An outbound firewall rule allows traffic to /0.

Property
Language: terraform
Severity: critical
Service: compute
Provider: Google
Vulnerability Type: misconfiguration

Description

An outbound firewall rule is configured with a destination range of 0.0.0.0/0, allowing egress traffic to any IP address on the internet. This overly broad rule fails to limit network access to only necessary destinations.

Impact

Unrestricted outbound access can allow compromised resources to communicate freely with external servers, facilitate data exfiltration, and enable attackers to establish command-and-control channels, increasing the risk of data breaches and unauthorized activities.

An outbound network security rule allows traffic to /0.

Property
Language: terraform
Severity: critical
Service: network
Provider: Azure
Vulnerability Type: misconfiguration

Description

The outbound network security rule is configured to allow traffic to all IP addresses (0.0.0.0/0), which creates an unrestricted egress path from resources in the network. This overly broad rule exposes the environment to potential data exfiltration and unauthorized external communications.

Impact

If exploited, attackers or compromised resources could send data to any external destination, bypassing network controls and potentially leaking sensitive information. This significantly increases the risk of data breaches, command-and-control communication, and regulatory non-compliance.

An outdated SSL policy is in use by a load balancer.

Property
Language: terraform
Severity: critical
Service: elb
Provider: AWS
Vulnerability Type: misconfiguration

Description

The load balancer is configured to use an outdated SSL/TLS policy, enabling insecure or deprecated protocol versions for encrypted connections. This exposes traffic to known cryptographic vulnerabilities that have been addressed in newer TLS versions.

Impact

Attackers could exploit weaknesses in outdated TLS protocols to intercept, decrypt, or manipulate sensitive data in transit. This may lead to data breaches, loss of confidentiality, and non-compliance with security standards and regulations.

An outdated SSL policy is in use by a load balancer.

Property
Language: terraform
Severity: critical
Service: network
Provider: Nifcloud
Vulnerability Type: misconfiguration

Description

The load balancer is configured to use an outdated or insecure SSL/TLS policy, which enables deprecated protocols or weak ciphers. This configuration fails to enforce the use of secure, modern TLS versions such as TLS 1.2 or higher.

Impact

Attackers may exploit known vulnerabilities in outdated SSL/TLS protocols or ciphers to intercept, decrypt, or manipulate sensitive data in transit. This exposes users and systems to man-in-the-middle attacks, data breaches, and non-compliance with security standards.

Anonymous user access binding

Property
Language: terraform
Severity: critical

Description

The configuration binds a Kubernetes role or cluster role to the anonymous user, granting unauthenticated users permissions in the cluster. This practice bypasses authentication controls and exposes sensitive operations to anyone.

Impact

An attacker could gain unauthorized access to cluster resources without any authentication, potentially leading to data breaches, service disruption, privilege escalation, or full cluster compromise.

Resolution

Remove anonymous user binding from clusterrolebinding or rolebinding.

API Gateway domain name uses outdated SSL/TLS protocols.

Property
Language: terraform
Severity: high
Service: api-gateway
Provider: AWS
Vulnerability Type: omission

Description

Using outdated SSL/TLS protocols for API Gateway domain names exposes the data transmitted through the API to potential eavesdropping and tampering. Up-to-date encryption standards should always be used to ensure secure communication.

Impact

Outdated protocols are vulnerable to various attacks, such as man-in-the-middle, decryption, or data tampering, compromising both security and user trust.

Resolution

Use the most modern TLS/SSL policies available.

API Gateway must have cache enabled

Property
Language: terraform
Severity: medium
Service: api-gateway
Provider: AWS
Vulnerability Type: omission

Description

Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception.

Resolution

Enable cache encryption

API Gateway must have X-Ray tracing enabled

Property
Language: terraform
Severity: low
Service: api-gateway
Provider: AWS

Description

X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.

Resolution

Enable tracing

API Gateway stages for V1 and V2 should have access logging enabled

Property
Language: terraform
Severity: medium
Service: api-gateway
Provider: AWS
Vulnerability Type: omission

Description

Enabling access logging for API Gateway stages is essential for monitoring API usage, tracking errors, and detecting potential abuse or attacks. Without access logs, troubleshooting and security auditing become difficult.

Impact

Without logging, there is no visibility into API calls, making it challenging to detect security incidents, misconfigurations, or potential abuse of the API endpoints.

Resolution

Enable logging for API Gateway stages

'apk add' is missing '--no-cache'

Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

The 'apk add' command in the Dockerfile is used without the '--no-cache' flag, causing package cache data to remain in the final image and unnecessarily increasing its size.

Impact

Retaining package cache can expose sensitive metadata and inflate container images, leading to increased attack surface, slower deployments, and higher storage and bandwidth costs. Attackers may leverage leftover files to gain insights into package versions or exploit unneeded cache files.