-group", "Env" : "QA" }

By default, CloudTrail log file validation is disabled, which prevents investigators from confirming that there has been no external tampering with CloudTrail log files.

This enables an attacker with the necessary privileges to perform harmful configuration changes and hide them by modifying the CloudTrail logs.

Example 1: The following Ansible task sets up a CloudTrail configuration without log file integrity validation because the enable_log_file_validation parameter is missing.

- name: create a single region cloudtrail
  community.aws.cloudtrail:
    s3_bucket_name: mylogbucket
    s3_key_prefix: cloudtrail
    region: us-west-2

A publicly accessible Amazon RDS instance unnecessarily broadens an organization's attack surface. Services open to interaction with the public are subjected to almost continuous scanning and probing by attackers.

Example 1: The following Ansible task sets up an RDS instance with public access because publicly_accessible is set to true.

- name: createdb
  community.aws.rds_instance:
    db_instance_identifier: test-db
    engine: aurora
    instance_type: db.t2.small
    username: "{{ username }}"
    password: "{{ password }}"
    cluster_id: test-cluster
    publicly_accessible: true

Loose access configurations unnecessarily expose systems and broaden an organization's attack surface. Services open to interaction with the public are subjected to almost continuous scanning and probing by malicious entities.

This is especially problematic when a zero-day exploit for an exposed service is discovered and published (e.g Heartbleed). Attackers can actively pursue and search for unpatched and exposed systems to exploit.

"PSQLSecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "VpcId": {
            "Ref": "VpcId"
        },
        "GroupDescription": "Enable PSQL access via port 5432 to world",
        "SecurityGroupIngress": [
            {
                "CidrIp": "0.0.0.0/0",
                "FromPort": 5432,
                "IpProtocol": "tcp",
                "ToPort": 5432
            }
        ]
    }

Defining access keys for your AWS root user account places all your AWS resources at risk if this key is compromised.

Example 1: The following example template creates an access key for the root user account.

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "SecKeys": {
            "Type": "AWS::IAM::AccessKey",
            "Properties": {
            "UserName": "Root"
            }
        }
    }
}