302 个项目已找到
弱点

AWS Ansible Misconfiguration: Insecure RDS Storage

Abstract
该模板定义了未加密的 Amazon RDS 实例。
Explanation
默认情况下,Amazon RDS 实例未加密。这会使数据面临潜在的盗用和未经授权的访问。
References
[1] Ansible project contributors community.aws.rds_instance – Manage RDS instances
[2] Amazon Web Services Encrypting Amazon RDS resources
[3] Amazon Web Services Security in Amazon RDS
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 311
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[12] Standards Mapping - FIPS200 MP
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[24] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.yaml.aws_cloudformation_misconfiguration_insecure_rds_storage.base

AWS Ansible Misconfiguration: Insecure RDS Transport

Abstract
服务不强制使用可靠的传输加密。
Explanation
保护不充分的数据通信通道可能会使关键的组织数据面临盗用、篡改或泄露的风险。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark Confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark Complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 319
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[8] Standards Mapping - FIPS200 SC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[14] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[32] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.iac.misconfiguration_insecure_transport.base

AWS Ansible Misconfiguration: Insecure Redshift Storage

Abstract
该模板定义了未加密的 Amazon Redshift 群集。
Explanation
默认情况下,Amazon Redshift 群集处于未加密状态。这会使数据面临未经授权的访问和潜在的盗用。
References
[1] Ansible project contributors community.aws.redshift – create, delete, or modify an Amazon Redshift instance
[2] Amazon Web Services Amazon Redshift database encryption
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 311
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[23] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.yaml.aws_ansible_misconfiguration_insecure_redshift_storage.base

AWS Ansible Misconfiguration: Insecure S3 Bucket Storage

Abstract
创建 Amazon S3 存储桶时未启用静态加密。
Explanation
创建 Amazon S3 存储桶时未启用服务器端加密。加密通过使没有适当凭据的任何人无法读取数据来降低数据泄露风险。静态加密有助于满足一些工业和政府合规性要求,例如 GDPR、HIPAA 和 PCI。
References
[1] GDPR Article 32 European Parliament and Council of the European Union
[2] Manage S3 buckets in AWS Ansible project contributors
[3] Amazon Simple Storage Service User Guide Amazon Web Services, Inc.
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 311
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[11] Standards Mapping - FIPS200 MP
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[23] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13), Application Misconfiguration (WASC-15)
desc.structural.yaml.aws_cloudformation_misconfiguration_insecure_s3_bucket_storage.base

AWS Ansible Misconfiguration: Insufficient API Gateway Logging

Abstract
该模板定义了一项审计日志记录不足的服务。
Explanation
缺乏审计记录会限制检测和响应安全相关事件的能力,并导致无法进行取证调查。

可破坏日志记录功能的配置设置包括但不限于:
- 故意禁用审计日志记录
- 不记录特定用户、组或流程的操作
- 不充分保护日志完整性
- 不启用可选的审计日志记录
- 降低日志采样率
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Ansible Misconfiguration: Insufficient CloudFront Logging

Abstract
该模板定义了一项审计日志记录不足的服务。
Explanation
缺乏审计记录会限制检测和响应安全相关事件的能力,并导致无法进行取证调查。

可破坏日志记录功能的配置设置包括但不限于:
- 故意禁用审计日志记录
- 不记录特定用户、组或流程的操作
- 不充分保护日志完整性
- 不启用可选的审计日志记录
- 降低日志采样率
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Ansible Misconfiguration: Insufficient CloudTrail Logging

Abstract
Ansible 任务定义了禁用日志记录的 AWS CloudTrail。
Explanation
默认情况下,CloudTrail 会记录事件并提供日志文件,但故意禁用日志记录。这可以使恶意行为不被发现,并导致发生违规事件时无法进行取证分析。

示例 1:以下 Ansible 任务设置了禁用日志记录的 CloudTrail,因为 enable_logging 设置为 false

- name: create a single region cloudtrail
  community.aws.cloudtrail:
    s3_bucket_name: mylogbucket
    s3_key_prefix: cloudtrail
    region: us-west-2
    enable_logging: false
References
[1] Ansible project contributors community.aws.cloudtrail – manage CloudTrail create, delete, update
[2] Amazon Web Services Security best practices in AWS CloudTrail
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark partial
[9] Standards Mapping - Common Weakness Enumeration CWE ID 778
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[19] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.iac.yaml.aws_ansible_misconfiguration_insufficient_cloudtrail_logging

