Amazon EC2
π Public exposure of AWS EC2 instances can lead to significant security threats, including unauthorized access and data breaches. Implementing stringent access controls is vital to protect these instances from external threats.
- Section: Public Exposure
- Severity: Critical
- CWE: CWE-668 Exposure of Resource to the Wrong Sphere
- Assurance Scope: PCI, NIST, GDPR, HIPPA
- Threat Modeling Principal: Tampering, Information Disclosure
- Rule Set: Threat Modeling - Cloud Configuration Check
π Using non-default security groups in AWS EC2 can expose instances to configuration errors and vulnerabilities. Ensuring proper security group configuration is essential for maintaining the security and integrity of EC2 instances.
- Section: Compute
- Severity: Medium
- CWE: CWE-16 Configuration
- Assurance Scope: NIST
- Threat Modeling Principal: Tampering, Information Disclosure
- Rule Set: Threat Modeling - Cloud Configuration Check
π Utilizing AWS EC2 Classic instances may pose security risks due to outdated configurations and lack of newer security features. Transitioning to more secure and modern instance types is recommended for enhanced security.
- Section: Compute
- Severity: High
- CWE: CWE-16 Configuration
- Assurance Scope: NIST
- Threat Modeling Principal: Tampering, Information Disclosure
- Rule Set: Threat Modeling - Cloud Configuration Check
π AWS EC2 instances not using IAM Roles can lead to improper access control, increasing the risk of unauthorized actions. Implementing IAM Roles is crucial for secure and efficient management of permissions.
- Section: Compute
- Severity: Medium
- CWE: CWE-284 Improper Access Control
- Assurance Scope: NIST
- Threat Modeling Principal: Tampering, Information Disclosure
- Rule Set: Threat Modeling - Cloud Configuration Check
π Having over permissive IAM roles and enabling IMDSv1 on AWS EC2 instances can create significant security vulnerabilities. Tightening IAM roles and updating to more secure configurations are essential steps for safeguarding these instances.
- Section: Compute
- Severity: High
- CWE: CWE-16 Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPPA
- Threat Modeling Principal: Tampering, Escalation of Privileges
- Rule Set: Threat Modeling - Cloud Configuration Check
π Enabling IMDSv1 on AWS EC2 instances can expose them to security risks, including unauthorized access. Transitioning to more secure instance metadata options, like IMDSv2, is recommended to enhance security.
- Section: Compute
- Severity: High
- CWE: CWE-16 Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPPA
- Threat Modeling Principal: Tampering, Escalation of Privileges
- Rule Set: Threat Modeling - Cloud Configuration Check
π Granting over permissive IAM access to AWS EC2 instances can lead to security breaches and unauthorized actions. It is crucial to adhere to the principle of least privilege to minimize risks.
- Section: Compute
- Severity: High
- CWE: CWE-16 Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPPA
- Threat Modeling Principal: Tampering, Escalation of Privileges
- Rule Set: Threat Modeling - Cloud Configuration Check
π Not encrypting AWS EC2 EBS Volumes with the Customer Master Key can result in insufficient data protection. Using CMKs for encryption offers better security control and data confidentiality.
- Section: Databases and Datastores
- Severity: High
- CWE: CWE-653 Insufficient Compartmentalization
- Assurance Scope: PCI, NIST, GDPR, HIPPA
- Threat Modeling Principal: Tampering, Information Disclosure
- Rule Set: Threat Modeling - Cloud Configuration Check
π The lack of encryption for AWS EC2 attached EBS Volumes poses a risk of unauthorized data access and breaches. Encrypting these volumes is essential for protecting sensitive data
stored on them.
- Section: Databases and Datastores
- Severity: High
- CWE: CWE-311 Missing Encryption of Sensitive Data
- Assurance Scope: PCI, NIST, GDPR, HIPPA
- Threat Modeling Principal: Tampering, Information Disclosure
- Rule Set: Threat Modeling - Cloud Configuration Check
Updated 5 months ago