Do not allow attaching to shell on pods

Property
Language: terraform
Severity: high

Description

The role configuration allows users to attach to the shell of pods by granting ‘create’ access on ‘pods/attach’ and ‘get’ access on ‘pods’. This enables interactive access to containers, which can bypass application-level security controls.

Impact

If exploited, attackers or unauthorized users could gain direct shell access to running containers, potentially leading to data exfiltration, privilege escalation, or manipulation of workloads. This increases the risk of lateral movement and compromise of other resources within the Kubernetes cluster.

Do not allow impersonation of privileged groups

Property
Language: terraform
Severity: critical

Description

Roles are configured to allow impersonation of privileged groups, enabling users to assume high-level permissions they were not intended to have. This misconfiguration bypasses intended access controls and violates least privilege principles.

Impact

If exploited, attackers or unauthorized users could gain privileged access, perform administrative actions, escalate their privileges, or compromise sensitive resources within the Kubernetes cluster, leading to a potential full cluster takeover or severe data breaches.

Do not allow privilege escalation from node proxy

Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

Kubernetes roles or cluster roles are configured to allow ‘get’ or ‘create’ access on the ‘nodes/proxy’ resource, which can enable privilege escalation through the node proxy feature. This grants users unnecessary or overly broad access to node-level operations.

Impact

If exploited, an attacker could use the node proxy to access or control Kubernetes nodes directly, potentially gaining access to sensitive data, executing arbitrary commands, or escalating privileges across the cluster, severely compromising cluster security.

Do not allow role binding creation and association with privileged role/clusterrole

Property
Language: terraform
Severity: high

Description

The role is configured to allow the creation of role bindings and association with privileged roles or cluster roles, granting excessive permissions that can be abused to escalate privileges within the Kubernetes cluster.

Impact

If exploited, attackers could bind themselves or others to highly privileged roles, gaining unauthorized access and control over cluster resources, potentially leading to data breaches, service disruption, or full cluster compromise.

Do not allow role to create ClusterRoleBindings and association with privileged role

Property
Language: terraform
Severity: high

Description

The role configuration allows users to create ClusterRoleBindings and associate them with any privileged ClusterRole, granting broad and potentially dangerous permissions across the cluster. This setup enables escalation of privileges beyond intended access controls.

Impact

If exploited, an attacker could bind themselves or others to highly privileged cluster roles, potentially gaining full administrative control over the Kubernetes cluster. This could lead to unauthorized access, data breaches, or disruption of services.

Do not allow users in a rolebinding to add other users to their rolebindings

Property
Language: terraform
Severity: low

Description

The role configuration allows users associated with a rolebinding to modify rolebindings, enabling them to add or remove users from privileged roles. This grants users the ability to escalate privileges by altering access controls.

Impact

If exploited, users could assign themselves or others elevated permissions, potentially leading to unauthorized access, privilege escalation, and compromise of sensitive resources within the Kubernetes cluster.

Resolution

Create a role that does not allow users in a rolebinding to add other users to their rolebindings, unless this is actually needed.

DocumentDB encryption should use Customer Managed Keys

Property
Language: terraform
Severity: low
Service: documentdb
Provider: AWS

Description

The DocumentDB cluster is encrypted using AWS-managed keys instead of customer-managed KMS keys, limiting control over key management operations such as rotation and access policies. This configuration reduces the ability to customize encryption settings to meet specific security or compliance requirements.

Impact

Relying on AWS-managed keys restricts fine-grained control over encryption, potentially preventing compliance with organizational policies or regulatory standards. If the encryption key is compromised or needs to be rotated, the lack of direct management increases the risk of unauthorized data access or data exposure.

DocumentDB logs export should be enabled

Property
Language: terraform
Severity: medium
Service: documentdb
Provider: AWS
Vulnerability Type: omission

Description

AWS DocumentDB clusters without log export enabled lack built-in auditing, making it difficult to monitor or track access and configuration changes. The absence of exported audit or profiler logs limits visibility into potentially unauthorized or suspicious activities within the database.

Impact

Without audit log exports, security incidents or unauthorized actions may go undetected, increasing the risk of data breaches and compliance violations. This lack of traceability can hinder investigations and make it harder to demonstrate security controls during audits.

DocumentDB storage must be encrypted

Property
Language: terraform
Severity: high
Service: documentdb
Provider: AWS
Vulnerability Type: omission

Description

The DocumentDB cluster is configured without storage encryption, leaving data at rest unprotected. This allows sensitive information on the underlying disks to remain readable if physical storage is compromised.

Impact

If exploited, attackers or unauthorized parties with access to the physical storage could retrieve unencrypted database contents, leading to data breaches of sensitive information and possible regulatory violations.

Domain logging should be enabled for Elastic Search domains

Property
Language: terraform
Severity: medium
Service: elastic-search
Provider: AWS
Vulnerability Type: omission

Description

Enabling domain logging for ElasticSearch domains allows for monitoring and auditing of access to the domain, helping identify unusual or malicious activities.

Impact

Without domain logging, suspicious access or misconfigurations may go unnoticed, making it harder to detect breaches or unauthorized data access.

Resolution

Enable logging for ElasticSearch domains