The template does not forward audit logs to Amazon CloudWatch for monitoring. This can allow malicious behavior to go undetected and lead to delayed incident response.

The template does not forward audit logs to Amazon CloudWatch for monitoring. This can allow malicious behavior to go undetected and lead to delayed incident response.

The template does not forward audit logs to Amazon CloudWatch for monitoring. This can allow malicious behavior to go undetected and lead to delayed incident response.

The Terraform configuration sets up a Virtual Machine subnet without specifying logging options. These logs contain valuable data for network monitoring, forensics, real-time security analysis, and expense optimization.

A short retention period reduces the amount of log information that the organization can consult in the event of an investigation. Industry standards recommend different retention periods depending on the type of data and the legal obligations required for the organization.

A short retention period reduces the amount of log information that the organization can consult in the event of an investigation. Industry standards recommend different retention periods depending on the type of data and the legal obligations required for the organization.

There are numerous risks associated with presence of directories with easy-to-guess names and locations. Through enumeration, attackers can fingerprint platforms and applications that are known to use specific directory names. These directories can also lead to exposure of sensitive information and privileged functionality. Predictable directory names and locations can expose admin interfaces, log files, configuration files, source code files and allow an attacker to add, remove, or modify files. Reconnaissance is a fundamental requirement for a successful attack. Predictable directory names and locations can make it very easy to map their target and obtain information essential for compromising the target.

A lack of audit records limits the ability to detect and respond to security related incidents and prevents forensic investigation.

Example 1: The following example template defines an Azure Monitor log profile that does not collect all Activity Log administrative events.

targetScope = 'subscription'

resource example 'microsoft.insights/logprofiles@2016-03-01' = {
    ...
    properties: {
        ...
        categories: [ 'Write' ]
    }
}

Use of unvetted dependencies can place an organization at risk of compromise.

Uncontrolled access to critical or sensitive resources can significantly impact an organization in various ways, including disclosure of or tampering with critical data.

DNSSEC prevents DNS spoofing by providing the ability to use digital signatures for DNS response validation. The DNSSEC of a Cloud DNS Domain is not enabled.

Example 1: The following example shows a Terraform configuration that disables DNSSEC on a Cloud DNS Domain by setting state to off in the dnssec_config block.

resource "google_dns_managed_zone" "zone-demo" {
...
  dnssec_config {
    state = "off"
    ...
  }
...
}

By default, a container cannot execute most system and network administration operations. The privileged mode removes such restrictions. This dramatically expands the attack surface of malicious jobs.

By default anonymous access to storage container data is not permitted and all requests to a container and its blobs require authentication. Unless public access is required, do not allow unauthenticated access to storage containers and their blob data.

Example 1:

  "allowBlobPublicAccess": true

Path manipulation errors occur when the following two conditions are met:

1. An attacker can specify a path used in an operation on the filesystem.
2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.

If access restrictions are not implemented correctly, an attacker can modify the file name or extension in a specific manner to bypass them. The attacker can, for instance, change the extension from lower to upper case and bypass restrictions that fails to account for case sensitivity. This can lead to a sensitive information disclosure and the recovery of sensitive data such as application source code, database authentication credentials, etc.

By default CloudWatch Log Groups retain logs indefinitely. An unset value indicates that organizational data handling polices have not been consulted in order to set appropriate configurations. This might mean that the organization will incur unnecessary expenses in storing and managing logging events that are no longer relevant.

An attacker can launch a Denial of Wallet (DoW) attack by persistently prompting spurious event-logging over an extended period of time, which can impact the organization financially.

Example 1: The following example shows a template that fails to define a retention policy.

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyLogGroup": {
            "Type": "AWS::Logs::LogGroup",
            "Properties": {
                "LogGroupName": "Service01LogGroup"
            }
        }
    }
}

Amazon Redshift clusters are by default not publicly accessible.

Enabling public access to a cluster results in a wider attack surface for the organization.

Example 1: The following example shows an Ansible task that explicitly enables public access to an Amazon Redshift cluster by setting the publicly_accessible parameter to yes.

- name: example1
  community.aws.redshift:
    identifier: mycluster
    command: create
    db_name: mydb
    node_type: ds1.xlarge
    username: "{{ username }}"
    password: "{{ password }}"
    publicly_accessible: yes

Any part of a message that is not signed has the potential to be intercepted and modified without the knowledge of the sender or the receiver. Without a signature, the receiver cannot cryptographically verify that the contents of a message really originated with the sender.

Any part of a message that is not signed has the potential to be intercepted and modified without the knowledge of the sender or the receiver. Without a signature, the receiver cannot cryptographically verify that the contents of a message really originated with the sender.

Any part of a message that is not signed has the potential to be intercepted and modified without the knowledge of the sender or the receiver. Without a signature, the receiver cannot cryptographically verify that the contents of a message really originated with the sender.

Cross-Origin Resource Sharing (CORS) is a technology that allows a domain to define a policy for its resources to be accessed by a web page hosted on a different domain. Historically, web browsers have restricted their domain resources from being accessed by scripts loaded from a different domain to abide by the same origin policy.
CORS provides a method for a domain to safelist other domains and allow them to access its resources.

Be careful when defining a CORS policy because an overly permissive policy configured at the server level for a domain or a directory on a domain can expose more content for cross-domain access than intended. CORS can enable a malicious application to communicate with a victim application inappropriately, leading to information disclosure, spoofing, data theft, relay, or other attacks.

Implementing CORS can increase an application's attack surface and should only be used when necessary.