Skip to main content

Security controls absence - Monitoring


The application lacks of alert or notification mechanisms in the presence of critical changes in the system, such as: access and modification of resources, roles creation, among others.


Perform potentially harmful operations in the system without raising an alert.


Set notification mechanisms in critical changes in the system resources or services.


Authenticated attacker from the Internet who succeeded to compromise a resource.

Expected Remediation Time

⌚ 90 minutes.


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: H
  • Availability: N


  • Exploit code madurity: P
  • Remediation level: U
  • Report confidence: C


  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:U/RC:C
  • Score:
    • Base: 5.3
    • Temporal: 5.0
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Sensitive resources have notification mechanisms in place to report changes

resource "aws_iam_notification" "iam_notification" {
lambda_function {
lambda_function_arn = aws_lambda_function.func.arn
events = ["iam:Edited*"]
filter_prefix = "AWSLogs/"
filter_suffix = ".log"

depends_on = []

Non compliant code

There are sensitive resources in the application that do not have notification mechanisms in case of changes