界: Environment

本節包括原始程式碼之外的所有內容,但對於建立中產品的安全性仍至關重要。由於此領域所涵蓋的問題與原始程式碼沒有直接關係,因此我們將其與其他領域分開。

633 找到的項目
弱點

AWS Terraform Misconfiguration: Insecure RDS Proxy Transport

Abstract
Terraform 組態會建立一個傳輸層保護不足的 AWS 資源。
Explanation
與 AWS 資源的連線不安全。這類不安全的連線會將資料暴露於未經授權存取、潛在竊取和竄改的風險。
References
[1] Amazon Web Services, Inc. or its affiliates Protecting data in transit
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[4] Standards Mapping - FIPS200 SC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
desc.structural.hcl.iac.aws_misconfiguration_insecure_transport.base

AWS Terraform Misconfiguration: Insecure RDS Storage

Abstract
Terraform 組態會建立一個沒有靜態加密的 AWS 資源。
Explanation
未啟用靜態加密。如此會使資料暴露於未經授權存取和潛在竊取的風險。
References
[1] Amazon Web Services, Inc. or its affiliates AWS Well-Architected Framework Security Pillar
[2] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 2.3.1
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[27] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[28] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.hcl.iac.aws_misconfiguration_insecure_storage.base

AWS Terraform Misconfiguration: Insecure RDS Transport

Abstract
服務不會在傳輸過程中強制執行強加密。
Explanation
保護不足的資料通訊管道可能會使關鍵的組織資料面臨遭受竊取、篡改或外洩的風險。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 319
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[3] Standards Mapping - FIPS200 SC
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[12] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[28] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.iac.misconfiguration_insecure_transport.base

AWS Terraform Misconfiguration: Insecure Redshift Storage

Abstract
組態會建立一個沒有靜態加密的資源。
Explanation
未啟用靜態加密。如此會使資料暴露於未經授權存取和潛在竊取的風險。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 311
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 6.1.1 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[9] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[10] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[11] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[12] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[25] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[26] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.iac.misconfiguration_insecure_storage.base

AWS Terraform Misconfiguration: Insecure S3 Storage

Abstract
組態會建立一個沒有靜態加密的資源。
Explanation
未啟用靜態加密。如此會使資料暴露於未經授權存取和潛在竊取的風險。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 311
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 6.1.1 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[9] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[10] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[11] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[12] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[25] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[26] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.iac.misconfiguration_insecure_storage.base

AWS Terraform Misconfiguration: Insecure SageMaker Storage

Abstract
組態會建立一個沒有靜態加密的資源。
Explanation
未啟用靜態加密。如此會使資料暴露於未經授權存取和潛在竊取的風險。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 311
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 6.1.1 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[9] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[10] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[11] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[12] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[25] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[26] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.iac.misconfiguration_insecure_storage.base

AWS Terraform Misconfiguration: Insecure SNS Storage

Abstract
Terraform 組態會建立一個沒有靜態加密的 AWS 資源。
Explanation
未啟用靜態加密。如此會使資料暴露於未經授權存取和潛在竊取的風險。
References
[1] Amazon Web Services, Inc. or its affiliates AWS Well-Architected Framework Security Pillar
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[26] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.hcl.iac.aws_misconfiguration_insecure_storage.base

AWS Terraform Misconfiguration: Insecure Supply Chain

Abstract
Terraform 組態使用的模組是來自不受信任的來源。
Explanation
軟體模組若是來自不受信任的軟體供應鏈,可能不安全。攻擊者可以利用任何管理不善的供應鏈的弱點來插入惡意程式碼。
Terraform 模組是一組預先建立的組態設定檔案。模組可使啟動和執行雲端服務變得更加容易和快速。許多來源都提供模組,包括但不限於 Terraform Registry、本機目錄、來源儲存庫和雲端儲存空間。然而,在所有來源中,只有一小部分發佈在 Terraform Registry 中的模組,有經過系統性和持續性的驗證。Terraform Registry 中列出的經過驗證的模組,都採用主動維護模式並經過相容性測試,但在設計上不一定安全。
References
[1] Terraform Modules
[2] HashCorp Terraform Registry
[3] xssfox Supply Chain Attack as Code
[4] Standards Mapping - Common Weakness Enumeration CWE ID 829
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001749, CCI-001764
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), SA-12 Supply Chain Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, CM-14 Signed Components, SR-3 Supply Chain Controls and Processes
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 10.2.3 Malicious Code Search (L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.4 Dependency (L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II
desc.structural.hcl.aws_terraform_misconfiguration_insecure_supply_chain

AWS Terraform Misconfiguration: Insufficient API Gateway Logging

Abstract
組態定義了一個稽核記錄不足的服務。
Explanation
若缺乏稽核記錄,將會限制偵測和回應安全相關事件的能力,並阻礙取證調查。

削弱記錄控功能的組態設定包括但不限於:
- 蓄意停用稽核記錄
- 免除記錄特定使用者、群組或程序的動作
- 未充分保護記錄完整性
- 未啟用選用稽核記錄
- 降低記錄採樣率
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[10] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Terraform Misconfiguration: Insufficient Aurora Backup

Abstract
組態設定了一個沒有適當備份設定的資源。
Explanation
備份對於防止資料遺失或損毀至關重要。削弱備份的設定包括但不限於:
- 停用資料備份
- 未能定期備份資料
- 未能定期檢查備份的完整性
- 備份保留期限不足
References
[1] Amazon Web Services, Inc. or its affiliates Backup and recovery approaches on AWS
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003109
[3] Standards Mapping - FIPS200 CP
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 CP-9 Information System Backup (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 CP-9 System Backup
[6] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.5 General Data Protection (L3)
[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 12.10.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 12.10.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 12.10.1
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults
desc.structural.iac.aws.misconfiguration_insufficient_backup.base

