SYM_CONF_0283 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Key Management Errors
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-320: CWE CATEGORY: Key Management Errors |
OWASP | A03:2017 - Sensitive Data Exposure |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
S3 objects copied with the `aws_s3_object_copy` resource are not encrypted with a customer-managed KMS key (CMK). When no KMS key is specified, the copied data may rely on default encryption, which reduces control over key management and access.
Impact
If a KMS CMK is not used, sensitive data in S3 may be less protected, increasing the risk of unauthorized access or insufficient auditability. Attackers or unauthorized users could potentially access or decrypt data if default keys are compromised or not properly managed.
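The following Terraform configuration is an added example, not taken from the rule's own documentation. It shows an `aws_s3_object_copy` resource that omits the KMS key next to one that sets it. Bucket names, object keys and resource labels are placeholders, and the assumption is that the finding is raised when `kms_key_id` is absent.

```hcl
# Constructed example: bucket names, object keys and resource labels are placeholders.

# Customer-managed key (CMK) that will protect the copied object.
resource "aws_kms_key" "copy" {
  description             = "CMK for copied S3 objects"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Non-compliant: no kms_key_id is set, so the copy may rely on default
# encryption instead of a key whose policy and rotation you control.
resource "aws_s3_object_copy" "flagged" {
  bucket = "example-destination-bucket"
  key    = "reports/summary-flagged.csv"
  source = "example-source-bucket/reports/summary.csv"
}

# Compliant: the copy is written with SSE-KMS under the CMK defined above.
resource "aws_s3_object_copy" "compliant" {
  bucket = "example-destination-bucket"
  key    = "reports/summary.csv"
  source = "example-source-bucket/reports/summary.csv"

  server_side_encryption = "aws:kms"
  # The provider expects the fully qualified key ARN here, not the key ID.
  kms_key_id = aws_kms_key.copy.arn
}
```

The identity that runs the copy also needs permission to use the CMK, and access to the copied object is then governed by the key policy as well as the bucket policy.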