Insufficiently protected data communication channels can put critical organizational data at risk of theft, tampering, or disclosure.

By default, Amazon Redshift clusters are not encrypted. This exposes the data to unauthorized access and potential theft.

An Amazon S3 bucket is created without server-side encryption. Encryption mitigates data breaches by making data unreadable to anyone without the proper credentials. Encryption at rest can help satisfy some industrial and government compliance requirements such as GDPR, HIPAA, and PCI.

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

By default, CloudTrail records events and delivers log files but logging is deliberately disabled. This can allow malicious behavior to go undetected and inhibit forensic analysis in the event of a breach.

Example 1: The following Ansible task sets up a CloudTrail with logging disabled because enable_logging is set to false.

- name: create a single region cloudtrail
  community.aws.cloudtrail:
    s3_bucket_name: mylogbucket
    s3_key_prefix: cloudtrail
    region: us-west-2
    enable_logging: false

By default, CloudWatch Log Groups retain logs indefinitely. An unset retention value indicates that organizational data handling policies have not been consulted in order to set appropriate configurations. This might result in unnecessary expenses for the organization to store and manage logging events.

An attacker can launch a Denial of Wallet (DoW) attack by persistently prompting spurious event-logging over an extended period of time, which can impact the organization financially.

Example 1: The following example shows an Ansible task that fails to define a retention policy.

- name: create a log_group in CloudWatchLogs
  community.aws.cloudwatchlogs_log_group:
    log_group_name: test-log-group
    tags: { "Name": "test-log-group", "Env" : "QA" }