AWS Terraform Misconfiguration: Insufficient Aurora Monitoring

Abstract
組態設定了一個缺乏監控的資源。
Explanation
任何延遲回應缺口削弱了組織限制缺口影響的能力。

削弱監控功能的組態設定包括但不限於:
- 蓄意停用監控
- 未啟用選用監控
- 未指定匯出到監控服務的相關事件
- 使特定使用者、群組、程序和地理區域的動作免除監控
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[11] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS Terraform Misconfiguration: Insufficient CloudFront Logging

Abstract
組態定義了一個稽核記錄不足的服務。
Explanation
若缺乏稽核記錄,將會限制偵測和回應安全相關事件的能力,並阻礙取證調查。

削弱記錄控功能的組態設定包括但不限於:
- 蓄意停用稽核記錄
- 免除記錄特定使用者、群組或程序的動作
- 未充分保護記錄完整性
- 未啟用選用稽核記錄
- 降低記錄採樣率
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[10] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Terraform Misconfiguration: Insufficient CloudTrail Logging

Abstract
組態定義了一個稽核記錄不足的服務。
Explanation
若缺乏稽核記錄,將會限制偵測和回應安全相關事件的能力,並阻礙取證調查。

削弱記錄控功能的組態設定包括但不限於:
- 蓄意停用稽核記錄
- 免除記錄特定使用者、群組或程序的動作
- 未充分保護記錄完整性
- 未啟用選用稽核記錄
- 降低記錄採樣率
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 3.1, Recommendation 3.2
[3] Standards Mapping - Common Weakness Enumeration CWE ID 778
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[11] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Terraform Misconfiguration: Insufficient DocumentDB Monitoring

Abstract
組態設定了一個缺乏監控的資源。
Explanation
任何延遲回應缺口削弱了組織限制缺口影響的能力。

削弱監控功能的組態設定包括但不限於:
- 蓄意停用監控
- 未啟用選用監控
- 未指定匯出到監控服務的相關事件
- 使特定使用者、群組、程序和地理區域的動作免除監控
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[11] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS Terraform Misconfiguration: Insufficient EC2 Logging

Abstract
組態定義了一個稽核記錄不足的服務。
Explanation
若缺乏稽核記錄,將會限制偵測和回應安全相關事件的能力,並阻礙取證調查。

削弱記錄控功能的組態設定包括但不限於:
- 蓄意停用稽核記錄
- 免除記錄特定使用者、群組或程序的動作
- 未充分保護記錄完整性
- 未啟用選用稽核記錄
- 降低記錄採樣率
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[10] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Terraform Misconfiguration: Insufficient ElastiCache Backup

Abstract
組態設定了一個沒有適當備份設定的資源。
Explanation
備份對於防止資料遺失或損毀至關重要。削弱備份的設定包括但不限於:
- 停用資料備份
- 未能定期備份資料
- 未能定期檢查備份的完整性
- 備份保留期限不足
References
[1] Amazon Web Services, Inc. or its affiliates Backup and recovery approaches on AWS
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003109
[3] Standards Mapping - FIPS200 CP
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 CP-9 Information System Backup (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 CP-9 System Backup
[6] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.5 General Data Protection (L3)
[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 12.10.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 12.10.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 12.10.1
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults
desc.structural.iac.aws.misconfiguration_insufficient_backup.base

AWS Terraform Misconfiguration: Insufficient ElastiCache Logging

Abstract
組態定義了一個稽核記錄不足的服務。
Explanation
若缺乏稽核記錄,將會限制偵測和回應安全相關事件的能力,並阻礙取證調查。

削弱記錄控功能的組態設定包括但不限於:
- 蓄意停用稽核記錄
- 免除記錄特定使用者、群組或程序的動作
- 未充分保護記錄完整性
- 未啟用選用稽核記錄
- 降低記錄採樣率
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[10] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Terraform Misconfiguration: Insufficient ELB Logging

Abstract
組態定義了一個稽核記錄不足的服務。
Explanation
若缺乏稽核記錄,將會限制偵測和回應安全相關事件的能力,並阻礙取證調查。

削弱記錄控功能的組態設定包括但不限於:
- 蓄意停用稽核記錄
- 免除記錄特定使用者、群組或程序的動作
- 未充分保護記錄完整性
- 未啟用選用稽核記錄
- 降低記錄採樣率
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[10] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Terraform Misconfiguration: Insufficient Global Accelerator Logging

Abstract
組態定義了一個稽核記錄不足的服務。
Explanation
若缺乏稽核記錄,將會限制偵測和回應安全相關事件的能力,並阻礙取證調查。

削弱記錄控功能的組態設定包括但不限於:
- 蓄意停用稽核記錄
- 免除記錄特定使用者、群組或程序的動作
- 未充分保護記錄完整性
- 未啟用選用稽核記錄
- 降低記錄採樣率
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[10] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Terraform Misconfiguration: Insufficient GuardDuty Monitoring

Abstract
組態設定了一個缺乏監控的資源。
Explanation
任何延遲回應缺口削弱了組織限制缺口影響的能力。

削弱監控功能的組態設定包括但不限於:
- 蓄意停用監控
- 未啟用選用監控
- 未指定匯出到監控服務的相關事件
- 使特定使用者、群組、程序和地理區域的動作免除監控
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[11] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base