Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The google_redis_instance in Google Cloud Memorystore does not set transit_encryption_mode, so the provider default (DISABLED) applies and traffic between clients and the Redis server crosses the network in cleartext. That includes the AUTH string, if authentication is enabled, and everything stored in the cache.

Impact

Without in-transit encryption, attackers could eavesdrop on unencrypted network traffic and steal sensitive data such as credentials or application secrets, potentially leading to data breaches or unauthorized access to your Redis instance.
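The flagged and corrected forms of the resource in Terraform, as an added example that is not the rule's own code. Instance name, tier and region are placeholders, and the two resources are shown side by side for comparison, not as one configuration to apply together:

```hcl
# Flagged: transit_encryption_mode is omitted, so the provider default
# (DISABLED) applies and clients talk to Redis in cleartext.
resource "google_redis_instance" "cache_flagged" {
  name           = "session-cache"
  tier           = "STANDARD_HA"
  memory_size_gb = 1
  region         = "us-central1"
}

# Fixed: TLS between clients and the server. The server presents a
# Google-issued certificate that clients must validate.
resource "google_redis_instance" "cache" {
  name                    = "session-cache"
  tier                    = "STANDARD_HA"
  memory_size_gb          = 1
  region                  = "us-central1"
  transit_encryption_mode = "SERVER_AUTHENTICATION"
  auth_enabled            = true
}

# Clients need the server CA chain to verify the connection; expose it
# so it can be distributed to them (for example via Secret Manager).
output "redis_server_ca_certs" {
  value = google_redis_instance.cache.server_ca_certs
}
```

In-transit encryption can only be chosen when the instance is created, so applying this change to an existing instance replaces it. Encrypted instances listen on port 6378 rather than 6379, and clients must be configured for TLS and given the CA certificates from the `server_ca_certs` attribute.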

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The cluster's node configuration allows the legacy Compute Engine instance metadata endpoints (v0.1 and v1beta1) by setting disable-legacy-endpoints to "false". Unlike the current v1 endpoint, the legacy endpoints did not require the Metadata-Flavor: Google header, so a server-side request forgery bug in any workload on the node is enough to read node metadata, including the node service account's access token.

Impact

If exploited, attackers may retrieve sensitive information such as service account tokens or configuration details from the metadata server, potentially allowing privilege escalation or unauthorized actions within your GCP environment.
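The finding and its fix on a GKE node pool, as an added example rather than the rule's own code. The cluster and project names are placeholders, and the flagged and fixed node pools are shown side by side, not as one configuration to apply together:

```hcl
resource "google_container_cluster" "app" {
  name                     = "app-cluster"
  location                 = "us-central1"
  remove_default_node_pool = true
  initial_node_count       = 1

  # Required for GKE_METADATA below; "my-project" is a placeholder.
  workload_identity_config {
    workload_pool = "my-project.svc.id.goog"
  }
}

# Flagged: re-enables the v0.1 and v1beta1 metadata endpoints, which did
# not require the "Metadata-Flavor: Google" header and were therefore
# reachable through an SSRF bug in any pod on the node.
resource "google_container_node_pool" "flagged" {
  name       = "default-pool"
  cluster    = google_container_cluster.app.name
  location   = "us-central1"
  node_count = 1

  node_config {
    metadata = {
      disable-legacy-endpoints = "false"
    }
  }
}

# Fixed: legacy endpoints stay off, and the GKE metadata server fronts the
# node metadata so pods get Workload Identity tokens instead of the node
# service account's token.
resource "google_container_node_pool" "app" {
  name       = "default-pool"
  cluster    = google_container_cluster.app.name
  location   = "us-central1"
  node_count = 1

  node_config {
    metadata = {
      disable-legacy-endpoints = "true"
    }
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }
}
```

The value is a string ("true"/"false") because it lives in the instance metadata map. Disabling the legacy endpoints closes the header-less path; GKE_METADATA additionally stops pods from reading the node's own credentials through the v1 endpoint.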

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Assigning the Service Account User (roles/iam.serviceAccountUser) or Service Account Token Creator (roles/iam.serviceAccountTokenCreator) role at the project level grants the permission on every service account in the project, present and future. Service Account User lets the principal attach and run code as any of those accounts; Token Creator lets it mint access tokens and sign JWTs for them. Either is an impersonation primitive whose reach should be limited to the specific accounts a principal needs, which is what the principle of least privilege requires.

Impact

If exploited, attackers or unauthorized users could impersonate service accounts across the entire project, potentially accessing sensitive resources, escalating privileges, or performing unauthorized actions. This increases the risk of data breaches and unauthorized access to cloud services.
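The project-wide grant next to the account-scoped grant that replaces it, as an added example that is not the rule's own code. The project ID, user and service account names are placeholders, and the two bindings are shown side by side for comparison:

```hcl
# Flagged: project-wide grant. The user can act as every service account
# in the project, including ones created later with broader roles.
resource "google_project_iam_member" "flagged" {
  project = "my-project"
  role    = "roles/iam.serviceAccountUser"
  member  = "user:dev@example.com"
}

# Fixed: the role is granted on the one service account the user needs.
resource "google_service_account" "deployer" {
  account_id   = "ci-deployer"
  display_name = "CI deployer"
}

resource "google_service_account_iam_member" "deployer_user" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:dev@example.com"
}

# Token Creator follows the same pattern: scope it to the account whose
# tokens the principal actually needs to mint.
resource "google_service_account_iam_member" "deployer_token_creator" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "user:dev@example.com"
}
```

`service_account_id` takes the full resource name (`projects/PROJECT/serviceAccounts/EMAIL`), which is what the `name` attribute of `google_service_account` returns.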

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code assigns IAM roles at the project level to Google Cloud's default Compute Engine service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com). That account is attached to every new Compute Engine instance that does not specify its own service account and, unless the iam.automaticIamGrantsForDefaultServiceAccounts organization policy constraint is enforced, already holds the project Editor role. Adding roles to it widens what every such instance, and any code running on it, can do.

Impact

If exploited, attackers or unauthorized users could leverage the default service account to access or modify resources across the project, potentially leading to data exposure, privilege escalation, or disruption of cloud services.
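The flagged binding next to the dedicated-account replacement, as an added example that is not the rule's own code. Role choices, zone, image and names are placeholders; the two approaches are shown side by side, not as one configuration to apply together:

```hcl
data "google_project" "this" {}

# Flagged: a project-level role on the default Compute Engine service
# account. Every instance that did not set its own service account
# inherits this on top of the Editor role the account usually has.
resource "google_project_iam_member" "flagged" {
  project = data.google_project.this.project_id
  role    = "roles/storage.admin"
  member  = "serviceAccount:${data.google_project.this.number}-compute@developer.gserviceaccount.com"
}

# Fixed: one service account per workload, holding only the roles that
# workload needs, attached explicitly to the instance.
resource "google_service_account" "web" {
  account_id   = "web-vm"
  display_name = "web tier instance identity"
}

resource "google_project_iam_member" "web_log_writer" {
  project = data.google_project.this.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.web.email}"
}

resource "google_compute_instance" "web" {
  name         = "web"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  # Use the broad cloud-platform scope and let IAM roles do the limiting;
  # scopes are a legacy, per-instance filter, not an access-control model.
  service_account {
    email  = google_service_account.web.email
    scopes = ["cloud-platform"]
  }
}
```

Enforcing the `iam.automaticIamGrantsForDefaultServiceAccounts` constraint at the organization level stops new projects from granting Editor to the default account in the first place.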

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The google_kms_crypto_key resource has no lifecycle { prevent_destroy = true } block, so a terraform destroy, or simply removing the resource from the configuration, proceeds with no guard. Cloud KMS keys themselves cannot be deleted, but when the provider destroys the resource it schedules every key version for destruction, which renders the key unusable.

Impact

Once the key versions pass their scheduled-destruction window, all data encrypted with that key becomes permanently inaccessible, leading to data loss or service outages. An attacker with Terraform access, or misconfigured automation such as a CI pipeline running destroy against the wrong workspace, could use this to disrupt operations or cause irrecoverable loss of sensitive information.
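The unguarded key next to the guarded one, as an added example that is not the rule's own code. Key ring, key name and rotation period are placeholders, and the two keys are shown side by side for comparison:

```hcl
resource "google_kms_key_ring" "main" {
  name     = "app-keys"
  location = "us-central1"
}

# Flagged: "terraform destroy", or deleting this block, schedules every
# version of the key for destruction with no confirmation from Terraform.
resource "google_kms_crypto_key" "flagged" {
  name     = "db-cmek"
  key_ring = google_kms_key_ring.main.id
}

# Fixed: Terraform refuses any plan that would destroy this resource until
# the lifecycle block is removed, so a destroy needs a deliberate code change.
resource "google_kms_crypto_key" "db" {
  name            = "db-cmek"
  key_ring        = google_kms_key_ring.main.id
  rotation_period = "7776000s" # 90 days

  lifecycle {
    prevent_destroy = true
  }
}
```

`prevent_destroy` is a Terraform-side guard only: it does not stop someone destroying key versions through the console, gcloud or the API, and removing the `lifecycle` block in a later commit removes the guard. Pair it with restrictive IAM on `cloudkms.cryptoKeyVersions.destroy`, and rely on the scheduled-destruction window (configurable per key with `destroy_scheduled_duration`) as the recovery period for versions that were scheduled by mistake.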

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The GKE control plane's public endpoint accepts connections from any IP address because master_authorized_networks_config is not set. The Kubernetes API server still requires authentication, but it is exposed to the whole internet for credential misuse, brute force and any API-server vulnerability instead of being reachable only from known networks.

Impact

If left public, attackers could attempt unauthorized access to your Kubernetes cluster, potentially gaining control, exfiltrating data, or disrupting services. This increases the risk of compromise and may violate organizational or compliance requirements.
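The open cluster next to one restricted to a known source range, as an added example that is not the rule's own code. The cluster name, region and the 203.0.113.0/24 range (a documentation prefix standing in for a corporate egress range) are placeholders; the two clusters are shown side by side for comparison:

```hcl
# Flagged: the public API endpoint answers to any source address.
resource "google_container_cluster" "flagged" {
  name               = "app-cluster"
  location           = "us-central1"
  initial_node_count = 1
}

# Fixed: only the listed CIDRs can open a connection to the public
# endpoint; everything else is dropped before authentication.
resource "google_container_cluster" "app" {
  name               = "app-cluster"
  location           = "us-central1"
  initial_node_count = 1

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "203.0.113.0/24" # placeholder for the corporate egress range
      display_name = "corp-egress"
    }
    # Add one cidr_blocks entry per CI runner range, bastion, or VPN
    # egress that must reach the API server.
  }
}
```

Once the allowlist is in place, note that `kubectl` from an unlisted network fails at the TCP level rather than with an authentication error, which is the expected sign the control is working. For clusters that never need a public endpoint, `private_cluster_config` with `enable_private_endpoint = true` removes the public address entirely and the authorized networks then only gate internal ranges.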

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Setting enable-oslogin to FALSE in an instance's metadata overrides the project-wide metadata value and lets users connect with SSH keys stored in instance or project metadata, outside the IAM-managed OS Login controls (IAM role checks for login and sudo, per-user POSIX accounts, and optional two-factor enforcement).

Impact

Attackers or unauthorized users could gain direct SSH access to instances by bypassing organization-wide login policies, increasing the risk of unauthorized access and making it harder to audit and manage user permissions across your cloud infrastructure.
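The project-level policy, the instance that overrides it, and the instance that honours it, as an added example that is not the rule's own code. Names, zone, image and the SSH key string are placeholders, and the two instances are shown side by side for comparison:

```hcl
# Project-wide policy: OS Login on for every instance in the project.
resource "google_compute_project_metadata_item" "oslogin" {
  key   = "enable-oslogin"
  value = "TRUE"
}

# Flagged: the instance switches OS Login off for itself, so the static
# key in ssh-keys works regardless of the user's IAM roles.
resource "google_compute_instance" "flagged" {
  name         = "bastion"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  metadata = {
    enable-oslogin = "FALSE"
    ssh-keys       = "ops:ssh-ed25519 AAAAC3PLACEHOLDERKEY ops@example.com" # placeholder key
  }
}

# Fixed: no override (or an explicit TRUE), with 2FA required on top.
resource "google_compute_instance" "bastion" {
  name         = "bastion"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  metadata = {
    enable-oslogin     = "TRUE"
    enable-oslogin-2fa = "TRUE"
  }
}
```

With OS Login on, who may log in and who gets sudo is decided by `roles/compute.osLogin` and `roles/compute.osAdminLogin` on the project or instance, so access is revoked by removing an IAM binding rather than by hunting for stale keys in metadata.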

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The storage bucket grants a role to allAuthenticatedUsers, a principal that matches every Google account and service account in existence, not just accounts in your organization. Depending on the role granted, anyone who signs in with any Google account can list, read, or write the bucket's objects.

Impact

If exploited, attackers or unintended users could access sensitive files, upload malicious content, or disrupt storage resources. This can lead to data leaks, compliance violations, or service disruptions affecting your organization and customers.
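The world-readable binding next to a binding scoped to a group, with a bucket setting that blocks such grants outright, as an added example that is not the rule's own code. Bucket and group names are placeholders; the two bindings are shown side by side for comparison:

```hcl
resource "google_storage_bucket" "reports" {
  name     = "example-reports"
  location = "US"

  uniform_bucket_level_access = true

  # Rejects any IAM binding to allUsers or allAuthenticatedUsers at the
  # bucket level, so the flagged binding below fails to apply.
  public_access_prevention = "enforced"
}

# Flagged: every Google account in the world can read the objects.
resource "google_storage_bucket_iam_member" "flagged" {
  bucket = google_storage_bucket.reports.name
  role   = "roles/storage.objectViewer"
  member = "allAuthenticatedUsers"
}

# Fixed: read access limited to a named group in your organization.
resource "google_storage_bucket_iam_member" "readers" {
  bucket = google_storage_bucket.reports.name
  role   = "roles/storage.objectViewer"
  member = "group:analysts@example.com"
}
```

The organization policy constraint `iam.allowedPolicyMemberDomains` (domain restricted sharing) stops these principals across all projects in the organization, so a single misconfigured module cannot reintroduce the exposure elsewhere.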

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The storage bucket does not set uniform_bucket_level_access = true, so access is evaluated from both the bucket's IAM policy and per-object ACLs. Object ACLs can grant access that does not appear in the IAM policy, so reviews, org policies and scanners that look only at IAM can miss exposure.

Impact

Without uniform bucket-level access, users may bypass centralized permission management, increasing the risk of unauthorized access or data leaks. Attackers or misconfigured users might gain access to sensitive files that should not be publicly available, potentially leading to data breaches or compliance violations.
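The bucket with ACLs still active next to the bucket that uses IAM only, as an added example that is not the rule's own code. The bucket name is a placeholder, and the two buckets are shown side by side for comparison:

```hcl
# Flagged: object ACLs remain in effect alongside IAM, so an ACL such as
# "READER:allUsers" on a single object bypasses the bucket policy.
resource "google_storage_bucket" "flagged" {
  name     = "example-data"
  location = "US"
}

# Fixed: ACLs are disabled and IAM is the only source of truth.
resource "google_storage_bucket" "data" {
  name                        = "example-data"
  location                    = "US"
  uniform_bucket_level_access = true
}

# With uniform access on, object-level grants like this one are rejected
# by the API, which is the point; delete them rather than porting them.
# resource "google_storage_object_access_control" "legacy" {
#   bucket = google_storage_bucket.data.name
#   object = "public/report.pdf"
#   role   = "READER"
#   entity = "allUsers"
# }
```

Before enabling it on an existing bucket, audit the object ACLs for grants that real consumers depend on (for example with `gsutil acl get` on a sample of objects) and move them to IAM bindings first. Google allows reverting to ACLs only within 90 days of enabling uniform access; after that the change is permanent.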

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The firewall rule allows ingress from any source (0.0.0.0/0) to TCP port 3306, the MySQL port. Because VPC firewall rules with no target tags or target service accounts apply to every instance in the network, any instance with a public address becomes reachable on that port by anyone on the internet.

Impact

Attackers could attempt to connect directly to your MySQL database, potentially leading to unauthorized data access, data breaches, or database compromise. This significantly increases the risk of credential brute-forcing and exploitation of database vulnerabilities.
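The open rule next to a rule scoped by source and target, as an added example that is not the rule's own code. The network and tag names are placeholders, and the two rules are shown side by side for comparison:

```hcl
# Flagged: any source, and with no target_tags the rule applies to every
# instance in the network, not just the database host.
resource "google_compute_firewall" "flagged" {
  name    = "allow-mysql"
  network = "default"

  allow {
    protocol = "tcp"
    ports    = ["3306"]
  }

  source_ranges = ["0.0.0.0/0"]
}

# Fixed: only instances tagged "app" in this VPC may reach port 3306 on
# instances tagged "db". Everything else falls through to the implied
# deny-ingress rule.
resource "google_compute_firewall" "mysql_from_app" {
  name      = "allow-mysql-from-app"
  network   = "default"
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["3306"]
  }

  source_tags = ["app"]
  target_tags = ["db"]

  # Optional but useful for detection: logs every connection the rule
  # permits so unexpected clients show up in Cloud Logging.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

Network tags can be set by anyone with `compute.instances.setTags`, so where that permission is broadly held prefer `source_service_accounts` and `target_service_accounts`, which tie the rule to the instance identity instead. Where the clients sit outside the VPC, use a specific `source_ranges` entry such as the VPN or peered-network prefix rather than a wildcard.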