Toxic Combination - Blended Rules
š Public EC2 instances with unrestricted IAM roles can be exploited, potentially granting unauthorized access to your AWS resources.
- Section: Identity and Access Management
- Severity: Critical
- CWE: CWE-250 Execution with Unnecessary Privileges
- Assurance Scope: PCI, NIST
- Threat Modeling Principal: Information Disclosure, Escalation of Privileges
- Rule Set: Rapticore Benchmark
š Even non-public EC2 instances shouldn't have unrestricted IAM roles. Privilege escalation can occur if breached.
- Section: Identity and Access Management
- Severity: High
- CWE: CWE-250 Execution with Unnecessary Privileges
- Assurance Scope: PCI, NIST
- Threat Modeling Principal: Information Disclosure, Escalation of Privileges
- Rule Set: Rapticore Benchmark
š Combining IMDSv1 with over permissive IAM roles on public EC2 can amplify risks, from data breaches to malicious resource manipulation.
- Section: Public Exposure
- Severity: Critical
- CWE: CWE-668 Exposure of Resource to the Wrong Sphere
- Assurance Scope: PCI, NIST, GDPR, HIPPA
- Threat Modeling Principal: Tampering, Information Disclosure, Escalation of Privileges
- Rule Set: Threat Modeling - Cloud Configuration Check
š IMDSv1 on public EC2 instances lacks certain security features, making them more susceptible to unauthorized resource access or data exfiltration.
- Section: Public Exposure
- Severity: Critical
- CWE: CWE-668 Exposure of Resource to the Wrong Sphere
- Assurance Scope: PCI, NIST, GDPR, HIPPA
- Threat Modeling Principal: Tampering, Information Disclosure, Escalation of Privileges
- Rule Set: Threat Modeling - Cloud Configuration Check
š Public EC2 instances with excessively broad IAM roles can become key targets, leading to resource misuse or data compromise.
- Section: Public Exposure
- Severity: Critical
- CWE: CWE-668 Exposure of Resource to the Wrong Sphere
- Assurance Scope: PCI, NIST, GDPR, HIPPA
- Threat Modeling Principal: Tampering, Information Disclosure, Escalation of Privileges
- Rule Set: Threat Modeling - Cloud Configuration Check
Updated about 1 year ago
Whatās Next