1433 개 항목 찾음
취약점

AWS CloudFormation Misconfiguration: Reduced ElastiCache Availability

Abstract
구성이 서비스 가용성을 낮춥니다.
Explanation
클라우드 서비스는 원활한 서비스 확장을 지원하고 컨텐츠를 더욱 빠르게 제공하는 동시에 대규모 공격의 영향을 완화하기 위해 일반적으로 캐싱, 복제, 로드 밸런싱 등의 기술을 사용합니다. 가용성 기능을 비활성화하거나 잘못 구성하면 서비스 성능이 저하됩니다. 그런데 트래픽 급증, 하드웨어 오류 등의 심각한 상황이 발생할 때까지는 가용성 저하의 즉각적인 영향이 나타나지 않는 경우도 많습니다.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
desc.structural.iac.misconfiguration_reduced_availability.base
Abstract
구성이 서비스 가용성을 낮춥니다.
Explanation
클라우드 서비스는 원활한 서비스 확장을 지원하고 컨텐츠를 더욱 빠르게 제공하는 동시에 대규모 공격의 영향을 완화하기 위해 일반적으로 캐싱, 복제, 로드 밸런싱 등의 기술을 사용합니다. 가용성 기능을 비활성화하거나 잘못 구성하면 서비스 성능이 저하됩니다. 그런데 트래픽 급증, 하드웨어 오류 등의 심각한 상황이 발생할 때까지는 가용성 저하의 즉각적인 영향이 나타나지 않는 경우도 많습니다.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
desc.structural.iac.misconfiguration_reduced_availability.base

AWS CloudFormation Misconfiguration: Reduced Stack Availability

Abstract
구성이 서비스 가용성을 낮춥니다.
Explanation
클라우드 서비스는 원활한 서비스 확장을 지원하고 컨텐츠를 더욱 빠르게 제공하는 동시에 대규모 공격의 영향을 완화하기 위해 일반적으로 캐싱, 복제, 로드 밸런싱 등의 기술을 사용합니다. 가용성 기능을 비활성화하거나 잘못 구성하면 서비스 성능이 저하됩니다. 그런데 트래픽 급증, 하드웨어 오류 등의 심각한 상황이 발생할 때까지는 가용성 저하의 즉각적인 영향이 나타나지 않는 경우도 많습니다.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
desc.structural.iac.misconfiguration_reduced_availability.base
Abstract
구성이 서비스 가용성을 낮춥니다.
Explanation
클라우드 서비스는 원활한 서비스 확장을 지원하고 컨텐츠를 더욱 빠르게 제공하는 동시에 대규모 공격의 영향을 완화하기 위해 일반적으로 캐싱, 복제, 로드 밸런싱 등의 기술을 사용합니다. 가용성 기능을 비활성화하거나 잘못 구성하면 서비스 성능이 저하됩니다. 그런데 트래픽 급증, 하드웨어 오류 등의 심각한 상황이 발생할 때까지는 가용성 저하의 즉각적인 영향이 나타나지 않는 경우도 많습니다.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
desc.structural.iac.misconfiguration_reduced_availability.base

AWS CloudFormation Misconfiguration: Rekognition Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: S3 Backup Disabled

Abstract
구성이 백업 또는 데이터 복구 기능을 끕니다.
Explanation
백업 및 데이터 복구 통제 수단은 기업이 일상 작업을 계속 진행할 수 있도록 데이터를 보호하고 데이터 가용성을 보장합니다.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.iac.misconfiguration_backup_disabled.base
Abstract
구성이 백업 또는 데이터 복구 기능을 끕니다.
Explanation
백업 및 데이터 복구 통제 수단은 기업이 일상 작업을 계속 진행할 수 있도록 데이터를 보호하고 데이터 가용성을 보장합니다.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.iac.misconfiguration_backup_disabled.base

AWS CloudFormation Misconfiguration: SageMaker Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: SageMaker Network Isolation Disabled

Abstract
구성이 액세스 권한이 지나치게 광범위한 네트워크 규칙을 정의합니다.
Explanation
느슨한 액세스 구성은 시스템을 노출시키고 조직의 공격 표면을 확장합니다. 공개 상호 작용이 가능한 서비스는 일반적으로 악의적인 엔터티의 거의 지속적인 검색 및 조사에 노출됩니다.

