1464 개 항목 찾음
취약점

AWS CloudFormation Misconfiguration: Weak IAM Authentication

Abstract
ꡬ성이 μ·¨μ•½ν•œ 인증 λ©”μ»€λ‹ˆμ¦˜μ„ μ‚¬μš©ν•©λ‹ˆλ‹€.
Explanation
μ·¨μ•½ν•œ 인증 λ©”μ»€λ‹ˆμ¦˜μ„ μ‚¬μš©ν•˜λŠ” 쑰직은 무단 μ•‘μ„ΈμŠ€ μœ„ν—˜μ— λ…ΈμΆœλ©λ‹ˆλ‹€.

인증 λ©”μ»€λ‹ˆμ¦˜μ€ λ‹€μŒκ³Ό 같은 λ‹€μ–‘ν•œ 이유둜 μ‹€νŒ¨ν•  수 μžˆμŠ΅λ‹ˆλ‹€.
- μ·¨μ•½ν•œ λΉ„λ°€λ²ˆν˜Έ
- λΆ€μ μ ˆν•œ μœ νš¨μ„± 검사
- μ·¨μ•½ν•œ 자격 증λͺ… 관리 κΈ°λŠ₯
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 287
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001650 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base
Abstract
ꡬ성이 μ·¨μ•½ν•œ 인증 λ©”μ»€λ‹ˆμ¦˜μ„ μ‚¬μš©ν•©λ‹ˆλ‹€.
Explanation
μ·¨μ•½ν•œ 인증 λ©”μ»€λ‹ˆμ¦˜μ„ μ‚¬μš©ν•˜λŠ” 쑰직은 무단 μ•‘μ„ΈμŠ€ μœ„ν—˜μ— λ…ΈμΆœλ©λ‹ˆλ‹€.

인증 λ©”μ»€λ‹ˆμ¦˜μ€ λ‹€μŒκ³Ό 같은 λ‹€μ–‘ν•œ 이유둜 μ‹€νŒ¨ν•  수 μžˆμŠ΅λ‹ˆλ‹€.
- μ·¨μ•½ν•œ λΉ„λ°€λ²ˆν˜Έ
- λΆ€μ μ ˆν•œ μœ νš¨μ„± 검사
- μ·¨μ•½ν•œ 자격 증λͺ… 관리 κΈ°λŠ₯
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 287
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001650 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak Lambda Authentication

Abstract
ꡬ성이 μ·¨μ•½ν•œ 인증 λ©”μ»€λ‹ˆμ¦˜μ„ μ‚¬μš©ν•©λ‹ˆλ‹€.
Explanation
μ·¨μ•½ν•œ 인증 λ©”μ»€λ‹ˆμ¦˜μ„ μ‚¬μš©ν•˜λŠ” 쑰직은 무단 μ•‘μ„ΈμŠ€ μœ„ν—˜μ— λ…ΈμΆœλ©λ‹ˆλ‹€.

인증 λ©”μ»€λ‹ˆμ¦˜μ€ λ‹€μŒκ³Ό 같은 λ‹€μ–‘ν•œ 이유둜 μ‹€νŒ¨ν•  수 μžˆμŠ΅λ‹ˆλ‹€.
- μ·¨μ•½ν•œ λΉ„λ°€λ²ˆν˜Έ
- λΆ€μ μ ˆν•œ μœ νš¨μ„± 검사
- μ·¨μ•½ν•œ 자격 증λͺ… 관리 κΈ°λŠ₯
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 287
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001650 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base
Abstract
ꡬ성이 μ·¨μ•½ν•œ 인증 λ©”μ»€λ‹ˆμ¦˜μ„ μ‚¬μš©ν•©λ‹ˆλ‹€.
Explanation
μ·¨μ•½ν•œ 인증 λ©”μ»€λ‹ˆμ¦˜μ„ μ‚¬μš©ν•˜λŠ” 쑰직은 무단 μ•‘μ„ΈμŠ€ μœ„ν—˜μ— λ…ΈμΆœλ©λ‹ˆλ‹€.

