>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SI-11Error Handling

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a

Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and

b

Reveal error messages only to organization-defined personnel or roles.

>DoD Impact Level Requirements

FedRAMP Parameter Values

SI-11 (b) [to include the ISSO and/or similar role within the organization]

>Discussion

Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers.

Error messages may also provide a covert channel for transmitting information.

>Programmatic Queries

Beta

Related Services

CloudWatch Logs
API Gateway
Lambda

CLI Commands

Check API Gateway error responses
aws apigateway get-gateway-responses --rest-api-id API_ID
List Lambda error metrics
aws cloudwatch get-metric-statistics --namespace AWS/Lambda --metric-name Errors --dimensions Name=FunctionName,Value=FUNCTION --start-time START --end-time END --period 3600 --statistics Sum
Check CloudWatch error alarms
aws cloudwatch describe-alarms --alarm-name-prefix Error
List X-Ray error traces
aws xray get-trace-summaries --start-time START --end-time END --filter-expression 'error = true'
Open AWS ConsoleDocumentation

>Related Controls

AU-2
AU-3
SC-31
SI-2
SI-15

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies and procedures govern error handling?
  • Who is responsible for monitoring system and information integrity?
  • How frequently are integrity monitoring processes reviewed and updated?

Technical Implementation:

  • What technical controls detect and respond to error handling issues?
  • How are integrity violations identified and reported?
  • What automated tools support system and information integrity monitoring?

Evidence & Documentation:

  • Can you provide recent integrity monitoring reports or alerts?
  • What logs demonstrate that SI-11 is actively implemented?
  • Where is evidence of integrity monitoring maintained and for how long?

Ask AI

Configure your API key to use AI features.