이는 노출된 서비스에 대한 제로데이 익스플로이트가 검색되어 게시되는 경우(예: Heartbleed) 특히 문제가 됩니다. 공격자는 패치되지 않고 노출된 시스템을 적극적으로 추적하고 검색하여 악용할 수 있습니다.
References
[1] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - Common Weakness Enumeration CWE ID 749
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.iac.misconfiguration_improper_network_access_control.base

AWS CloudFormation Misconfiguration: SecretsManager Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: Serverless Denial of Service

Abstract
구성이 무제한 리소스 사용을 허용합니다.
Explanation
리소스를 과도하게 사용하여 리소스 액세스가 거부되도록 하는 방식은 시스템 리소스를 고갈시켜 청구 요금을 증가시키는 데 흔히 사용되는 공격 패턴입니다.
References
[1] Daniel Kelly, Frank G.Glavin, Enda Barrett Journal of Information Security and Applications: Denial of wallet—Defining a looming threat to serverless computing
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_denial_of_service.base
Abstract
구성이 무제한 리소스 사용을 허용합니다.
Explanation
리소스를 과도하게 사용하여 리소스 액세스가 거부되도록 하는 방식은 시스템 리소스를 고갈시켜 청구 요금을 증가시키는 데 흔히 사용되는 공격 패턴입니다.
References
[1] Daniel Kelly, Frank G.Glavin, Enda Barrett Journal of Information Security and Applications: Denial of wallet—Defining a looming threat to serverless computing
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_denial_of_service.base

AWS CloudFormation Misconfiguration: SQS Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: Timestream Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: Weak API Gateway Authentication

Abstract
구성이 취약한 인증 메커니즘을 사용합니다.
Explanation
취약한 인증 메커니즘을 사용하는 조직은 무단 액세스 위험에 노출됩니다.

인증 메커니즘은 다음과 같은 다양한 이유로 실패할 수 있습니다.
- 취약한 비밀번호
- 부적절한 유효성 검사
- 취약한 자격 증명 관리 기능
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base
Abstract
구성이 취약한 인증 메커니즘을 사용합니다.
Explanation
취약한 인증 메커니즘을 사용하는 조직은 무단 액세스 위험에 노출됩니다.

인증 메커니즘은 다음과 같은 다양한 이유로 실패할 수 있습니다.
- 취약한 비밀번호
- 부적절한 유효성 검사
- 취약한 자격 증명 관리 기능
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak Certificate Manager Authentication

Abstract
구성이 취약한 인증 메커니즘을 사용합니다.
Explanation
취약한 인증 메커니즘을 사용하는 조직은 무단 액세스 위험에 노출됩니다.

인증 메커니즘은 다음과 같은 다양한 이유로 실패할 수 있습니다.
- 취약한 비밀번호
- 부적절한 유효성 검사
- 취약한 자격 증명 관리 기능
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base
Abstract
구성이 취약한 인증 메커니즘을 사용합니다.
Explanation
취약한 인증 메커니즘을 사용하는 조직은 무단 액세스 위험에 노출됩니다.

인증 메커니즘은 다음과 같은 다양한 이유로 실패할 수 있습니다.
- 취약한 비밀번호
- 부적절한 유효성 검사
- 취약한 자격 증명 관리 기능
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak IAM Authentication

Abstract
구성이 취약한 인증 메커니즘을 사용합니다.
Explanation
취약한 인증 메커니즘을 사용하는 조직은 무단 액세스 위험에 노출됩니다.

인증 메커니즘은 다음과 같은 다양한 이유로 실패할 수 있습니다.
- 취약한 비밀번호
- 부적절한 유효성 검사
- 취약한 자격 증명 관리 기능
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base
Abstract
구성이 취약한 인증 메커니즘을 사용합니다.
Explanation
취약한 인증 메커니즘을 사용하는 조직은 무단 액세스 위험에 노출됩니다.

인증 메커니즘은 다음과 같은 다양한 이유로 실패할 수 있습니다.
- 취약한 비밀번호
- 부적절한 유효성 검사
- 취약한 자격 증명 관리 기능
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak Lambda Authentication

Abstract
구성이 취약한 인증 메커니즘을 사용합니다.
Explanation
취약한 인증 메커니즘을 사용하는 조직은 무단 액세스 위험에 노출됩니다.

