302 개 항목 찾음
취약점

AWS CloudFormation Misconfiguration: Insufficient Log Group Logging

Abstract
이 템플릿은 보존 기간이 없는 CloudWatch 로그 그룹을 정의합니다.
Explanation
기본적으로 CloudWatch 로그 그룹은 로그를 무기한 보관합니다. 설정되지 않은 값은 적절한 구성을 설정하기 위해 조직의 데이터 처리 정책을 참조하지 않았음을 나타냅니다. 이는 조직에서 더 이상 관련이 없는 로깅 이벤트를 저장하고 관리하는 데 불필요한 비용이 발생할 수 있음을 의미할 수 있습니다.

공격자는 장기간에 걸쳐 가짜 이벤트 로깅을 지속적으로 유도하여 DoW(Denial of Wallet) 공격을 시작할 수 있으며, 이는 조직에 재정적 영향을 미칠 수 있습니다.

예제 1: 다음 예제는 보존 정책을 정의하지 못하는 템플릿을 보여줍니다.


{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyLogGroup": {
            "Type": "AWS::Logs::LogGroup",
            "Properties": {
                "LogGroupName": "Service01LogGroup"
            }
        }
    }
}
References
[1] Tal Melamed and Marcin Hoppe OWASP Serverless Top 10 (2017)
[2] AWS AWS Documentation: Working with Log Groups and Log Streams
[3] Daniel Kelly, Frank G.Glavin, Enda Barrett Journal of Information Security and Applications: Denial of wallet—Defining a looming threat to serverless computing
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - Common Weakness Enumeration CWE ID 778
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[10] Standards Mapping - FIPS200 CM
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[17] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[18] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.json.aws_cloudformation_misconfiguration_insufficient_log_group_logging.base
Abstract
이 템플릿은 보존 기간이 없는 CloudWatch 로그 그룹을 정의합니다.
Explanation
기본적으로 CloudWatch 로그 그룹은 로그를 무기한 보관합니다. 설정되지 않은 값은 적절한 구성을 설정하기 위해 조직의 데이터 처리 정책을 참조하지 않았음을 나타냅니다. 이는 조직에서 더 이상 관련이 없는 로깅 이벤트를 저장하고 관리하는 데 불필요한 비용이 발생할 수 있음을 의미할 수 있습니다.

공격자는 장기간에 걸쳐 가짜 이벤트 로깅을 지속적으로 유도하여 DoW(Denial of Wallet) 공격을 시작할 수 있으며, 이는 조직에 재정적 영향을 미칠 수 있습니다.

예제 1: 다음 예제는 보존 정책을 정의하지 못하는 템플릿을 보여줍니다.

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyLogGroup:
    Type: AWS::Logs::LogGroup
  Properties:
    LogGroupName: Service01LogGroup
References
[1] Tal Melamed and Marcin Hoppe OWASP Serverless Top 10 (2017)
[2] AWS AWS Documentation: Working with Log Groups and Log Streams
[3] Daniel Kelly, Frank G.Glavin, Enda Barrett Journal of Information Security and Applications: Denial of wallet—Defining a looming threat to serverless computing
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - Common Weakness Enumeration CWE ID 778
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[10] Standards Mapping - FIPS200 CM
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[17] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[18] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.yaml.aws_cloudformation_misconfiguration_insufficient_log_group_logging.base

AWS CloudFormation Misconfiguration: Insufficient MQ Logging

Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base
Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS CloudFormation Misconfiguration: Insufficient MSK Logging

Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base
Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS CloudFormation Misconfiguration: Insufficient Neptune Logging

Abstract
이 템플릿은 로그 모니터링을 구현하지 않습니다.
Explanation
이 템플릿은 모니터링을 위한 감사 로그를 Amazon CloudWatch로 전송하지 않습니다. 이로 인해 악의적인 동작이 감지되지 않고 사고 대응이 지연될 수 있습니다.
References
[1] Amazon Web Services Security best practices in AWS CloudTrail
[2] Amazon Web Services Publishing Neptune Logs to Amazon CloudWatch Logs
[3] Amazon Web Services Using Audit Logs with Amazon Neptune Clusters
[4] Amazon Web Services Logging and Monitoring in Amazon DocumentDB
[5] Amazon Web Services Auditing Amazon DocumentDB Events
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[11] Standards Mapping - CIS Kubernetes Benchmark partial
[12] Standards Mapping - Common Weakness Enumeration CWE ID 778
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[22] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.iac.aws.missing_cloudwatch_integration.base
Abstract
이 템플릿은 로그 모니터링을 구현하지 않습니다.
Explanation
이 템플릿은 모니터링을 위한 감사 로그를 Amazon CloudWatch로 전송하지 않습니다. 이로 인해 악의적인 동작이 감지되지 않고 사고 대응이 지연될 수 있습니다.
References
[1] Amazon Web Services Security best practices in AWS CloudTrail
[2] Amazon Web Services Publishing Neptune Logs to Amazon CloudWatch Logs
[3] Amazon Web Services Using Audit Logs with Amazon Neptune Clusters
[4] Amazon Web Services Logging and Monitoring in Amazon DocumentDB
[5] Amazon Web Services Auditing Amazon DocumentDB Events
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[11] Standards Mapping - CIS Kubernetes Benchmark partial
[12] Standards Mapping - Common Weakness Enumeration CWE ID 778
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[22] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.iac.aws.missing_cloudwatch_integration.base

AWS CloudFormation Misconfiguration: Insufficient OpenSearch Service Logging

Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base
Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS CloudFormation Misconfiguration: Insufficient RDS Monitoring

Abstract
구성이 모니터링되지 않는 리소스를 설정합니다.
Explanation
위반 상황에 신속하게 대응하지 않는 조직은 위반의 영향 범위를 제한하기가 어렵습니다.

모니터링 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 모니터링 비활성화
- 선택적 모니터링 미활성화
- 모니터링 서비스로 내보낼 관련 이벤트 미지정
- 특정 사용자, 그룹, 프로세스 및 지역의 작업을 모니터링에서 제외
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base
Abstract
구성이 모니터링되지 않는 리소스를 설정합니다.
Explanation
위반 상황에 신속하게 대응하지 않는 조직은 위반의 영향 범위를 제한하기가 어렵습니다.

모니터링 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 모니터링 비활성화
- 선택적 모니터링 미활성화
- 모니터링 서비스로 내보낼 관련 이벤트 미지정
- 특정 사용자, 그룹, 프로세스 및 지역의 작업을 모니터링에서 제외
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS CloudFormation Misconfiguration: Insufficient Redshift Logging

Abstract
이 템플릿은 감사 로깅이 없는 Amazon Redshift 클러스터를 정의합니다.
Explanation
기본적으로 Amazon Redshift 클러스터는 감사 로그를 캡처하지 않습니다. 이로 인해 악의적인 동작이 감지되지 않고 침해 발생 시 포렌식 분석이 억제될 수 있습니다.

예제 1: 다음 예제 템플릿은 감사 로깅이 없는 Amazon Redshift 클러스터를 정의합니다.

  "Resources": {
    "RedshiftClusterTest": {
      "Properties": {
        "NodeType": "dc1.large",
        "Port": 5439,
        "VpcSecurityGroupIds": [
          "${RedshiftSecurityGroup}"
        ],
        "ClusterSubnetGroupName": "RedshiftClusterSubnetGroup",
        "ClusterType": "single-node"
        "MasterUserPassword": "MasterUserPassword",
        "MasterUsername": "MasterUsername",
        "DBName": "${DatabaseName}",
        "IamRoles": ["RawDataBucketAccessRole.Arn"],
        "PubliclyAccessible": true
      },
      "Type": "AWS::Redshift::Cluster"
    }
References
[1] Ron Bennatan Security for Amazon Redshift
[2] Amazon Web Services Database Audit Logging
[3] Amazon Web Services AWS Documentation: AWS::Redshift::Cluster LoggingProperties
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark partial
[10] Standards Mapping - Common Weakness Enumeration CWE ID 778
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[12] Standards Mapping - FIPS200 CM
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[20] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.json.aws_cloudformation_misconfiguration_insufficient_redshift_logging.base
Abstract
이 템플릿은 감사 로깅이 없는 Amazon Redshift 클러스터를 정의합니다.
Explanation
기본적으로 Amazon Redshift 클러스터는 감사 로그를 캡처하지 않습니다. 이로 인해 악의적인 동작이 감지되지 않고 침해 발생 시 포렌식 분석이 억제될 수 있습니다.

예제 1: 다음 예제 템플릿은 감사 로깅이 없는 Amazon Redshift 클러스터를 정의합니다.

Resources:
  RedshiftClusterTest:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup
      ClusterType: single-node
      NumberOfNodes: !Ref RedshiftNodeCount
      DBName: !Sub ${DatabaseName}
      IamRoles:
        - !GetAtt RawDataBucketAccessRole.Arn
      MasterUserPassword: !Ref MasterUserPassword
      MasterUsername: !Ref MasterUsername
      PubliclyAccessible: true
      NodeType: dc1.large
      Port: 5439
      VpcSecurityGroupIds:
        - !Sub ${RedshiftSecurityGroup}
References
[1] Ron Bennatan Security for Amazon Redshift
[2] Amazon Web Services Database Audit Logging
[3] Amazon Web Services AWS Documentation: AWS::Redshift::Cluster LoggingProperties
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark partial
[10] Standards Mapping - Common Weakness Enumeration CWE ID 778
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[12] Standards Mapping - FIPS200 CM
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[20] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.yaml.aws_cloudformation_misconfiguration_insufficient_redshift_logging.base

