The default action on Storage account network rules should be set to deny

Property
Language: terraform
Severity: critical
Service: storage
Provider: Azure
Vulnerability Type: misconfiguration

Description

The storage account network rules are configured with a default action of ‘Allow’, meaning any traffic not explicitly permitted or denied by specific rules is automatically granted access. This misconfiguration can unintentionally expose the storage account to unwanted or public network access.

Impact

If exploited, unauthorized users could gain network-level access to the storage account, potentially leading to data exposure, leakage, or unauthorized data manipulation. This increases the risk of data breaches and can compromise sensitive organizational information.

The elb has common private network

Property
Language: terraform
Severity: low
Service: network
Provider: Nifcloud

Description

The ELB is configured to use a common private network that is shared with other users, rather than an isolated private LAN. This setup fails to properly isolate internal traffic, exposing sensitive communication to potential interception.

Impact

Using a shared network allows other tenants on the same provider to potentially access or intercept data transmitted between servers, increasing the risk of data leakage or unauthorized access to sensitive resources.

The encryption key used to encrypt a compute disk has been specified in plaintext.

Property
Language: terraform
Severity: critical
Service: compute
Provider: Google
Vulnerability Type: misconfiguration

Description

The Terraform configuration includes raw encryption keys in plaintext for Google Compute Engine disks, exposing sensitive key material directly in code. This practice bypasses secure key management and increases the risk of key compromise.

Impact

If exploited, attackers with access to the codebase or state files can obtain the encryption key, potentially allowing unauthorized decryption and access to all data on the affected disks, leading to data breaches and loss of confidentiality.

The firewall has an inbound rule with open access

Property
Language: terraform
Severity: critical
Service: compute
Provider: DigitalOcean
Vulnerability Type: misconfiguration

Description

The firewall configuration allows inbound traffic from any IP address by using an open CIDR range (e.g., 0.0.0.0/0), exposing specified ports to the entire internet. This lack of restriction makes the service accessible to anyone, rather than just trusted sources.

Impact

Exposing ports to the public internet enables attackers to attempt unauthorized access, perform brute-force attacks, or exploit vulnerabilities on those ports. This can lead to data breaches, service disruptions, or complete system compromise.

The firewall has an outbound rule with open access

Property
Language: terraform
Severity: critical
Service: compute
Provider: DigitalOcean
Vulnerability Type: misconfiguration

Description

The firewall configuration allows outbound traffic to any IP address by using overly broad destination CIDR ranges such as 0.0.0.0/0. This lack of restriction exposes internal services or resources to the entire internet.

Impact

Unrestricted outbound access can enable data exfiltration, command-and-control communications, or lateral movement by attackers if a resource is compromised. This greatly increases the risk of data leaks and unauthorized external communications, potentially exposing sensitive systems or information.

The instance has common private network

Property
Language: terraform
Severity: low
Service: computing
Provider: Nifcloud

Description

The instance is connected to a common private network that is shared with other users, rather than being isolated within a dedicated private LAN. This configuration can expose internal traffic to unintended parties within the shared network.

Impact

Sensitive data transmitted between servers may be accessible to other tenants on the shared network, increasing the risk of data leakage, unauthorized access, or lateral movement by attackers within the provider’s infrastructure.

The Kubernetes cluster does not enable surge upgrades

Property
Language: terraform
Severity: medium
Service: compute
Provider: DigitalOcean
Vulnerability Type: omission

Description

The Kubernetes cluster is configured without surge upgrades enabled, meaning that during upgrades, workloads are not temporarily rescheduled onto new nodes. This can result in service interruptions or downtime while nodes are updated.

Impact

Without surge upgrades, cluster upgrades may cause application downtime or degraded availability, disrupting user access and potentially violating uptime requirements or SLAs. An attacker or an unrelated outage that coincides with the upgrade window could further reduce reliability.

The load balancer forwarding rule is using an insecure protocol as an entrypoint

Property
Language: terraform
Severity: critical
Service: compute
Provider: DigitalOcean
Vulnerability Type: misconfiguration

Description

The load balancer is configured to accept incoming traffic over plain HTTP, which transmits all data in clear text without encryption. This exposes sensitive information to interception by anyone monitoring the network.

Impact

Unencrypted HTTP traffic allows attackers to eavesdrop, capture credentials, session tokens, or other sensitive data, leading to potential data breaches, account compromise, and loss of user trust.

The minimum TLS version for Storage Accounts should be TLS1_2

Property
Language: terraform
Severity: critical
Service: storage
Provider: Azure
Vulnerability Type: misconfiguration

Description

The storage account is configured to allow outdated TLS versions (TLS 1.0 or 1.1), which have known security flaws. This setting does not enforce the use of TLS 1.2, leaving data in transit exposed to these weaker protocol versions.

Impact

Allowing older TLS versions exposes the storage account to risks such as data interception, man-in-the-middle attacks, and potential compromise of sensitive information. Attackers could exploit these weaknesses to decrypt or tamper with data in transit, threatening both data confidentiality and integrity.

The nas instance has common private network

Property
Language: terraform
Severity: low
Service: nas
Provider: Nifcloud

Description

The NAS instance is configured to use a common private network that may be shared with other users, rather than an isolated private LAN. This setup does not adequately separate sensitive traffic from other network tenants.

Impact

Using a shared network exposes sensitive data and traffic to potential interception or unauthorized access by other users on the same network, increasing the risk of data leaks and unauthorized activities within the organization’s environment.