Instances should not use the default service account

Property
Language: terraform
Severity: critical
Service: compute
Provider: Google
Vulnerability Type: misconfiguration

Description

Google Compute Engine instances are configured to use the default service account, which grants broad, project-wide permissions instead of limiting access to only what’s necessary. This approach violates the principle of least privilege and increases risk in case of compromise.

Impact

If the instance is compromised, an attacker could leverage the default service account to gain full access to Google Cloud project resources, potentially reading, modifying, or deleting sensitive data and services across the entire project.

Insufficient Control of Network Message Volume (Network Amplification)

Property
Language: yaml
Severity: low
CWE: CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Setting ‘hostNetwork: true’ in a Kubernetes Pod specification allows the pod to use the host node’s network namespace. This exposes the pod to the node’s network interfaces and local services, which is generally unnecessary and can increase risk.

Impact

If exploited, a compromised pod could access network traffic intended for the host or other pods, potentially intercepting sensitive data or attacking services running on the node. This can lead to privilege escalation, data leaks, or disruption of network services within your Kubernetes cluster.

Insufficient Logging

Property
Language: hcl
Severity: low
CWE: CWE-778: Insufficient Logging
OWASP: A10:2017 - Insufficient Logging & Monitoring
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The Azure App Service resource is not configured to enable detailed error messages in its logging settings. This means important error details may not be captured, making troubleshooting and security monitoring more difficult.

Impact

Without detailed error messages, it can be harder to detect and investigate issues or attacks, potentially allowing malicious activity to go unnoticed and delaying response to incidents. This can increase operational risk and hinder compliance efforts.

Insufficient Logging

Property
Language: hcl
Severity: low
CWE: CWE-778: Insufficient Logging
OWASP: A10:2017 - Insufficient Logging & Monitoring
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The App Service resource in Azure is not configured to enable failed request tracing. Without this setting, important information about failed requests may not be logged, making it harder to diagnose issues or investigate suspicious activity.

Impact

If failed request tracing is disabled, security incidents or operational problems could go undetected or unresolved, as there would be insufficient logs to identify what went wrong. This can hinder incident response and leave the application vulnerable to undetected attacks or misconfigurations.

Insufficient Logging

Property
Language: hcl
Severity: low
CWE: CWE-778: Insufficient Logging
OWASP: A10:2017 - Insufficient Logging & Monitoring
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The App Service resource in Azure is missing HTTP logging in its configuration. Without HTTP logging enabled, important request and response data will not be recorded for monitoring or troubleshooting.

Impact

If HTTP logs are not collected, it becomes difficult to detect, investigate, or respond to suspicious activity or security incidents. Attack attempts, unauthorized access, or misconfigurations may go unnoticed, putting the application and sensitive data at risk.

Insufficient Logging

Property
Language: hcl
Severity: low
CWE: CWE-778: Insufficient Logging
OWASP: A10:2017 - Insufficient Logging & Monitoring
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The storage account is missing logging configuration for queue services. Without proper logging, important details about queue operations (such as access and errors) are not recorded.

Impact

Lack of logging makes it difficult to detect and investigate unauthorized access, operational issues, or potential attacks on your storage queues. This can lead to delayed incident response and hinder compliance or auditing efforts.

Insufficient Logging

Property
Language: hcl
Severity: low
CWE: CWE-778: Insufficient Logging
OWASP: A10:2017 - Insufficient Logging & Monitoring
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The EKS cluster configuration does not enable control plane logging for key components like the Kubernetes API server and audit logs. Without these logs, important actions and access events within the cluster may go unmonitored.

Impact

If control plane logging is disabled, suspicious activity or security incidents in your EKS cluster may go undetected, making it harder to investigate breaches or unauthorized access. This lack of visibility can allow attackers to exploit the cluster without being noticed, increasing the risk to your infrastructure and data.

Insufficient Logging

Property
Language: hcl
Severity: low
CWE: CWE-778: Insufficient Logging
OWASP: A10:2017 - Insufficient Logging & Monitoring
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The Google Cloud Storage bucket is created without enabling access logging. This means actions like reading, writing, or modifying data in the bucket are not being recorded.

Impact

Without access logs, it becomes difficult to detect unauthorized access, investigate security incidents, or audit data usage. Attackers or malicious insiders could access or alter sensitive data without leaving a trace, increasing the risk of data breaches and compliance violations.

Insufficient Logging

Property
Language: hcl
Severity: low
CWE: CWE-778: Insufficient Logging
OWASP: A09:2021 - Security Logging and Monitoring Failures
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The AWS Lambda function is missing active X-Ray tracing, which means detailed execution traces are not being captured. Without this, it’s harder to debug issues or monitor the function’s behavior in production.

Impact

Lack of active tracing limits visibility into your Lambda’s execution, making it difficult to detect performance bottlenecks, errors, or suspicious activity. This can delay incident response and troubleshooting, increasing the risk of undetected problems in your application.

Insufficient Logging

Property
Language: hcl
Severity: medium
CWE: CWE-778: Insufficient Logging
OWASP: A09:2021 - Security Logging and Monitoring Failures
Confidence Level: High
Impact Level: Medium
Likelihood Level: Low

Description

The AWS Config aggregator is set to collect configuration data from only specific regions instead of all regions. This leaves some AWS regions unmonitored, potentially missing important changes in those areas.

Impact

If not all regions are included, unauthorized or accidental changes in unmonitored regions could go undetected, leading to blind spots in security monitoring. Attackers or misconfigurations in these regions might compromise resources without being logged or alerted.