Skip to content

Security: aws-samples/sample-CryptaMap

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a potential security issue in this project, we ask that you notify AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com.

Please do not create a public GitHub issue for security vulnerabilities.

Scope and intent

CryptaMap is a read-only discovery tool: it enumerates cryptographic configuration metadata across AWS services and emits a CycloneDX CBOM + a PQC (post-quantum) readiness report. By design it:

  • makes only read/describe/list API calls in its scanners (the least-privilege IAM policy it ships, generated by cmd/gen-policy, contains only read actions plus two resource-scoped writes used solely by the org orchestrator (s3:PutObject to the results bucket and dynamodb:PutItem to the scans table); live Security Hub import is not carried in this release — ASFF is a local export only);
  • never transmits customer scan data off the customer's account — output is written locally (or to a customer-owned S3 bucket in org mode);
  • ships no real account data. The dashboard's demo data is generated synthetically (cmd/gen-dashboard-mock); CI fails the build on any committed real AWS account ID, ARN, bucket name, or private key.

Handling your own results

The CBOM and reports CryptaMap produces describe your cryptographic posture and may be sensitive. Treat them as you would any security finding: store them in a controlled location and do not commit them to public source control. The default deployment model keeps results within your AWS account and region.

Supported versions

CryptaMap is distributed as source you build yourself — there is no prebuilt or signed release artifact (see docs/INSTALL.md). Security fixes are applied to the main branch; build and run from the latest main.

There aren't any published security advisories