인증 λ©”μ»€λ‹ˆμ¦˜μ€ λ‹€μŒκ³Ό 같은 λ‹€μ–‘ν•œ 이유둜 μ‹€νŒ¨ν•  수 μžˆμŠ΅λ‹ˆλ‹€.
- μ·¨μ•½ν•œ λΉ„λ°€λ²ˆν˜Έ
- λΆ€μ μ ˆν•œ μœ νš¨μ„± 검사
- μ·¨μ•½ν•œ 자격 증λͺ… 관리 κΈ°λŠ₯
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 287
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001650 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak RDS Authentication

Abstract
ꡬ성이 μ·¨μ•½ν•œ 인증 λ©”μ»€λ‹ˆμ¦˜μ„ μ‚¬μš©ν•©λ‹ˆλ‹€.
Explanation
μ·¨μ•½ν•œ 인증 λ©”μ»€λ‹ˆμ¦˜μ„ μ‚¬μš©ν•˜λŠ” 쑰직은 무단 μ•‘μ„ΈμŠ€ μœ„ν—˜μ— λ…ΈμΆœλ©λ‹ˆλ‹€.

인증 λ©”μ»€λ‹ˆμ¦˜μ€ λ‹€μŒκ³Ό 같은 λ‹€μ–‘ν•œ 이유둜 μ‹€νŒ¨ν•  수 μžˆμŠ΅λ‹ˆλ‹€.
- μ·¨μ•½ν•œ λΉ„λ°€λ²ˆν˜Έ
- λΆ€μ μ ˆν•œ μœ νš¨μ„± 검사
- μ·¨μ•½ν•œ 자격 증λͺ… 관리 κΈ°λŠ₯
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 287
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001650 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base
Abstract
ꡬ성이 μ·¨μ•½ν•œ 인증 λ©”μ»€λ‹ˆμ¦˜μ„ μ‚¬μš©ν•©λ‹ˆλ‹€.
Explanation
μ·¨μ•½ν•œ 인증 λ©”μ»€λ‹ˆμ¦˜μ„ μ‚¬μš©ν•˜λŠ” 쑰직은 무단 μ•‘μ„ΈμŠ€ μœ„ν—˜μ— λ…ΈμΆœλ©λ‹ˆλ‹€.

인증 λ©”μ»€λ‹ˆμ¦˜μ€ λ‹€μŒκ³Ό 같은 λ‹€μ–‘ν•œ 이유둜 μ‹€νŒ¨ν•  수 μžˆμŠ΅λ‹ˆλ‹€.
- μ·¨μ•½ν•œ λΉ„λ°€λ²ˆν˜Έ
- λΆ€μ μ ˆν•œ μœ νš¨μ„± 검사
- μ·¨μ•½ν•œ 자격 증λͺ… 관리 κΈ°λŠ₯
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 287
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001650 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

AWS CloudFormation Misconfiguration: Weak SecretsManager Generated Password

Abstract
ꡬ성이 μ·¨μ•½ν•œ λΉ„λ°€λ²ˆν˜Έλ₯Ό ν—ˆμš©ν•©λ‹ˆλ‹€.
Explanation
λ³΄μ•ˆμ„ μœ μ§€ν•˜λ €λ©΄ λ°˜λ“œμ‹œ 인증을 진행해야 ν•©λ‹ˆλ‹€. 인증 ν”„λ‘œμ„ΈμŠ€μ˜ 신뒰성은 둜그인 자격 증λͺ…μ˜ μ•ˆμ „μ„±κ³Ό 강도에 따라 λ‹¬λΌμ§‘λ‹ˆλ‹€. μ•ˆμ „ν•œ μ›Ή μ‚¬μ΄νŠΈλ₯Ό λ°°ν¬ν•˜λ €λ©΄ μ‚¬μš©μžκ°€ κ°•λ ₯ν•œ λΉ„λ°€λ²ˆν˜Έλ₯Ό 생성할 수 μžˆλ„λ‘ ν•˜λŠ” λΉ„λ°€λ²ˆν˜Έ 정책을 μ μš©ν•΄μ•Ό ν•©λ‹ˆλ‹€. λΉ„λ°€λ²ˆν˜Έ κ°•λ„λž€ ν•΄λ‹Ή λΉ„λ°€λ²ˆν˜Έκ°€ μΆ”μΈ‘ 및 무차별 λŒ€μž… 곡격을 λ°©μ§€ν•˜λŠ” νš¨μœ¨μ„±μ„ μΈ‘μ •ν•œ κ°’μž…λ‹ˆλ‹€. λΉ„λ°€λ²ˆν˜Έ 길이, λ³΅μž‘λ„, λ¬΄μž‘μœ„μ„±κ³Ό 같은 λΉ„λ°€λ²ˆν˜Έ νŠΉμ„±μ„ 맀개 λ³€μˆ˜λ‘œ ν™œμš©ν•˜μ—¬ λΉ„λ°€λ²ˆν˜Έ 강도λ₯Ό μ •μ˜ν•  수 μžˆμŠ΅λ‹ˆλ‹€.
References
[1] National Institute of Standards and Technology (NIST) NIST Special Publication 800-63B: Digital Identity Guidelines
[2] Open Web Application Security Project (OWASP) Authentication Cheat Sheet
[3] Standards Mapping - Common Weakness Enumeration CWE ID 521
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000192, CCI-000193, CCI-000194, CCI-000205, CCI-000366, CCI-001619, CCI-002041
[11] Standards Mapping - FIPS200 IA
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), IA-5 Authenticator Management (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, IA-5 Authenticator Management
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[17] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[18] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[20] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[21] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[22] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[23] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 8.5.10, Requirement 8.5.11
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 8.5.10, Requirement 8.5.11
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 8.5.10, Requirement 8.5.11
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 8.2.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 8.2.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 8.2.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 8.2.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 8.3.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 8.3.6
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.1 - Web Software Access Controls, Control Objective C.2.1.2 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 307
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II, APSC-DV-001760 CAT II, APSC-DV-001770 CAT II, APSC-DV-001780 CAT II, APSC-DV-001790 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II, APSC-DV-001760 CAT II, APSC-DV-001770 CAT II, APSC-DV-001780 CAT II, APSC-DV-001790 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II, APSC-DV-001760 CAT II, APSC-DV-001770 CAT II, APSC-DV-001780 CAT II, APSC-DV-001790 CAT II
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Brute Force (WASC-11)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 Brute Force
desc.structural.iac.misconfiguration_weak_password_policy.base

AWS Terraform Misconfiguration: AMI Missing Customer-Managed Encryption Key

Abstract
ꡬ성이 λ―Έμ‚¬μš© λ°μ΄ν„°μš© 고객 κ΄€λ¦¬ν˜• μ•”ν˜Έν™” ν‚€λ₯Ό μ§€μ •ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.
Explanation
λ―Έμ‚¬μš© λ°μ΄ν„°μ—λŠ” 고객 κ΄€λ¦¬ν˜• ν‚€κ°€ μ‚¬μš©λ˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.

기본적으둜 AWSλŠ” μ•”ν˜Έν™”κ°€ ν™œμ„±ν™”λœ 경우 AWS κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ λ―Έμ‚¬μš© 데이터λ₯Ό μ•”ν˜Έν™”ν•©λ‹ˆλ‹€. 고객 κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜λŠ” 쑰직은 μ„ νƒν•œ μ•”ν˜Έν™” ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ 데이터λ₯Ό μ•”ν˜Έν™”ν•  수 μžˆμŠ΅λ‹ˆλ‹€. λ”°λΌμ„œ μ•”ν˜Έν™” ν”„λ‘œμ„ΈμŠ€λ₯Ό λ”μš± 효율적으둜 μ œμ–΄ν•˜κ³  λ‘œκΉ…ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

μ΄λŸ¬ν•œ 이유둜 인해 고객 κ΄€λ¦¬ν˜• ν‚€λŠ” λ‹€μŒμ„ λΉ„λ‘―ν•œ μ—¬λŸ¬ μš”κ΅¬ 사항을 μΆ©μ‘±ν•˜λŠ” μ†”λ£¨μ…˜μ— ν¬ν•¨λ˜λŠ” κ²½μš°κ°€ λ§ŽμŠ΅λ‹ˆλ‹€.
- λ―Όκ°ν•œ 데이터 μ•‘μ„ΈμŠ€ κ΄€λ ¨ 감사 둜그
- 데이터 보쑴
- ν‚€ ꡐ체, λΉ„ν™œμ„±ν™” λ˜λŠ” μ‚­μ œ

aws/service-name ν˜•μ‹μ˜ ν‚€λŠ” AWS κ΄€λ¦¬ν˜• ν‚€μš©μœΌλ‘œ μ˜ˆμ•½λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS Terraform Misconfiguration: API Gateway Publicly Accessible

Abstract
Terraform ꡬ성이 곡개적으둜 μ•‘μ„ΈμŠ€ κ°€λŠ₯ν•œ AWS λ¦¬μ†ŒμŠ€λ₯Ό μƒμ„±ν•©λ‹ˆλ‹€.
Explanation
곡개적으둜 μ•‘μ„ΈμŠ€ν•  수 μžˆλŠ” λ¦¬μ†ŒμŠ€λŠ” 배포된 μ„œλΉ„μŠ€ κ±°λΆ€(DDoS) 곡격에 μ·¨μ•½ν•˜λ―€λ‘œ 데이터가 무단 μ•‘μ„ΈμŠ€ 및 λ„λ‚œ μœ„ν—˜μ— λ…ΈμΆœλ©λ‹ˆλ‹€.
References
[1] Amazon Web Services, Inc. or its affiliates Enforce access control
[2] Standards Mapping - Common Weakness Enumeration CWE ID 749
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.hcl.iac.aws_misconfiguration_publicly_accessible.base

