1433 見つかった項目

脆弱性

AWS CloudFormation Misconfiguration: Reduced ElastiCache Availability

JSON
YAML

Abstract

構成は、サービスの可用性を低下させます。

Explanation

クラウドサービスは通常、サービスのスケーラビリティを促進し、コンテンツをより速く配信し、ボリューム攻撃の影響を軽減するために、キャッシュ、レプリケーション、負荷分散などの技術を使用します。可用性機能が無効になっているか、誤って構成されていると、サービスのパフォーマンスが低下しますが、多くの場合、トラフィックの急増やハードウェア障害などの極端なイベントが発生するまで、すぐには影響が現れません。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

desc.structural.iac.misconfiguration_reduced_availability.base

Abstract

構成は、サービスの可用性を低下させます。

Explanation

クラウドサービスは通常、サービスのスケーラビリティを促進し、コンテンツをより速く配信し、ボリューム攻撃の影響を軽減するために、キャッシュ、レプリケーション、負荷分散などの技術を使用します。可用性機能が無効になっているか、誤って構成されていると、サービスのパフォーマンスが低下しますが、多くの場合、トラフィックの急増やハードウェア障害などの極端なイベントが発生するまで、すぐには影響が現れません。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

desc.structural.iac.misconfiguration_reduced_availability.base

AWS CloudFormation Misconfiguration: Reduced Stack Availability

JSON
YAML

Abstract

構成は、サービスの可用性を低下させます。

Explanation

クラウドサービスは通常、サービスのスケーラビリティを促進し、コンテンツをより速く配信し、ボリューム攻撃の影響を軽減するために、キャッシュ、レプリケーション、負荷分散などの技術を使用します。可用性機能が無効になっているか、誤って構成されていると、サービスのパフォーマンスが低下しますが、多くの場合、トラフィックの急増やハードウェア障害などの極端なイベントが発生するまで、すぐには影響が現れません。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

desc.structural.iac.misconfiguration_reduced_availability.base

Abstract

構成は、サービスの可用性を低下させます。

Explanation

クラウドサービスは通常、サービスのスケーラビリティを促進し、コンテンツをより速く配信し、ボリューム攻撃の影響を軽減するために、キャッシュ、レプリケーション、負荷分散などの技術を使用します。可用性機能が無効になっているか、誤って構成されていると、サービスのパフォーマンスが低下しますが、多くの場合、トラフィックの急増やハードウェア障害などの極端なイベントが発生するまで、すぐには影響が現れません。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

desc.structural.iac.misconfiguration_reduced_availability.base

AWS CloudFormation Misconfiguration: Rekognition Missing Customer-Managed Encryption Key

JSON
YAML

Abstract

構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。

Explanation

カスタマーマネージドキーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージドキーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージドキーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。

References

[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[10] Standards Mapping - FIPS200 MP

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

Abstract

構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。

Explanation

カスタマーマネージドキーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージドキーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージドキーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。

References

[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[10] Standards Mapping - FIPS200 MP

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: S3 Backup Disabled

JSON
YAML

Abstract

構成は、バックアップまたはデータ回復機能をオフにします。

Explanation

バックアップとデータ回復の制御によりデータが保護され、その可用性が確保されるため、ビジネスは日常業務を維持できます。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability

[7] Standards Mapping - CIS Kubernetes Benchmark complete

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation

[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities

[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components

[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services

desc.structural.iac.misconfiguration_backup_disabled.base

Abstract

構成は、バックアップまたはデータ回復機能をオフにします。

Explanation

バックアップとデータ回復の制御によりデータが保護され、その可用性が確保されるため、ビジネスは日常業務を維持できます。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability

[7] Standards Mapping - CIS Kubernetes Benchmark complete

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation

[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities

[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components

[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services

desc.structural.iac.misconfiguration_backup_disabled.base

AWS CloudFormation Misconfiguration: SageMaker Missing Customer-Managed Encryption Key

JSON
YAML

Abstract

構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。

Explanation

カスタマーマネージドキーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージドキーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージドキーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。

References

[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[10] Standards Mapping - FIPS200 MP

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

Abstract

構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。

Explanation

カスタマーマネージドキーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージドキーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージドキーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。

