Cloud Storage buckets should be encrypted with a customer-managed key.

Property
Language: terraform
Severity: low
Service: storage
Provider: Google

Description

Cloud Storage buckets are configured without customer-managed encryption keys, relying instead on Google-managed keys, which limits control over key rotation and lifecycle management.

Impact

Without customer-managed keys, organizations cannot enforce their own encryption key policies, increasing the risk of unauthorized data access and making it harder to respond to key compromise or compliance requirements.

Resolution

Encrypt Cloud Storage buckets using customer-managed keys.

CloudFront distribution allows unencrypted (HTTP) communications.

Property
Language: terraform
Severity: critical
Service: cloudfront
Provider: AWS
Vulnerability Type: misconfiguration

Description

The CloudFront distribution is configured to allow unencrypted HTTP connections, exposing data in transit to anyone monitoring the network. Secure HTTPS is not enforced, leaving communications vulnerable to interception.

Impact

Allowing unencrypted HTTP traffic enables attackers to eavesdrop on sensitive information exchanged between users and CloudFront, such as authentication credentials or personal data. This can lead to data breaches, session hijacking, and non-compliance with security standards.

CloudFront distribution does not have a WAF in front.

Property
Language: terraform
Severity: high
Service: cloudfront
Provider: AWS
Vulnerability Type: omission

Description

The CloudFront distribution is not protected by a Web Application Firewall (WAF), leaving it exposed to common web attacks such as SQL injection, cross-site scripting, and other application-layer threats. The missing WAF means malicious requests are not filtered before reaching the application.

Impact

Without a WAF, attackers can more easily exploit web application vulnerabilities, potentially leading to data breaches, service disruptions, and compromise of sensitive information. This increases the risk of successful attacks against the application and could result in financial or reputational damage.

CloudFront distribution should have access logging configured.

Property
Language: terraform
Severity: medium
Service: cloudfront
Provider: AWS
Vulnerability Type: omission

Description

The CloudFront distribution is missing access logging configuration, which means requests to the distribution are not recorded. Without access logs, visibility into who accessed resources and how is lost, making monitoring and auditing difficult.

Impact

If access logging is not enabled, suspicious or unauthorized activity may go undetected, and forensic investigation after an incident becomes challenging. This lack of visibility can hinder incident response, compliance efforts, and detection of abuse or misconfigurations.

CloudFront distribution uses outdated SSL/TLS protocols.

Property
Language: terraform
Severity: high
Service: cloudfront
Provider: AWS
Vulnerability Type: omission

Description

The CloudFront distribution is configured to use outdated SSL/TLS protocols for encrypting traffic, rather than enforcing modern standards like TLS v1.2 or higher. This weakens the security of data in transit due to reliance on protocols with known vulnerabilities.

Impact

Using outdated TLS versions exposes the distribution to attacks such as eavesdropping and man-in-the-middle exploits, potentially allowing attackers to intercept or manipulate sensitive data. This can lead to data breaches, loss of confidentiality, and non-compliance with security standards.

CloudTrail log file validation should be enabled to prevent tampering with log data.

Property
Language: terraform
Severity: high
Service: cloudtrail
Provider: AWS
Vulnerability Type: omission

Description

CloudTrail trails are configured without log file validation, which means there is no mechanism to detect if log files stored in S3 have been tampered with or altered. This makes it possible for malicious changes to go unnoticed.

Impact

If CloudTrail logs are modified by an attacker, evidence of unauthorized or malicious activity can be removed or altered, undermining audit trails and making incident response and forensic investigations unreliable.

CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs.

Property
Language: terraform
Severity: low
Service: cloudtrail
Provider: AWS

Description

CloudTrail is configured to store logs only in S3 and does not send them to CloudWatch Logs, preventing real-time monitoring and analysis of AWS API activity. This limits the ability to detect and respond quickly to suspicious actions.

Impact

Without integration with CloudWatch Logs, security teams cannot perform real-time alerting or automated responses to critical AWS events. This delay in detection increases the risk of unnoticed unauthorized activities or misconfigurations, potentially leading to security breaches or data loss.

CloudTrail should use customer-managed keys to encrypt the logs.

Property
Language: terraform
Severity: high
Service: cloudtrail
Provider: AWS
Vulnerability Type: omission

Description

CloudTrail logs are being encrypted using AWS-managed keys instead of customer-managed keys, which limits the ability to control key policies, permissions, and rotation. This reduces the flexibility and security of sensitive audit log data.

Impact

Without customer-managed keys, organizations cannot enforce fine-grained access controls or customize key management practices for CloudTrail logs. This increases the risk of unauthorized access to audit trails and may result in non-compliance with security or regulatory requirements.

CloudWatch log groups should be encrypted using a CMK.

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

CloudWatch log groups are not configured to use a customer-managed KMS key (CMK) for encryption, relying instead on default AWS-managed keys. This limits control over encryption settings, such as key rotation and access management.

Impact

Without CMK encryption, sensitive log data is at greater risk of unauthorized access if the account or the default key's permissions are compromised, and there is reduced visibility into and auditing of who accesses log data. This can lead to data leaks and hinder compliance with security policies.

Clusters should be configured with labels.

Property
Language: terraform
Severity: low
Service: gke
Provider: Google

Description

Cluster resources are provisioned without labels, making it difficult to identify, organize, or manage clusters within the environment. Missing labels hinder mapping resources to environments or teams.

Impact

Lack of resource labels reduces operational visibility and can lead to mismanagement, compliance issues, and increased risk of unauthorized changes, as assets cannot be easily tracked or associated with specific owners or purposes.