Authentication mechanism absence or evasion - AWS

Description

The system has not been configured with any of the available AWS authentication mechanisms, or the mechanism it uses can be bypassed.

Impact

Access control is among the most critical parts of an information security program.

Recommendation

Set up the AWS authentication mechanisms based on an evaluation of the business security requirements.

Threat

Unauthorized attacker with a chance of bypassing the authentication process.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 6.5
    • Temporal: 6.5
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

There is at least one authentication mechanism enabled in the system

resource "aws_iam_saml_provider" "default" {
  name                   = "my-saml-provider"
  saml_metadata_document = file("saml-metadata.xml")
}

resource "aws_cognito_identity_pool" "main" {
  identity_pool_name               = "identity pool"
  allow_unauthenticated_identities = false
  allow_classic_flow               = false

  cognito_identity_providers {
    client_id               = "6lhlkkfbfb4q5kpp90urffae"
    provider_name           = "cognito-idp.us-east-1.amazonaws.com/us-east-1_Tv0493apJ"
    server_side_token_check = false
  }

  supported_login_providers = {
    "/auth" = "7346241598935552"
  }
}

Non compliant code

The system does not define any authentication mechanisms

resource "aws_iam_saml_provider" "default" {
  name                   = "my-saml-provider"
  saml_metadata_document = file("saml-metadata.xml")
}

resource "aws_cognito_identity_pool" "main" {
  identity_pool_name               = "identity pool"
  allow_unauthenticated_identities = true
  allow_classic_flow               = true
}
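
The following is an added example, not part of this page's original content: a small lint that flags the non-compliant pattern above by finding every aws_cognito_identity_pool resource whose top-level allow_unauthenticated_identities or allow_classic_flow flag is true. It is a deliberately simple regex and brace-matching scan (not a full HCL parser) and assumes the flat attribute layout shown in the examples; the two embedded Terraform snippets are constructed to mirror the compliant and non-compliant code.

```python
import re

# Assumed, constructed Terraform inputs mirroring the two examples above.
NONCOMPLIANT = '''
resource "aws_cognito_identity_pool" "main" {
  identity_pool_name               = "identity pool"
  allow_unauthenticated_identities = true
  allow_classic_flow               = true
}
'''
COMPLIANT = '''
resource "aws_cognito_identity_pool" "main" {
  identity_pool_name               = "identity pool"
  allow_unauthenticated_identities = false
  allow_classic_flow               = false

  cognito_identity_providers {
    client_id = "example-client-id"   # constructed value
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aws_cognito_identity_pool"\s+"([^"]+)"\s*\{')
RISKY_FLAGS = ("allow_unauthenticated_identities", "allow_classic_flow")

def _block_body(text, start):
    """Return the text between the brace at `start` and its matching close."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform source")

def _top_level_flags(body):
    """Collect `name = true|false` assignments at depth 0; nested blocks are skipped."""
    flags, depth = {}, 0
    for line in body.splitlines():
        stripped = line.strip()
        if depth == 0:
            m = re.match(r'(\w+)\s*=\s*(true|false)\b', stripped)
            if m:
                flags[m.group(1)] = m.group(2) == "true"
        depth += stripped.count("{") - stripped.count("}")
    return flags

def find_open_identity_pools(hcl):
    """Return [(pool_name, [risky flags set to true]), ...] for the given HCL text."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        flags = _top_level_flags(_block_body(hcl, m.end() - 1))
        risky = [f for f in RISKY_FLAGS if flags.get(f)]  # unset flags default to false
        if risky:
            findings.append((m.group(1), risky))
    return findings
```

Running find_open_identity_pools over NONCOMPLIANT reports the "main" pool with both flags, while COMPLIANT yields no findings.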

Requirements