The severity of a control is determined based on an assessment of the following criteria:
- How difficult is it for a threat actor to take advantage of the configuration weakness associated with the control?
- How likely is it that the weakness will lead to a compromise of your AWS accounts or resources?
Severity mapping to the difficulty to exploit and the likelihood of compromise
| | Compromise highly likely | Compromise likely | Compromise unlikely | Compromise highly unlikely |
|---|---|---|---|---|
| Very easy to exploit | Critical | Critical | High | Medium |
| Somewhat easy to exploit | Critical | High | Medium | Medium |
| Somewhat difficult to exploit | High | Medium | Medium | Low |
| Very difficult to exploit | Medium | Medium | Low | Low |
The severity does not take into account the criticality of the underlying resource. You should consider the criticality of the resource.
Severity | Recommended action |
---|---|
Critical | The issue should be remediated immediately to avoid it escalating. |
High | The issue must be addressed as a near-term priority. |
Medium | The issue should be addressed as a mid-term priority. |
Low | The issue does not require action on its own. |
Informational | No recommended action. Informational findings help customers to demonstrate that they are in a compliant state. |