1437 elementos encontrados

Debilidades

AWS Terraform Misconfiguration: Insecure SageMaker Storage

Abstract

Una configuración crea un recurso sin cifrado en reposo.

Explanation

El cifrado en reposo no está habilitado. Esto expone los datos a accesos no autorizados y posibles robos.

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 311

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[3] Standards Mapping - FIPS200 MP

[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest

[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 6.1.1 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[9] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage

[10] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[11] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[12] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[13] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[25] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[26] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[49] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

desc.structural.iac.misconfiguration_insecure_storage.base

AWS Terraform Misconfiguration: Insecure SNS Storage

Abstract

Una configuración de Terraform crea un recurso de AWS sin cifrado en reposo.

Explanation

El cifrado en reposo no está habilitado. Esto expone los datos a accesos no autorizados y posibles robos.

References

[1] Amazon Web Services, Inc. or its affiliates AWS Well-Architected Framework Security Pillar

[2] Standards Mapping - Common Weakness Enumeration CWE ID 311

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475

[4] Standards Mapping - FIPS200 MP

[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[10] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage

[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design

[26] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II

[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

desc.structural.hcl.iac.aws_misconfiguration_insecure_storage.base

AWS Terraform Misconfiguration: Insecure Supply Chain

Abstract

Una configuración de Terraform utiliza un módulo de una fuente que no es de confianza.

Explanation

Los módulos de software de cadenas de suministro de software que no son de confianza pueden no ser seguros. Los atacantes pueden aprovechar la debilidad de cualquier cadena de suministro mal administrada para insertar código malicioso.
Un módulo de Terraform es un conjunto prediseñado de archivos de configuración. Los módulos hacen que sea más fácil y rápido poner en funcionamiento los servicios en la nube. Muchas fuentes proporcionan módulos, incluidos, entre otros, Terraform Registry, directorios locales, repositorios de fuentes y sistemas de almacenamiento en la nube. Sin embargo, solo una fracción de los módulos publicados en Terraform Registry se verifican sistemática y continuamente entre todas las fuentes. Un módulo verificado que figura en Terraform Registry es un módulo que se encuentra en mantenimiento activo y cuya compatibilidad se ha probado, pero que no es necesariamente seguro por diseño.

References

[1] Terraform Modules

[2] HashCorp Terraform Registry

[3] xssfox Supply Chain Attack as Code

[4] Standards Mapping - Common Weakness Enumeration CWE ID 829

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001749, CCI-001764

[6] Standards Mapping - FIPS200 CM

[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), SA-12 Supply Chain Protection (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, CM-14 Signed Components, SR-3 Supply Chain Controls and Processes

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 10.2.3 Malicious Code Search (L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.4 Dependency (L2 L3)

[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities

[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services

[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II

desc.structural.hcl.aws_terraform_misconfiguration_insecure_supply_chain

AWS Terraform Misconfiguration: Insufficient API Gateway Logging

Abstract

La plantilla define un servicio con registros de auditoría insuficientes.

Explanation

La ausencia de registros de auditoría limita la capacidad de detectar y responder a incidentes relacionados con la seguridad e impide la investigación forense.

Los valores de configuración que socavan las capacidades de registro incluyen, entre otros:
- deshabilitar deliberadamente el registro de auditoría
- excluir acciones de usuarios, grupos o procesos específicos del registro
- proteger inadecuadamente la integridad del registro
- no habilitar el registro de auditoría opcional
- reducir la frecuencia de muestreo del registro

References

[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet

[2] Standards Mapping - Common Weakness Enumeration CWE ID 778

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172

[4] Standards Mapping - FIPS200 CM

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation

[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[10] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Terraform Misconfiguration: Insufficient Aurora Backup

Abstract

Una configuración establece un recurso sin configuraciones de copia de seguridad adecuadas.

Explanation

Las copias de seguridad son fundamentales para ofrecer protección contra la pérdida o corrupción de los datos. La configuración que socava las copias de seguridad incluye, entre otros:
- Deshabilitar la copia de seguridad de datos
- No realizar copias de seguridad de los datos con regularidad
- No comprobar periódicamente la integridad de las copias de seguridad
- Un período de retención de la copia de seguridad insuficiente

References

[1] Amazon Web Services, Inc. or its affiliates Backup and recovery approaches on AWS

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003109

[3] Standards Mapping - FIPS200 CP

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 CP-9 Information System Backup (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 CP-9 System Backup

[6] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.5 General Data Protection (L3)

[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 12.10.1

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 12.10.1

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 12.10.1

[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults

[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults

desc.structural.iac.aws.misconfiguration_insufficient_backup.base

AWS Terraform Misconfiguration: Insufficient Aurora Monitoring

Abstract

Una configuración establece un recurso que carece de supervisión.

Explanation

Cualquier respuesta tardía a las infracciones socava la capacidad de una organización para limitar el impacto de una infracción.

Los valores de configuración que socavan las capacidades de supervisión incluyen, entre otros:
- deshabilitar deliberadamente la supervisión
- no habilitar la supervisión opcional
- no especificar eventos relevantes para exportar a los servicios de supervisión
- excluir acciones de usuarios, grupos, procesos y regiones geográficas específicos de la supervisión

References

[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide

[2] Standards Mapping - Common Weakness Enumeration CWE ID 778

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[4] Standards Mapping - FIPS200 CM

[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[11] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II

desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS Terraform Misconfiguration: Insufficient CloudFront Logging