AWS Terraform Misconfiguration: Aurora Auto-Upgrade Disabled

Abstract
ꡬ성이 μžλ™ μ†Œν”„νŠΈμ›¨μ–΄ μ—…κ·Έλ ˆμ΄λ“œλ₯Ό λ•λ‹ˆλ‹€.
Explanation
μ•Œλ €μ§„ μ†Œν”„νŠΈμ›¨μ–΄ 취약성을 ν•΄κ²°ν•˜λŠ” 패치λ₯Ό μ μ‹œμ— μ μš©ν•˜λŠ” μžλ™ μ†Œν”„νŠΈμ›¨μ–΄ μ—…κ·Έλ ˆμ΄λ“œκ°€ λΉ„ν™œμ„±ν™”λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€.
References
[1] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 2.3.2
[2] Standards Mapping - FIPS200 CM
[3] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[8] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.iac.misconfiguration_auto_upgrade_disabled.base

AWS Terraform Misconfiguration: Aurora Missing Customer-Managed Encryption Key

Abstract
ꡬ성이 λ―Έμ‚¬μš© λ°μ΄ν„°μš© 고객 κ΄€λ¦¬ν˜• μ•”ν˜Έν™” ν‚€λ₯Ό μ§€μ •ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.
Explanation
λ―Έμ‚¬μš© λ°μ΄ν„°μ—λŠ” 고객 κ΄€λ¦¬ν˜• ν‚€κ°€ μ‚¬μš©λ˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.

기본적으둜 AWSλŠ” μ•”ν˜Έν™”κ°€ ν™œμ„±ν™”λœ 경우 AWS κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ λ―Έμ‚¬μš© 데이터λ₯Ό μ•”ν˜Έν™”ν•©λ‹ˆλ‹€. 고객 κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜λŠ” 쑰직은 μ„ νƒν•œ μ•”ν˜Έν™” ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ 데이터λ₯Ό μ•”ν˜Έν™”ν•  수 μžˆμŠ΅λ‹ˆλ‹€. λ”°λΌμ„œ μ•”ν˜Έν™” ν”„λ‘œμ„ΈμŠ€λ₯Ό λ”μš± 효율적으둜 μ œμ–΄ν•˜κ³  λ‘œκΉ…ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

μ΄λŸ¬ν•œ 이유둜 인해 고객 κ΄€λ¦¬ν˜• ν‚€λŠ” λ‹€μŒμ„ λΉ„λ‘―ν•œ μ—¬λŸ¬ μš”κ΅¬ 사항을 μΆ©μ‘±ν•˜λŠ” μ†”λ£¨μ…˜μ— ν¬ν•¨λ˜λŠ” κ²½μš°κ°€ λ§ŽμŠ΅λ‹ˆλ‹€.
- λ―Όκ°ν•œ 데이터 μ•‘μ„ΈμŠ€ κ΄€λ ¨ 감사 둜그
- 데이터 보쑴
- ν‚€ ꡐ체, λΉ„ν™œμ„±ν™” λ˜λŠ” μ‚­μ œ

aws/service-name ν˜•μ‹μ˜ ν‚€λŠ” AWS κ΄€λ¦¬ν˜• ν‚€μš©μœΌλ‘œ μ˜ˆμ•½λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS Terraform Misconfiguration: Aurora Publicly Accessible

Abstract
ꡬ성이 μ μ ˆν•œ μ•‘μ„ΈμŠ€ μ œμ–΄λ₯Ό μ μš©ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.
Explanation
곡개적으둜 μ•‘μ„ΈμŠ€ν•  수 μžˆλŠ” λ¦¬μ†ŒμŠ€λŠ” 배포된 μ„œλΉ„μŠ€ κ±°λΆ€(DDoS) 곡격에 μ·¨μ•½ν•˜λ―€λ‘œ 데이터가 무단 μ•‘μ„ΈμŠ€, λ³€μ‘° 및 λ„λ‚œ μœ„ν—˜μ— λ…ΈμΆœλ©λ‹ˆλ‹€.
References
[1] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 2.3.2
[2] Standards Mapping - Common Weakness Enumeration CWE ID 749
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.iac.aws.misconfiguration_publicly_accessible.base

AWS Terraform Misconfiguration: CloudTrail Missing Customer-Managed Encryption Key

Abstract
ꡬ성이 λ―Έμ‚¬μš© λ°μ΄ν„°μš© 고객 κ΄€λ¦¬ν˜• μ•”ν˜Έν™” ν‚€λ₯Ό μ§€μ •ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.
Explanation
λ―Έμ‚¬μš© λ°μ΄ν„°μ—λŠ” 고객 κ΄€λ¦¬ν˜• ν‚€κ°€ μ‚¬μš©λ˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.

