Skip to main content

Security controls absence - Monitoring

Description

The application lacks of alert or notification mechanisms in the presence of critical changes in the system, such as: access and modification of resources, roles creation, among others.

Impact

Perform potentially harmful operations in the system without raising an alert.

Recommendation

Set notification mechanisms in critical changes in the system resources or services.

Threat

Authenticated attacker from the Internet who succeeded to compromise a resource.

Expected Remediation Time

⌚ 90 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: H
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: U
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:U/RC:C
  • Score:
    • Base: 5.3
    • Temporal: 5.0
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Sensitive resources have notification mechanisms in place to report changes

resource "aws_iam_notification" "iam_notification" {
lambda_function {
lambda_function_arn = aws_lambda_function.func.arn
events = ["iam:Edited*"]
filter_prefix = "AWSLogs/"
filter_suffix = ".log"
}

depends_on = [resource.name]
}

Non compliant code

There are sensitive resources in the application that do not have notification mechanisms in case of changes

Requirements