The severity of a control is determined based on an assessment of the following criteria:
How difficult is it for a threat actor to take advantage of the configuration weakness associated with the control?
How likely is it that the weakness will lead to a compromise of your AWS accounts or resources?
The table below lists the severity mapping based on difficulty of exploitation and likelihood of compromise.
| | Compromise highly likely | Compromise likely | Compromise unlikely | Compromise highly unlikely |
|---|---|---|---|---|
| Very easy to exploit | Critical | Critical | High | Medium |
| Somewhat easy to exploit | Critical | High | Medium | Medium |
| Somewhat difficult to exploit | High | Medium | Medium | Low |
| Very difficult to exploit | Medium | Medium | Low | Low |
Note: The severity does not take into account the criticality of the underlying resource. However, you must consider the criticality of the resource.
Review the table below to understand the recommended action for each severity.
| Severity | Recommended action |
|---|---|
| Critical | The issue should be remediated immediately to avoid escalation. |
| High | The issue must be addressed as a near-term priority. |
| Medium | The issue should be addressed as a mid-term priority. |
| Low | The issue does not require action on its own. |
| Informational | No recommended action. Informational findings help customers to demonstrate that they are in a compliant state. |