Specific capabilities added

Property
Language: terraform
Severity: medium
Vulnerability Type: misconfiguration

Description

The configuration adds Linux capabilities to containers beyond the default set, violating Kubernetes Pod Security Standards. Granting extra capabilities can expose the container to elevated privileges and increase the attack surface.

Impact

Attackers could exploit the additional capabilities to perform unauthorized actions within the container, potentially leading to privilege escalation, lateral movement, or compromise of the host system and other resources in the Kubernetes cluster.

SQS queue should be encrypted with a CMK.

Property
Language: terraform
Severity: high
Service: sqs
Provider: AWS
Vulnerability Type: misconfiguration

Description

The SQS queue is encrypted using the default AWS managed KMS key instead of a customer-managed key, limiting fine-grained access controls and key management. This configuration reduces the ability to restrict or audit access to the queue’s encrypted data.

Impact

If compromised, attackers could potentially access the SQS queue’s messages due to weaker key management and broader access to default keys. This increases the risk of unauthorized data exposure and limits the ability to enforce strict security policies or respond to breaches.

SSH access should not be accessible from the Internet, should be blocked on port 22

Property
Language: terraform
Severity: critical
Service: network
Provider: Azure
Vulnerability Type: misconfiguration

Description

The network security group allows inbound SSH (port 22) connections from any IP address, exposing SSH access to the entire internet. This configuration makes remote server management interfaces publicly accessible and highly susceptible to unauthorized access attempts.

Impact

Unrestricted internet access to SSH can enable attackers to attempt brute-force attacks, exploit vulnerabilities, or gain unauthorized control over cloud resources. This may lead to data breaches, service disruption, or further compromise of the organization’s Azure environment.

SSH Keys are the preferred way to connect to your droplet, no keys are supplied

Property
Language: terraform
Severity: high
Service: compute
Provider: DigitalOcean
Vulnerability Type: omission

Description

The configuration allows creation of DigitalOcean droplets without specifying SSH keys, defaulting to less secure password-based authentication. This increases the risk of unauthorized access due to weaker credentials.

Impact

Attackers may more easily compromise droplets via brute-force or stolen passwords, leading to potential server takeover, data loss, or use of the server for malicious activities.

Resolution

Use SSH keys for login.

SSL connections to a SQL database instance should be enforced.

Property
Language: terraform
Severity: high
Service: sql
Provider: Google
Vulnerability Type: omission

Description

The SQL database instance is configured to allow unencrypted connections, meaning data sent between clients and the database can travel in plaintext. This exposes sensitive information to interception if network traffic is captured.

Impact

Without enforced SSL, attackers who intercept network traffic could read credentials, queries, or sensitive data transmitted to and from the database, leading to data leaks, account compromise, or broader breaches within the application environment.

SSL policies should enforce secure versions of TLS

Property
Language: terraform
Severity: critical
Service: compute
Provider: Google
Vulnerability Type: omission

Description

The SSL policy allows TLS versions earlier than 1.2, which are outdated and contain known security vulnerabilities. This configuration exposes data in transit to interception and compromise due to weak encryption protocols.

Impact

Attackers could exploit outdated TLS versions to decrypt, intercept, or manipulate sensitive data transmitted between clients and servers, leading to data breaches, session hijacking, or loss of data integrity. This undermines compliance and exposes the organization to significant security risks.

SSL should be enforced on database connections where applicable

Property
Language: terraform
Severity: medium
Service: database
Provider: Azure
Vulnerability Type: omission

Description

Database servers are configured without enforcing SSL connections, allowing clients to connect without encryption. This exposes data in transit to potential interception or tampering.

Impact

Without SSL enforcement, sensitive information such as credentials and application data can be intercepted or altered by attackers monitoring the network, increasing the risk of data breaches and unauthorized access.

Resolution

Enable SSL enforcement.

Stackdriver Logging should be enabled

Property
Language: terraform
Severity: low
Service: gke
Provider: Google

Description

Stackdriver Logging is not enabled for the GKE cluster, resulting in container stdout/stderr logs not being captured for monitoring and debugging. This configuration reduces operational visibility into cluster activity and issues.

Impact

Without Stackdriver Logging, it becomes difficult to detect, investigate, and respond to operational problems or security incidents in the cluster, increasing the risk of undetected failures or malicious activity.

Stackdriver Monitoring should be enabled

Property
Language: terraform
Severity: low
Service: gke
Provider: Google

Description

The GKE cluster is not configured with Stackdriver Monitoring, resulting in a lack of aggregated logs, events, and metrics collection for Kubernetes workloads. This reduces observability and monitoring capabilities in production environments.

Impact

Without Stackdriver Monitoring, issues and anomalies within the cluster may go undetected, making it harder to troubleshoot failures or security incidents. This can lead to delayed incident response, increased downtime, and potential non-compliance with monitoring requirements.

Storage accounts should be configured to only accept transfers that are over secure connections

Property
Language: terraform
Severity: high
Service: storage
Provider: Azure
Vulnerability Type: misconfiguration

Description

The storage account allows data transfers over insecure connections (HTTP), rather than enforcing secure transfers (HTTPS only). This misconfiguration exposes data in transit to potential interception or tampering.

Impact

If exploited, attackers could intercept or manipulate sensitive data transmitted to or from the storage account over unencrypted connections, leading to data breaches, unauthorized data access, or loss of data integrity.