SYM_CONF_0297 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Key Management Errors
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-320: CWE CATEGORY: Key Management Errors |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The EMR security configuration does not specify encryption at rest using a customer-managed KMS key (CMK). Without a CMK, you lack full control over data encryption and key management for your EMR clusters.
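One way to check an EMR security configuration document for the condition described above, as an added example (not this rule's own implementation). It assumes the standard EMR security configuration JSON layout; `cmk_findings`, the sample configurations and the key ARN are constructed for illustration, and any configured `AwsKmsKey` is treated as customer-managed because confirming who manages the key requires a KMS lookup.

```python
import json

# Constructed sample: at-rest encryption is on, but S3 uses SSE-S3 (no KMS key)
# and local disk encryption is not configured at all.
WEAK = """{
  "EncryptionConfiguration": {
    "EnableInTransitEncryption": false,
    "EnableAtRestEncryption": true,
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"}
    }
  }
}"""

# Constructed sample: both S3 and local disk reference a KMS key (placeholder ARN).
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
HARDENED = json.dumps({
    "EncryptionConfiguration": {
        "EnableInTransitEncryption": False,
        "EnableAtRestEncryption": True,
        "AtRestEncryptionConfiguration": {
            "S3EncryptionConfiguration": {"EncryptionMode": "SSE-KMS", "AwsKmsKey": KEY},
            "LocalDiskEncryptionConfiguration": {
                "EncryptionKeyProviderType": "AwsKms", "AwsKmsKey": KEY},
        },
    }
})

def cmk_findings(config_json):
    """Return the reasons a security configuration lacks KMS-key encryption at rest."""
    enc = json.loads(config_json).get("EncryptionConfiguration", {})
    if not enc.get("EnableAtRestEncryption"):
        return ["at-rest encryption is disabled"]
    at_rest = enc.get("AtRestEncryptionConfiguration", {})
    findings = []
    s3 = at_rest.get("S3EncryptionConfiguration", {})
    if s3.get("EncryptionMode") not in ("SSE-KMS", "CSE-KMS") or not s3.get("AwsKmsKey"):
        findings.append("S3 (EMRFS) data is not encrypted with a KMS key")
    disk = at_rest.get("LocalDiskEncryptionConfiguration", {})
    if disk.get("EncryptionKeyProviderType") != "AwsKms" or not disk.get("AwsKmsKey"):
        findings.append("local disk is not encrypted with a KMS key")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, cmk_findings(cfg) or "OK")
```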
Impact
If EMR data is not encrypted with a CMK, sensitive information stored on the cluster could be exposed if the storage is accessed by unauthorized users or compromised. This increases the risk of data breaches and may lead to compliance violations, as you cannot enforce key rotation or restrict key access according to your organization’s security policies.