Improper Access Control

Properties

Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Enabling IP forwarding on an Azure Network Interface allows the VM to route network traffic that is not intended for it. This can inadvertently turn the VM into a gateway or allow unauthorized packet forwarding within your network.

Impact

If exploited, attackers could use the VM to reroute or intercept traffic, bypassing network security controls and potentially exposing sensitive data or enabling lateral movement within your cloud environment.

Improper Access Control

Properties

Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The RDS database instance is configured with `publicly_accessible = true`, making it accessible from the internet. This exposes the database to anyone with network access, increasing the risk of unauthorized connections.

Impact

If exploited, attackers could attempt to connect directly to the database from outside your network, potentially leading to data breaches, unauthorized data manipulation, or service disruption. Public exposure also increases the attack surface for automated scanning and exploitation.

Improper Access Control

Properties

Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Dataproc cluster IAM configuration allows access to `allUsers` or `allAuthenticatedUsers`, making the cluster publicly accessible to anyone on the internet. This exposes sensitive data and resources to unauthorized parties.

Impact

If exploited, anyone could access, modify, or disrupt Dataproc clusters without authentication, leading to data breaches, unauthorized computation costs, or compromise of organizational assets. Attackers could potentially run arbitrary jobs or steal confidential information.

Improper Access Control

Properties

Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Dataflow job is not configured to use private IP addresses for its worker nodes, making them accessible over public networks. This increases exposure to unauthorized access and potential attacks from the internet.

Impact

If exploited, attackers could connect to Dataflow worker nodes over the public internet, potentially leading to data breaches, resource misuse, or unauthorized manipulation of processing jobs. This exposes sensitive data and system resources to external threats.

Improper Access Control

Properties

Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Cloud Build worker pool is configured to allow external IP addresses, which means build VMs can be accessed from the public internet. This exposes your build infrastructure to potential unauthorized access.

Impact

Attackers could exploit the public exposure to gain access to your build environment, potentially stealing sensitive code, injecting malicious changes, or disrupting builds. This threatens the security and integrity of your CI/CD pipeline and could lead to broader compromises across your cloud resources.

Improper Access Control

Properties

Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Artifact Registry repository is configured to grant access to `allUsers` or `allAuthenticatedUsers`, making it publicly accessible or accessible to any authenticated Google user. This setting exposes your repository to unauthorized access.

Impact

If exploited, anyone on the internet (or any authenticated Google user) could list, download, or even modify artifacts in your repository. This can lead to data leakage, tampering with packages, and potential supply chain attacks affecting your organization or customers.

Improper Access Control

Properties

Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

This code configures a Google Compute Engine instance to use the default network, which assigns a public IP address to the VM unless configured otherwise. Exposing VMs to the public internet increases the risk of unauthorized access.

Impact

If exploited, attackers could connect directly to the VM from the internet, potentially bypassing internal security controls. This can lead to data breaches, service disruption, or the VM being used as a launch point for further attacks within your cloud environment.

Improper Access Control

Properties

Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The GKE cluster configuration enables basic authentication using a static username and password, which is insecure and should be disabled. This approach exposes the cluster to unauthorized access if credentials are leaked or guessed.

Impact

If exploited, attackers could gain administrative access to your Kubernetes cluster, allowing them to steal data, deploy malicious workloads, or disrupt services. This could lead to data breaches, service outages, and further compromise of your cloud environment.

Improper Access Control

Properties

Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Assigning IAM roles to the default Compute Engine service account at the project level can grant overly broad permissions and increase the risk of unintended access. Default service accounts are not tailored for specific workloads and should not be used for project-wide privileges.

Improper Access Control

Properties

Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Kubernetes Engine cluster is configured with monitoring disabled. Without monitoring enabled, cluster activity and health metrics are not collected or visible.

Impact

Disabling monitoring makes it harder to detect security incidents, operational issues, or unauthorized changes in your clusters. Attackers or misconfigurations could go unnoticed, increasing the risk of breaches or downtime.