기본적으둜 AWSλŠ” μ•”ν˜Έν™”κ°€ ν™œμ„±ν™”λœ 경우 AWS κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ λ―Έμ‚¬μš© 데이터λ₯Ό μ•”ν˜Έν™”ν•©λ‹ˆλ‹€. 고객 κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜λŠ” 쑰직은 μ„ νƒν•œ μ•”ν˜Έν™” ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ 데이터λ₯Ό μ•”ν˜Έν™”ν•  수 μžˆμŠ΅λ‹ˆλ‹€. λ”°λΌμ„œ μ•”ν˜Έν™” ν”„λ‘œμ„ΈμŠ€λ₯Ό λ”μš± 효율적으둜 μ œμ–΄ν•˜κ³  λ‘œκΉ…ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

μ΄λŸ¬ν•œ 이유둜 인해 고객 κ΄€λ¦¬ν˜• ν‚€λŠ” λ‹€μŒμ„ λΉ„λ‘―ν•œ μ—¬λŸ¬ μš”κ΅¬ 사항을 μΆ©μ‘±ν•˜λŠ” μ†”λ£¨μ…˜μ— ν¬ν•¨λ˜λŠ” κ²½μš°κ°€ λ§ŽμŠ΅λ‹ˆλ‹€.
- λ―Όκ°ν•œ 데이터 μ•‘μ„ΈμŠ€ κ΄€λ ¨ 감사 둜그
- 데이터 보쑴
- ν‚€ ꡐ체, λΉ„ν™œμ„±ν™” λ˜λŠ” μ‚­μ œ

aws/service-name ν˜•μ‹μ˜ ν‚€λŠ” AWS κ΄€λ¦¬ν˜• ν‚€μš©μœΌλ‘œ μ˜ˆμ•½λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 3.7
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[11] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[12] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS Terraform Misconfiguration: CloudWatch Missing Customer-Managed Encryption Key

Abstract
ꡬ성이 λ―Έμ‚¬μš© λ°μ΄ν„°μš© 고객 κ΄€λ¦¬ν˜• μ•”ν˜Έν™” ν‚€λ₯Ό μ§€μ •ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.
Explanation
λ―Έμ‚¬μš© λ°μ΄ν„°μ—λŠ” 고객 κ΄€λ¦¬ν˜• ν‚€κ°€ μ‚¬μš©λ˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.

기본적으둜 AWSλŠ” μ•”ν˜Έν™”κ°€ ν™œμ„±ν™”λœ 경우 AWS κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ λ―Έμ‚¬μš© 데이터λ₯Ό μ•”ν˜Έν™”ν•©λ‹ˆλ‹€. 고객 κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜λŠ” 쑰직은 μ„ νƒν•œ μ•”ν˜Έν™” ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ 데이터λ₯Ό μ•”ν˜Έν™”ν•  수 μžˆμŠ΅λ‹ˆλ‹€. λ”°λΌμ„œ μ•”ν˜Έν™” ν”„λ‘œμ„ΈμŠ€λ₯Ό λ”μš± 효율적으둜 μ œμ–΄ν•˜κ³  λ‘œκΉ…ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

μ΄λŸ¬ν•œ 이유둜 인해 고객 κ΄€λ¦¬ν˜• ν‚€λŠ” λ‹€μŒμ„ λΉ„λ‘―ν•œ μ—¬λŸ¬ μš”κ΅¬ 사항을 μΆ©μ‘±ν•˜λŠ” μ†”λ£¨μ…˜μ— ν¬ν•¨λ˜λŠ” κ²½μš°κ°€ λ§ŽμŠ΅λ‹ˆλ‹€.
- λ―Όκ°ν•œ 데이터 μ•‘μ„ΈμŠ€ κ΄€λ ¨ 감사 둜그
- 데이터 보쑴
- ν‚€ ꡐ체, λΉ„ν™œμ„±ν™” λ˜λŠ” μ‚­μ œ

aws/service-name ν˜•μ‹μ˜ ν‚€λŠ” AWS κ΄€λ¦¬ν˜• ν‚€μš©μœΌλ‘œ μ˜ˆμ•½λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS Terraform Misconfiguration: Database Migration Service Auto-Upgrade Disabled

