Amazon S3
š The lack of enforced secure transport on AWS S3 can lead to the transmission of data over insecure channels, increasing the risk of sensitive information being intercepted. Implementing secure transport protocols is essential for data confidentiality.
- Section: Encryption
- Severity: Critical
- CWE: CWE-311 Missing Encryption of Sensitive Data
- Assurance Scope: PCI, NIST
- Threat Modeling Principal: Information Disclosure
- Rule Set: Threat Modeling - Cloud Configuration Check
š Not encrypting data stored in AWS S3 exposes it to potential unauthorized access and breaches, emphasizing the need for encryption to safeguard data at rest.
- Section: Encryption
- Severity: High
- CWE: CWE-311 Missing Encryption of Sensitive Data
- Assurance Scope: PCI, NIST
- Threat Modeling Principal: Information Disclosure
- Rule Set: Threat Modeling - Cloud Configuration Check
š Failing to use a Customer Master Key for AWS S3 encryption limits the control over encryption keys and security, highlighting the importance of key management for enhanced data protection.
- Section: Encryption
- Severity: High
- CWE: CWE-653 Insufficient Compartmentalization
- Assurance Scope: PCI, NIST
- Threat Modeling Principal: Information Disclosure
- Rule Set: Threat Modeling - Cloud Configuration Check
š Publicly exposed AWS S3 buckets pose a significant risk of unauthorized data access and leaks, underscoring the critical need for proper access controls and privacy settings to protect data.
- Section: Public Exposure
- Severity: Critical
- CWE: CWE-668 Exposure of Resource to the Wrong Sphere
- Assurance Scope: PCI, NIST
- Threat Modeling Principal: Information Disclosure
- Rule Set: Threat Modeling - Cloud Configuration Check
Updated 11 months ago