Databases should have the minimum TLS set for connections

Property
Language: terraform
Severity: medium
Service: database
Provider: Azure
Vulnerability Type: omission

Description

The database server accepts connections over TLS versions below 1.2 (TLS 1.0 and 1.1), which are deprecated and carry known protocol weaknesses. A client that negotiates one of these versions leaves data in transit exposed to downgrade and decryption attacks against the older protocols.

Impact

Attackers could exploit weaknesses in older TLS versions to intercept or manipulate sensitive data between clients and the database, leading to data breaches, credential theft, or unauthorized access to the database environment.
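The following is an added example and not code from the original page: an Azure SQL server that accepts TLS 1.0 beside the corrected configuration, plus the equivalent setting on the single-server PostgreSQL resource, where the attribute has a different name. The resource names, SKU, admin login and the variable holding the password are placeholders.

```hcl
# Added example (not part of the original page): an Azure SQL server that
# accepts TLS 1.0 beside the corrected configuration. Names, SKUs and the
# variable holding the admin password are placeholders.

variable "db_admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_resource_group" "rg" {
  name     = "db-example-rg"
  location = "westeurope"
}

# Flagged: minimum_tls_version is 1.0, so clients may negotiate TLS 1.0/1.1.
# Leaving the attribute out entirely is flagged by an "omission" check too,
# because the check does not rely on a provider default.
resource "azurerm_mssql_server" "weak" {
  name                         = "db-example-weak"
  resource_group_name          = azurerm_resource_group.rg.name
  location                     = azurerm_resource_group.rg.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.db_admin_password
  minimum_tls_version          = "1.0"
}

# Compliant: TLS 1.2 is the lowest version the server will accept.
resource "azurerm_mssql_server" "hardened" {
  name                         = "db-example-hardened"
  resource_group_name          = azurerm_resource_group.rg.name
  location                     = azurerm_resource_group.rg.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.db_admin_password
  minimum_tls_version          = "1.2"
}

# The same control on the single-server PostgreSQL (and MySQL) resources uses
# ssl_minimal_tls_version_enforced, and only matters when SSL enforcement is on.
resource "azurerm_postgresql_server" "hardened" {
  name                             = "pg-example-hardened"
  resource_group_name              = azurerm_resource_group.rg.name
  location                         = azurerm_resource_group.rg.location
  sku_name                         = "GP_Gen5_2"
  version                          = "11"
  administrator_login              = "pgadmin"
  administrator_login_password     = var.db_admin_password
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"
}
```

Setting the floor on the server is only half of the check: client connection strings that pin an older protocol version will start failing once the floor is raised, so verify application drivers negotiate TLS 1.2 before rolling the change out.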

DAX Cluster should always encrypt data at rest

Property
Language: terraform
Severity: high
Service: dynamodb
Provider: AWS
Vulnerability Type: omission

Description

The DAX cluster is configured without encryption at rest, meaning data stored on the underlying storage is not protected against unauthorized access. This leaves sensitive cache data exposed if the storage medium is accessed directly.

Impact

If the cluster storage is compromised, an attacker could read all cached data in plaintext, leading to potential data breaches, exposure of sensitive information, and non-compliance with data protection regulations.
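The following is an added example and not code from the original page: a DAX cluster declared without encryption at rest beside the corrected one. The IAM role is a minimal placeholder so the snippet plans on its own; the cluster names and node type are assumptions.

```hcl
# Added example (not part of the original page): a DAX cluster without
# encryption at rest beside the corrected configuration. The IAM role is a
# minimal placeholder; cluster names and node type are assumptions.

resource "aws_iam_role" "dax" {
  name = "dax-example-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "dax.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Flagged: no server_side_encryption block, so cached items are stored
# unencrypted on the cluster nodes.
resource "aws_dax_cluster" "weak" {
  cluster_name       = "cache-weak"
  iam_role_arn       = aws_iam_role.dax.arn
  node_type          = "dax.t3.small"
  replication_factor = 1
}

# Compliant: encryption at rest is enabled explicitly. A block with
# enabled = false is treated the same as omitting it.
resource "aws_dax_cluster" "hardened" {
  cluster_name       = "cache-hardened"
  iam_role_arn       = aws_iam_role.dax.arn
  node_type          = "dax.t3.small"
  replication_factor = 1

  server_side_encryption {
    enabled = true
  }

  # Encryption in transit is a separate setting: TLS protects the traffic
  # between the application and the cluster endpoint.
  cluster_endpoint_encryption_type = "TLS"
}
```

The encryption-at-rest setting is fixed at cluster creation, so turning it on for an existing cluster means a replacement; plan the cache warm-up accordingly rather than toggling it in place.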

Default capabilities: some containers do not drop all

Property
Language: terraform
Severity: low

Description

Containers are not configured to drop all default Linux capabilities, which means they retain more privileges than necessary for their function. This increases the attack surface by allowing processes inside the container to perform potentially dangerous actions.

Impact

If exploited, attackers who gain access to a container could leverage unused default capabilities to escalate privileges, interfere with the host system, or compromise other containers, increasing the risk of lateral movement and system compromise.

Default capabilities: some containers do not drop any

Property
Language: terraform
Severity: low

Description

Containers are running without dropping any Linux capabilities, meaning they retain all default privileges. This configuration does not follow security best practices, as containers should only have the minimum capabilities required.

Impact

If exploited, containers with unnecessary capabilities could be leveraged by attackers to escalate privileges or compromise the host system, increasing the risk of lateral movement or unauthorized access within the environment.
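The following is an added example and not code from the original page, covering both capability checks above: a pod that drops no capabilities, one that drops only some, and the corrected form that drops all and adds back the single capability the process needs. The pod names, images and the assumption that the process must bind a privileged port are placeholders.

```hcl
# Added example (not part of the original page): three pods showing the two
# flagged capability configurations and the corrected one. Names, images and
# the need for NET_BIND_SERVICE are assumptions.

# Flagged ("do not drop any"): no capabilities block, so the container keeps
# the runtime's full default capability set.
resource "kubernetes_pod" "drops_none" {
  metadata {
    name = "web-drops-none"
  }
  spec {
    container {
      name  = "web"
      image = "nginx:1.25"
    }
  }
}

# Flagged ("do not drop all"): only a few capabilities are removed; everything
# else in the default set (e.g. CHOWN, SETUID, MKNOD) remains.
resource "kubernetes_pod" "drops_some" {
  metadata {
    name = "web-drops-some"
  }
  spec {
    container {
      name  = "web"
      image = "nginx:1.25"
      security_context {
        capabilities {
          drop = ["NET_RAW", "SYS_ADMIN"]
        }
      }
    }
  }
}

# Compliant: drop everything, then add back only what the workload proves it
# needs. Binding a port below 1024 as a non-root user is the usual example.
resource "kubernetes_pod" "hardened" {
  metadata {
    name = "web-hardened"
  }
  spec {
    container {
      name  = "web"
      image = "nginx:1.25"
      security_context {
        capabilities {
          drop = ["ALL"]
          add  = ["NET_BIND_SERVICE"]
        }
      }
    }
  }
}
```

The same `security_context` block applies inside the `template` of a `kubernetes_deployment`, `kubernetes_daemonset` or `kubernetes_job`. Note that `drop = ["ALL"]` is evaluated before `add`, so the explicit `add` list is the complete set of capabilities the container ends up with.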

Default network should not be created at project level

Property
Language: terraform
Severity: high
Service: iam
Provider: Google
Vulnerability Type: omission

Description

Leaving automatic creation of the default network enabled on a Google Cloud project creates the "default" VPC together with its pre-populated firewall rules (default-allow-ssh, default-allow-rdp and default-allow-icmp accept ingress from 0.0.0.0/0, and default-allow-internal allows all traffic between instances on the network). This configuration exposes internal resources to unnecessary network risk before any workload is deployed.

Impact

If exploited, attackers could gain unauthorized access to internal services or infrastructure exposed by permissive firewall rules, potentially leading to data breaches, lateral movement, or service disruptions within the project.
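The following is an added example and not code from the original page: a project created with the default network beside one that disables it and provisions an explicit VPC instead. The project IDs, organization and billing variables, and the subnet range are placeholders.

```hcl
# Added example (not part of the original page): a project that gets the
# default network beside one that disables it and declares its own VPC.
# Project IDs, org/billing variables and the subnet range are placeholders.

variable "org_id" {
  type = string
}

variable "billing_account" {
  type = string
}

# Flagged: auto_create_network defaults to true, so the "default" VPC and its
# permissive firewall rules are created with the project.
resource "google_project" "weak" {
  name            = "example-weak"
  project_id      = "example-weak-123456"
  org_id          = var.org_id
  billing_account = var.billing_account
}

# Compliant: no default network. The provider creates the project and then
# removes the default network, so the credentials running terraform need
# permission to delete networks in the new project.
resource "google_project" "hardened" {
  name                = "example-hardened"
  project_id          = "example-hardened-123456"
  org_id              = var.org_id
  billing_account     = var.billing_account
  auto_create_network = false
}

# Replace it with a purpose-built VPC: no auto subnets, and only the firewall
# rules the workload actually needs are added later, explicitly.
resource "google_compute_network" "app" {
  project                 = google_project.hardened.project_id
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "app" {
  project                  = google_project.hardened.project_id
  name                     = "app-subnet"
  region                   = "europe-west1"
  network                  = google_compute_network.app.id
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true
}
```

For projects that already exist, setting `auto_create_network = false` on an imported `google_project` resource deletes the default network on the next apply, which will break any instance still attached to it; check `gcloud compute instances list --filter="networkInterfaces.network:default"` first.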

Default security context configured

Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

Kubernetes resources are configured with the default security context, which means critical security settings like user privileges and filesystem access are not explicitly restricted. This allows containers or pods to run with potentially excessive permissions, such as running as root.

Impact

If exploited, attackers could gain elevated privileges within containers or pods, enabling them to perform unauthorized actions, escalate privileges, or compromise the broader cluster. This increases the risk of data breaches, service disruption, or further lateral movement within the environment.
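The following is an added example and not code from the original page: a pod left on the default security context beside one that sets the pod-level and container-level fields explicitly. The pod name, image, UID/GID values and the writable scratch volume are assumptions for illustration.

```hcl
# Added example (not part of the original page): a pod on the default security
# context beside one that restricts it explicitly. Name, image, UID/GID and the
# scratch volume are assumptions.

# Flagged: no security_context at pod or container level. Whatever the image
# declares (often root, a writable root filesystem, privilege escalation
# allowed) is what runs.
resource "kubernetes_pod" "weak" {
  metadata {
    name = "api-weak"
  }
  spec {
    container {
      name  = "api"
      image = "example/api:1.0"
    }
  }
}

# Compliant: pod-level identity and seccomp, container-level restrictions.
resource "kubernetes_pod" "hardened" {
  metadata {
    name = "api-hardened"
  }
  spec {
    security_context {
      run_as_non_root = true   # kubelet refuses to start the container as UID 0
      run_as_user     = 10001
      run_as_group    = 10001
      fs_group        = 10001  # volumes are chowned so the non-root user can use them
      seccomp_profile {
        type = "RuntimeDefault"
      }
    }

    container {
      name  = "api"
      image = "example/api:1.0"

      security_context {
        allow_privilege_escalation = false  # blocks setuid binaries gaining privileges
        privileged                 = false
        read_only_root_filesystem  = true
        capabilities {
          drop = ["ALL"]
        }
      }

      # A read-only root filesystem still needs somewhere to write temp files.
      volume_mount {
        name       = "tmp"
        mount_path = "/tmp"
      }
    }

    volume {
      name = "tmp"
      empty_dir {}
    }
  }
}
```

`run_as_non_root = true` is enforced at container start, not at plan time: if the image's process cannot run as the given UID (for example it writes to a root-owned path), the pod fails with a CreateContainerConfigError, which is the desired outcome rather than silently running as root.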

Default security group should restrict all traffic

Property
Language: terraform
Severity: low
Service: ec2
Provider: AWS

Description

Configuring every VPC's default security group to restrict all traffic encourages least-privilege security group design and deliberate placement of AWS resources into purpose-built security groups, which in turn reduces the exposure of those resources. A default security group that still carries rules is the one a resource lands in when no group is specified, so it should permit nothing.

Resolution

Configure the default security group to restrict all traffic by managing it with no ingress or egress rules.
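The following is an added example and not code from the original page: two VPCs, one whose default security group keeps the AWS-created rules and one whose default group is stripped of all rules, with a purpose-built group for the workload. The CIDR ranges and names are placeholders.

```hcl
# Added example (not part of the original page): the default security group
# left with rules beside one stripped of all rules. Two VPCs are used because
# aws_default_security_group adopts exactly one default group per VPC.
# CIDR ranges and names are placeholders.

resource "aws_vpc" "weak" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_vpc" "hardened" {
  cidr_block = "10.1.0.0/16"
}

# Flagged: the rules AWS creates by default are re-declared, so any resource
# dropped into this group can talk to every other member and reach the
# internet.
resource "aws_default_security_group" "weak" {
  vpc_id = aws_vpc.weak.id

  ingress {
    protocol  = -1
    self      = true
    from_port = 0
    to_port   = 0
  }

  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Compliant: no ingress or egress blocks. Terraform removes every rule from the
# default group, so a resource placed in it by mistake can neither accept nor
# originate traffic.
resource "aws_default_security_group" "hardened" {
  vpc_id = aws_vpc.hardened.id

  tags = {
    Name = "default-do-not-use"
  }
}

# Workloads get an explicit group with only what they need.
resource "aws_security_group" "web" {
  name        = "web"
  description = "HTTPS from the load balancer subnet only"
  vpc_id      = aws_vpc.hardened.id

  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["10.1.0.0/24"]
  }

  egress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

`aws_default_security_group` does not create a group; it adopts the one AWS created with the VPC and makes its rule set match the configuration. Destroying the resource only removes it from state, so the emptied rules stay in place.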

Delete expired SSL certificates

Property
Language: terraform
Severity: low
Service: ssl-certificate
Provider: Nifcloud

Description

Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as a NIFCLOUD Load Balancer (L4LB), which can damage the credibility of the application/website behind the L4LB. As a best practice, it is recommended to delete expired certificates.

Resolution

Remove expired certificates

Delete expired TLS certificates

Property
Language: terraform
Severity: low
Service: iam
Provider: AWS

Description

Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.

Resolution

Remove expired certificates

Delete pod logs

Property
Language: terraform
Severity: medium
Vulnerability Type: omission

Description

Granting the ‘delete’ or ‘deletecollection’ verb on the ‘pods/log’ resource in a Kubernetes Role or ClusterRole (directly, or through a ‘*’ wildcard in verbs or resources) allows the bound subjects to remove pod logs, which can erase important audit trails. This weakens the ability to monitor and investigate cluster activity.

Impact

If exploited, an attacker with these permissions could delete pod logs to hide evidence of malicious actions, hindering incident response and forensic analysis. This could allow security breaches to go undetected and compromise compliance requirements.
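The following is an added example and not code from the original page: a namespaced Role that grants delete on pods/log beside a corrected Role that keeps log access read-only while still allowing pod deletion where an operator needs it. The role names and namespace are placeholders.

```hcl
# Added example (not part of the original page): a Role that allows deleting
# pod logs beside a corrected one. Role names and the namespace are
# placeholders.

resource "kubernetes_namespace" "app" {
  metadata {
    name = "app"
  }
}

# Flagged: "delete" and "deletecollection" apply to every resource in the rule,
# including pods/log. A verbs = ["*"] or resources = ["*"] wildcard would be
# flagged for the same reason.
resource "kubernetes_role" "weak" {
  metadata {
    name      = "pod-operator-weak"
    namespace = kubernetes_namespace.app.metadata[0].name
  }

  rule {
    api_groups = [""]
    resources  = ["pods", "pods/log"]
    verbs      = ["get", "list", "watch", "delete", "deletecollection"]
  }
}

# Compliant: split the rule so the destructive verbs never touch pods/log.
resource "kubernetes_role" "hardened" {
  metadata {
    name      = "pod-operator"
    namespace = kubernetes_namespace.app.metadata[0].name
  }

  # Logs are read-only.
  rule {
    api_groups = [""]
    resources  = ["pods/log"]
    verbs      = ["get", "list", "watch"]
  }

  # Pod lifecycle management stays available, on pods only.
  rule {
    api_groups = [""]
    resources  = ["pods"]
    verbs      = ["get", "list", "watch", "delete"]
  }
}

resource "kubernetes_role_binding" "operators" {
  metadata {
    name      = "pod-operators"
    namespace = kubernetes_namespace.app.metadata[0].name
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.hardened.metadata[0].name
  }

  subject {
    kind      = "Group"
    name      = "app-operators"
    api_group = "rbac.authorization.k8s.io"
  }
}
```

Deleting a pod also discards its logs from the node, so if the audit trail matters the real control is shipping logs off-cluster (a log agent to a write-once store) rather than RBAC alone; the Role above only removes the explicit path this check looks for. After applying, `kubectl auth can-i delete pods/log --as-group=app-operators --as=someone -n app` should answer `no`.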