Use of an insecure channel - AWS

Description

Communication over an insecure medium or channel requires the application itself to protect its data in transit.

Impact

  • Intercept and compromise communications channels between the client and the server.
  • Compromise sensitive information that travels in plain text.

Recommendation

  • Enable secure cipher suites and encryption protocols.
  • Encryption and data integrity authentication are important for protecting the communications channel.
  • It is equally important to authenticate the identity of the remote end of the connection.

Threat

Anonymous attacker from adjacent network performing a MitM attack

Expected Remediation Time

⌚ 90 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: H
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
  • Score:
    • Base: 2.6
    • Temporal: 2.4
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The AWS resource enables a secure transport configuration: access is granted only when the request was made over TLS (aws:SecureTransport is true)

Resources:
  BucketPolicy1:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: DOC-EXAMPLE-BUCKET
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            # Fn::Join builds the object ARN arn:aws:s3:::DOC-EXAMPLE-BUCKET/*
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - DOC-EXAMPLE-BUCKET
                - /*
            Principal: '*'
            Condition:
              Bool:
                'aws:SecureTransport': true

Non-compliant code

The AWS resource does not enable a secure transport configuration: access is granted precisely when the request was made without TLS (aws:SecureTransport is false)

Resources:
  BucketPolicy1:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: DOC-EXAMPLE-BUCKET
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            # Fn::Join builds the object ARN arn:aws:s3:::DOC-EXAMPLE-BUCKET/*
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - DOC-EXAMPLE-BUCKET
                - /*
            Principal: '*'
            Condition:
              Bool:
                'aws:SecureTransport': false

The AWS resource does not require that requests be performed over SSL/TLS; its only Allow statement matches when aws:SecureTransport is false

resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "MYBUCKETPOLICY",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "8.8.8.8/32"},
        "Bool": {"aws:SecureTransport": "False"}
      }
    }
  ]
}
POLICY
}

Using the AWS CLI, verify that the AWS resource does not allow an insecure transport channel

$ aws s3api get-bucket-policy \
    --bucket cc-media-repo \
    --query Policy \
    --output text > s3-access-policy.json

The command writes the bucket policy to s3-access-policy.json. If that document has aws:SecureTransport set to false in an Allow statement, the resource does not enable a secure transport configuration.
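The review step above, implemented in code as an added example (not code from the original page or from AWS): the script reads a policy document as saved by the get-bucket-policy command, flags Allow statements that permit or do not rule out plaintext requests, and recognises the canonical enforcement pattern, a Deny that fires when aws:SecureTransport is false. The bucket name my_tf_test_bucket, the statement Sids and both sample policies are constructed values.

```python
import json
COND_KEY = "aws:securetransport"  # IAM condition keys are case-insensitive

def _as_list(value):
    # IAM accepts either a scalar or a list for Statement, Action, Resource, ...
    return [] if value is None else (value if isinstance(value, list) else [value])

def _secure_transport(statement):
    # True/False if the statement conditions on aws:SecureTransport, None if it does not.
    condition = statement.get("Condition") or {}
    for operator in ("Bool", "BoolIfExists"):
        for key, value in (condition.get(operator) or {}).items():
            if key.lower() == COND_KEY:
                return str(_as_list(value)[0]).lower() == "true"
    return None

def check_policy(policy_text):
    """Return {'enforces_https': bool, 'findings': [str]} for a bucket policy JSON document."""
    statements = _as_list(json.loads(policy_text).get("Statement"))
    # Canonical enforcement is a Deny that fires when aws:SecureTransport is false
    # (the Action/Resource scope of that Deny is not evaluated here).
    enforces = any(s.get("Effect") == "Deny" and _secure_transport(s) is False for s in statements)
    findings = []
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        sid, secure = s.get("Sid", "<no Sid>"), _secure_transport(s)
        if secure is False:
            findings.append(f"{sid}: Allow statement explicitly permits plaintext HTTP requests")
        elif secure is None and not enforces:
            findings.append(f"{sid}: Allow statement does not require TLS and no Deny enforces it")
    return {"enforces_https": enforces, "findings": findings}

# Constructed sample: the policy from the non-compliant Terraform example above.
NONCOMPLIANT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "IPAllow", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "8.8.8.8/32"},
                   "Bool": {"aws:SecureTransport": "False"}}}]})
# Constructed sample: read access plus a Deny that rejects every plaintext request.
COMPLIANT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my_tf_test_bucket/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":  # run against the two constructed samples
    for name, doc in (("non-compliant", NONCOMPLIANT_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(name, check_policy(doc))
```

To check a real bucket, pass the contents of s3-access-policy.json to check_policy instead of the constructed samples.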

Requirements