AWS Ansible Misconfiguration: Insufficient CloudWatch Logging

Abstract
Ansible 任务定义了未设置保留期的 CloudWatch 日志组。
Explanation
默认情况下,CloudWatch 日志组会无限期地保留日志。未设置的保留值表示尚未查阅组织数据处理策略以设置适当的配置。这可能会导致组织在存储和管理日志记录事件方面产生不必要的费用。

攻击者可以通过长时间持续提示虚假事件日志来发起拒绝钱包 (DoW) 攻击,这可能会对组织的财务方面造成影响。

示例 1:以下示例显示的 Ansible 任务未能定义保留策略。

- name: create a log_group in CloudWatchLogs
  community.aws.cloudwatchlogs_log_group:
    log_group_name: test-log-group
    tags: { "Name": "test-log-group", "Env" : "QA" }
References
[1] Willian Ricardo (@willricardo) community.aws.cloudwatchlogs_log_group – create or delete log_group in CloudWatchLogs
[2] Tal Melamed and Marcin Hoppe OWASP Serverless Top 10 (2017)
[3] AWS AWS Documentation: Working with Log Groups and Log Streams
[4] Daniel Kelly, Frank G.Glavin, Enda Barrett Journal of Information Security and Applications: Denial of wallet—Defining a looming threat to serverless computing
[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[6] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[10] Standards Mapping - CIS Kubernetes Benchmark partial
[11] Standards Mapping - Common Weakness Enumeration CWE ID 778
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[13] Standards Mapping - FIPS200 CM
[14] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[17] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[21] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Application Misconfiguration
desc.structural.yaml.aws_ansible_misconfiguration_insufficient_cloudwatch_logging

AWS Ansible Misconfiguration: Insufficient Lambda Logging

Abstract
该模板定义了一项审计日志记录不足的服务。
Explanation
缺乏审计记录会限制检测和响应安全相关事件的能力,并导致无法进行取证调查。

可破坏日志记录功能的配置设置包括但不限于:
- 故意禁用审计日志记录
- 不记录特定用户、组或流程的操作
- 不充分保护日志完整性
- 不启用可选的审计日志记录
- 降低日志采样率
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Ansible Misconfiguration: Insufficient RDS Backup

Abstract
配置设置了缺少适当备份设置的资源。
Explanation
备份对于防止数据丢失或损坏至关重要。可破坏备份的设置包括但不限于:
- 禁用数据备份
- 未能定期备份数据
- 未能定期检查备份的完整性
- 备份保留期不足
References
[1] Amazon Web Services, Inc. or its affiliates Backup and recovery approaches on AWS
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003109
[9] Standards Mapping - FIPS200 CP
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CP-9 Information System Backup (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CP-9 System Backup
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.5 General Data Protection (L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 12.10.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 12.10.1
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults
desc.structural.iac.aws.misconfiguration_insufficient_backup.base

AWS Ansible Misconfiguration: Insufficient S3 Backup

Abstract
配置设置了缺少适当备份设置的资源。
Explanation
备份对于防止数据丢失或损坏至关重要。可破坏备份的设置包括但不限于:
- 禁用数据备份
- 未能定期备份数据
- 未能定期检查备份的完整性
- 备份保留期不足
References
[1] Amazon Web Services, Inc. or its affiliates Backup and recovery approaches on AWS
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003109
[9] Standards Mapping - FIPS200 CP
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CP-9 Information System Backup (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CP-9 System Backup
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.5 General Data Protection (L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 12.10.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 12.10.1
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults
desc.structural.iac.aws.misconfiguration_insufficient_backup.base

AWS Ansible Misconfiguration: Insufficient S3 Logging

Abstract
该模板定义了一项审计日志记录不足的服务。
Explanation
缺乏审计记录会限制检测和响应安全相关事件的能力,并导致无法进行取证调查。

可破坏日志记录功能的配置设置包括但不限于:
- 故意禁用审计日志记录
- 不记录特定用户、组或流程的操作
- 不充分保护日志完整性
- 不启用可选的审计日志记录
- 降低日志采样率
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Ansible Misconfiguration: Insufficient S3 Monitoring

Abstract
配置设置了一个缺少监控的资源。
Explanation
对违规行为的响应延迟会削弱组织限制违规影响的能力。

可破坏监控功能的配置设置包括但不限于:
- 故意禁用监控
- 不启用可选监控
- 不指定导出到监控服务的相关事件
- 不监控特定用户、组、流程和地理区域的操作
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS Ansible Misconfiguration: Insufficient Stack Monitoring