인증 메커니즘은 다음과 같은 다양한 이유로 실패할 수 있습니다.
- 취약한 비밀번호
- 부적절한 유효성 검사
- 취약한 자격 증명 관리 기능
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base
Abstract
구성이 취약한 인증 메커니즘을 사용합니다.
Explanation
취약한 인증 메커니즘을 사용하는 조직은 무단 액세스 위험에 노출됩니다.

인증 메커니즘은 다음과 같은 다양한 이유로 실패할 수 있습니다.
- 취약한 비밀번호
- 부적절한 유효성 검사
- 취약한 자격 증명 관리 기능
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak RDS Authentication

Abstract
구성이 취약한 인증 메커니즘을 사용합니다.
Explanation
취약한 인증 메커니즘을 사용하는 조직은 무단 액세스 위험에 노출됩니다.

인증 메커니즘은 다음과 같은 다양한 이유로 실패할 수 있습니다.
- 취약한 비밀번호
- 부적절한 유효성 검사
- 취약한 자격 증명 관리 기능
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base
Abstract
구성이 취약한 인증 메커니즘을 사용합니다.
Explanation
취약한 인증 메커니즘을 사용하는 조직은 무단 액세스 위험에 노출됩니다.

인증 메커니즘은 다음과 같은 다양한 이유로 실패할 수 있습니다.
- 취약한 비밀번호
- 부적절한 유효성 검사
- 취약한 자격 증명 관리 기능
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak SecretsManager Generated Password

Abstract
구성이 취약한 비밀번호를 허용합니다.
Explanation
보안을 유지하려면 반드시 인증을 진행해야 합니다. 인증 프로세스의 신뢰성은 로그인 자격 증명의 안전성과 강도에 따라 달라집니다. 안전한 웹 사이트를 배포하려면 사용자가 강력한 비밀번호를 생성할 수 있도록 하는 비밀번호 정책을 적용해야 합니다. 비밀번호 강도란 해당 비밀번호가 추측 및 무차별 대입 공격을 방지하는 효율성을 측정한 값입니다. 비밀번호 길이, 복잡도, 무작위성과 같은 비밀번호 특성을 매개 변수로 활용하여 비밀번호 강도를 정의할 수 있습니다.
References
[1] National Institute of Standards and Technology (NIST) NIST Special Publication 800-63B: Digital Identity Guidelines
[2] Open Web Application Security Project (OWASP) Authentication Cheat Sheet
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 6
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark partial
[9] Standards Mapping - Common Weakness Enumeration CWE ID 521
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000192, CCI-000193, CCI-000194, CCI-000205, CCI-001619
[16] Standards Mapping - FIPS200 IA
[17] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management
[20] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[21] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[22] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[23] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[24] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[25] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[28] Standards Mapping - OWASP Mobile 2023 M3 Insecure Authentication/Authorization
[29] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 8.5.10, Requirement 8.5.11
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 8.5.10, Requirement 8.5.11
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 8.5.10, Requirement 8.5.11
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 8.2.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 8.2.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 8.2.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 8.2.3
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 8.3.6
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.1 - Web Software Access Controls, Control Objective C.2.1.2 - Web Software Access Controls
[41] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 307
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II, APSC-DV-001760 CAT II, APSC-DV-001770 CAT II, APSC-DV-001780 CAT II, APSC-DV-001790 CAT II
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Brute Force (WASC-11)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Brute Force
desc.structural.iac.misconfiguration_weak_password_policy.base

AWS Terraform Misconfiguration: AMI Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS Terraform Misconfiguration: API Gateway Publicly Accessible

Abstract
Terraform 구성이 공개적으로 액세스 가능한 AWS 리소스를 생성합니다.
Explanation
공개적으로 액세스할 수 있는 리소스는 배포된 서비스 거부(DDoS) 공격에 취약하므로 데이터가 무단 액세스 및 도난 위험에 노출됩니다.
References
[1] Amazon Web Services, Inc. or its affiliates Enforce access control
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 749
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[12] Standards Mapping - FIPS200 AC
[13] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.hcl.iac.aws_misconfiguration_publicly_accessible.base

AWS Terraform Misconfiguration: Aurora Auto-Upgrade Disabled

Abstract
구성이 자동 소프트웨어 업그레이드를 끕니다.
Explanation
알려진 소프트웨어 취약성을 해결하는 패치를 적시에 적용하는 자동 소프트웨어 업그레이드가 비활성화되어 있습니다.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.iac.misconfiguration_auto_upgrade_disabled.base

AWS Terraform Misconfiguration: Aurora Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base