Using clear-text protocols exposes data in transit to eavesdropping and man-in-the-middle attacks.

Why is this an issue?

An attacker who can observe network traffic — for example through a compromised network device, a position on the same network segment, or a cloud environment breach — can read, modify, or inject data sent over ftp, telnet, http, or unencrypted SMTP without detection. This is true even on internal or isolated networks, where insider threats or lateral movement after an initial compromise can expose unencrypted traffic. This rule raises an issue when a clear-text protocol scheme is used or when encryption is explicitly disabled for a network connection.

What is the potential impact?

Sensitive data exposure

An attacker who can intercept network traffic can read all data transmitted over clear-text connections, including credentials, session tokens, API keys, or personal data.

Data tampering

Because clear-text protocols provide no integrity protection, an attacker in a man-in-the-middle position can silently modify data in transit — redirecting users to malicious endpoints, injecting malicious content into responses, or altering commands sent to remote services.

How to fix it in AWS Kinesis

Code examples

The following code uses a clear-text protocol or disables encryption for a network connection, leaving transmitted data exposed to interception.

Noncompliant code example

AWSTemplateFormatVersion: 2010-09-09
Resources:
  KinesisStream: # Noncompliant
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1
      # No StreamEncryption

Compliant solution

AWSTemplateFormatVersion: 2010-09-09
Resources:
  KinesisStream:
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1
      StreamEncryption:
        EncryptionType: KMS
        # KeyId is required alongside EncryptionType; alias/aws/kinesis is the AWS-managed key
        KeyId: alias/aws/kinesis

How to fix it in Amazon ElastiCache

Code examples

The following code uses a clear-text protocol or disables encryption for a network connection, leaving transmitted data exposed to interception.

Noncompliant code example

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: "example"
      TransitEncryptionEnabled: false  # Noncompliant

Compliant solution

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: "example"
      TransitEncryptionEnabled: true

How to fix it in Amazon ECS

Code examples

The following code uses a clear-text protocol or disables encryption for a network connection, leaving transmitted data exposed to interception.

Noncompliant code example

AWSTemplateFormatVersion: 2010-09-09
Resources:
  EcsTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: "service"
      Volumes:
        -
          Name: "storage"
          EFSVolumeConfiguration:
            FilesystemId: !Ref FS
            TransitEncryption: "DISABLED"  # Noncompliant

Compliant solution

AWSTemplateFormatVersion: 2010-09-09
Resources:
  EcsTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: "service"
      Volumes:
        -
          Name: "storage"
          EFSVolumeConfiguration:
            FilesystemId: !Ref FS
            TransitEncryption: "ENABLED"

How to fix it in AWS Elastic Load Balancing

Code examples

The following code uses a clear-text protocol or disables encryption for a network connection, leaving transmitted data exposed to interception.

Noncompliant code example

AWSTemplateFormatVersion: 2010-09-09
Resources:
  HTTPlistener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      DefaultActions:
        - Type: "redirect"
          RedirectConfig:
            Protocol: "HTTP" # Noncompliant
      Protocol: "HTTP" # Noncompliant

Compliant solution

AWSTemplateFormatVersion: 2010-09-09
Resources:
  HTTPlistener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      DefaultActions:
        - Type: "redirect"
          RedirectConfig:
            Protocol: "HTTPS"
      Protocol: "HTTPS"

How to fix it in AWS OpenSearch

Code examples

The following code uses a clear-text protocol or disables encryption for a network connection, leaving transmitted data exposed to interception.

Noncompliant code example

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: example
      DomainEndpointOptions:
        EnforceHTTPS: false # Noncompliant
      NodeToNodeEncryptionOptions:
        Enabled: false # Noncompliant

Compliant solution

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: example
      DomainEndpointOptions:
        EnforceHTTPS: true
      NodeToNodeEncryptionOptions:
        Enabled: true

How to fix it in Amazon MSK

Code examples

The following code uses a clear-text protocol or disables encryption for a network connection, leaving transmitted data exposed to interception.

Noncompliant code example

AWSTemplateFormatVersion: 2010-09-09
Resources:
  MSKCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: MSKCluster
      EncryptionInfo:
        EncryptionInTransit:
          ClientBroker: TLS_PLAINTEXT # Noncompliant
          InCluster: false # Noncompliant

Compliant solution

AWSTemplateFormatVersion: 2010-09-09
Resources:
  MSKCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: MSKCluster
      EncryptionInfo:
        EncryptionInTransit:
          ClientBroker: TLS
          InCluster: true

Amazon MSK encrypts data in transit by default, allowing you to omit the EncryptionInTransit configuration entirely.
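The checks in the sections above can be mechanized. The following is an added example (not part of the rule or of its author's code) that walks an already-parsed CloudFormation template and reports the noncompliant Kinesis, ElastiCache, ECS, Elastic Load Balancing, OpenSearch and MSK settings described above; it assumes the template has already been loaded into a dict (for example with PyYAML and a loader that accepts !Ref, or cfn-flip) and runs against a constructed sample template.

```python
"""Flag the clear-text settings this rule describes in a parsed CloudFormation template.
Added example, not the rule's or any scanner's code. Assumes the template is already a dict
(PyYAML with a !Ref-aware loader, or cfn-flip); SAMPLE below is constructed for the demo."""
from typing import Any, Callable, Iterator
MISSING = object()  # sentinel: the parent block exists but the leaf property is absent
# (resource type, property path with '*' for list elements, predicate that marks a value insecure)
RULES: list[tuple[str, str, Callable[[Any], bool]]] = [
    ("AWS::Kinesis::Stream", "StreamEncryption", lambda v: v is MISSING),
    ("AWS::ElastiCache::ReplicationGroup", "TransitEncryptionEnabled", lambda v: v is False),
    # AWS treats an omitted EFS TransitEncryption as DISABLED, so anything but ENABLED is flagged
    ("AWS::ECS::TaskDefinition", "Volumes.*.EFSVolumeConfiguration.TransitEncryption", lambda v: v != "ENABLED"),
    ("AWS::ElasticLoadBalancingV2::Listener", "Protocol", lambda v: v == "HTTP"),
    ("AWS::ElasticLoadBalancingV2::Listener", "DefaultActions.*.RedirectConfig.Protocol", lambda v: v == "HTTP"),
    ("AWS::OpenSearchService::Domain", "DomainEndpointOptions.EnforceHTTPS", lambda v: v is False),
    ("AWS::OpenSearchService::Domain", "NodeToNodeEncryptionOptions.Enabled", lambda v: v is False),
    # MSK defaults to TLS, so only an explicit downgrade counts (PLAINTEXT is the other valid value)
    ("AWS::MSK::Cluster", "EncryptionInfo.EncryptionInTransit.ClientBroker",
     lambda v: v in ("TLS_PLAINTEXT", "PLAINTEXT")),
    ("AWS::MSK::Cluster", "EncryptionInfo.EncryptionInTransit.InCluster", lambda v: v is False),
]

def _walk(node: Any, parts: list[str]) -> Iterator[Any]:
    # Yield every value reachable along the path; an absent final key yields MISSING
    if not parts:
        yield node
    elif parts[0] == "*" and isinstance(node, list):
        for item in node:
            yield from _walk(item, parts[1:])
    elif isinstance(node, dict):
        if parts[0] in node:
            yield from _walk(node[parts[0]], parts[1:])
        elif len(parts) == 1:
            yield MISSING

def find_clear_text(template: dict) -> list[tuple[str, str, Any]]:
    """Return (logical id, property path, offending value) for every noncompliant property."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        for _, path, insecure in (r for r in RULES if r[0] == res.get("Type")):
            for value in _walk(res.get("Properties", {}), path.split(".")):
                if insecure(value):
                    findings.append((logical_id, path, "missing" if value is MISSING else value))
    return findings

SAMPLE = {"Resources": {  # constructed: two insecure resources and one compliant one
    "Stream": {"Type": "AWS::Kinesis::Stream", "Properties": {"ShardCount": 1}},
    "Listener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {"Protocol": "HTTPS",
                 "DefaultActions": [{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTP"}}]}},
    "Kafka": {"Type": "AWS::MSK::Cluster", "Properties": {"EncryptionInfo": {
              "EncryptionInTransit": {"ClientBroker": "TLS", "InCluster": True}}}}}}
```

Running find_clear_text(SAMPLE) reports the Kinesis stream with no StreamEncryption block and the HTTP redirect target, while the TLS-only MSK cluster produces no finding.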