Abstract
配置设置了一个缺少监控的资源。
Explanation
对违规行为的响应延迟会削弱组织限制违规影响的能力。

可破坏监控功能的配置设置包括但不限于:
- 故意禁用监控
- 不启用可选监控
- 不指定导出到监控服务的相关事件
- 不监控特定用户、组、流程和地理区域的操作
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS Ansible Misconfiguration: Missing CloudTrail Log Validation

Abstract
Ansible 任务定义了未启用完整性验证的 CloudTrail 日志文件。
Explanation
默认情况下,CloudTrail 日志文件验证处于禁用状态,这会导致调查人员无法确认 CloudTrail 日志文件未遭到外部篡改。

这使得具有所需权限的攻击者能够执行有害的配置更改,并通过修改 CloudTrail 日志来隐藏这些更改。

示例 1:以下 Ansible 任务设置了未启用日志文件完整性验证的 CloudTrail 配置,因为缺少 enable_log_file_validation 参数。

- name: create a single region cloudtrail
  community.aws.cloudtrail:
    s3_bucket_name: mylogbucket
    s3_key_prefix: cloudtrail
    region: us-west-2
References
[1] Ansible project contributors community.aws.cloudtrail – manage CloudTrail create, delete, update
[2] Amazon Web Services Validating CloudTrail log file integrity
[3] Amazon Web Services Security at Scale: Logging in AWS
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[10] Standards Mapping - Common Weakness Enumeration CWE ID 354
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002451
[12] Standards Mapping - FIPS200 MP
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[20] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3)
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 10.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.3.2
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[32] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 494
[33] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 494
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.structural.yaml.aws_ansible_misconfiguration_missing_cloudtrail_log_validation.base

AWS Ansible Misconfiguration: Privileged Batch Container

Abstract
配置设置了一个具有更高权限的容器来运行作业。
Explanation
默认情况下,容器无法执行大多数系统和网络管理操作。特权模式消除了此类限制。这极大地扩大了恶意作业的攻击面。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 250
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.iac.misconfiguration_privileged_container.base

AWS Ansible Misconfiguration: RDS Auto-Upgrade Disabled

Abstract
配置关闭了自动软件升级。
Explanation
能够确保及时修补已知软件漏洞的自动软件升级已被禁用。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.iac.misconfiguration_auto_upgrade_disabled.base

AWS Ansible Misconfiguration: RDS Missing Customer-Managed Encryption Key

Abstract
配置没有为静态数据指定任何客户管理的加密密钥。
Explanation
客户管理的密钥不用于加密静态数据。

默认情况下,如果启用了加密,AWS 会使用 AWS 管理的密钥来加密静态数据。客户管理的密钥允许组织使用他们选择的加密密钥来加密数据。这使组织可以更好地控制和记录加密过程。

因此,客户管理的密钥通常是满足以下要求的解决方案的一部分,包括但不限于:
- 敏感数据访问的审核日志
- 数据驻留
- 更换、禁用或销毁密钥

请注意,格式为 aws/service-name 的密钥是为 AWS 管理的密钥保留的。
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.5
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS Ansible Misconfiguration: RDS Publicly Accessible

Abstract
Ansible 任务定义了具有公共访问权限的 Amazon RDS 实例。
Explanation
可公开访问的 Amazon RDS 实例不必要地扩大了组织的攻击面。向公众开放的服务会受到攻击者近乎持续的扫描和探测。

示例 1:以下 Ansible 任务设置了具有公共访问权限的 RDS 实例,因为 publicly_accessible 设置为 true

- name: createdb
  community.aws.rds_instance:
    db_instance_identifier: test-db
    engine: aurora
    instance_type: db.t2.small
    username: "{{ username }}"
    password: "{{ password }}"
    cluster_id: test-cluster
    publicly_accessible: true
References
[1] Sloane Hertel (@s-hertel) community.aws.rds_instance – Manage RDS instances
[2] Amazon Web Services Security in Amazon RDS
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark partial
[9] Standards Mapping - Common Weakness Enumeration CWE ID 749
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[17] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.yaml.aws_ansible_misconfiguration_rds_publicly_accessible.base

AWS Ansible Misconfiguration: Reduced CloudFront Availability

Abstract
配置降低了服务可用性。
Explanation
云服务通常使用缓存、复制和负载平衡等技术来促进服务可扩展性、加快内容交付以及减轻容量耗尽攻击的影响。可用性功能禁用或错误配置会降低服务性能,但通常不会造成明显的直接影响,直到最后发生流量峰值和硬件故障等极端事件。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
desc.structural.iac.misconfiguration_reduced_availability.base