References

[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[10] Standards Mapping - FIPS200 MP

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: SageMaker Network Isolation Disabled

JSON

Abstract

構成は、アクセス権限が過度に緩いネットワークルールを定義します。

Explanation

アクセス設定が緩いと、システムが公開され、組織の攻撃対象領域が広がる可能性があります。一般に公開されているサービスは、通常、悪意のあるエンティティによるほぼ継続的なスキャンとプロービングの対象になります。

これは、公開されたサービスのゼロデイエクスプロイトが発見され、公表された場合 (Heartbleed など) に、特に問題になります。攻撃者は、パッチが適用されていない、公開されたシステムを積極的に追跡、検索して、それを悪用できます。

References

[1] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - Common Weakness Enumeration CWE ID 749

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.iac.misconfiguration_improper_network_access_control.base

AWS CloudFormation Misconfiguration: SecretsManager Missing Customer-Managed Encryption Key

JSON
YAML

Abstract

構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。

Explanation

カスタマーマネージドキーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージドキーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージドキーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。

References

[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[10] Standards Mapping - FIPS200 MP

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

Abstract

構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。

Explanation

カスタマーマネージドキーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージドキーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージドキーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。

References

[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[10] Standards Mapping - FIPS200 MP

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: Serverless Denial of Service

JSON
YAML

Abstract

構成は、無制限のリソース消費を許可します。

Explanation

過剰使用によるリソースへのアクセスの拒否は、システムリソースを使い果たし、請求コストを押し上げるために使用される、一般的な攻撃パターンです。

References

[1] Daniel Kelly, Frank G.Glavin, Enda Barrett Journal of Information Security and Applications: Denial of wallet—Defining a looming threat to serverless computing

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[6] Standards Mapping - Common Weakness Enumeration CWE ID 778

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

desc.structural.iac.misconfiguration_denial_of_service.base

Abstract

構成は、無制限のリソース消費を許可します。

Explanation

過剰使用によるリソースへのアクセスの拒否は、システムリソースを使い果たし、請求コストを押し上げるために使用される、一般的な攻撃パターンです。

References

[1] Daniel Kelly, Frank G.Glavin, Enda Barrett Journal of Information Security and Applications: Denial of wallet—Defining a looming threat to serverless computing

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[6] Standards Mapping - Common Weakness Enumeration CWE ID 778

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

desc.structural.iac.misconfiguration_denial_of_service.base

AWS CloudFormation Misconfiguration: SQS Missing Customer-Managed Encryption Key

JSON
YAML

Abstract

構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。

Explanation

カスタマーマネージドキーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージドキーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージドキーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。

References

[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[10] Standards Mapping - FIPS200 MP

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

Abstract

構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。

Explanation

カスタマーマネージドキーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージドキーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージドキーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。

References

[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[10] Standards Mapping - FIPS200 MP

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: Timestream Missing Customer-Managed Encryption Key

JSON
YAML

Abstract

構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。

Explanation

カスタマーマネージドキーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージドキーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージドキーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。

References

[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[10] Standards Mapping - FIPS200 MP

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

Abstract

構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。

Explanation

カスタマーマネージドキーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージドキーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージドキーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。

References

[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[10] Standards Mapping - FIPS200 MP

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: Weak API Gateway Authentication

JSON
YAML

Abstract

構成は、脆弱な認証メカニズムを使用します。

Explanation

脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)

[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.iac.misconfiguration_weak_authentication.base

Abstract

構成は、脆弱な認証メカニズムを使用します。

Explanation

脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)

[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak Certificate Manager Authentication

JSON
YAML

Abstract

構成は、脆弱な認証メカニズムを使用します。

Explanation

脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)

[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.iac.misconfiguration_weak_authentication.base

Abstract

構成は、脆弱な認証メカニズムを使用します。

Explanation

脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)

[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak IAM Authentication

JSON
YAML

Abstract

構成は、脆弱な認証メカニズムを使用します。

Explanation

脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)

[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.iac.misconfiguration_weak_authentication.base

Abstract

構成は、脆弱な認証メカニズムを使用します。

Explanation

脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)

[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak Lambda Authentication

JSON
YAML

Abstract

構成は、脆弱な認証メカニズムを使用します。

Explanation

脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)

