Ensure that Cloud SQL Database Instances are not publicly exposed

Property
Language: terraform
Severity: high
Service: sql
Provider: Google
Vulnerability Type: omission

Description

The configuration allows Cloud SQL database instances to be accessible from the public internet by permitting public IPs or broad CIDR ranges (e.g., 0.0.0.0/0). This exposes the database outside the internal network, increasing the risk of unauthorized access.

Impact

If exploited, attackers could connect to the database from anywhere on the internet, potentially leading to data breaches, data loss, or service disruption. Sensitive information stored in the database could be exposed or manipulated, compromising the security and integrity of organizational data.

Ensure that Cloud Storage bucket is not anonymously or publicly accessible.

Property
Language: terraform
Severity: high
Service: storage
Provider: Google
Vulnerability Type: misconfiguration

Description

The storage bucket IAM configuration includes ‘allUsers’ or ‘allAuthenticatedUsers’ as members, which grants public or anonymous access to the bucket’s data. This exposes stored objects to anyone on the internet or any authenticated Google user, bypassing organizational access controls.

Impact

If exploited, sensitive data in the storage bucket can be accessed, downloaded, or modified by unauthorized users worldwide. This can lead to data leaks, regulatory violations, and loss of intellectual property or customer trust.

Ensure that Cloud Storage buckets have uniform bucket-level access enabled

Property
Language: terraform
Severity: medium
Service: storage
Provider: Google
Vulnerability Type: omission

Description

Cloud Storage buckets without uniform bucket-level access enabled allow object-level ACLs, resulting in multiple, potentially conflicting access controls. This increases the risk of misconfigurations and unintentional data exposure.

Impact

If exploited, attackers or unauthorized users could gain unintended access to sensitive data due to overly permissive or misconfigured ACLs, leading to potential data leaks, compliance violations, and loss of data confidentiality.

Ensure that lambda function permission has a source arn specified

Property
Language: terraform
Severity: critical
Service: lambda
Provider: AWS
Vulnerability Type: omission

Description

When an AWS Lambda permission is created without specifying a source ARN, any resource from the specified AWS service principal can invoke the Lambda function. This lack of restriction allows invocation from unintended or even external AWS accounts.

Impact

Without a source ARN, attackers or unauthorized AWS resources could trigger the Lambda function, potentially leading to data leaks, unauthorized actions, or service disruptions. This broad access increases the risk of compromise and loss of control over Lambda executions.

Ensure that logging of checkpoints is enabled.

Property
Language: terraform
Severity: medium
Service: sql
Provider: Google
Vulnerability Type: omission

Description

Checkpoint logging is disabled for the PostgreSQL database instance, preventing collection of key diagnostic information about database write operations. This limits visibility into performance issues and potential denial-of-service (DoS) attack vectors.

Impact

Without checkpoint logs, root causes of database slowdowns, outages, or attacks may go undetected, delaying incident response and increasing the risk of prolonged downtime or data loss. Attackers exploiting performance weaknesses may remain unnoticed, putting the integrity and availability of the application at risk.

Ensure that logging of connections is enabled.

Property
Language: terraform
Severity: medium
Service: sql
Provider: Google
Vulnerability Type: omission

Description

The database instance is not configured to log connection attempts, resulting in missing records of session activity and access events. This lack of logging reduces visibility into who is accessing the database and when.

Impact

Without connection logs, it becomes difficult to detect unauthorized access, investigate security incidents, or identify patterns indicative of attacks such as denial-of-service or brute-force attempts. This can hinder incident response and compliance efforts.

Ensure that logging of disconnections is enabled.

Property
Language: terraform
Severity: medium
Service: sql
Provider: Google
Vulnerability Type: omission

Description

The configuration does not enable logging of database disconnections, resulting in a lack of records for when client sessions end. Without this logging, important diagnostic information such as session durations and abnormal disconnect patterns is unavailable.

Impact

Missing disconnection logs limit the ability to detect performance issues, investigate potential denial-of-service (DoS) attacks, and perform forensic analysis. This can hinder incident response and allow malicious or unintended behaviors to go unnoticed, increasing operational and security risk.

Ensure that logging of lock waits is enabled.

Property
Language: terraform
Severity: medium
Service: sql
Provider: Google
Vulnerability Type: omission

Description

Lock wait logging is disabled for the Google Cloud SQL PostgreSQL instance, preventing the system from recording events where database operations are blocked waiting for locks. This omission makes it difficult to detect and analyze performance bottlenecks or suspicious activity related to resource contention.

Impact

Without lock wait logs, administrators may miss signs of performance degradation or denial-of-service conditions caused by excessive locking. This can allow attackers or misbehaving applications to degrade service availability undetected, potentially leading to prolonged outages or security incidents.

Ensure that logging of long statements is disabled.

Property
Language: terraform
Severity: low
Service: sql
Provider: Google

Description

The database instance is configured to log SQL statements that exceed a certain duration, which may inadvertently capture sensitive data such as credentials or user information in logs. Logging of such statements should be disabled to prevent unintended data exposure.

Impact

If exploited, sensitive information present in SQL statements could be exposed through database logs, increasing the risk of data breaches, unauthorized access, or regulatory non-compliance. Attackers or unauthorized users with log access may obtain confidential data that should remain protected.

Ensure that no sensitive credentials are exposed in VM custom_data

Property
Language: terraform
Severity: medium
Service: compute
Provider: Azure
Vulnerability Type: omission

Description

Sensitive credentials, such as passwords or access keys, are being included in the custom_data field when provisioning Azure Virtual Machines. This practice exposes secrets in plain text within the VM metadata, making them accessible to anyone with read access to the VM configuration.

Impact

If exploited, attackers or unauthorized users with access to VM metadata can obtain exposed credentials, leading to potential unauthorized access to databases, services, or other cloud resources. This can compromise infrastructure security, result in data breaches, and cause loss of control over critical systems.