Abstract
ꡬ성이 μžλ™ μ†Œν”„νŠΈμ›¨μ–΄ μ—…κ·Έλ ˆμ΄λ“œλ₯Ό λ•λ‹ˆλ‹€.
Explanation
μ•Œλ €μ§„ μ†Œν”„νŠΈμ›¨μ–΄ 취약성을 ν•΄κ²°ν•˜λŠ” 패치λ₯Ό μ μ‹œμ— μ μš©ν•˜λŠ” μžλ™ μ†Œν”„νŠΈμ›¨μ–΄ μ—…κ·Έλ ˆμ΄λ“œκ°€ λΉ„ν™œμ„±ν™”λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€.
References
[1] Standards Mapping - FIPS200 CM
[2] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[5] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[7] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.iac.misconfiguration_auto_upgrade_disabled.base

AWS Terraform Misconfiguration: Database Migration Service Publicly Accessible

Abstract
ꡬ성이 μ μ ˆν•œ μ•‘μ„ΈμŠ€ μ œμ–΄λ₯Ό μ μš©ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.
Explanation
곡개적으둜 μ•‘μ„ΈμŠ€ν•  수 μžˆλŠ” λ¦¬μ†ŒμŠ€λŠ” 배포된 μ„œλΉ„μŠ€ κ±°λΆ€(DDoS) 곡격에 μ·¨μ•½ν•˜λ―€λ‘œ 데이터가 무단 μ•‘μ„ΈμŠ€, λ³€μ‘° 및 λ„λ‚œ μœ„ν—˜μ— λ…ΈμΆœλ©λ‹ˆλ‹€.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 749
[2] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[3] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.iac.aws.misconfiguration_publicly_accessible.base

AWS Terraform Misconfiguration: DocumentDB Auto-Upgrade Disabled

Abstract
ꡬ성이 μžλ™ μ†Œν”„νŠΈμ›¨μ–΄ μ—…κ·Έλ ˆμ΄λ“œλ₯Ό λ•λ‹ˆλ‹€.
Explanation
μ•Œλ €μ§„ μ†Œν”„νŠΈμ›¨μ–΄ 취약성을 ν•΄κ²°ν•˜λŠ” 패치λ₯Ό μ μ‹œμ— μ μš©ν•˜λŠ” μžλ™ μ†Œν”„νŠΈμ›¨μ–΄ μ—…κ·Έλ ˆμ΄λ“œκ°€ λΉ„ν™œμ„±ν™”λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€.
References
[1] Standards Mapping - FIPS200 CM
[2] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[5] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[7] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.iac.misconfiguration_auto_upgrade_disabled.base

AWS Terraform Misconfiguration: DocumentDB Missing Customer-Managed Encryption Key

Abstract
ꡬ성이 λ―Έμ‚¬μš© λ°μ΄ν„°μš© 고객 κ΄€λ¦¬ν˜• μ•”ν˜Έν™” ν‚€λ₯Ό μ§€μ •ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.
Explanation
λ―Έμ‚¬μš© λ°μ΄ν„°μ—λŠ” 고객 κ΄€λ¦¬ν˜• ν‚€κ°€ μ‚¬μš©λ˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.

기본적으둜 AWSλŠ” μ•”ν˜Έν™”κ°€ ν™œμ„±ν™”λœ 경우 AWS κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ λ―Έμ‚¬μš© 데이터λ₯Ό μ•”ν˜Έν™”ν•©λ‹ˆλ‹€. 고객 κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜λŠ” 쑰직은 μ„ νƒν•œ μ•”ν˜Έν™” ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ 데이터λ₯Ό μ•”ν˜Έν™”ν•  수 μžˆμŠ΅λ‹ˆλ‹€. λ”°λΌμ„œ μ•”ν˜Έν™” ν”„λ‘œμ„ΈμŠ€λ₯Ό λ”μš± 효율적으둜 μ œμ–΄ν•˜κ³  λ‘œκΉ…ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

μ΄λŸ¬ν•œ 이유둜 인해 고객 κ΄€λ¦¬ν˜• ν‚€λŠ” λ‹€μŒμ„ λΉ„λ‘―ν•œ μ—¬λŸ¬ μš”κ΅¬ 사항을 μΆ©μ‘±ν•˜λŠ” μ†”λ£¨μ…˜μ— ν¬ν•¨λ˜λŠ” κ²½μš°κ°€ λ§ŽμŠ΅λ‹ˆλ‹€.
- λ―Όκ°ν•œ 데이터 μ•‘μ„ΈμŠ€ κ΄€λ ¨ 감사 둜그
- 데이터 보쑴
- ν‚€ ꡐ체, λΉ„ν™œμ„±ν™” λ˜λŠ” μ‚­μ œ

aws/service-name ν˜•μ‹μ˜ ν‚€λŠ” AWS κ΄€λ¦¬ν˜• ν‚€μš©μœΌλ‘œ μ˜ˆμ•½λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS Terraform Misconfiguration: DocumentDB Publicly Accessible

