User Pods should not be placed in kube-system namespace

Property
Language: terraform
Severity: medium
Vulnerability Type: misconfiguration

Description

User pods are deployed into the kube-system namespace, which is reserved for critical Kubernetes system components. This practice can lead to mixing user workloads with core infrastructure resources, increasing risk and complexity.

Impact

Placing user pods in the kube-system namespace could allow accidental or malicious interference with essential cluster services, potentially leading to cluster instability, privilege escalation, or denial of service affecting the entire Kubernetes environment.

User with admin access

Property
Language: terraform
Severity: medium
Vulnerability Type: misconfiguration

Description

Granting users or service accounts the ‘cluster-admin’, ‘admin’, or ‘edit’ roles provides them with broad, unrestricted permissions in the Kubernetes cluster, exceeding the principle of least privilege.

Impact

If exploited, users with these elevated roles can perform sensitive actions such as modifying or deleting cluster resources, potentially leading to unauthorized access, data loss, or full cluster compromise.

Resolution

Remove the binding to the ClusterRole ‘cluster-admin’, ‘admin’ or ‘edit’.

Users should not be granted service account access at the folder level

Property
Language: terraform
Severity: medium
Service: IAM
Provider: Google
Vulnerability Type: misconfiguration

Description

Granting users service account access at the folder level allows them to impersonate any service account within that folder, rather than limiting access to only necessary accounts. This broad permission increases the risk of unauthorized actions and privilege misuse.

Impact

If exploited, a user could escalate privileges or perform actions as any service account in the folder, potentially accessing sensitive resources, modifying infrastructure, or bypassing intended security controls across multiple projects.

Users should not be granted service account access at the organization level

Property
Language: terraform
Severity: medium
Service: iam
Provider: Google
Vulnerability Type: misconfiguration

Description

Granting service account access at the organization level allows users to impersonate any service account across all projects. This broad permission should be restricted to only the specific service accounts required for a user’s role.

Impact

If exploited, users can escalate privileges and act as any service account within the organization, enabling unauthorized access to sensitive resources, data exfiltration, or disruption of services across all projects.

Users should not be granted service account access at the project level

Property
Language: terraform
Severity: medium
Service: iam
Provider: Google
Vulnerability Type: misconfiguration

Description

Granting users service account access at the project level allows them to impersonate any service account within the project. This broad permission bypasses the principle of least privilege and should be restricted to specific service accounts as needed.

Impact

If exploited, users can escalate privileges by impersonating any service account, potentially accessing sensitive resources or performing unauthorized actions across all services in the project, leading to loss of control and data exposure.

VM disks should be encrypted with Customer Supplied Encryption Keys

Property
Language: terraform
Severity: low
Service: compute
Provider: Google

Description

VM disks are not encrypted with customer-managed encryption keys, relying instead on default or unmanaged keys. This limits control over key management, including rotation and access policies.

Impact

Without customer-managed keys, organizations cannot enforce their own key rotation, revocation, or granular access controls, increasing the risk of unauthorized data access if the default encryption is compromised.

Resolution

Use customer-managed encryption keys for VM disks.

VPC flow logs should be enabled for all subnetworks

Property
Language: terraform
Severity: low
Service: compute
Provider: Google

Description

VPC subnetworks are configured without VPC flow logs enabled, resulting in a lack of traffic monitoring and visibility into network activity. This prevents capturing valuable data on network flows for auditing and security analysis.

Impact

Without VPC flow logs, suspicious or unauthorized network traffic may go undetected, limiting the ability to investigate security incidents or troubleshoot networking issues. This can lead to delayed detection of breaches or policy violations, increasing organizational risk.

Weak Authentication

Property
Language: hcl
Severity: medium
CWE: CWE-1390: Weak Authentication
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

The EC2 launch template is configured to allow the older Instance Metadata Service Version 1 (IMDSv1), which lacks strong authentication. This makes it easier for attackers to access sensitive metadata from within the instance.

Impact

If exploited, attackers can retrieve credentials and other metadata from the instance, potentially leading to privilege escalation, data breaches, or compromise of AWS resources. This can result in unauthorized access to critical systems and data.