Ensure that Postgres errors are logged

Property

Language: terraform
Severity: low
Service: sql
Provider: Google

Description

The database instance is configured with a minimum log severity (the log_min_messages database flag) that is too high, so messages at ERROR level and below are never written to the Postgres log. Error events are therefore not recorded and are not available for review.

Impact

Without error logging, database issues may go undetected, making troubleshooting difficult and increasing the risk of unresolved outages or security incidents. Critical problems could persist unnoticed, affecting data integrity and application reliability.
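
The following is an added example, not code from the original check: a Python function that takes the database_flags list of a google_sql_database_instance (as Terraform would represent it) and decides whether ERROR messages still reach the log. It assumes the PostgreSQL server default of warning when the flag is absent; the sample flag lists are constructed for illustration.

```python
# Added example (not part of the original check): decide whether a Cloud SQL
# Postgres instance's database_flags still let ERROR messages reach the log.
# Postgres orders log_min_messages severities as below; a given setting logs
# its own level plus every level to its right.
LOG_MIN_MESSAGES_ORDER = [
    "debug5", "debug4", "debug3", "debug2", "debug1",
    "info", "notice", "warning", "error", "log", "fatal", "panic",
]
# PostgreSQL's built-in default when the flag is not set (assumption: the
# instance does not override it elsewhere).
DEFAULT_LOG_MIN_MESSAGES = "warning"


def effective_log_min_messages(database_flags):
    """Return the effective log_min_messages value, lower-cased.

    database_flags mirrors the settings.database_flags list of a
    google_sql_database_instance resource: [{"name": ..., "value": ...}, ...].
    If the flag appears more than once, the last entry wins.
    """
    value = DEFAULT_LOG_MIN_MESSAGES
    for flag in database_flags:
        if flag.get("name") == "log_min_messages":
            value = str(flag.get("value", "")).strip().lower()
    if value not in LOG_MIN_MESSAGES_ORDER:
        raise ValueError(f"unknown log_min_messages value: {value!r}")
    return value


def check_postgres_errors_logged(database_flags):
    """Return None if ERROR messages are logged, otherwise a finding string."""
    value = effective_log_min_messages(database_flags)
    if LOG_MIN_MESSAGES_ORDER.index(value) > LOG_MIN_MESSAGES_ORDER.index("error"):
        return (f"log_min_messages={value} suppresses ERROR messages; "
                "set it to error or a lower severity")
    return None


# Constructed sample flag lists, shaped as Terraform would send them.
WEAK_FLAGS = [{"name": "log_min_messages", "value": "PANIC"}]
FIXED_FLAGS = [{"name": "log_min_messages", "value": "error"}]
UNSET_FLAGS = [{"name": "log_connections", "value": "on"}]

if __name__ == "__main__":
    for label, flags in (("weak", WEAK_FLAGS), ("fixed", FIXED_FLAGS), ("unset", UNSET_FLAGS)):
        print(label, check_postgres_errors_logged(flags) or "ok")
```

Note the ordering: for log_min_messages, LOG ranks above ERROR, so a value of log (which sounds harmless) also suppresses error messages and is flagged here.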

Ensure that response caching is enabled for your Amazon API Gateway REST APIs

Property

Language: terraform
Severity: low
Service: api-gateway
Provider: AWS

Description

A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you reduce the number of calls made to your backend and improve the latency of requests to your API. Caching has a security side as well: if a method returns caller-specific data, the cache key must include the parameter that distinguishes callers, otherwise one client's response can be served to another; and the cache should be encrypted (cache_data_encrypted alongside caching_enabled in aws_api_gateway_method_settings) so cached response bodies are not stored in the clear.

Ensure that the --anonymous-auth argument is set to false

Property

Language: terraform
Severity: medium

Description

The API server is configured to allow anonymous requests because the '--anonymous-auth' flag is not set to 'false'. The flag defaults to 'true', so omitting it has the same effect: any request that no configured authenticator accepts is treated as anonymous and served as user 'system:anonymous' in group 'system:unauthenticated', and whatever the authorizer grants that identity is reachable without credentials.

Impact

Allowing anonymous access can enable attackers to perform unauthorized actions or information gathering on the cluster, potentially leading to privilege escalation, data exposure, or disruption of services.

Resolution

Set '--anonymous-auth' to 'false' on the kube-apiserver command line (for example '--anonymous-auth=false' in the control-plane static Pod manifest). Unauthenticated probes against the API server, such as a load balancer polling '/healthz', will then receive 401 responses, so move such checks to an authenticated request or another signal before rolling the change out.

Ensure that the --audit-log-maxage argument is set to 30 or as appropriate

Property

Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the --audit-log-maxage flag, which sets the maximum number of days to retain rotated audit log files (judged by the timestamp in their file names). Without it, audit logs may not be retained for a sufficient period and can be deleted too soon, reducing visibility into cluster activity.

Impact

Insufficient audit log retention can hinder detection and investigation of security incidents, making it easier for malicious actions to go unnoticed and limiting the ability to perform forensic analysis or meet compliance requirements.

Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate

Property

Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the --audit-log-maxbackup parameter, or it is set too low, so too few rotated audit log files are kept. Old audit logs are then overwritten or deleted too soon, shortening the log history available for security review and troubleshooting.

Impact

Insufficient audit log retention hinders the investigation of security incidents and unauthorized activity, makes it easier for attackers to cover their tracks, and can leave the cluster short of its auditing and compliance requirements.

Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate

Property

Language: terraform
Severity: low

Description

The Kubernetes API server is missing the --audit-log-maxsize argument, which sets the maximum size in megabytes an audit log file may reach before it is rotated. Without an explicit limit, the size at which rotation happens is not under your control, and audit log files can grow far larger than intended.

Impact

Unrestricted audit log growth can consume excessive disk space on the control plane node, potentially leading to denial of service, degraded cluster performance, or loss of important log data if the disk becomes full.

Ensure that the --audit-log-path argument is set

Property

Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the --audit-log-path argument, so audit events for API requests are not written anywhere. This omission prevents the recording of activities and changes made via the API server.

Impact

Without audit logs, malicious or unauthorized API activity may go undetected, making it difficult to investigate security incidents or comply with auditing requirements. This can allow attackers to perform unauthorized actions without leaving a trace, increasing risk to the cluster.

Ensure that the --authorization-mode argument includes Node

Property

Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the 'Node' authorization mode, which means kubelets may have broader access to cluster resources than necessary. The Node authorizer grants a kubelet access only to the resources bound to its own node (its Pods and their Secrets, ConfigMaps and volumes), and it is normally paired with the NodeRestriction admission plugin, which stops a kubelet from modifying objects that belong to other nodes.

Impact

Without 'Node' authorization, a compromised or malicious kubelet could read or modify resources belonging to other nodes in the cluster, increasing the risk of privilege escalation, data exposure, or lateral movement by attackers.

Ensure that the --authorization-mode argument includes RBAC

Property

Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with RBAC (Role-Based Access Control) in its --authorization-mode argument, so fine-grained access control is not enforced. If the argument is omitted entirely, kube-apiserver defaults to AlwaysAllow, which permits every authenticated request. Modes are evaluated in the order listed, and the usual setting is '--authorization-mode=Node,RBAC'.

Impact

If RBAC is not enabled, unauthorized users or processes could gain access to sensitive Kubernetes resources, modify critical configurations, or escalate privileges, increasing the risk of accidental or malicious actions that compromise cluster security.
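
The following is an added example, not code from the original checks: a single Python checker that applies the kube-apiserver requirements from the anonymous-auth, audit-log-maxage, audit-log-maxbackup, audit-log-maxsize, audit-log-path and authorization-mode entries above to a kube-apiserver command line, such as the command list in a control-plane static Pod manifest. It also flags AlwaysAllow, the default when --authorization-mode is absent. The two sample command lines are constructed for illustration.

```python
# Added example (not part of the original checks): audit a kube-apiserver
# command line against the flag requirements described above.

# Constructed samples: the container command from a control-plane Pod manifest.
WEAK_COMMAND = [
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--authorization-mode=AlwaysAllow",
    "--audit-log-maxage", "7",
]

HARDENED_COMMAND = [
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--anonymous-auth=false",
    "--authorization-mode=Node,RBAC",
    "--audit-log-path=/var/log/kubernetes/audit/audit.log",
    "--audit-log-maxage=30",
    "--audit-log-maxbackup=10",
    "--audit-log-maxsize=100",
]


def parse_flags(command):
    """Map flag name -> value for both --flag=value and --flag value forms.

    A flag given without any value maps to '' (pflag treats a bare boolean
    flag as true; the caller decides what '' means for each flag).
    """
    flags = {}
    args = command[1:]  # skip the binary name
    i = 0
    while i < len(args):
        arg = args[i]
        if not arg.startswith("--"):
            i += 1
            continue
        name, eq, value = arg[2:].partition("=")
        if not eq and i + 1 < len(args) and not args[i + 1].startswith("--"):
            value = args[i + 1]
            i += 1
        flags[name] = value
        i += 1
    return flags


def _require_min_int(flags, name, minimum):
    raw = flags.get(name)
    if raw is None:
        return f"--{name} is not set (expected >= {minimum})"
    try:
        value = int(raw)
    except ValueError:
        return f"--{name}={raw!r} is not an integer"
    if value < minimum:
        return f"--{name}={value} is below {minimum}"
    return None


def check_apiserver(command):
    """Return a list of findings; an empty list means every check passed."""
    flags = parse_flags(command)
    findings = []

    # Unset defaults to true, and a bare --anonymous-auth is also true.
    anonymous = flags.get("anonymous-auth", "true") or "true"
    if anonymous.lower() != "false":
        findings.append("--anonymous-auth is not set to false")

    if not flags.get("audit-log-path"):
        findings.append("--audit-log-path is not set; API audit events are not written")

    for name, minimum in (("audit-log-maxage", 30),
                          ("audit-log-maxbackup", 10),
                          ("audit-log-maxsize", 100)):
        finding = _require_min_int(flags, name, minimum)
        if finding:
            findings.append(finding)

    # An absent --authorization-mode means AlwaysAllow.
    modes = {m.strip() for m in flags.get("authorization-mode", "AlwaysAllow").split(",")}
    for required in ("Node", "RBAC"):
        if required not in modes:
            findings.append(f"--authorization-mode does not include {required} (got {sorted(modes)})")
    if "AlwaysAllow" in modes:
        findings.append("--authorization-mode includes AlwaysAllow")

    return findings


if __name__ == "__main__":
    for label, command in (("weak", WEAK_COMMAND), ("hardened", HARDENED_COMMAND)):
        print(label, check_apiserver(command) or "ok")
```

The parser accepts both argument forms because manifests in the wild mix them; a flag that appears only as '--audit-log-path' with no value is reported as unset, which matches the page's requirement that a path actually be given.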