Abstract
ꡬ성이 μ μ ˆν•œ μ•‘μ„ΈμŠ€ μ œμ–΄λ₯Ό μ μš©ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.
Explanation
곡개적으둜 μ•‘μ„ΈμŠ€ν•  수 μžˆλŠ” λ¦¬μ†ŒμŠ€λŠ” 배포된 μ„œλΉ„μŠ€ κ±°λΆ€(DDoS) 곡격에 μ·¨μ•½ν•˜λ―€λ‘œ 데이터가 무단 μ•‘μ„ΈμŠ€, λ³€μ‘° 및 λ„λ‚œ μœ„ν—˜μ— λ…ΈμΆœλ©λ‹ˆλ‹€.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 749
[2] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[3] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.iac.aws.misconfiguration_publicly_accessible.base

AWS Terraform Misconfiguration: EBS Missing Customer-Managed Encryption Key

Abstract
ꡬ성이 λ―Έμ‚¬μš© λ°μ΄ν„°μš© 고객 κ΄€λ¦¬ν˜• μ•”ν˜Έν™” ν‚€λ₯Ό μ§€μ •ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.
Explanation
λ―Έμ‚¬μš© λ°μ΄ν„°μ—λŠ” 고객 κ΄€λ¦¬ν˜• ν‚€κ°€ μ‚¬μš©λ˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.

기본적으둜 AWSλŠ” μ•”ν˜Έν™”κ°€ ν™œμ„±ν™”λœ 경우 AWS κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ λ―Έμ‚¬μš© 데이터λ₯Ό μ•”ν˜Έν™”ν•©λ‹ˆλ‹€. 고객 κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜λŠ” 쑰직은 μ„ νƒν•œ μ•”ν˜Έν™” ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ 데이터λ₯Ό μ•”ν˜Έν™”ν•  수 μžˆμŠ΅λ‹ˆλ‹€. λ”°λΌμ„œ μ•”ν˜Έν™” ν”„λ‘œμ„ΈμŠ€λ₯Ό λ”μš± 효율적으둜 μ œμ–΄ν•˜κ³  λ‘œκΉ…ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

μ΄λŸ¬ν•œ 이유둜 인해 고객 κ΄€λ¦¬ν˜• ν‚€λŠ” λ‹€μŒμ„ λΉ„λ‘―ν•œ μ—¬λŸ¬ μš”κ΅¬ 사항을 μΆ©μ‘±ν•˜λŠ” μ†”λ£¨μ…˜μ— ν¬ν•¨λ˜λŠ” κ²½μš°κ°€ λ§ŽμŠ΅λ‹ˆλ‹€.
- λ―Όκ°ν•œ 데이터 μ•‘μ„ΈμŠ€ κ΄€λ ¨ 감사 둜그
- 데이터 보쑴
- ν‚€ ꡐ체, λΉ„ν™œμ„±ν™” λ˜λŠ” μ‚­μ œ

aws/service-name ν˜•μ‹μ˜ ν‚€λŠ” AWS κ΄€λ¦¬ν˜• ν‚€μš©μœΌλ‘œ μ˜ˆμ•½λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS Terraform Misconfiguration: EC2 Image Builder Missing Customer-Managed Encryption Key

Abstract
ꡬ성이 λ―Έμ‚¬μš© λ°μ΄ν„°μš© 고객 κ΄€λ¦¬ν˜• μ•”ν˜Έν™” ν‚€λ₯Ό μ§€μ •ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.
Explanation
λ―Έμ‚¬μš© λ°μ΄ν„°μ—λŠ” 고객 κ΄€λ¦¬ν˜• ν‚€κ°€ μ‚¬μš©λ˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.