AWS CloudFormation Misconfiguration: Insufficient Route 53 Logging

Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base
Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS CloudFormation Misconfiguration: Insufficient S3 Bucket Logging

Abstract
Amazon S3 버킷이 액세스 로깅을 활성화하지 않고 만들어집니다.
Explanation
Amazon S3 버킷에 기본적으로 액세스 로그가 저장되지 않습니다. 그러나 로그에는 보안 사고를 식별하고 정책 위반을 모니터링하며 거부 없음 제어를 지원하는 데 사용되는 중요한 데이터가 포함됩니다.
References
[1] Enabling Amazon S3 server access logging Amazon Web Services, Inc.
[2] AWS::S3::Bucket LoggingConfiguration Amazon Web Services, Inc.
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - Common Weakness Enumeration CWE ID 778
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[16] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[17] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.json.aws_cloudformation_misconfiguration_insufficient_s3_bucket_logging.base
Abstract
Amazon S3 버킷이 액세스 로깅을 활성화하지 않고 만들어집니다.
Explanation
Amazon S3 버킷에 기본적으로 액세스 로그가 저장되지 않습니다. 그러나 로그에는 보안 사고를 식별하고 정책 위반을 모니터링하며 거부 없음 제어를 지원하는 데 사용되는 중요한 데이터가 포함됩니다.
References
[1] Enabling Amazon S3 server access logging Amazon Web Services, Inc.
[2] AWS::S3::Bucket LoggingConfiguration Amazon Web Services, Inc.
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - Common Weakness Enumeration CWE ID 778
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[16] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[17] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.yaml.aws_cloudformation_misconfiguration_insufficient_s3_bucket_logging.base

AWS CloudFormation Misconfiguration: Insufficient Serverless Logging

Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base
Abstract
구성이 감사 로깅 기능이 없는 서비스를 정의합니다.
Explanation
감사 기록이 없으면 보안 관련 사고를 감지하고 대응하는 능력이 제한되고 포렌식 조사가 불가능해집니다.

로깅 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 감사 로깅 비활성화
- 특정 사용자, 그룹, 프로세스의 작업을 로깅 대상에서 제외
- 부적절한 방식으로 로그 무결성 보호
- 선택적 감사 로깅 미활성화
- 로그 샘플링 비율 하향 조정
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS CloudFormation Misconfiguration: Insufficient Stack Monitoring

Abstract
구성이 모니터링되지 않는 리소스를 설정합니다.
Explanation
위반 상황에 신속하게 대응하지 않는 조직은 위반의 영향 범위를 제한하기가 어렵습니다.

모니터링 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 모니터링 비활성화
- 선택적 모니터링 미활성화
- 모니터링 서비스로 내보낼 관련 이벤트 미지정
- 특정 사용자, 그룹, 프로세스 및 지역의 작업을 모니터링에서 제외
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base
Abstract
구성이 모니터링되지 않는 리소스를 설정합니다.
Explanation
위반 상황에 신속하게 대응하지 않는 조직은 위반의 영향 범위를 제한하기가 어렵습니다.

모니터링 기능의 효율성을 떨어뜨리는 구성 설정에는 다음을 비롯한 여러 가지가 포함됩니다.
- 의도적인 모니터링 비활성화
- 선택적 모니터링 미활성화
- 모니터링 서비스로 내보낼 관련 이벤트 미지정
- 특정 사용자, 그룹, 프로세스 및 지역의 작업을 모니터링에서 제외
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS CloudFormation Misconfiguration: Kinesis Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: Lambda Denial of Service

Abstract
구성이 무제한 리소스 사용을 허용합니다.
Explanation
리소스를 과도하게 사용하여 리소스 액세스가 거부되도록 하는 방식은 시스템 리소스를 고갈시켜 청구 요금을 증가시키는 데 흔히 사용되는 공격 패턴입니다.
References
[1] Daniel Kelly, Frank G.Glavin, Enda Barrett Journal of Information Security and Applications: Denial of wallet—Defining a looming threat to serverless computing
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_denial_of_service.base
Abstract
구성이 무제한 리소스 사용을 허용합니다.
Explanation
리소스를 과도하게 사용하여 리소스 액세스가 거부되도록 하는 방식은 시스템 리소스를 고갈시켜 청구 요금을 증가시키는 데 흔히 사용되는 공격 패턴입니다.
References
[1] Daniel Kelly, Frank G.Glavin, Enda Barrett Journal of Information Security and Applications: Denial of wallet—Defining a looming threat to serverless computing
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_denial_of_service.base

AWS CloudFormation Misconfiguration: Location Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: Logs Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: M2 Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: MemoryDB Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: Missing CloudTrail Log Validation

Abstract
이 템플릿은 로그 파일 검증이 없는 추적을 정의합니다.
Explanation
기본적으로 CloudTrail 로그 파일검증이 비활성화되어 조사자가 CloudTrail 로그 파일에 대한 외부 변조가 없었음을 확신할 수 없습니다.

