Art.32(1)(a)-encryption-at-rest — Encryption of personal data at rest FAIL
Category: n/a · Violations: 23
Customer-managed KMS key '0a1b2c3d-4e5f-4a1b-8c2d-000000000003' has automatic key rotation DISABLED. CC6.3 expects cryptographic credential rotation cadence; AWS recommends enabling annual automatic rotation for customer-managed symmetric encryption keys. Enable via kms:EnableKeyRotation, or document the manual rotation procedure for auditor walkthrough. Source: aws-kms-auditor
Art. 32(1)(a) substrate — CMK rotation hygiene for at-rest encryption keys.
RDS DB instance 'northwind-orders-db' has storage encryption DISABLED (StorageEncrypted=false). C1.1 confidentiality gap: underlying EBS volume, automated snapshots, and read-replicas all unencrypted; no crypto-shred capability. Storage encryption cannot be enabled in-place — requires snapshot + restore-to-new-instance with KmsKeyId set. Source: aws-rds-auditor
Art. 32(1)(a) substrate — an RDS instance with StorageEncrypted=false leaves its storage, automated snapshots, and read-replicas unencrypted at rest: a direct encryption-of-personal-data-at-rest gap. At-rest fleet-sweep parity 2026-06-22 (RDS already routed to the at-rest set in 5/7 frameworks; closing the iso/gdpr asymmetry). Personal-data-scope: an Art. 32 finding ONLY if the database holds personal data (confirm vs Art. 30 RoPA). art83(4)-lower tier. Plugin 1140.
SQS queue 'https://sqs.us-east-1.amazonaws.com/123456789012/nw-order-events' has encryption-at-rest DISABLED (SqsManagedSseEnabled=false AND no KmsMasterKeyId set). C1.1 confidentiality gap: queue message bodies are stored on Amazon's SQS service infrastructure in cleartext (subject to Amazon employee operational access per the AWS shared-responsibility model). Enable SqsManagedSseEnabled=true (AWS-managed) OR set KmsMasterKeyId to a customer-managed CMK alias (customer key custody). Source: aws-sqs-sns-auditor
Art. 32(1)(a) substrate — SQS encryption-at-rest DISABLED leaves personal data in message bodies unencrypted at rest. Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1150.
SNS topic 'arn:aws:sns:us-east-1:123456789012:nw-notifications' has encryption-at-rest DISABLED (no KmsMasterKeyId set). C1.1 confidentiality gap: published messages are stored on Amazon's SNS service infrastructure in cleartext until delivery. SNS has no SQS-managed-SSE equivalent — the ONLY at-rest encryption mechanism is a customer-set KmsMasterKeyId. Enable via SetTopicAttributes KmsMasterKeyId=<alias/aws/sns or CMK alias>. Source: aws-sqs-sns-auditor
Art. 32(1)(a) substrate — SNS encryption-at-rest DISABLED leaves personal data in published messages unencrypted at rest. Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1150.
EC2 account default EBS encryption is DISABLED in ap-south-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-north-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ca-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in sa-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-southeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-southeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EBS volume 'vol-0abcdef0100000014' attached to instance 'i-0a1b2c3d4e5f60718' has encryption DISABLED (Encrypted=false). C1.1 confidentiality gap: volume data at rest is stored unencrypted; without encryption there is no crypto-shred capability on decommission. Remediate by recreating the volume from an encrypted snapshot (default EBS encryption recommended account-wide). Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — an EBS volume with Encrypted=false leaves personal data unencrypted at rest. At-rest fleet-sweep parity 2026-06-22. Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-east-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region. Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
ElastiCache Redis cache-cluster 'nw-session-cache' has at-rest encryption DISABLED (AtRestEncryptionEnabled=false). C1.1 confidentiality gap: cache data persisted to EBS snapshots + cross-region replication backups stored unencrypted; no crypto-shred capability. At-rest encryption cannot be enabled in-place — requires snapshot-restore-to-new-cluster with KmsKeyId set + DR window for data migration. Source: aws-elasticache-redis-auditor
Art. 32(1)(a) substrate — ElastiCache Redis with at-rest encryption DISABLED leaves personal data in the cache unencrypted at rest. At-rest fleet-sweep parity (reviewer fold) 2026-06-22. Personal-data-scope: an Art. 32 finding ONLY if the cache holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1180.
Art.32(1)(b)-confidentiality — Ongoing confidentiality of processing systems and services FAIL
Category: n/a · Violations: 16
SHADOW ADMIN: User has full wildcard (*) permissions. Source: aws-iam-deep-auditor
Art. 32(1)(b) confidentiality substrate — shadow-admin paths defeat least-privilege over personal-data systems.
No MFA configured on active IAM user. Source: aws-iam-deep-auditor
Art. 32(1)(b) confidentiality substrate — missing MFA weakens access control to personal data.
Shadow admin path: northwind-deploy → northwind-ci-role (role) [inline: northwind-ci-policy]. Source: aws-iam-deep-auditor
Art. 32(1)(b) confidentiality substrate — shadow-admin paths defeat least-privilege over personal-data systems.
SHADOW ADMIN: User has full wildcard (*) permissions. Source: aws-iam-deep-auditor
Art. 32(1)(b) confidentiality substrate — shadow-admin paths defeat least-privilege over personal-data systems.
No MFA configured on active IAM user. Source: aws-iam-deep-auditor
Art. 32(1)(b) confidentiality substrate — missing MFA weakens access control to personal data.
Shadow admin path: northwind-root → northwind-ci-role (role) [via policy: arn:aws:iam::aws:policy/AdministratorAccess, arn:aws:iam::aws:policy/AdministratorAccess-Amplify]. Source: aws-iam-deep-auditor
Art. 32(1)(b) confidentiality substrate — shadow-admin paths defeat least-privilege over personal-data systems.
Bucket policy grants public access. Source: aws-s3-auditor
Art. 32(1)(b) confidentiality substrate — policy-granted public access to a store.
Object ACL grants public access (AllUsers) on 2 of 7 sampled objects – objects publicly accessible. Source: aws-s3-auditor
Art. 32(1)(b) confidentiality substrate — confirmed public accessibility of bucket/objects.
Object ACL grants public access (AllUsers) on 1 of 1 sampled non-current versions – objects publicly accessible. Source: aws-s3-auditor
Art. 32(1)(b) confidentiality substrate — confirmed public accessibility of bucket/objects.
KMS key '0a1b2c3d-4e5f-4a1b-8c2d-000000000003' policy grants Principal: AWS: "*" on 1 sensitive action(s) [kms:Decrypt] WITHOUT Condition (any authenticated AWS principal can perform these confidentiality-boundary-crossing actions). C1.1 confidentiality-boundary risk. Source: aws-kms-auditor
Art. 32(1)(b) confidentiality substrate — Principal:* on sensitive KMS actions including Decrypt / ReEncrypt* / GenerateDataKey* grants read-of-plaintext capability to any authenticated AWS principal. Anchored on the `C1.1 confidentiality-boundary risk` trailer so it excludes the demoted AWS-managed-CMK-template INFO (service-scoped, by-design). Personal-data-scope + proportionality caveats control-level. Inherits soc2 C1.1.
IAM principal 'northwind-deploy' (user) has effective kms:Decrypt on Resource:* via policy inline-user:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block. Source: aws-iam-effective-decrypt-auditor
Art. 32(1)(b) confidentiality substrate — an IAM principal with effective kms:Decrypt on Resource:* can read (decrypt) personal data protected by every CMK that admits it (account-wide decrypt reach). Decrypt-SPECIFIC (plugin 1110 emits this only for decrypt-equivalent ops → genuine read-of-plaintext; no action-agnostic over-claim, unlike the wildcard-on-sensitive KMS anchor), so the confidentiality home is correct. Dual-homed with Art.32(4)-instruction-bound: completes the cross-vector confidentiality view so all three KMS-decrypt vectors (key-policy admission + grant + identity-policy) route here. Personal-data-scope + four-factor proportionality + art83Tier 83(4)-lower caveats control-level. Inherits soc2 CC6.1; real-engine ==.
IAM principal 'northwind-root' (user) has effective kms:Decrypt on Resource:* via policy attached-managed:AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess) (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block. Source: aws-iam-effective-decrypt-auditor
Art. 32(1)(b) confidentiality substrate — an IAM principal with effective kms:Decrypt on Resource:* can read (decrypt) personal data protected by every CMK that admits it (account-wide decrypt reach). Decrypt-SPECIFIC (plugin 1110 emits this only for decrypt-equivalent ops → genuine read-of-plaintext; no action-agnostic over-claim, unlike the wildcard-on-sensitive KMS anchor), so the confidentiality home is correct. Dual-homed with Art.32(4)-instruction-bound: completes the cross-vector confidentiality view so all three KMS-decrypt vectors (key-policy admission + grant + identity-policy) route here. Personal-data-scope + four-factor proportionality + art83Tier 83(4)-lower caveats control-level. Inherits soc2 CC6.1; real-engine ==.
IAM principal 'northwind-ci-role' (role) has effective kms:Decrypt on Resource:* via policy inline-role:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block. Source: aws-iam-effective-decrypt-auditor
Art. 32(1)(b) confidentiality substrate — an IAM principal with effective kms:Decrypt on Resource:* can read (decrypt) personal data protected by every CMK that admits it (account-wide decrypt reach). Decrypt-SPECIFIC (plugin 1110 emits this only for decrypt-equivalent ops → genuine read-of-plaintext; no action-agnostic over-claim, unlike the wildcard-on-sensitive KMS anchor), so the confidentiality home is correct. Dual-homed with Art.32(4)-instruction-bound: completes the cross-vector confidentiality view so all three KMS-decrypt vectors (key-policy admission + grant + identity-policy) route here. Personal-data-scope + four-factor proportionality + art83Tier 83(4)-lower caveats control-level. Inherits soc2 CC6.1; real-engine ==.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [5432 PostgreSQL]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR. Source: aws-ec2-sg-perimeter-auditor
Art. 32(1)(b) confidentiality substrate — a Security Group exposing a restricted management/data-tier port (SSH/RDP/DB) to a public-internet source range (literal 0.0.0.0/0, a public CIDR, or a split-range covering all IPv4/IPv6) is the same confidentiality-of-processing-systems concern as the all-protocol case (which already routes here) and the Azure NSG restricted-port analog (which routes to Art.32(1)(b)). Closes the AWS-SG cross-cloud/cross-dim under-claim (review C2-3). Inherits soc2.json (CC6.6). Plugin 1170.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [22 SSH]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR. Source: aws-ec2-sg-perimeter-auditor
Art. 32(1)(b) confidentiality substrate — a Security Group exposing a restricted management/data-tier port (SSH/RDP/DB) to a public-internet source range (literal 0.0.0.0/0, a public CIDR, or a split-range covering all IPv4/IPv6) is the same confidentiality-of-processing-systems concern as the all-protocol case (which already routes here) and the Azure NSG restricted-port analog (which routes to Art.32(1)(b)). Closes the AWS-SG cross-cloud/cross-dim under-claim (review C2-3). Inherits soc2.json (CC6.6). Plugin 1170.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [6379 Redis]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR. Source: aws-ec2-sg-perimeter-auditor
Art. 32(1)(b) confidentiality substrate — a Security Group exposing a restricted management/data-tier port (SSH/RDP/DB) to a public-internet source range (literal 0.0.0.0/0, a public CIDR, or a split-range covering all IPv4/IPv6) is the same confidentiality-of-processing-systems concern as the all-protocol case (which already routes here) and the Azure NSG restricted-port analog (which routes to Art.32(1)(b)). Closes the AWS-SG cross-cloud/cross-dim under-claim (review C2-3). Inherits soc2.json (CC6.6). Plugin 1170.
Art.32(1)(d)-testing-effectiveness — Process for regularly testing and evaluating the effectiveness of security measures FAIL
Category: n/a · Violations: 34
⚠️ Coverage caveat: PARTIAL — this recurring scan + vulnerability/threat-detection substrate is one input to the Art. 32(1)(d) regular-testing process; it is NOT the whole. The operator's penetration testing, DR drills, and documented test-evaluate-remediate process complete the obligation. Per the audit-gdpr-art32 Class J discipline: the engine must not claim it IS the operator's regular testing.
AWS GuardDuty is NOT ENABLED in region 'ap-south-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector. Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required. Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'eu-north-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector. Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required. Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'eu-west-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector. Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required. Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'eu-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector. Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required. Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'eu-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector. Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required. Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector. Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'ca-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'sa-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'eu-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'us-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'us-east-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'us-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'us-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
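The per-region GuardDuty and Inspector2 checks behind the findings above, as an added example that is not part of the aws-inspector-guardduty-auditor plugin or of this report: a region whose guardduty:ListDetectors returns no detector IDs is reported as a threat-detection gap, and an inspector2:BatchGetAccountStatus response with no account-status body (or a call that fails outright) is classified conservatively as LOW + evidenceGap rather than as a pass. The per-region API bodies are constructed samples shaped like the real boto3 responses; the live collector at the bottom assumes boto3 and credentials with guardduty:ListDetectors, inspector2:BatchGetAccountStatus and sts:GetCallerIdentity, and only runs when the file is executed directly.

```python
"""Multi-region GuardDuty / Inspector2 coverage classifier (added example, not the
audit plugin's own code). A None API body means the call failed or was denied and is
treated as an evidence gap, so a region never drops out of the report silently."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    region: str
    check: str
    severity: str
    evidence_gap: bool
    remediation: str


def classify_guardduty(region: str, body: Optional[Dict[str, Any]]) -> Optional[Finding]:
    """None body = enumeration failed; empty DetectorIds = GuardDuty not enabled here."""
    if body is None:
        return Finding(region, "EE-RT.1.2 multi-region-enumeration-incomplete (GuardDuty)",
                       "LOW", True, "Auditor walkthrough required")
    if body.get("DetectorIds"):
        return None
    return Finding(region, "guardduty-not-enabled", "HIGH", False,
                   "guardduty:CreateDetector Enable=true (detectors are regional)")


def classify_inspector2(region: str, account_id: str, body: Optional[Dict[str, Any]]) -> Optional[Finding]:
    """No account-status entry for this account = evidence gap, never a pass."""
    mine = [a for a in (body or {}).get("accounts", []) if a.get("accountId") == account_id]
    status = mine[0].get("state", {}).get("status") if mine else None
    if status is None:
        return Finding(region, "EE-RT.1.2 multi-region-enumeration-incomplete (Inspector2)",
                       "LOW", True, "Auditor walkthrough required")
    if status == "ENABLED":
        return None
    return Finding(region, "inspector2-not-enabled", "MEDIUM", False,
                   f"inspector2:Enable resourceTypes=EC2,ECR (status is {status})")


def classify_account(account_id: str, per_region: Dict[str, Dict[str, Any]]) -> List[Finding]:
    """per_region: region -> {'guardduty': ListDetectors body, 'inspector2': BatchGetAccountStatus body}."""
    findings: List[Finding] = []
    for region in sorted(per_region):
        bodies = per_region[region]
        for f in (classify_guardduty(region, bodies.get("guardduty")),
                  classify_inspector2(region, account_id, bodies.get("inspector2"))):
            if f is not None:
                findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    return {
        "regions_without_guardduty": sorted({f.region for f in findings if f.check == "guardduty-not-enabled"}),
        "evidence_gap_regions": sorted({f.region for f in findings if f.evidence_gap}),
    }


# Constructed sample: two regions with nothing enabled, one fully covered, and one where
# the GuardDuty call itself failed (for example an opt-in region the account never enabled).
ACCOUNT_ID = "123456789012"
SAMPLE: Dict[str, Dict[str, Any]] = {
    "eu-west-1": {"guardduty": {"DetectorIds": []}, "inspector2": {"accounts": [], "failedAccounts": []}},
    "us-east-1": {"guardduty": {"DetectorIds": []}, "inspector2": {"accounts": []}},
    "eu-west-2": {"guardduty": {"DetectorIds": ["12abc34d567e8fa901bc2d34e56789f0"]},
                  "inspector2": {"accounts": [{"accountId": ACCOUNT_ID, "state": {"status": "ENABLED"}}]}},
    "ap-south-1": {"guardduty": None,
                   "inspector2": {"accounts": [{"accountId": ACCOUNT_ID, "state": {"status": "DISABLED"}}]}},
}


def collect_with_boto3(session):
    """Live collector: one ListDetectors and one BatchGetAccountStatus per region; any
    exception (no endpoint, disabled opt-in region, AccessDenied) becomes a None body."""
    account_id = session.client("sts").get_caller_identity()["Account"]
    per_region: Dict[str, Dict[str, Any]] = {}
    for region in session.get_available_regions("guardduty"):
        bodies: Dict[str, Any] = {}
        try:
            bodies["guardduty"] = session.client("guardduty", region_name=region).list_detectors()
        except Exception:
            bodies["guardduty"] = None
        try:
            bodies["inspector2"] = session.client("inspector2", region_name=region) \
                .batch_get_account_status(accountIds=[account_id])
        except Exception:
            bodies["inspector2"] = None
        per_region[region] = bodies
    return account_id, per_region


if __name__ == "__main__":
    import boto3
    acct, data = collect_with_boto3(boto3.Session())
    findings = classify_account(acct, data)
    for finding in findings:
        print(finding)
    print(summarize(findings))
```

Run against the constructed sample, `classify_account` yields six findings: two "not enabled" findings each for eu-west-1 and us-east-1, and for ap-south-1 an evidence gap for the failed GuardDuty call next to a real Inspector2 "DISABLED" finding. The point of the split is that a classifier which treated an empty or missing body as "no finding" would silently pass exactly the regions an auditor most needs to see.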
Art.32(4)-instruction-bound-processing — Persons under authority process personal data only on instructions FAIL
Category: n/a · Violations: 5
⚠️ Coverage caveat: PARTIAL — IAM least-privilege / no-privilege-escalation / scoped-decrypt substrate enforces instruction-bound processing technically, but the organisational half (the Art. 28 processor agreement, documented processing instructions, and personnel confidentiality undertakings) is operator-side.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion. Source: aws-iam-deep-auditor
Art. 32(4) substrate — privilege-escalation paths let principals exceed their instructed access to personal data.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion. Source: aws-iam-deep-auditor
Art. 32(4) substrate — privilege-escalation paths let principals exceed their instructed access to personal data.
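How a scanner turns the action catalogue in the two findings above into concrete escalation paths, as an added example that is not the aws-iam-deep-auditor plugin's own code: it walks IAM policy documents, expands action wildcards the way IAM does (case-insensitive glob, so "*", "iam:*" and "iam:Put*" all hit the catalogue), handles Allow + NotAction, and flags statements that carry a Condition instead of dropping them, because a condition such as iam:PassedToService can fence an action that is otherwise an escalation path. Explicit Deny statements, SCPs and permissions boundaries are a separate evaluation layer, as the report itself notes, and are not applied here. The three policy documents and the ARNs in them are constructed samples.

```python
"""IAM privilege-escalation path scanner (added example, not the audit plugin's code)."""
import fnmatch
from typing import Any, Dict, List, Set

# The catalogue from the finding above, grouped by escalation mechanism.
ESCALATION_ACTIONS: Set[str] = {
    # rewrite or attach policies on a principal you control
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy",
    "iam:PutRolePolicy", "iam:PutRolePermissionsBoundary", "iam:DeleteRolePermissionsBoundary",
    "iam:PutUserPermissionsBoundary", "iam:DeleteUserPermissionsBoundary",
    # mint new principals or credentials
    "iam:CreateUser", "iam:CreateRole", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:CreateAccessKey", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy",
    # pivot into another principal's permissions
    "iam:PassRole", "sts:AssumeRole", "sts:AssumeRoleWithSAML", "sts:AssumeRoleWithWebIdentity",
    "sts:GetFederationToken",
    # run code under a passed role
    "lambda:CreateFunction", "lambda:InvokeFunction", "lambda:UpdateFunctionCode",
    "ec2:RunInstances", "cloudformation:CreateStack", "datapipeline:CreatePipeline",
    "glue:CreateDevEndpoint", "glue:UpdateDevEndpoint",
    # take control of key material
    "kms:CreateGrant", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion",
}


def _as_list(value: Any) -> List[Any]:
    return [] if value is None else (value if isinstance(value, list) else [value])


def expand_actions(patterns: List[str], catalogue: Set[str] = ESCALATION_ACTIONS) -> Set[str]:
    """Catalogue members matched by any IAM action pattern (IAM action matching is case-insensitive)."""
    matched: Set[str] = set()
    for pattern in patterns:
        matched.update(a for a in catalogue if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return matched


def escalation_paths(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One record per Allow statement that grants at least one escalation action."""
    findings: List[Dict[str, Any]] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # Allow + NotAction grants everything except the listed actions
            granted = ESCALATION_ACTIONS - expand_actions(_as_list(stmt["NotAction"]))
        else:
            granted = expand_actions(_as_list(stmt.get("Action")))
        if granted:
            resources = _as_list(stmt.get("Resource"))
            findings.append({
                "statement": index,
                "actions": sorted(granted),
                "resources": resources or _as_list(stmt.get("NotResource")),
                "wildcard_resource": "*" in resources,
                "conditional": "Condition" in stmt,   # review the Condition before calling it a path
            })
    return findings


# Constructed: the Action:* / Resource:* shape of inline-user:northwind-ci-policy above.
WILDCARD_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed: a deploy policy that still passes a role, but only to Lambda and only one role.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::northwind-artifacts/*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/northwind-lambda-exec",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Allow", "Action": "lambda:UpdateFunctionCode",
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:nw-order-ingest"},
]}

# Constructed: a prefix wildcard that quietly includes five policy-rewrite actions.
PREFIX_POLICY = {"Version": "2012-10-17",
                 "Statement": {"Effect": "Allow", "Action": ["iam:Get*", "iam:Put*"], "Resource": "*"}}


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY), ("prefix", PREFIX_POLICY)):
        for f in escalation_paths(policy):
            print(name, f["statement"], f["actions"], "conditional" if f["conditional"] else "")
```

The wildcard policy matches all 35 catalogue actions from a single statement, which is what a finding listing the entire catalogue looks like in practice. The scoped policy still produces two records (iam:PassRole and lambda:UpdateFunctionCode, a classic pass-role-into-Lambda chain), but the PassRole record is marked conditional and bound to one role ARN, so the reviewer can decide whether the iam:PassedToService fence is sufficient rather than having the path hidden from them.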
IAM principal 'northwind-deploy' (user) has effective kms:Decrypt on Resource:* via policy inline-user:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege; because this statement also grants Action:*, narrowing Resource alone is not enough: move kms:Decrypt into its own statement scoped to the key ARN(s) the deploy pipeline actually uses. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block. Source: aws-iam-effective-decrypt-auditor
Art. 32(4) substrate — effective decrypt on Resource:* lets a principal read personal data beyond instructed scope.
IAM principal 'northwind-root' (user) has effective kms:Decrypt on Resource:* via policy attached-managed:AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess) (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. AdministratorAccess is an AWS managed policy and cannot be edited, so the remediation is to detach it from this user rather than to narrow it; if the identity is a break-glass administrator, keep it out of routine use and monitor its sign-ins, and give day-to-day workloads their own principals with kms:Decrypt scoped to specific key ARN(s). Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block. Source: aws-iam-effective-decrypt-auditor
Art. 32(4) substrate — effective decrypt on Resource:* lets a principal read personal data beyond instructed scope.
IAM principal 'northwind-ci-role' (role) has effective kms:Decrypt on Resource:* via policy inline-role:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege; because this statement also grants Action:*, narrowing Resource alone is not enough: move kms:Decrypt into its own statement scoped to the key ARN(s) the CI role actually uses. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block. Source: aws-iam-effective-decrypt-auditor
Art. 32(4) substrate — effective decrypt on Resource:* lets a principal read personal data beyond instructed scope.
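The two-layer evaluation the three effective-decrypt findings above describe, as an added example that is not the aws-iam-effective-decrypt-auditor plugin's own code. A principal can decrypt under a KMS key only when the key policy admits it, either by naming the principal directly or by delegating to IAM through the account root principal (the default key policy), and, in the delegated case, the identity policy also allows kms:Decrypt on that key. The evaluator intersects both layers for every key, so a Resource:* identity grant is rated HIGH only when at least one key actually trusts the principal and INFO otherwise, which is the HIGH→INFO downgrade contract the findings mention. KMS grants, SCPs, permissions boundaries, NotAction/NotResource and policy Conditions are not evaluated. All ARNs, key IDs and policy documents are constructed samples; the principal name northwind-ci-role is taken from the finding above.

```python
"""Effective kms:Decrypt across identity-policy and key-policy layers (added example)."""
import fnmatch
from typing import Any, Dict, List, Set

ACCOUNT = "123456789012"                                        # constructed
CI_ROLE = f"arn:aws:iam::{ACCOUNT}:role/northwind-ci-role"      # principal from the finding above
PARTNER_ROLE = "arn:aws:iam::999999999999:role/partner-etl"     # constructed cross-account principal


def _as_list(value: Any) -> List[Any]:
    return [] if value is None else (value if isinstance(value, list) else [value])


def _glob(pattern: str, value: str) -> bool:
    """IAM action/ARN matching: case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def identity_has(policy: Dict[str, Any], effect: str, action: str, resource: str) -> bool:
    """True when a statement with this Effect covers the action on the resource."""
    return any(s.get("Effect") == effect
               and any(_glob(p, action) for p in _as_list(s.get("Action")))
               and any(_glob(p, resource) for p in _as_list(s.get("Resource")))
               for s in _as_list(policy.get("Statement")))


def _principals(stmt: Dict[str, Any]) -> Set[str]:
    p = stmt.get("Principal", {})
    return {"*"} if p == "*" else set(_as_list(p.get("AWS")))  # Service/Federated principals ignored


def key_policy_admits(key_policy: Dict[str, Any], principals: Set[str], action: str = "kms:Decrypt") -> bool:
    """True when an Allow statement names one of `principals` and its Action covers `action`."""
    return any(s.get("Effect") == "Allow" and _principals(s) & principals
               and any(_glob(p, action) for p in _as_list(s.get("Action")))
               for s in _as_list(key_policy.get("Statement")))


def effective_decrypt(identity: Dict[str, Any], principal_arn: str, account_id: str,
                      key_policies: Dict[str, Dict[str, Any]]) -> List[str]:
    """Keys the principal can really decrypt under. Direct key-policy admission is enough on its
    own; root delegation additionally needs an identity Allow; an identity Deny blocks both."""
    root = f"arn:aws:iam::{account_id}:root"
    keys: List[str] = []
    for key_arn, kp in sorted(key_policies.items()):
        if identity_has(identity, "Deny", "kms:Decrypt", key_arn):
            continue
        direct = key_policy_admits(kp, {"*", principal_arn})
        delegated = (key_policy_admits(kp, {root, account_id})
                     and identity_has(identity, "Allow", "kms:Decrypt", key_arn))
        if direct or delegated:
            keys.append(key_arn)
    return keys


def has_wildcard_decrypt(identity: Dict[str, Any]) -> bool:
    """The finding's trigger: an Allow statement with Resource '*' whose Action covers kms:Decrypt."""
    return any(s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource"))
               and any(_glob(p, "kms:Decrypt") for p in _as_list(s.get("Action")))
               for s in _as_list(identity.get("Statement")))


def classify(identity, principal_arn, account_id, key_policies) -> Dict[str, Any]:
    keys = effective_decrypt(identity, principal_arn, account_id, key_policies)
    wildcard = has_wildcard_decrypt(identity)
    severity = "HIGH" if wildcard and keys else "INFO" if wildcard else "OK"
    return {"severity": severity, "wildcard_identity_grant": wildcard, "effective_keys": keys,
            # starting point for remediation; narrow further to what the workload needs
            "scoped_statement": {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": keys}}


def _key_policy(principal: Any, action: Any = "kms:*") -> Dict[str, Any]:
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": action, "Resource": "*"}]}


# Constructed key policies: A delegates to the account root (the default key policy),
# B names the CI role directly, C trusts only another role.
KEY_A = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-1111-4111-8111-111111111111"
KEY_B = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/22222222-2222-4222-8222-222222222222"
KEY_C = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/33333333-3333-4333-8333-333333333333"
KEY_POLICIES = {
    KEY_A: _key_policy(f"arn:aws:iam::{ACCOUNT}:root"),
    KEY_B: _key_policy(CI_ROLE, ["kms:Decrypt", "kms:DescribeKey"]),
    KEY_C: _key_policy(f"arn:aws:iam::{ACCOUNT}:role/payments-app"),
}
# Constructed identity policies: the Action:* / Resource:* shape of inline-role:northwind-ci-policy,
# and a least-privilege replacement bound to a single key.
WILDCARD_IDENTITY = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_IDENTITY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_A}]}

if __name__ == "__main__":
    print(classify(WILDCARD_IDENTITY, CI_ROLE, ACCOUNT, KEY_POLICIES))
    print(classify(WILDCARD_IDENTITY, PARTNER_ROLE, "999999999999", KEY_POLICIES))
    print(classify(SCOPED_IDENTITY, CI_ROLE, ACCOUNT, KEY_POLICIES))
```

Two results are worth noticing. The wildcard identity for northwind-ci-role reaches keys A and B but not C, because C's key policy never admits the role and nothing in an identity policy can override that; the same wildcard identity on the cross-account partner-etl role reaches nothing, which is the INFO case. And the scoped identity still decrypts under key B even though it names only key A, because B's key policy admits the role directly: scoping the identity policy is necessary but the key policies have to be reviewed alongside it.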