기본적으둜 AWSλŠ” μ•”ν˜Έν™”κ°€ ν™œμ„±ν™”λœ 경우 AWS κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ λ―Έμ‚¬μš© 데이터λ₯Ό μ•”ν˜Έν™”ν•©λ‹ˆλ‹€. 고객 κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜λŠ” 쑰직은 μ„ νƒν•œ μ•”ν˜Έν™” ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ 데이터λ₯Ό μ•”ν˜Έν™”ν•  수 μžˆμŠ΅λ‹ˆλ‹€. λ”°λΌμ„œ μ•”ν˜Έν™” ν”„λ‘œμ„ΈμŠ€λ₯Ό λ”μš± 효율적으둜 μ œμ–΄ν•˜κ³  λ‘œκΉ…ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

μ΄λŸ¬ν•œ 이유둜 인해 고객 κ΄€λ¦¬ν˜• ν‚€λŠ” λ‹€μŒμ„ λΉ„λ‘―ν•œ μ—¬λŸ¬ μš”κ΅¬ 사항을 μΆ©μ‘±ν•˜λŠ” μ†”λ£¨μ…˜μ— ν¬ν•¨λ˜λŠ” κ²½μš°κ°€ λ§ŽμŠ΅λ‹ˆλ‹€.
- λ―Όκ°ν•œ 데이터 μ•‘μ„ΈμŠ€ κ΄€λ ¨ 감사 둜그
- 데이터 보쑴
- ν‚€ ꡐ체, λΉ„ν™œμ„±ν™” λ˜λŠ” μ‚­μ œ

aws/service-name ν˜•μ‹μ˜ ν‚€λŠ” AWS κ΄€λ¦¬ν˜• ν‚€μš©μœΌλ‘œ μ˜ˆμ•½λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS Terraform Misconfiguration: EFS Missing Customer-Managed Encryption Key

Abstract
ꡬ성이 λ―Έμ‚¬μš© λ°μ΄ν„°μš© 고객 κ΄€λ¦¬ν˜• μ•”ν˜Έν™” ν‚€λ₯Ό μ§€μ •ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.
Explanation
λ―Έμ‚¬μš© λ°μ΄ν„°μ—λŠ” 고객 κ΄€λ¦¬ν˜• ν‚€κ°€ μ‚¬μš©λ˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.

기본적으둜 AWSλŠ” μ•”ν˜Έν™”κ°€ ν™œμ„±ν™”λœ 경우 AWS κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ λ―Έμ‚¬μš© 데이터λ₯Ό μ•”ν˜Έν™”ν•©λ‹ˆλ‹€. 고객 κ΄€λ¦¬ν˜• ν‚€λ₯Ό μ‚¬μš©ν•˜λŠ” 쑰직은 μ„ νƒν•œ μ•”ν˜Έν™” ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ 데이터λ₯Ό μ•”ν˜Έν™”ν•  수 μžˆμŠ΅λ‹ˆλ‹€. λ”°λΌμ„œ μ•”ν˜Έν™” ν”„λ‘œμ„ΈμŠ€λ₯Ό λ”μš± 효율적으둜 μ œμ–΄ν•˜κ³  λ‘œκΉ…ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

μ΄λŸ¬ν•œ 이유둜 인해 고객 κ΄€λ¦¬ν˜• ν‚€λŠ” λ‹€μŒμ„ λΉ„λ‘―ν•œ μ—¬λŸ¬ μš”κ΅¬ 사항을 μΆ©μ‘±ν•˜λŠ” μ†”λ£¨μ…˜μ— ν¬ν•¨λ˜λŠ” κ²½μš°κ°€ λ§ŽμŠ΅λ‹ˆλ‹€.
- λ―Όκ°ν•œ 데이터 μ•‘μ„ΈμŠ€ κ΄€λ ¨ 감사 둜그
- 데이터 보쑴
- ν‚€ ꡐ체, λΉ„ν™œμ„±ν™” λ˜λŠ” μ‚­μ œ

aws/service-name ν˜•μ‹μ˜ ν‚€λŠ” AWS κ΄€λ¦¬ν˜• ν‚€μš©μœΌλ‘œ μ˜ˆμ•½λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€.
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS Terraform Misconfiguration: ElastiCache Auto-Upgrade Disabled

Abstract
ꡬ성이 μžλ™ μ†Œν”„νŠΈμ›¨μ–΄ μ—…κ·Έλ ˆμ΄λ“œλ₯Ό λ•λ‹ˆλ‹€.
Explanation
μ•Œλ €μ§„ μ†Œν”„νŠΈμ›¨μ–΄ 취약성을 ν•΄κ²°ν•˜λŠ” 패치λ₯Ό μ μ‹œμ— μ μš©ν•˜λŠ” μžλ™ μ†Œν”„νŠΈμ›¨μ–΄ μ—…κ·Έλ ˆμ΄λ“œκ°€ λΉ„ν™œμ„±ν™”λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€.
References
[1] Standards Mapping - FIPS200 CM
[2] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[5] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[7] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.iac.misconfiguration_auto_upgrade_disabled.base