이에 따른 직접적인 결과는 필요한 권한을 가진 공격자가 CloudTrail 로그를 수정하여 유해한 구성 변경을 수행하고 자신의 흔적을 덮을 수 있다는 것입니다.

예제 1: 다음은 EnableLogFileValidationfalse로 설정하여 로그 파일 검증이 비활성화된 추적의 예제입니다. 또한 속성을 생략하면 기본값이 false로 설정됩니다.


"myTrail": {
    "DependsOn": [
        "BucketPolicy"
    ],
    "Type": "AWS::CloudTrail::Trail",
    "Properties": {
        "S3BucketName": {
            "Ref": "S3Bucket"
        },
        "IsLogging": true,
        "EnableLogFileValidation": false
    }
}
References
[1] Amazon Web Services Validating CloudTrail log file integrity
[2] Amazon Web Services Security at Scale: Logging in AWS
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - Common Weakness Enumeration CWE ID 354
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002451
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[19] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3)
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 10.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.3.2
[30] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 494
[31] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 494
[32] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 494
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.structural.json.aws_cloudformation_misconfiguration_missing_cloudtrail_log_validation.base
Abstract
이 템플릿은 로그 파일 검증이 없는 추적을 정의합니다.
Explanation
기본적으로 CloudTrail 로그 파일검증이 비활성화되어 조사자가 CloudTrail 로그 파일에 대한 외부 변조가 없었음을 확신할 수 없습니다.

이에 따른 직접적인 결과는 필요한 권한을 가진 공격자가 CloudTrail 로그를 수정하여 유해한 구성 변경을 수행하고 자신의 흔적을 덮을 수 있다는 것입니다.

예제 1: 다음은 EnableLogFileValidationfalse로 설정하여 로그 파일 검증이 비활성화된 추적의 예제입니다. 또한 속성을 생략하면 기본값이 false로 설정됩니다.


myTrail:
  DependsOn:
    - BucketPolicy
  Type: AWS::CloudTrail::Trail
  Properties:
    S3BucketName:
      Ref: S3Bucket
      IsLogging: true
      EnableLogFileValidation: false
References
[1] Amazon Web Services Validating CloudTrail log file integrity
[2] Amazon Web Services Security at Scale: Logging in AWS
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - Common Weakness Enumeration CWE ID 354
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002451
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[19] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3)
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 10.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.3.2
[30] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 494
[31] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 494
[32] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 494
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.structural.yaml.aws_cloudformation_misconfiguration_missing_cloudtrail_log_validation.base

AWS CloudFormation Misconfiguration: Neptune Missing Customer-Managed Encryption Key

Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
구성이 미사용 데이터용 고객 관리형 암호화 키를 지정하지 않습니다.
Explanation
미사용 데이터에는 고객 관리형 키가 사용되지 않습니다.

기본적으로 AWS는 암호화가 활성화된 경우 AWS 관리형 키를 사용하여 미사용 데이터를 암호화합니다. 고객 관리형 키를 사용하는 조직은 선택한 암호화 키를 사용하여 데이터를 암호화할 수 있습니다. 따라서 암호화 프로세스를 더욱 효율적으로 제어하고 로깅할 수 있습니다.

이러한 이유로 인해 고객 관리형 키는 다음을 비롯한 여러 요구 사항을 충족하는 솔루션에 포함되는 경우가 많습니다.
- 민감한 데이터 액세스 관련 감사 로그
- 데이터 보존
- 키 교체, 비활성화 또는 삭제

aws/service-name 형식의 키는 AWS 관리형 키용으로 예약되어 있습니다.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS CloudFormation Misconfiguration: Privileged Batch Container

Abstract
구성이 승격된 권한으로 작업을 실행하도록 컨테이너를 설정합니다.
Explanation
컨테이너는 기본적으로 대부분의 시스템 및 네트워크 관리 작업을 실행할 수 없습니다. 그런데 권한 있는 모드에서는 이러한 제한이 적용되지 않습니다. 그러므로 악의적인 작업의 공격 표면이 대폭 확장됩니다.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 250
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.iac.misconfiguration_privileged_container.base
Abstract
구성이 승격된 권한으로 작업을 실행하도록 컨테이너를 설정합니다.
Explanation
컨테이너는 기본적으로 대부분의 시스템 및 네트워크 관리 작업을 실행할 수 없습니다. 그런데 권한 있는 모드에서는 이러한 제한이 적용되지 않습니다. 그러므로 악의적인 작업의 공격 표면이 대폭 확장됩니다.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 250
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.iac.misconfiguration_privileged_container.base