182 개 항목 찾음
취약점

AWS CloudFormation Misconfiguration: Insufficient ECR Monitoring

Abstract
구성이 모니터링되지 않는 리소스를 설정합니다.
Explanation
위반 상황에 신속하게 대응하지 않는 조직은 위반의 영향 범위를 제한하기가 어렵습니다.

모니터링 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 모니터링 비활성화
- 선택적 모니터링 미활성화
- 모니터링 서비스로 내보낼 관련 이벤트 미지정
- 특정 사용자, 그룹, 프로세스 및 지역의 작업을 모니터링에서 제외
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base
Abstract
구성이 모니터링되지 않는 리소스를 설정합니다.
Explanation
위반 상황에 신속하게 대응하지 않는 조직은 위반의 영향 범위를 제한하기가 어렵습니다.

모니터링 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 모니터링 비활성화
- 선택적 모니터링 미활성화
- 모니터링 서비스로 내보낼 관련 이벤트 미지정
- 특정 사용자, 그룹, 프로세스 및 지역의 작업을 모니터링에서 제외
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS CloudFormation Misconfiguration: Insufficient ElasticLoadBalancing Logging

Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base
Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS CloudFormation Misconfiguration: Insufficient Elasticsearch Logging

Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base
Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS CloudFormation Misconfiguration: Insufficient ELB Logging

Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base
Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS CloudFormation Misconfiguration: Insufficient GuardDuty Monitoring

Abstract
구성이 모니터링되지 않는 리소스를 설정합니다.
Explanation
위반 상황에 신속하게 대응하지 않는 조직은 위반의 영향 범위를 제한하기가 어렵습니다.

모니터링 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 모니터링 비활성화
- 선택적 모니터링 미활성화
- 모니터링 서비스로 내보낼 관련 이벤트 미지정
- 특정 사용자, 그룹, 프로세스 및 지역의 작업을 모니터링에서 제외
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base
Abstract
구성이 모니터링되지 않는 리소스를 설정합니다.
Explanation
위반 상황에 신속하게 대응하지 않는 조직은 위반의 영향 범위를 제한하기가 어렵습니다.

모니터링 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 모니터링 비활성화
- 선택적 모니터링 미활성화
- 모니터링 서비스로 내보낼 관련 이벤트 미지정
- 특정 사용자, 그룹, 프로세스 및 지역의 작업을 모니터링에서 제외
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS CloudFormation Misconfiguration: Insufficient Lambda Logging

Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base
Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS CloudFormation Misconfiguration: Insufficient Log Group Logging

Abstract
이 템플릿은 보존 기간이 없는 CloudWatch 로그 그룹을 정의합니다.
Explanation
기본적으로 CloudWatch 로그 그룹은 로그를 무기한 보관합니다. 설정되지 않은 값은 적절한 구성을 설정하기 위해 조직의 데이터 처리 정책을 참조하지 않았음을 나타냅니다. 이는 조직에서 더 이상 관련이 없는 로깅 이벤트를 저장하고 관리하는 데 불필요한 비용이 발생할 수 있음을 의미할 수 있습니다.

공격자는 장기간에 걸쳐 가짜 이벤트 로깅을 지속적으로 유도하여 DoW(Denial of Wallet) 공격을 시작할 수 있으며, 이는 조직에 재정적 영향을 미칠 수 있습니다.

예제 1: 다음 예제는 보존 정책을 정의하지 못하는 템플릿을 보여줍니다.


{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyLogGroup": {
            "Type": "AWS::Logs::LogGroup",
            "Properties": {
                "LogGroupName": "Service01LogGroup"
            }
        }
    }
}
References
[1] Tal Melamed and Marcin Hoppe OWASP Serverless Top 10 (2017)
[2] AWS AWS Documentation: Working with Log Groups and Log Streams
[3] Daniel Kelly, Frank G.Glavin, Enda Barrett Journal of Information Security and Applications: Denial of wallet—Defining a looming threat to serverless computing
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - Common Weakness Enumeration CWE ID 778
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[10] Standards Mapping - FIPS200 CM
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[17] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[18] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.json.aws_cloudformation_misconfiguration_insufficient_log_group_logging.base
Abstract
이 템플릿은 보존 기간이 없는 CloudWatch 로그 그룹을 정의합니다.
Explanation
기본적으로 CloudWatch 로그 그룹은 로그를 무기한 보관합니다. 설정되지 않은 값은 적절한 구성을 설정하기 위해 조직의 데이터 처리 정책을 참조하지 않았음을 나타냅니다. 이는 조직에서 더 이상 관련이 없는 로깅 이벤트를 저장하고 관리하는 데 불필요한 비용이 발생할 수 있음을 의미할 수 있습니다.

공격자는 장기간에 걸쳐 가짜 이벤트 로깅을 지속적으로 유도하여 DoW(Denial of Wallet) 공격을 시작할 수 있으며, 이는 조직에 재정적 영향을 미칠 수 있습니다.

예제 1: 다음 예제는 보존 정책을 정의하지 못하는 템플릿을 보여줍니다.

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyLogGroup:
    Type: AWS::Logs::LogGroup
  Properties:
    LogGroupName: Service01LogGroup
References
[1] Tal Melamed and Marcin Hoppe OWASP Serverless Top 10 (2017)
[2] AWS AWS Documentation: Working with Log Groups and Log Streams
[3] Daniel Kelly, Frank G.Glavin, Enda Barrett Journal of Information Security and Applications: Denial of wallet—Defining a looming threat to serverless computing
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - Common Weakness Enumeration CWE ID 778
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[10] Standards Mapping - FIPS200 CM
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[17] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[18] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.yaml.aws_cloudformation_misconfiguration_insufficient_log_group_logging.base