Reino: Security Features
La seguridad de un software no es un software de seguridad. Nos preocupamos de cuestiones como la autenticación, el control de acceso, la confidencialidad, la criptografía y la gestión de privilegios.
AWS CloudFormation Misconfiguration: Insufficient Redshift Logging
Abstract
La plantilla define un clúster de Amazon Redshift sin registro de auditoría.
Explanation
De forma predeterminada, los clústeres de Amazon Redshift no capturan registros de auditoría. Esto puede permitir que el comportamiento malintencionado no sea detectado y se inhiba el análisis forense en caso de infracción.
Ejemplo 1: La siguiente plantilla de ejemplo define un clúster de Amazon Redshift sin registro de auditoría.
Ejemplo 1: La siguiente plantilla de ejemplo define un clúster de Amazon Redshift sin registro de auditoría.
"Resources": {
"RedshiftClusterTest": {
"Properties": {
"NodeType": "dc1.large",
"Port": 5439,
"VpcSecurityGroupIds": [
"${RedshiftSecurityGroup}"
],
"ClusterSubnetGroupName": "RedshiftClusterSubnetGroup",
"ClusterType": "single-node"
"MasterUserPassword": "MasterUserPassword",
"MasterUsername": "MasterUsername",
"DBName": "${DatabaseName}",
"IamRoles": ["RawDataBucketAccessRole.Arn"],
"PubliclyAccessible": true
},
"Type": "AWS::Redshift::Cluster"
}
References
[1] Ron Bennatan Security for Amazon Redshift
[2] Amazon Web Services Database Audit Logging
[3] Amazon Web Services AWS Documentation: AWS::Redshift::Cluster LoggingProperties
[4] Standards Mapping - Common Weakness Enumeration CWE ID 778
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[17] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.json.aws_cloudformation_misconfiguration_insufficient_redshift_logging.base
Abstract
La plantilla define un clúster de Amazon Redshift sin registro de auditoría.
Explanation
De forma predeterminada, los clústeres de Amazon Redshift no capturan registros de auditoría. Esto puede permitir que el comportamiento malintencionado no sea detectado y se inhiba el análisis forense en caso de infracción.
Ejemplo 1: La siguiente plantilla de ejemplo define un clúster de Amazon Redshift sin registro de auditoría.
Ejemplo 1: La siguiente plantilla de ejemplo define un clúster de Amazon Redshift sin registro de auditoría.
Resources:
RedshiftClusterTest:
Type: AWS::Redshift::Cluster
Properties:
ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup
ClusterType: single-node
NumberOfNodes: !Ref RedshiftNodeCount
DBName: !Sub ${DatabaseName}
IamRoles:
- !GetAtt RawDataBucketAccessRole.Arn
MasterUserPassword: !Ref MasterUserPassword
MasterUsername: !Ref MasterUsername
PubliclyAccessible: true
NodeType: dc1.large
Port: 5439
VpcSecurityGroupIds:
- !Sub ${RedshiftSecurityGroup}
References
[1] Ron Bennatan Security for Amazon Redshift
[2] Amazon Web Services Database Audit Logging
[3] Amazon Web Services AWS Documentation: AWS::Redshift::Cluster LoggingProperties
[4] Standards Mapping - Common Weakness Enumeration CWE ID 778
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[17] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.yaml.aws_cloudformation_misconfiguration_insufficient_redshift_logging.base