Legacy metadata endpoints enabled.

Property
Language: terraform
Severity: high
Service: gke
Provider: Google
Vulnerability Type: omission

Description

The legacy (v0.1 and v1beta1) metadata server endpoints are enabled on the GKE nodes. Unlike the v1 endpoint, these do not require the `Metadata-Flavor: Google` request header, so any request that can be coerced into reaching the metadata server from a workload can read instance metadata, which weakens the access control the header provides. The configuration does not explicitly disable these endpoints (node metadata key `disable-legacy-endpoints` set to `"true"`) as recommended.

Impact

If exploited, an attacker who can make requests to the metadata server from a container or workload on the node (for example through a server-side request forgery bug in an application) could retrieve sensitive instance metadata, including the node service account's access token. That token can be used for privilege escalation, data exposure, or unauthorized access to Google Cloud resources within the project.
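The weak and the corrected node pool configuration side by side, as an added example that is not part of the original page. Cluster, pool, location and machine type are placeholders; the only setting the check looks at is the `disable-legacy-endpoints` metadata key on the node pool's `node_config`.

```hcl
# Added example (not from the original page). Names and locations are placeholders.
resource "google_container_cluster" "primary" {
  name                     = "example-cluster" # placeholder
  location                 = "us-central1"     # placeholder
  remove_default_node_pool = true
  initial_node_count       = 1
}

# Flagged: node_config says nothing about the legacy endpoints, so the check
# treats v0.1 / v1beta1 as reachable without the Metadata-Flavor header.
resource "google_container_node_pool" "legacy_endpoints" {
  name       = "legacy-pool"
  cluster    = google_container_cluster.primary.name
  location   = google_container_cluster.primary.location
  node_count = 1

  node_config {
    machine_type = "e2-medium"
  }
}

# Corrected: explicitly disable the legacy endpoints. Only the v1 endpoint
# remains, and it refuses requests that lack "Metadata-Flavor: Google".
resource "google_container_node_pool" "hardened" {
  name       = "hardened-pool"
  cluster    = google_container_cluster.primary.name
  location   = google_container_cluster.primary.location
  node_count = 1

  node_config {
    machine_type = "e2-medium"

    metadata = {
      disable-legacy-endpoints = "true"
    }
  }
}
```

To confirm the setting took effect, run from a pod on the hardened pool `curl http://169.254.169.254/computeMetadata/v1beta1/instance/service-accounts/default/token` (expected to fail) and the same path under `/computeMetadata/v1/` with `-H "Metadata-Flavor: Google"` (expected to succeed). Disabling the legacy endpoints does not stop a workload that can send the header; for that, the node's service account still needs minimal scopes, or the cluster should use Workload Identity so pods never see the node token.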

Limit range usage

Property
Language: terraform
Severity: low

Description

Without a LimitRange in a Kubernetes namespace, containers that do not declare their own resource requests and limits run with no CPU or memory bounds, because nothing supplies default values or enforces minimum and maximum sizes for that namespace.

Impact

Without resource limits, a single container or pod could monopolize node or cluster resources, leading to service degradation or outages for other workloads. This resource exhaustion could be triggered intentionally or accidentally, affecting application stability and availability.
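A LimitRange that gives the namespace defaults and hard bounds, as an added example that is not part of the original page. The namespace name and the sizes are placeholders chosen for illustration.

```hcl
# Added example (not from the original page). Namespace and sizes are placeholders.
resource "kubernetes_namespace" "app" {
  metadata {
    name = "app"
  }
}

# Satisfies the check: every container in the namespace now gets defaults if it
# declares nothing, and any pod that asks for more than "max" is rejected at
# admission time.
resource "kubernetes_limit_range" "app" {
  metadata {
    name      = "app-limits"
    namespace = kubernetes_namespace.app.metadata[0].name
  }

  spec {
    limit {
      type = "Container"

      # Applied to containers that declare no resources.limits
      default = {
        cpu    = "500m"
        memory = "256Mi"
      }

      # Applied to containers that declare no resources.requests
      default_request = {
        cpu    = "100m"
        memory = "128Mi"
      }

      # Hard ceiling and floor per container
      max = {
        cpu    = "2"
        memory = "2Gi"
      }
      min = {
        cpu    = "50m"
        memory = "64Mi"
      }
    }

    limit {
      type = "Pod"

      # Sum across all containers in one pod
      max = {
        cpu    = "4"
        memory = "4Gi"
      }
    }
  }
}
```

Two caveats practitioners run into: a LimitRange is enforced by an admission controller, so pods that were already running when it was created keep whatever they had until they are recreated; and it bounds individual containers and pods, not the namespace total. Capping how much a whole namespace can consume needs a ResourceQuota in addition.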

Limit Root Account Usage

Property
Language: terraform
Severity: low
Service: iam
Provider: AWS

Description

The root user has unrestricted access to all services and resources in an AWS account. We highly recommend that you avoid using the root user for daily tasks. Minimizing the use of the root user and adopting the principle of least privilege for access management reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.

Resolution

Use lower-privileged IAM users or roles instead, so that only the privileges a task actually requires are available.

Load balancer is exposed to the internet.

Property
Language: terraform
Severity: high
Service: elb
Provider: AWS
Vulnerability Type: omission

Description

The load balancer is internet-facing (its `internal` attribute is not set to `true`), which may unintentionally expose internal resources or services to external access. This misconfiguration increases the attack surface if the load balancer was never intended for public use.

Impact

External attackers could directly access services behind the load balancer, potentially leading to data exposure, unauthorized actions, or further network compromise. This exposure increases the risk of exploitation and can undermine the security of internal systems.

Load balancers should drop invalid headers

Property
Language: terraform
Severity: high
Service: elb
Provider: AWS
Vulnerability Type: omission

Description

The Application Load Balancer forwards HTTP headers to its targets without removing header fields whose names are invalid under the HTTP specification, because `drop_invalid_header_fields` is not enabled. This allows malformed or deliberately crafted headers to reach backend services, increasing the risk of exploitation.

Impact

Attackers could exploit backend parsing weaknesses by injecting unexpected or malformed headers, leading to possible security breaches such as unauthorized access, data leakage, or service disruption within the application infrastructure.
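Both load balancer checks above concern the same `aws_lb` resource, so one added example (not part of the original page) shows the flagged resource beside the corrected one. The subnet ID and security group variables are assumptions standing in for whatever the surrounding module provides.

```hcl
# Added example (not from the original page). Variables are placeholders for
# resources the surrounding module would normally define.
variable "public_subnet_ids" {
  type = list(string)
}

variable "private_subnet_ids" {
  type = list(string)
}

variable "alb_security_group_id" {
  type = string
}

# Flagged by both checks: internet-facing, and drop_invalid_header_fields
# is left at its default of false so malformed header names pass through.
resource "aws_lb" "exposed_and_lax" {
  name               = "example-alb"
  load_balancer_type = "application"
  internal           = false
  security_groups    = [var.alb_security_group_id]
  subnets            = var.public_subnet_ids
}

# Corrected for a load balancer that only fronts internal services: reachable
# only from the VPC, and header fields with invalid names are dropped before
# the request is forwarded to targets.
resource "aws_lb" "internal_and_strict" {
  name                       = "example-internal-alb"
  load_balancer_type         = "application"
  internal                   = true
  drop_invalid_header_fields = true
  security_groups            = [var.alb_security_group_id]
  subnets                    = var.private_subnet_ids
}
```

If the load balancer genuinely must be public, keep `internal = false`, still set `drop_invalid_header_fields = true`, and make the exposure deliberate by limiting the security group to the listener ports and, where possible, to known source ranges. `drop_invalid_header_fields` applies only to `load_balancer_type = "application"`; it has no effect on network or gateway load balancers.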

Manage all resources

Property
Language: terraform
Severity: critical
Vulnerability Type: omission

Description

Granting a Kubernetes ClusterRole permission to manage all resources using a wildcard ('*') for API groups, resources, and verbs gives full control over every resource in the cluster, equivalent to the built-in cluster-admin role. This bypasses the principle of least privilege and allows unrestricted access.

Impact

If exploited, an attacker bound to this ClusterRole could gain root access on all cluster nodes (for example by scheduling privileged pods), read and modify any pod, secret, or data, and disrupt or take over the entire Kubernetes environment, leading to severe data breaches or service outages.

Manage all resources at the namespace

Property
Language: terraform
Severity: critical
Vulnerability Type: omission

Description

Granting full control over all resources in a Kubernetes namespace (a Role whose rule uses the wildcard '*' for API groups, resources, and verbs) creates overly broad permissions. This allows unintended actions across every resource type in that namespace, violating the principle of least privilege.

Impact

If exploited, an attacker or compromised user could manipulate, delete, or expose any resource within the namespace, leading to data loss, service disruption, or privilege escalation across the cluster.
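The two wildcard patterns the preceding checks flag, beside a Role that enumerates what one workload actually needs, as an added example that is not part of the original page. The namespace `payments`, the service account `deployer`, and the permission set are placeholders.

```hcl
# Added example (not from the original page). Namespace, names and the
# permission set are placeholders.

# Flagged (critical): wildcard API groups, resources and verbs cluster-wide.
# Functionally the same as binding cluster-admin.
resource "kubernetes_cluster_role" "everything" {
  metadata {
    name = "everything"
  }

  rule {
    api_groups = ["*"]
    resources  = ["*"]
    verbs      = ["*"]
  }
}

# Flagged (critical): the same wildcards confined to one namespace. Still
# covers secrets, service accounts and pods in that namespace.
resource "kubernetes_role" "namespace_everything" {
  metadata {
    name      = "everything"
    namespace = "payments"
  }

  rule {
    api_groups = ["*"]
    resources  = ["*"]
    verbs      = ["*"]
  }
}

# Least privilege: spell out the API group, resource and verb list. This
# deployer can roll out a Deployment and read pod logs, nothing else.
resource "kubernetes_role" "deployer" {
  metadata {
    name      = "deployer"
    namespace = "payments"
  }

  rule {
    api_groups = ["apps"]
    resources  = ["deployments"]
    verbs      = ["get", "list", "watch", "update", "patch"]
  }

  rule {
    api_groups = [""]
    resources  = ["pods", "pods/log"]
    verbs      = ["get", "list", "watch"]
  }
}

resource "kubernetes_role_binding" "deployer" {
  metadata {
    name      = "deployer"
    namespace = "payments"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.deployer.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = "deployer"
    namespace = "payments"
  }
}
```

After applying, `kubectl auth can-i --list -n payments --as=system:serviceaccount:payments:deployer` prints exactly the enumerated verbs, which is the review you cannot do for a wildcard rule. Note that a Role with `resources = ["*"]` includes `secrets` and `serviceaccounts/token` for that namespace, so "only one namespace" is not much of a limitation when that namespace holds credentials.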

Manage configmaps

Property
Language: terraform
Severity: medium
Vulnerability Type: omission

Description

Roles or ClusterRoles are configured with write permissions (such as create, update, patch, or delete) on Kubernetes configmaps, which can expose or allow modification of sensitive configuration data.

Impact

If exploited, attackers could alter or delete ConfigMaps, injecting malicious configuration into applications that consume them, disrupting application behavior, or escalating privileges within the cluster where a ConfigMap controls access decisions. This can lead to service outages or compromise of sensitive information.

Resolution

Remove the write verbs (create, update, patch, delete) for the 'configmaps' resource. Where a workload only needs to read its configuration, grant read-only verbs such as get and list, ideally restricted to the named ConfigMaps it consumes.

Manage EKS IAM Auth ConfigMap

Property
Language: terraform
Severity: critical

Description

Roles or ClusterRoles are granted write permissions on the 'aws-auth' ConfigMap in the kube-system namespace of an EKS cluster. That ConfigMap maps IAM users and roles to Kubernetes users and groups, so whoever can edit it decides which IAM principals can reach the cluster and which RBAC groups they land in.

Impact

Exploiting this vulnerability could let attackers escalate privileges, granting themselves or others admin-level access to the Kubernetes cluster by altering RBAC bindings. This compromises cluster security and could lead to full environment takeover.

Manage Kubernetes networking

Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

Granting broad permissions to manage Kubernetes networking resources (like services, endpoints, network policies, or ingresses) enables users to alter network traffic flows or bypass network restrictions, creating opportunities for interception or lateral movement within the cluster.

Impact

If exploited, attackers with these permissions could reroute or intercept service traffic, expose sensitive data, or move laterally between pods, leading to data breaches or compromise of other services within the Kubernetes environment.
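The three preceding checks (ConfigMap write verbs, the EKS aws-auth ConfigMap, and networking resources) are all the same mistake of granting write verbs on resources that control access or traffic, so one added example (not part of the original page) covers them together. The ConfigMap name `app-settings` and the namespace `payments` are placeholders.

```hcl
# Added example (not from the original page). Namespace and ConfigMap names
# are placeholders.

# Flagged (critical): write verbs on configmaps in kube-system reach aws-auth,
# the IAM-to-RBAC mapping for an EKS cluster. A holder can add an IAM role to
# the system:masters group and become cluster-admin.
resource "kubernetes_role" "aws_auth_writer" {
  metadata {
    name      = "aws-auth-writer"
    namespace = "kube-system"
  }

  rule {
    api_groups     = [""]
    resources      = ["configmaps"]
    resource_names = ["aws-auth"]
    verbs          = ["get", "update", "patch", "delete"]
  }
}

# Flagged (high): wildcard verbs on the resources that steer cluster traffic.
# A holder can repoint a Service's endpoints at a pod they control or delete
# the NetworkPolicies that segment the cluster.
resource "kubernetes_cluster_role" "network_admin" {
  metadata {
    name = "network-admin"
  }

  rule {
    api_groups = [""]
    resources  = ["services", "endpoints"]
    verbs      = ["*"]
  }

  rule {
    api_groups = ["networking.k8s.io"]
    resources  = ["ingresses", "networkpolicies"]
    verbs      = ["*"]
  }
}

# Corrected: the application reads only the ConfigMap it consumes, by name.
# resource_names cannot restrict "create" or "deletecollection" (the name is
# not known at authorization time), and "list"/"watch" are only name-restricted
# when the client sends a metadata.name field selector, so keep to "get".
resource "kubernetes_role" "app_config_reader" {
  metadata {
    name      = "app-config-reader"
    namespace = "payments"
  }

  rule {
    api_groups     = [""]
    resources      = ["configmaps"]
    resource_names = ["app-settings"]
    verbs          = ["get"]
  }
}

# Corrected: observation only for networking resources, which is all a
# monitoring or troubleshooting identity needs.
resource "kubernetes_cluster_role" "network_viewer" {
  metadata {
    name = "network-viewer"
  }

  rule {
    api_groups = [""]
    resources  = ["services", "endpoints"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["networking.k8s.io"]
    resources  = ["ingresses", "networkpolicies"]
    verbs      = ["get", "list", "watch"]
  }
}
```

Write access to aws-auth should belong only to the pipeline that manages cluster access, and even then through a dedicated identity rather than a reusable Role. Where a controller genuinely must write Services or Ingresses (an ingress controller, for example), enumerate the verbs it uses instead of `"*"` and bind the ClusterRole only to that controller's service account.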