Threat Modeling Rules

Amazon Threat Modeling Rules

📘

Amazon DocumentDB (docdb)

👍

Amazon DocumentDB Cluster is not encrypted

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. It reduces the risk of unauthorized access to data while the data is stored on disk, and it also meets several compliance requirements in addition to meeting security requirements for data protection.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: Amazon DocumentDB natively supports data-at-rest encryption. Enabling this feature protects a DocumentDB cluster's data, indexes, logs, replicas, and snapshots. All encryption and decryption operations are handled transparently with minimal impact on cluster performance. Please follow the documentation listed below for enabling data-at-rest encryption of an Amazon DocumentDB cluster. https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

Amazon DocumentDB Cluster is not encrypted with the Customer Master Key (CMK)

Description: Amazon Secrets Manager provides customers the ability to encrypt secrets like database credentials, API keys, OAuth tokens, etc. The default configuration of Amazon Secrets Manager uses service-generated Master Keys. This can create compliance issues and a loss of granular control over the secret data during the encryption process. To meet security and compliance requirements, enable CMKs for the DocumentDB cluster encryption process.
CWE: CWE-653 Insufficient Compartmentalization
Assurance Scope: PCI, NIST, GDPR, HIPAA
Severity: High
CVSS: 7.0
source: Rapticore Automated Threat Modeler
Recommendation: Amazon Secrets Manager allows customers to create a Customer Master Key (CMK). A CMK is unique to the customer and gives the customer full access control over the Master Key. Amazon Key Management Service (KMS) enables customers to manage CMKs efficiently. It is highly recommended that customers follow best practice and use CMKs to secure secrets. https://docs.aws.amazon.com/kms/latest/developerguide/manage-cmk-keystore.html
Threat Model STRIDE Mapping: Tampering, Information Disclosure

📘

Amazon Elastic Load Balancing (ELB)

👍

Traffic to Load Balancers is not encrypted

Description: The use of insecure and unencrypted communication channels can lead to eavesdropping and Man-In-The-Middle (MITM) attacks. A network attacker can use these attacks to potentially compromise the confidentiality and integrity of the traffic, tamper with the traffic for replay attacks, and gain access to the service by stealing authentication credentials. All transport between ELBs and nodes should be encrypted using TLS or similar industry-standard encryption mechanisms.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: Critical
CVSS: 9.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: Ensure the ELB listeners use a TLS listener; this ensures all traffic between nodes and the ELB is encrypted in transit.
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

Insecure ELB Security Policy

Description: Communication security depends not only on the use of secure protocols but also on secure configuration and the use of secure ciphers. Insecure configuration can lead to attacks like Logjam. To ensure an adequate level of transport-level security, follow the best practices laid out by Amazon.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
source: Rapticore Automated Threat Modeler
Recommendation: Amazon makes transport-level security easy to implement by providing predefined security policies for TLS. It is highly recommended that the latest Amazon security policy is used for securing the configuration of deployed ELBs. This rule checks for ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-2-2017-01, and ELBSecurityPolicy-TLS-1-1-2017-01.
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

ELB Audit Logs are not enabled

Description: Audit trails and logging are critical non-repudiation controls and help detect security incidents and other security and operational issues. Amazon natively provides capabilities to log its services, and these logs can then be used for auditing and for detecting security and operational issues.
CWE: CWE-778 Insufficient Logging
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: ELBs should have access logs enabled to support this control. ELBs can record network- and application-level logs and provide details about each transaction, which can be extremely helpful in auditing and monitoring.
Threat Model STRIDE Mapping: Tampering, Repudiation

👍

Amazon Application Load Balancer (ALB) does not have the Access Logging feature enabled

Description: The Amazon Application Load Balancer (ALB) does not have the Access Logging feature enabled, so the requests it handles are not recorded for auditing.
CWE: CWE-778 Insufficient Logging
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
source: Rapticore Automated Threat Modeler
Recommendation: Enable access logging on the ALB so that the requests it handles are recorded and can be used for auditing and monitoring.
Threat Model STRIDE Mapping: Tampering, Repudiation

👍

ELBv2 Load Balancer does not have the Deletion Protection feature enabled to protect it from being accidentally deleted

Description: The ELBv2 Load Balancer does not have the Deletion Protection feature enabled to protect it from being accidentally deleted.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: Medium
CVSS: 5.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: Enable the Deletion Protection feature on the ELBv2 load balancer so that it cannot be deleted accidentally.
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

Fewer than two healthy target instances are associated with the Amazon ELBv2 load balancer

Description: Fewer than two healthy target instances are associated with the Amazon ELBv2 load balancer, so the failure of a single target can make the service unavailable.
CWE: CWE-410 Insufficient Resource Pool
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: Ensure that each Amazon ELBv2 load balancer has at least two healthy target instances so that the service stays available if one target fails.
Threat Model STRIDE Mapping: Denial of Service, Availability

👍

Amazon Network Load Balancer (NLB) is not configured to terminate TLS traffic

Description: The Amazon Network Load Balancer (NLB) is not configured to terminate TLS traffic.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: Ensure the NLB listeners use a TLS listener; this ensures all traffic between nodes and the load balancer is encrypted in transit.
Threat Model STRIDE Mapping: Tampering, Information Disclosure

📘

Amazon Lambda

👍

Amazon Lambda Function Exposed to the Public

Description: Unauthorized users can potentially invoke Amazon Lambda functions from the Internet or from other unauthorized Amazon accounts, resulting in data exposure, data loss, and unexpected changes in Amazon environments.
CWE: CWE-653 Insufficient Compartmentalization
Severity: Critical
CVSS: 9.0
Assurance Scope: PCI, NIST, GDPR
Recommendation: Restrict access to Amazon Lambda functions to only authorized and trusted users by implementing appropriate permission policies. Verify that the Principal element of the Lambda function's policy is paired with at least one condition, like the example below, that restricts Lambda access to the specified Amazon account number.
Threat Model STRIDE Mapping: Information Disclosure

👍

Amazon Lambda using Administrative Privileges

Description: Lambda functions should run with only the privileges needed for the function to execute properly. Ensure the Lambda function is not using admin privileges by following the Principle of Least Privilege.
CWE: CWE-284 Improper Access Control
Severity: High
CVSS: 8.0
Assurance Scope: PCI, NIST
Recommendation: Implement the Principle of Least Privilege for the Lambda function. Check the policy attached to the IAM execution role and ensure that it grants only the appropriate permissions.
Threat Model STRIDE Mapping: Information Disclosure

👍

Tracing is not enabled for the Amazon Lambda function

Description: Tracing is not enabled for the Amazon Lambda function. Tracing uses the Amazon X-Ray service to monitor performance and resource utilization for a Lambda function. Tracing can help improve and monitor the Lambda function's performance but can also be used in security investigations.
CWE: CWE-778 Insufficient Logging
Severity: Medium
CVSS: 5.0
Assurance Scope: PCI, NIST
Recommendation: Implement tracing for the Lambda function. Tracing is useful in investigating performance and security-related events on the Lambda function. https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html
Threat Model STRIDE Mapping: Tampering, Repudiation, Availability

👍

Amazon Lambda function with appropriate network access and isolation

Description: Lambda functions that work with network-based services like RDS, Redshift, and EC2 should reach them through an ENI. Lambda functions without an ENI require these resources to be potentially accessible to any resource located in the same Amazon region as the integrated Lambda. Such a configuration is more permissive than necessary and can potentially lead to data compromise.
CWE: CWE-284 Improper Access Control
Severity: Medium
CVSS: 5.0
Assurance Scope: PCI, NIST
Recommendation: Implement the Principle of Least Privilege for the Lambda function. The Lambda function should have an attached ENI through which it accesses any network-based resources. Such a configuration enables proper network-based access control. https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html
Threat Model STRIDE Mapping: Information Disclosure

📘

Amazon S3

👍

Amazon S3 does not enforce Secure Transport

Description: Insecure traffic to S3 buckets can allow potential attackers to eavesdrop on or manipulate networking traffic using person-in-the-middle attacks.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: Critical
CVSS: 9.0
Assurance Scope: PCI, NIST
Recommendation: Allow only encrypted connections over HTTPS (TLS) by using the aws:SecureTransport condition in Amazon S3 bucket policies. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Boolean
Threat Model STRIDE Mapping: Information Disclosure
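As an added illustration of the checks behind the Lambda public-exposure and administrative-privilege rules above and the S3 Secure Transport rule just described (example code, not Rapticore's own), the following Python evaluates constructed policy documents the way an automated threat modeler might. The account number, bucket and function names are made up, and the aws:PrincipalAccount condition is assumed as one way of scoping a public principal to a single account.

```python
import json

# Constructed sample policies (not from the page or Rapticore): a Lambda resource
# policy open to any principal, the same grant restricted to one account, an S3
# bucket policy that denies non-TLS access, and an over-privileged execution role.
PUBLIC_LAMBDA_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": "*", "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn"}]}
""")

RESTRICTED_LAMBDA_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn",
  "Condition": {"StringEquals": {"aws:PrincipalAccount": "111122223333"}}}]}
""")

S3_TLS_ONLY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
""")

ADMIN_EXECUTION_ROLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")


def _as_list(value):
    """IAM lets Action, Resource and Principal fields be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement"))


def _is_anyone(principal):
    """True for Principal "*" or Principal {"AWS": "*"}: the grant reaches everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def is_publicly_accessible(policy):
    """Rule "exposed to the Public": an Allow to every principal with no Condition.
    Assumption: any Condition block is treated as restricting the grant, which is
    why the aws:PrincipalAccount-restricted policy passes this check."""
    return any(
        st.get("Effect") == "Allow" and _is_anyone(st.get("Principal"))
        and not st.get("Condition")
        for st in _statements(policy)
    )


def grants_admin_privileges(policy):
    """Rule "using Administrative Privileges": an Allow of Action "*" on Resource "*"."""
    return any(
        st.get("Effect") == "Allow"
        and "*" in _as_list(st.get("Action"))
        and "*" in _as_list(st.get("Resource"))
        for st in _statements(policy)
    )


def enforces_secure_transport(policy):
    """Rule "does not enforce Secure Transport": passes only when a Deny on s3:*
    applies to every principal whenever aws:SecureTransport is false."""
    for st in _statements(policy):
        if st.get("Effect") != "Deny" or not _is_anyone(st.get("Principal")):
            continue
        if "s3:*" not in _as_list(st.get("Action")):
            continue
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() == "false":
            return True
    return False


def findings(policy, bucket_policy=False):
    """Names of the rules that fire for one policy document."""
    found = []
    if is_publicly_accessible(policy):
        found.append("exposed to the Public")
    if grants_admin_privileges(policy):
        found.append("using Administrative Privileges")
    if bucket_policy and not enforces_secure_transport(policy):
        found.append("does not enforce Secure Transport")
    return found
```

Running `findings(PUBLIC_LAMBDA_POLICY)` returns the single public-exposure finding, while the restricted Lambda policy and the TLS-only bucket policy produce none.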

👍

Amazon S3 is Not Encrypted

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. It reduces the risk of unauthorized access to data while the data is stored on disk, and it also meets several compliance requirements in addition to meeting security requirements for data protection.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST
Recommendation: Amazon S3 natively supports data-at-rest encryption. Enabling this feature protects Amazon S3 objects. All encryption and decryption operations are handled transparently with minimal impact. Please follow the documentation listed below for enabling data-at-rest encryption for an Amazon S3 bucket. https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
Threat Model STRIDE Mapping: Information Disclosure

👍

Amazon S3 Encryption does not use Customer Master Key

Description: Amazon Secrets Manager provides customers the ability to encrypt secrets like database credentials, API keys, OAuth tokens, etc. The default configuration of Amazon Secrets Manager uses service-generated Master Keys. This can create compliance issues and a loss of granular control over the secret data during the encryption process. Ensure that your Amazon S3 buckets meet security and compliance requirements by enabling CMKs for the Amazon S3 encryption process.
CWE: CWE-653 Insufficient Compartmentalization
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST
Recommendation: Amazon Secrets Manager allows customers to create a Customer Master Key (CMK). A CMK is unique to the customer and gives the customer full access control over the Master Key. Amazon Key Management Service (KMS) enables customers to manage CMKs efficiently. It is highly recommended that customers follow best practice and use CMKs to secure secrets. https://docs.aws.amazon.com/kms/latest/developerguide/manage-cmk-keystore.html
Threat Model STRIDE Mapping: Information Disclosure

👍

Amazon S3 Bucket is Public

Description: Public access to Amazon S3 buckets could allow unauthorized users from the Internet to download, view, modify and delete data on the exposed Amazon S3 bucket, leading to data exposure or data loss.
CWE: CWE-668 Exposure of Resource to the Wrong Sphere
Severity: Critical
CVSS: 9.0
Assurance Scope: PCI, NIST
Recommendation: Review the business needs and restrict access to the Amazon S3 bucket using the Principle of Least Privilege.
Threat Model STRIDE Mapping: Information Disclosure

📘

Amazon DynamoDB

👍

Amazon DynamoDB Cluster is not encrypted with the Customer Master Key

Description: Amazon Secrets Manager provides customers the ability to encrypt secrets like database credentials, API keys, OAuth tokens, etc. The default configuration of Amazon Secrets Manager uses service-generated Master Keys. This can create compliance issues and a loss of granular control over the secret data during the encryption process. Ensure that your DynamoDB table is encrypted with a Customer Master Key to meet security and compliance requirements by enabling CMKs for the DynamoDB table.
CWE: CWE-653 Insufficient Compartmentalization
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: Amazon Secrets Manager allows customers to create a Customer Master Key (CMK). A CMK is unique to the customer and gives the customer full access control over the Master Key. Amazon Key Management Service (KMS) enables customers to manage CMKs efficiently. It is highly recommended that customers follow best practice and use CMKs to secure secrets. https://docs.aws.amazon.com/kms/latest/developerguide/services-dynamodb.html
Threat Model STRIDE Mapping: Tampering, Information Disclosure

📘

Amazon EC2

👍

Amazon EC2 is using the default Security Group

Description: Amazon EC2 instance is using the default Amazon Security Group. Default configurations could potentially lead to an insecure configuration and should be avoided.
CWE: CWE-16 Configuration
Severity: Medium
CVSS: 5.0
Assurance Scope: NIST
Recommendation: Amazon EC2 instance should have a custom Security Group with network access permissions that follow the Principle of Least Privilege.
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

Instance is an Amazon EC2 Classic

Description: Amazon EC2 Classic instances do not provide the same level of security, availability, and performance capabilities as the EC2 instances deployed in VPC.
CWE: CWE-16 Configuration
Severity: High
CVSS: 7.0
Assurance Scope: NIST
Recommendation: As part of a layered defense approach, Amazon EC2 instances should be deployed in VPCs.
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

Amazon EC2 Instance is not using IAM Roles

Description: Long-term credentials sharing and use pose a significant risk of unauthorized access if these credentials are compromised. Mitigation of this risk requires credential rotation, which puts an additional burden on the operations team.
CWE: CWE-284 Improper Access Control
Severity: Medium
CVSS: 5.0
Assurance Scope: NIST
Recommendation: Amazon IAM roles allow access to other Amazon services without using passwords or API keys, improving security and reducing operational overhead.
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

Amazon EC2 Instance is not launched in an Autoscaling Group

Description: The reliability and availability of services delivered through an Amazon EC2 instance launched outside of an Autoscaling Group are not guaranteed, which can result in service downtime.
CWE: CWE-16 Configuration
Severity: Medium
CVSS: 5.0
Assurance Scope: NIST
Recommendation: The high availability and reliability of a service can be significantly improved by launching Amazon EC2 instances within an Autoscaling Group. https://docs.aws.amazon.com/autoscaling/ec2/userguide/GettingStartedTutorial.html
Threat Model STRIDE Mapping: Availability

👍

Amazon EC2 instance is not in the Multi-AZ Auto Scaling Group

Description: The reliability and availability of services delivered through an Amazon EC2 instance launched outside of an Autoscaling Group are not guaranteed, which can result in service downtime. Multi-AZ Auto Scaling Groups provide additional reliability by distributing workloads across multiple Availability Zones.
CWE: CWE-410 Insufficient Resource Pool
Severity: Medium
CVSS: 5.0
Assurance Scope: NIST
Recommendation: The high availability and reliability of a service can be significantly improved by launching Amazon EC2 instances within a Multi-AZ Autoscaling Group. https://docs.aws.amazon.com/autoscaling/ec2/userguide/GettingStartedTutorial.html
Threat Model STRIDE Mapping: Availability

👍

Amazon EC2 EBS Volume is Not Encrypted

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. It reduces the risk of unauthorized access to data while the data is stored on disk, and it also meets several compliance requirements in addition to meeting security requirements for data protection.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: Amazon EBS natively supports data-at-rest encryption. Enable encryption for the EBS volumes attached to Amazon EC2 instances so that the data stored on them is protected.
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

Amazon EC2 EBS Volume is not encrypted with the Customer Master Key

Description: Amazon Secrets Manager provides customers the ability to encrypt secrets like database credentials, API keys, OAuth tokens, etc. The default configuration of Amazon Secrets Manager uses Amazon-generated Master Keys. This can create compliance issues and a loss of granular control over the secret data during the encryption process. Ensure that your EBS volumes meet security and compliance requirements by enabling CMKs for the EBS encryption process.
CWE: CWE-653 Insufficient Compartmentalization
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: Amazon Secrets Manager allows customers to create a Customer Master Key (CMK). A CMK is unique to the customer and gives the customer full access control over the Master Key. Amazon Key Management Service (KMS) enables customers to manage CMKs efficiently. It is highly recommended that customers follow best practice and use CMKs to secure secrets. https://docs.aws.amazon.com/kms/latest/developerguide/manage-cmk-keystore.html
Threat Model STRIDE Mapping: Tampering, Information Disclosure

📘

Amazon API Gateway

👍

Development API Gateway is not integrated with the Amazon Web Application Firewall (WAF)

Description: API-layer vulnerabilities in the application, such as SQLi, XSS, and CSRF, can be exploited, leading to incidents affecting availability, performance, and data security.
CWE: CWE-76 Improper Neutralization of Equivalent Special Elements
Severity: High
CVSS: 8.0
Assurance Scope: PCI, NIST
Recommendation: Integrating Amazon WAF with API Gateway is an effective way to reduce the risk of compromise from application-layer vulnerabilities. See details for implementation at https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html
Threat Model STRIDE Mapping: Tampering, Information Disclosure

📘

Amazon Athena

👍

Amazon Athena Query results are not stored encrypted

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. It reduces the risk of unauthorized access to data while the data is stored on disk, and it also meets several compliance requirements in addition to meeting security requirements for data protection.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST
Recommendation: Amazon Athena natively provides methods to encrypt query results stored in the S3 bucket. Please find details at https://docs.aws.amazon.com/athena/latest/ug/encryption.html
Threat Model STRIDE Mapping: Tampering, Information Disclosure
dependent: None

👍

Amazon Athena Query results are not encrypted with the Customer Master Key (CMK)

Description: Amazon Secrets Manager provides customers the ability to encrypt secrets like database credentials, API keys, OAuth tokens, etc. The default configuration of Amazon Secrets Manager uses service-generated Master Keys. This can create compliance issues and a loss of granular control over the secret data during the encryption process. To meet security and compliance requirements, enable CMKs for the Amazon Athena query result encryption process.
CWE: CWE-653 Insufficient Compartmentalization
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST
Recommendation: Amazon Secrets Manager allows customers to create a Customer Master Key (CMK). A CMK is unique to the customer and gives the customer full access control over the Master Key. Amazon Key Management Service (KMS) enables customers to manage CMKs efficiently. It is highly recommended that customers follow best practice and use CMKs to secure secrets. https://docs.aws.amazon.com/athena/latest/ug/encryption.html

📘

Amazon SNS

👍

Amazon SNS Topic is exposed to Public

Description: Public access to Amazon SNS could allow unauthorized users and attackers from the Internet to publish to or receive from your SNS topic.
CWE: CWE-668 Exposure of Resource to the Wrong Sphere
Severity: Critical
CVSS: 9.0
Assurance Scope: PCI, NIST
Recommendation: Review the business needs and restrict access to Amazon SNS using the Principle of Least Privilege. https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html
Threat Model STRIDE Mapping: Information Disclosure

👍

Amazon SNS Topic is Accessible to Public Subscription

Description: Public access to Amazon SNS could allow unauthorized users to subscribe to your SNS topics resulting in unauthorized users gaining access to sensitive information.
CWE: CWE-284 Improper Access Control
Severity: Critical
CVSS: 9.0
Assurance Scope: PCI, GDPR, NIST
Recommendation: Review the business needs and restrict access to Amazon SNS using the Principle of Least Privilege. https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html
Threat Model STRIDE Mapping: Information Disclosure

👍

Amazon SNS Topic is not Encrypted

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. It reduces the risk of unauthorized access to data while the data is stored on disk, and it also meets several compliance requirements in addition to meeting security requirements for data protection.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, GDPR, HIPAA, NIST
Recommendation: Amazon SNS natively supports data-at-rest encryption. Enabling this feature protects the contents of messages published to your SNS topics. All encryption and decryption operations are handled transparently with minimal impact and allow you to meet your security and regulatory compliance requirements. Please follow the documentation listed below for enabling data-at-rest encryption. https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
Threat Model STRIDE Mapping: Information Disclosure

👍

Amazon SNS Topic is not Encrypted with the Customer Master Key (CMK)

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. The default configuration of Amazon Secrets Manager uses service-generated Master Keys. This can create compliance issues and a loss of granular control over the secret data during the encryption process. To meet security and compliance requirements, enable CMKs for the SNS topic encryption process.
CWE: CWE-653 Insufficient Compartmentalization
Severity: High
CVSS: 7.0
Assurance Scope: PCI, GDPR, HIPAA, NIST
Recommendation: Amazon Secrets Manager allows customers to create a Customer Master Key (CMK). A CMK is unique to the customer and gives the customer full access control over the Master Key. Amazon Key Management Service (KMS) enables customers to manage CMKs efficiently. It is highly recommended that customers follow best practice and use CMKs to secure secrets. https://docs.aws.amazon.com/kms/latest/developerguide/manage-cmk-keystore.html
Threat Model STRIDE Mapping: Information Disclosure

📘

Amazon SQS

👍

Amazon SQS Server-Side Encryption is not enabled

Description: Amazon SQS queues can be used for sending and receiving highly sensitive data. Unencrypted message queues can potentially be read by unauthorized users, leading to data exposure.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, GDPR, HIPAA, NIST
Recommendation: Amazon SQS can be protected by enabling Amazon SQS Server-Side Encryption. This feature protects the content of messages while they are held in the message queue.
Threat Model STRIDE Mapping: Information Disclosure

👍

Amazon SQS Queue is not Encrypted with Customer Master Key (CMK)

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. The default configuration of Amazon Secrets Manager uses service-generated Master Keys. This can create compliance issues and a loss of granular control over the secret data during the encryption process. To meet security and compliance requirements, enable CMKs for the SQS message queue encryption process.
CWE: CWE-653 Insufficient Compartmentalization
Severity: High
CVSS: 7.0
Assurance Scope: PCI, GDPR, HIPAA, NIST
Recommendation: Amazon Secrets Manager allows customers to create a Customer Master Key (CMK). A CMK is unique to the customer and gives the customer full access control over the Master Key. Amazon Key Management Service (KMS) enables customers to manage CMKs efficiently. It is highly recommended that customers follow best practice and use CMKs to secure secrets. https://docs.aws.amazon.com/kms/latest/developerguide/manage-cmk-keystore.html
Threat Model STRIDE Mapping: Information Disclosure

👍

Amazon SQS Queue is exposed to Public

Description: Public access to Amazon SQS could allow unauthorized users to read messages in your SQS queue.
CWE: CWE-284 Improper Access Control
Severity: Critical
CVSS: 9.0
Assurance Scope: PCI, NIST
Recommendation: Review the business needs and restrict access to Amazon SQS using the Principle of Least Privilege. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-identity-based-policies.html
Threat Model STRIDE Mapping: Information Disclosure

📘

Amazon Relational Database Service (RDS)

👍

Amazon RDS Cluster is not encrypted

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. It reduces the risk of unauthorized access to data while the data is stored on disk, and it also meets several compliance requirements in addition to meeting security requirements for data protection.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: Amazon RDS natively supports data-at-rest encryption. Enabling this feature protects an RDS instance's data, indexes, logs, replicas, and snapshots. All encryption and decryption operations are handled transparently with minimal impact on cluster performance. Please follow the documentation listed below for enabling data-at-rest encryption of an Amazon RDS cluster. https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

Amazon RDS Cluster exposed to the Public

Description: Unauthorized users can potentially connect to Amazon RDS from the Internet or from other unauthorized Amazon accounts, resulting in data exposure, data loss, and unexpected changes in Amazon environments.
CWE: CWE-668 Exposure of Resource to the Wrong Sphere
Severity: Critical
CVSS: 9.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: Restrict access to Amazon RDS databases to only authorized and trusted users by implementing appropriate network restrictions using Amazon Security Groups. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

Amazon RDS does not use IAM Database Authentication

Description: Insecure database connections that rely on passwords and insecure database connectors can lead to compromise. Passwords are operationally hard to manage and can lead to availability concerns.
CWE: CWE-284 Improper Access Control
Severity: High
CVSS: 8.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: Amazon RDS for Aurora, MySQL, and Postgres supports the use of IAM roles. Using IAM roles natively supports secure connections between hosts and databases and eliminates the need for password changes. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

Amazon RDS not in Multi-AZ

Description: The reliability and availability of services delivered through an Amazon RDS instance deployed without Multi-AZ are not guaranteed, which can result in service downtime. Multi-AZ deployments provide additional reliability by distributing workloads across multiple Availability Zones.
CWE: CWE-410 Insufficient Resource Pool
Severity: High
CVSS: 8.0
Assurance Scope: PCI, NIST, GDPR, HIPAA
Recommendation: The high availability and reliability of a service can be significantly improved by launching Amazon RDS with a Multi-AZ configuration. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
Threat Model STRIDE Mapping: Denial of Service, Availability

📘

Amazon Elastic File System (EFS)

👍

Amazon EFS Volume is not encrypted

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. It reduces the risk of unauthorized access to data while the data is stored on disk, and it also meets several compliance requirements in addition to meeting security requirements for data protection. Ensure Amazon EFS volumes are encrypted.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, HIPAA
Recommendation: Amazon EFS natively supports data-at-rest encryption. Enabling this feature protects Amazon EFS volume data at rest. All encryption and decryption operations are handled transparently with minimal impact on performance. Please follow the documentation listed below for enabling data-at-rest encryption of an Amazon EFS volume. https://docs.aws.amazon.com/efs/latest/ug/encryption.html
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

👍

Amazon EFS Volume does not enforce data-at-rest encryption using KMS CMKs

Description: Amazon Secrets Manager provides customers the ability to encrypt secrets such as database credentials, API keys, OAuth tokens, etc. The default configuration of Amazon Secrets Manager uses service-generated master keys. This can create compliance issues and a loss of granular control over the secret data during the encryption process. To meet security and compliance requirements, enable CMKs for the Amazon EFS volume encryption process.
CWE: CWE-653 Insufficient Compartmentalization
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, HIPPA
Recommendation: To integrate CloudFront with Amazon WAF, you must create the required WAF Web Access Control List and associate it with the appropriate web distribution. To define and assign a new web ACL, see the following. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

📘

Amazon Firehose

👍

Amazon Firehose does not enforce data-at-rest encryption

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. Encrypting data at rest reduces the risk of unauthorized access to data while it is stored on disk. Data-at-rest encryption also meets several compliance requirements in addition to meeting security requirements for data protection. Ensure Amazon Firehose at least enforces Server-Side Encryption (SSE).
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, HIPPA
Recommendation: Amazon Firehose supports data-at-rest encryption. Enabling this feature protects Amazon Firehose data at rest. All encryption and decryption operations are handled transparently with minimal impact on performance. Please follow the documentation listed below for enabling data-at-rest encryption for Amazon Firehose. https://docs.aws.amazon.com/firehose/latest/dev/encryption.html
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

📘

Amazon Elastic Container Registry(ECR)

👍

Amazon ECR exposed to Public

Description: Amazon Elastic Container Registry uses resource-based policies to control access. These types of permission policies let you specify who has access to your ECR repositories and what actions they can perform on them. Allowing public access to your Amazon ECR image repositories through resource-based policies can lead to data leakage and/or data loss.
CWE: CWE-668 Exposure of Resource to the Wrong Sphere
Severity: Critical
CVSS: 9.0
Assurance Scope: PCI, NIST, HIPPA
Recommendation: Restrict access to Amazon ECR repositories based on business requirements. Following security best practices, resources should not be exposed to the public without a valid business reason. https://aws.amazon.com/ecr/faqs/
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

📘

Amazon Kinesis

👍

Amazon Kinesis does not implement data-at-rest encryption

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. Encrypting data at rest reduces the risk of unauthorized access to data while it is stored on disk. Data-at-rest encryption also meets several compliance requirements in addition to meeting security requirements for data protection. Ensure Amazon Kinesis streams enforce Server-Side Encryption (SSE).
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, HIPPA
Recommendation: Amazon Kinesis supports data-at-rest encryption. Enabling this feature protects Amazon Kinesis data at rest. All encryption and decryption operations are handled transparently with minimal impact on performance. Please follow the documentation listed below for enabling data-at-rest encryption for Amazon Kinesis streams. https://docs.aws.amazon.com/streams/latest/dev/what-is-sse.html
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

👍

Amazon Kinesis does not enforce data-at-rest encryption using KMS CMKs

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. The default configuration of Amazon Secrets Manager uses service-generated master keys. This can create compliance issues and a loss of granular control over the secret data during the encryption process. To meet security and compliance requirements, enable CMKs for Amazon Kinesis.
CWE: CWE-653 Insufficient Compartmentalization
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, HIPPA
Recommendation: Amazon Secrets Manager allows you to create a Customer Master Key (CMK); a CMK is unique to the customer and gives the customer full access control over the master key. Amazon Key Management Service (KMS) enables customers to manage CMKs efficiently. It is highly recommended that customers follow best practice and use CMKs to secure secrets. https://docs.aws.amazon.com/kms/latest/developerguide/manage-cmk-keystore.html
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

📘

Amazon Glue

👍

Amazon Glue Data Catalog objects and connection passwords are not encrypted.

Description: Ensure that Amazon Glue Data Catalog objects and connection passwords are encrypted. Passwords stored in plaintext can be retrieved and used by unauthorized users, leading to data exposure.
CWE: CWE-256 Unprotected Storage of Credentials
Severity: Critical
CVSS: 9.0
Assurance Scope: PCI, NIST, HIPPA
Recommendation: Ensure that Amazon Glue Data Catalog objects and connection passwords are encrypted to prevent unauthorized access. https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

👍

Amazon Glue Data Catalogs does not enforce data-at-rest encryption

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. The default configuration of Amazon Secrets Manager uses service-generated master keys. This can create compliance issues and a loss of granular control over the secret data during the encryption process. To meet security and compliance requirements, enable CMKs for Amazon Glue.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, HIPPA
Recommendation: Amazon Secrets Manager allows you to create a Customer Master Key (CMK); a CMK is unique to the customer and gives the customer full access control over the master key. Amazon Key Management Service (KMS) enables customers to manage CMKs efficiently. It is highly recommended that customers follow best practice and use CMKs to secure secrets. https://docs.aws.amazon.com/kms/latest/developerguide/manage-cmk-keystore.html
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

👍

Amazon Glue Data Catalogs does not enforce data-at-rest encryption using KMS CMKs

Description: Ensure that Amazon Glue Data Catalogs enforce data-at-rest encryption using KMS CMKs.
CWE: CWE-653 Insufficient Compartmentalization
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, HIPPA
Recommendation: Amazon Secrets Manager allows you to create a Customer Master Key (CMK); a CMK is unique to the customer and gives the customer full access control over the master key. Amazon Key Management Service (KMS) enables customers to manage CMKs efficiently. It is highly recommended that customers follow best practice and use CMKs to secure secrets. https://docs.aws.amazon.com/kms/latest/developerguide/manage-cmk-keystore.html
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

📘

Amazon CloudFront

👍

Amazon CloudFront Not Integrated With WAF

Description: With WAF integration enabled, you can block malicious requests made to your CloudFront Content Delivery Network based on the criteria defined in the WAF Web Access Control List (ACL) associated with the CDN distribution.
CWE: CWE-76 Improper Neutralization of Equivalent Special Elements
Severity: High
CVSS: 8.0
Assurance Scope: PCI, NIST
Recommendation: To integrate CloudFront with Amazon WAF, you must create the required WAF Web Access Control List and associate it with the appropriate web distribution. To define and assign a new web ACL, see the following. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

👍

CloudFront Using Insecure Origin SSL Protocols

Description: Using insecure and deprecated SSL protocols for your CloudFront distributions could make the connection between the CloudFront CDN and the origin server vulnerable to exploits such as POODLE (Padding Oracle on Downgraded Legacy Encryption). Such attacks allow an attacker to eavesdrop on your CloudFront traffic over a supposedly secure channel (encrypted with the SSLv3 protocol) using a man-in-the-middle position.
CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
Severity: High
CVSS: 8.0
Assurance Scope: PCI, NIST
Recommendation: To ensure you use secure, non-deprecated SSL/TLS protocols, require HTTPS for communication between CloudFront and your custom origin. To see how to require HTTPS, see the following. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

👍

CloudFront Logging Not Enabled

Description: The CloudFront access logs contain detailed information (requested object name, date and time of the access, client IP, access point, error code, etc.) about each request made for your web content, information that can be extremely useful during security audits or as input data for various analytics/reporting tools. This feature can be combined with Amazon Lambda and Amazon WAF to process the logging data and block requests coming from IP addresses that generate too many error codes, since the requests that cause these errors are often made by attackers trying to find vulnerabilities within your website/web application.
CWE: CWE-778 Insufficient Logging
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, HIPPA, GDPR, APRA
Recommendation: To enable logging on your Amazon CloudFront distributions see the following. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

👍

CloudFront Insecure Security Policy

Description: Using a predefined security policy that enforces TLS version 1.1 or 1.2 as the minimum protocol version for CloudFront distributions can further improve the security of the web applications that use these distributions. For example, if you select a security policy that enforces TLS version 1.1, weak ciphers such as RC4 and 3DES will be automatically excluded.
CWE: CWE-16 Configuration
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, HIPPA, MAS
Recommendation: To view supported SSL/TLS protocols see the following. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html
Threat Model STRIDE Mapping: Tampering, Spoofing, Information Disclosure

📘

Amazon Elastic Kubernetes Service(EKS)

👍

Amazon EKS security groups allow access on ports other than TCP port 443

Description: Amazon EKS security groups allow access to potentially insecure protocols. HTTPS/443 is the standard for transmitting sensitive information over public networks. Using unencrypted transmission channels can potentially lead to data exposure, tampering, and spoofing of data, leading to data or service compromise.
CWE: CWE-319 Cleartext Transmission of Sensitive Information
Severity: High
CVSS: 8.0
Assurance Scope: PCI, NIST
Recommendation: Implement the principle of least privilege and restrict access to the Amazon EKS cluster according to business requirements. https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
Threat Model STRIDE Mapping: Information Disclosure, Spoofing, Tampering

👍

Amazon EKS cluster's Kubernetes API server endpoint is publicly accessible from the Internet

Description: An Amazon EKS cluster whose Kubernetes API server endpoint is publicly accessible can be reached by unauthorized users, leading to data exposure, tampering, and resource misuse.
CWE: CWE-668 Exposure of Resource to the Wrong Sphere
Severity: Critical
CVSS: 9.0
Assurance Scope: PCI, NIST
Recommendation: Implement the principle of least privilege and restrict access to the Amazon EKS cluster according to business requirements. https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
Threat Model STRIDE Mapping: Information Disclosure, Tampering

📘

Amazon ElastiCache

👍

Amazon ElastiCache cluster in EC2 Classic

Description: An Amazon ElastiCache cluster running in EC2-Classic lacks network isolation such as private IP space, network segregation, granular access control, etc. This can potentially increase performance- or security-related risk to the cluster, leading to tampering or data exposure.
CWE: CWE-16 Configuration
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST
Recommendation: The Amazon ElastiCache cluster should be moved to an Amazon VPC to provide better network and host isolation, leading to improved security and performance. https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/VPCs.EC.html
Threat Model STRIDE Mapping: Information Disclosure

👍

Amazon ElastiCache cluster in-transit and at-rest encryption is not enabled.

Description: Encrypting data at rest and in transit reduces the risk of unauthorized access to data while it is stored on disk or sent over the network. Encryption also meets several compliance requirements in addition to meeting security requirements for data protection.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST, GDPR, HIPPA
Recommendation: Amazon ElastiCache supports data-at-rest encryption. Enabling this feature protects an Amazon ElastiCache cluster's data, indexes, logs, replicas, and snapshots. All encryption and decryption operations are handled transparently with minimal impact on cluster performance. Please follow the documentation listed below for enabling data-at-rest encryption of an Amazon ElastiCache cluster. https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

ElastiCache Redis Cache cluster is not using a Multi-AZ.

Description: The ElastiCache Redis cache cluster is not using a Multi-AZ deployment configuration to enhance High Availability (HA) through automatic failover to a read replica in case of a primary cache node failure.
CWE: CWE-410 Insufficient Resource Pool
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST
Recommendation: High availability and resilience of the service can be significantly improved by launching Amazon ElastiCache with a Multi-AZ configuration. https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/AutoFailover.html
Threat Model STRIDE Mapping: Denial of Service, Availability

📘

Amazon Neptune

👍

Amazon Neptune database cluster not using IAM role-based authentication.

Description: The IAM Database Authentication feature is a role-based authentication and authorization service that removes the dependence on access keys and passwords for accessing the database service. IAM roles are superior authentication and authorization mechanisms that significantly reduce the risk of compromise from lost and stolen credentials and eliminate the need for credential rotation.
CWE: CWE-284 Improper Access Control
Severity: High
CVSS: 8.0
Assurance Scope: PCI, NIST
Recommendation: Implement IAM roles for authentication to the Amazon Neptune database cluster. https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html
Threat Model STRIDE Mapping: Information Disclosure, Repudiation, Elevation of Privilege

👍

Amazon Neptune database instance does not receive minor database engine upgrades

Description: Amazon Neptune cluster updates protect and enhance the functionality of the service. Enabling auto-updates will allow the organization to benefit from security and performance improvements.
CWE: CWE-16 Configuration
Severity: Medium
CVSS: 5.0
Assurance Scope: NIST
Recommendation: Enable auto-updates for the Amazon Neptune database instance.
Threat Model STRIDE Mapping: Availability

👍

Amazon Neptune cluster uses a low retention period

Description: The Amazon Neptune cluster should have a retention period aligned with your organization's business continuity goals for the specific Amazon Neptune environment. The data retention period allows for continuity against accidental or malicious tampering with and deletion of business data.
CWE: CWE-410 Insufficient Resource Pool
Severity: Medium
CVSS: 5.0
Assurance Scope: PCI, NIST
Recommendation: Rapticore recommends an Amazon Neptune data retention period of 10 days.
Threat Model STRIDE Mapping: Availability

👍

Amazon Neptune database instances are not encrypted

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. Encrypting data at rest reduces the risk of unauthorized access to data while it is stored on disk. Data-at-rest encryption also meets several compliance requirements in addition to meeting security requirements for data protection.
CWE: CWE-311 Missing Encryption of Sensitive Data
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST
Recommendation: Amazon Neptune has native support for data-at-rest encryption. Enabling this feature protects Neptune's data, indexes, logs, replicas, and snapshots. All encryption and decryption operations are handled transparently with minimal impact on cluster performance. Please follow the documentation listed below for enabling data-at-rest encryption of an Amazon Neptune cluster. https://docs.aws.amazon.com/neptune/latest/userguide/encrypt.html
Threat Model STRIDE Mapping: Tampering, Information Disclosure

👍

Amazon Neptune graph database cluster is not using Multi-AZ deployment configurations

Description: The Amazon Neptune graph database cluster is not using a Multi-AZ deployment configuration.
CWE: CWE-410 Insufficient Resource Pool
Severity: High
CVSS: 7.0
Assurance Scope: PCI, NIST
Recommendation: High availability and resilience of the service can be significantly improved by launching Amazon Neptune with a Multi-AZ configuration. https://docs.aws.amazon.com/neptune/latest/userguide/feature-overview-availability.html
Threat Model STRIDE Mapping: Denial of Service, Availability

👍

Amazon Neptune database instance is not encrypted with the Customer Master Key(CMK)

Description: Data-at-rest encryption provides an additional layer of protection as part of a defense-in-depth approach. The default configuration of Amazon Secrets Manager uses service-generated master keys. This can create compliance issues and a loss of granular control over the secret data during the encryption process. To meet security and compliance requirements, enable CMKs for Amazon Neptune.
CWE: CWE-653 Insufficient Compartmentalization
Assurance Scope: PCI, NIST, GDPR, HIPPA
Severity: High
CVSS: 7.0
Recommendation: Amazon Secrets Manager allows you to create a Customer Master Key (CMK); a CMK is unique to the customer and gives the customer full access control over the master key. Amazon Key Management Service (KMS) enables customers to manage CMKs efficiently. It is highly recommended that customers follow best practice and use CMKs to secure secrets. https://docs.aws.amazon.com/kms/latest/developerguide/manage-cmk-keystore.html
Threat Model STRIDE Mapping: Tampering, Information Disclosure