[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.iac.misconfiguration_weak_authentication.base

Abstract

構成は、脆弱な認証メカニズムを使用します。

Explanation

脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)

[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak RDS Authentication

JSON
YAML

Abstract

構成は、脆弱な認証メカニズムを使用します。

Explanation

脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)

[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.iac.misconfiguration_weak_authentication.base

Abstract

構成は、脆弱な認証メカニズムを使用します。

Explanation

脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-8 Identification and Authentication (Non-Organizational Users)

[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak SecretsManager Generated Password

JSON

Abstract

構成は、脆弱なパスワードを許可します。

Explanation

認証はセキュリティの重要な側面です。認証プロセスの信頼性は、ログイン資格情報の安全性と強度によって決まります。ユーザーが強力なパスワードを作成できるようにするパスワードポリシーは、安全な Web サイトを展開するために重要です。パスワードの強度は、推測やブルートフォース攻撃に対するパスワードの有効性の尺度となります。パスワードの強度の定義に役立つ要素には、パスワードの長さ、複雑さ、ランダム性などの特性が含まれます。

References

[1] National Institute of Standards and Technology (NIST) NIST Special Publication 800-63B: Digital Identity Guidelines

[2] Open Web Application Security Project (OWASP) Authentication Cheat Sheet

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0

[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 6

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[8] Standards Mapping - CIS Kubernetes Benchmark partial

[9] Standards Mapping - Common Weakness Enumeration CWE ID 521

[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287

[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000192, CCI-000193, CCI-000194, CCI-000205, CCI-001619

[16] Standards Mapping - FIPS200 IA

[17] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1)

[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management

[20] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[21] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[22] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[23] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[24] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[25] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[27] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[28] Standards Mapping - OWASP Mobile 2023 M3 Insecure Authentication/Authorization

[29] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 8.5.10, Requirement 8.5.11

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 8.5.10, Requirement 8.5.11

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 8.5.10, Requirement 8.5.11

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 8.2.3

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 8.2.3

[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 8.2.3

[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 8.2.3

[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 8.3.6

[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.1 - Web Software Access Controls, Control Objective C.2.1.2 - Web Software Access Controls

[41] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 307

[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II, APSC-DV-001760 CAT II, APSC-DV-001770 CAT II, APSC-DV-001780 CAT II, APSC-DV-001790 CAT II

[63] Standards Mapping - Web Application Security Consortium Version 2.00 Brute Force (WASC-11)

[64] Standards Mapping - Web Application Security Consortium 24 + 2 Brute Force

desc.structural.iac.misconfiguration_weak_password_policy.base

AWS Terraform Misconfiguration: AMI Missing Customer-Managed Encryption Key

HCL

Abstract

構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。

Explanation

カスタマーマネージドキーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージドキーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージドキーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。

References

[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[10] Standards Mapping - FIPS200 MP

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS Terraform Misconfiguration: API Gateway Publicly Accessible

HCL

Abstract

Terraform 構成は、パブリックアクセスが可能な AWS リソースを作成します。

Explanation

パブリックアクセスが可能なリソースは、DDoS (distributed denial of service) 攻撃の影響を受けやすく、データが不正アクセスや盗難の可能性にさらされます。

References

[1] Amazon Web Services, Inc. or its affiliates Enforce access control

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 749

[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[12] Standards Mapping - FIPS200 AC

[13] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[57] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.hcl.iac.aws_misconfiguration_publicly_accessible.base

AWS Terraform Misconfiguration: Aurora Auto-Upgrade Disabled

HCL

Abstract

構成は、ソフトウェアの自動アップグレードをオフにします。

Explanation

既知のソフトウェアの脆弱性にタイムリーにパッチを適用するソフトウェア自動アップグレードは無効になっています。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark complete

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation

[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities

[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components

[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services

desc.structural.iac.misconfiguration_auto_upgrade_disabled.base

AWS Terraform Misconfiguration: Aurora Missing Customer-Managed Encryption Key

HCL

Abstract

構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。

Explanation

カスタマーマネージドキーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージドキーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージドキーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。

References

[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475

[10] Standards Mapping - FIPS200 MP

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II

desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

<
8
9
10
11
12
13
14
15
16
17
18
>