411 – Insecure encryption algorithm - Default encryption

Description

Some Amazon services support Key Management Service (KMS). As a good practice, it is recommended to use Customer Controlled Keys (CMK) instead of the default keys, in order to take full advantage of the KMS service.

Impact

- Obtain sensitive information in plain text - Lose the malleability and control offered by a Customer Managed Key

Recommendation

Enable the encryption using KMS Customer Controlled Keys (CMK)

Threat

Authenticated attacker from the Internet with access to the service

Expected Remediation Time

20 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): L
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 147 - Use pre-existent mechanisms
• 151 - Separate keys for encryption and signatures
• 181 - Transmit data using secure protocols
• 224 - Use secure cryptographic mechanisms

Fixes

• Aws
• Csharp
• Go
• Java
• Ruby
• Scala

Last updated

2024/02/21