Using clear-text protocols exposes data in transit to eavesdropping and man-in-the-middle attacks.

Why is this an issue?

An attacker who can observe network traffic — for example through a compromised network device, a position on the same network segment, or a cloud environment breach — can read, modify, or inject data sent over ftp, telnet, http, or unencrypted SMTP without detection. This is true even on internal or isolated networks, where insider threats or lateral movement after an initial compromise can expose unencrypted traffic. This rule raises an issue when a clear-text protocol scheme is used or when encryption is explicitly disabled for a network connection.

What is the potential impact?

Sensitive data exposure

An attacker who can intercept network traffic can read all data transmitted over clear-text connections, including credentials, session tokens, API keys, or personal data.

Data tampering

Because clear-text protocols provide no integrity protection, an attacker in a man-in-the-middle position can silently modify data in transit — redirecting users to malicious endpoints, injecting malicious content into responses, or altering commands sent to remote services.

How to fix it in AWS Kinesis

Code examples

The following aws_kinesis_stream sets encryption_type = "NONE", so records are held in the stream unencrypted. The fix is to switch to "KMS", which also requires a kms_key_id: Kinesis then encrypts each record as soon as it is received and decrypts it on retrieval, so producers and consumers need no code changes, but with a customer-managed key the producers need kms:GenerateDataKey and the consumers kms:Decrypt on that key.

Noncompliant code example

resource "aws_kinesis_stream" "example" {
    encryption_type = "NONE" # Noncompliant
}

Compliant solution

resource "aws_kinesis_stream" "example" {
    encryption_type = "KMS"
    kms_key_id      = "alias/aws/kinesis" # AWS-managed key; a customer-managed key gives control over access and rotation
}

How to fix it in Amazon ElastiCache

Code examples

The following aws_elasticache_replication_group disables in-transit encryption, so clients exchange commands and data with Redis over plain TCP. With transit_encryption_enabled = true the group only accepts TLS connections, so clients must connect with TLS (for example redis-cli --tls or a rediss:// URL) and should verify the server certificate. Depending on the engine version this flag can only be set when the group is created, so changing it on an existing group may force a replacement; check the plan before applying.

Noncompliant code example

resource "aws_elasticache_replication_group" "example" {
    replication_group_id = "example"
    replication_group_description = "example"
    transit_encryption_enabled = false  # Noncompliant
}

Compliant solution

resource "aws_elasticache_replication_group" "example" {
    replication_group_id = "example"
    replication_group_description = "example"
    transit_encryption_enabled = true
}

How to fix it in Amazon ECS

Code examples

The following aws_ecs_task_definition mounts an EFS file system with transit_encryption = "DISABLED", so NFS traffic between the task and EFS crosses the network unencrypted. With "ENABLED", the mount goes through a TLS tunnel on the container host; this setting is also a prerequisite for mounting with IAM authorization or an EFS access point.

Noncompliant code example

resource "aws_ecs_task_definition" "example" {
  family = "service"
  container_definitions = file("task-definition.json")

  volume {
    name = "storage"
    efs_volume_configuration {
      file_system_id = aws_efs_file_system.fs.id
      transit_encryption = "DISABLED"  # Noncompliant
    }
  }
}

Compliant solution

resource "aws_ecs_task_definition" "example" {
  family = "service"
  container_definitions = file("task-definition.json")

  volume {
    name = "storage"
    efs_volume_configuration {
      file_system_id = aws_efs_file_system.fs.id
      transit_encryption = "ENABLED"
    }
  }
}

How to fix it in AWS OpenSearch

Code examples

The following aws_opensearch_domain both accepts plain HTTP on its endpoint (enforce_https = false) and sends traffic between cluster nodes unencrypted (node_to_node_encryption.enabled = false). Both must be enabled: enforce_https protects the client side and node_to_node_encryption the intra-cluster side. Note that enforce_https alone still accepts old TLS versions under the default policy; set tls_security_policy to a minimum-TLS-1.2 policy such as "Policy-Min-TLS-1-2-2019-07" as well.

Noncompliant code example

resource "aws_opensearch_domain" "example" {
  domain_name = "example"
  domain_endpoint_options {
    enforce_https = false # Noncompliant
  }
  node_to_node_encryption {
    enabled = false # Noncompliant
  }
}

Compliant solution

resource "aws_opensearch_domain" "example" {
  domain_name = "example"
  domain_endpoint_options {
    enforce_https = true
  }
  node_to_node_encryption {
    enabled = true
  }
}

How to fix it in AWS Elastic Load Balancing

Code examples

The listener below accepts HTTP and redirects to another HTTP URL, so clients are never moved onto TLS. An HTTP listener is acceptable only when its sole action is a redirect to HTTPS; the application traffic itself must be served by a separate HTTPS listener with a certificate.

Noncompliant code example

resource "aws_lb_listener" "example" {
  load_balancer_arn = aws_lb.example.arn
  port              = 80
  protocol          = "HTTP" # Noncompliant

  default_action {
    type = "redirect"

    redirect {
      protocol    = "HTTP"
      status_code = "HTTP_301"
    }
  }
}

Compliant solution

resource "aws_lb_listener" "example" {
  load_balancer_arn = aws_lb.example.arn
  port              = 80
  protocol          = "HTTP" # Accepted only because every request is redirected to HTTPS

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

How to fix it in GCP Load Balancers

Code examples

The backend service below uses HTTP between the load balancer and its backends. Setting protocol = "HTTPS" encrypts that hop; the client-facing side is configured separately on the target proxy and forwarding rule, so an HTTPS backend protocol on its own does not make the frontend use TLS.

Noncompliant code example

resource "google_compute_region_backend_service" "example" {
  name                            = "example-service"
  region                          = "us-central1"
  health_checks                   = [google_compute_region_health_check.region.id]
  connection_draining_timeout_sec = 10
  session_affinity                = "CLIENT_IP"
  load_balancing_scheme           = "EXTERNAL"
  protocol                        = "HTTP" # Noncompliant
}

Compliant solution

resource "google_compute_region_backend_service" "example" {
  name                            = "example-service"
  region                          = "us-central1"
  health_checks                   = [google_compute_region_health_check.region.id]
  connection_draining_timeout_sec = 10
  session_affinity                = "CLIENT_IP"
  load_balancing_scheme           = "EXTERNAL"
  protocol                        = "HTTPS"
}
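The settings flagged in the sections above can be checked before apply rather than only by a code scanner. The following script is an added example (not SonarSource's implementation of the rule) that walks the JSON produced by `terraform show -json tfplan`, applies the same six checks, and honours the HTTP-listener exception when the default action redirects to HTTPS. The plan embedded in it is constructed to exercise every check and is not real infrastructure.

```python
"""Policy-as-code check for the clear-text settings described above.

Hypothetical helper (not SonarSource code): scans `terraform show -json` output
and reports the same noncompliant settings the sections above show.
"""
import json


def _blocks(values, name):
    """Nested Terraform blocks appear in plan JSON as lists of dicts."""
    block = values.get(name)
    if isinstance(block, dict):
        return [block]
    return block or []


def _check_kinesis(v):
    if v.get("encryption_type") == "NONE":
        return 'encryption_type = "NONE"; use "KMS" with a kms_key_id'


def _check_elasticache(v):
    if v.get("transit_encryption_enabled") is False:
        return "transit_encryption_enabled = false"


def _check_ecs_task(v):
    for vol in _blocks(v, "volume"):
        for efs in _blocks(vol, "efs_volume_configuration"):
            if efs.get("transit_encryption") == "DISABLED":
                return f'volume "{vol.get("name")}": EFS transit_encryption = "DISABLED"'


def _check_opensearch(v):
    problems = ["enforce_https = false" for o in _blocks(v, "domain_endpoint_options")
                if o.get("enforce_https") is False]
    problems += ["node_to_node_encryption disabled" for n in _blocks(v, "node_to_node_encryption")
                 if n.get("enabled") is False]
    return "; ".join(problems) or None


def _check_lb_listener(v):
    if v.get("protocol") != "HTTP":
        return None
    # Exception: an HTTP listener whose default action redirects to HTTPS is fine.
    for action in _blocks(v, "default_action"):
        if action.get("type") == "redirect":
            if any(r.get("protocol") == "HTTPS" for r in _blocks(action, "redirect")):
                return None
    return 'protocol = "HTTP" without a redirect to HTTPS'


def _check_gcp_backend(v):
    if v.get("protocol") == "HTTP":
        return 'protocol = "HTTP"'


CHECKS = {
    "aws_kinesis_stream": _check_kinesis,
    "aws_elasticache_replication_group": _check_elasticache,
    "aws_ecs_task_definition": _check_ecs_task,
    "aws_opensearch_domain": _check_opensearch,
    "aws_lb_listener": _check_lb_listener,
    "google_compute_region_backend_service": _check_gcp_backend,
}


def _resources(module):
    """Yield resources of a plan module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _resources(child)


def scan_plan(plan):
    """Return [(resource address, problem)] for every noncompliant resource."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _resources(root):
        check = CHECKS.get(res.get("type"))
        if check is None:
            continue
        problem = check(res.get("values") or {})
        if problem:
            findings.append((res["address"], problem))
    return findings


def scan_plan_file(path):
    """Scan a file written by `terraform show -json tfplan > plan.json`."""
    with open(path, encoding="utf-8") as fh:
        return scan_plan(json.load(fh))


# Constructed sample in the shape of `terraform show -json` output (not a real plan).
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_kinesis_stream.raw", "type": "aws_kinesis_stream",
         "values": {"name": "raw", "encryption_type": "NONE"}},
        {"address": "aws_elasticache_replication_group.cache",
         "type": "aws_elasticache_replication_group",
         "values": {"transit_encryption_enabled": False}},
        {"address": "aws_ecs_task_definition.app", "type": "aws_ecs_task_definition",
         "values": {"volume": [{"name": "storage", "efs_volume_configuration": [
             {"file_system_id": "fs-0123456789abcdef0", "transit_encryption": "DISABLED"}]}]}},
        {"address": "aws_opensearch_domain.logs", "type": "aws_opensearch_domain",
         "values": {"domain_endpoint_options": [{"enforce_https": False}],
                    "node_to_node_encryption": [{"enabled": True}]}},
        {"address": "aws_lb_listener.http_redirect", "type": "aws_lb_listener",
         "values": {"protocol": "HTTP", "default_action": [{"type": "redirect", "redirect": [
             {"protocol": "HTTPS", "port": "443", "status_code": "HTTP_301"}]}]}},
        {"address": "aws_lb_listener.http_plain", "type": "aws_lb_listener",
         "values": {"protocol": "HTTP", "default_action": [{"type": "forward"}]}},
    ],
    "child_modules": [{"address": "module.gcp", "resources": [
        {"address": "module.gcp.google_compute_region_backend_service.web",
         "type": "google_compute_region_backend_service", "values": {"protocol": "HTTP"}}]}],
}}}

if __name__ == "__main__":
    for address, problem in scan_plan(SAMPLE_PLAN):
        print(f"{address}: {problem}")
```

Run against a real plan with scan_plan_file("plan.json") in CI and fail the job when the list is non-empty. The checks deliberately flag only values that are explicitly set, matching the rule text; if you also want to catch provider defaults (for example a Kinesis stream with no encryption_type at all), extend the relevant check to treat a missing key as the insecure default.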

Exceptions

No issue is reported for the following cases:
