Security controls absence - Monitoring
Description
The application lacks of alert or notification mechanisms in the presence of critical changes in the system, such as: access and modification of resources, roles creation, among others.
Impact
Perform potentially harmful operations in the system without raising an alert.
Recommendation
Set notification mechanisms in critical changes in the system resources or services.
Threat
Authenticated attacker from the Internet who succeeded to compromise a resource.
Expected Remediation Time
⌚ 90 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: H
- Availability: N
Temporal
- Exploit code madurity: P
- Remediation level: U
- Report confidence: C
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:U/RC:C
- Score:
- Base: 5.3
- Temporal: 5.0
- Severity:
- Base: Medium
- Temporal: Medium
Code Examples
Compliant code
Sensitive resources have notification mechanisms in place to report changes
resource "aws_iam_notification" "iam_notification" {
lambda_function {
lambda_function_arn = aws_lambda_function.func.arn
events = ["iam:Edited*"]
filter_prefix = "AWSLogs/"
filter_suffix = ".log"
}
depends_on = [resource.name]
}
Non compliant code
There are sensitive resources in the application that do not have notification mechanisms in case of changes