Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Google Data Fusion instance is deployed without Stackdriver logging enabled. This means that important logs and audit trails for the instance’s activity are not being recorded.

Impact

Without Stackdriver logging, suspicious or unauthorized actions within the Data Fusion instance may go undetected, making it difficult to investigate security incidents or comply with audit requirements. This can increase the risk of undetected misuse or breaches.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code assigns BigQuery table access to ‘allUsers’ or ‘allAuthenticatedUsers’, making the table publicly accessible to anyone on the internet or any authenticated Google user. This exposes sensitive data to unauthorized access.

Impact

If exploited, anyone—including malicious actors—could view or manipulate the data in your BigQuery tables. This can lead to data leaks, privacy violations, and potential regulatory non-compliance for your organization.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Assigning the ‘roles/editor’ permission at the organization level in GCP allows users to manage all resources, including impersonating and managing all service accounts. This grants overly broad privileges that can lead to unauthorized actions.

Impact

If exploited, an attacker or unauthorized user could gain full control over resources and service accounts across the entire organization. This could allow them to access sensitive data, escalate privileges, or disrupt organizational operations.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The firewall rule allows inbound TCP traffic on port 20 (FTP data) from any IP address (0.0.0.0/0), exposing the service to the entire internet. This configuration makes the FTP service publicly accessible without restriction.

Impact

Unrestricted FTP access can allow attackers to probe, exploit, or abuse the FTP service from anywhere, increasing the risk of unauthorized data transfer, brute-force attacks, or service misuse. This can lead to data breaches or compromise of other internal resources.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Network Policy is disabled on this Google Kubernetes Engine (GKE) cluster, which means traffic between pods is not restricted. This allows any pod to communicate with any other pod in the cluster, regardless of their intended roles or security boundaries.

Impact

Without network policies, attackers who compromise one pod could move laterally to other pods, potentially accessing sensitive data or critical services. This increases the risk of unauthorized access, data breaches, and escalation of attacks within your Kubernetes environment.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code creates a Google Cloud subnetwork without enabling VPC Flow Logs, which means network traffic within the subnet will not be logged. This lack of logging reduces visibility into what is happening in your network.

Impact

Without VPC Flow Logs, suspicious or unauthorized network activity may go undetected, making it harder to investigate security incidents or respond to potential breaches. This can delay detection of attacks and hinder compliance with auditing requirements.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The configuration grants public access to a Google Cloud Storage bucket by assigning the ‘allUsers’ member, making the bucket and its contents accessible to anyone on the internet. This exposes data without requiring authentication.

Impact

If exploited, anyone can read, upload, or delete files in the affected storage bucket, leading to potential data leaks, unauthorized modifications, or loss of sensitive or critical information. This could result in privacy breaches, compliance violations, or service disruption.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Integrity monitoring is disabled for Shielded GKE node pools, which means the nodes are not being checked for unauthorized changes or tampering. This weakens the security of the Kubernetes cluster.

Impact

If integrity monitoring is off, attackers could compromise or alter node configurations without detection, potentially leading to unauthorized access, data breaches, or persistence of malicious activity within your GKE cluster.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Google Kubernetes Engine (GKE) cluster configuration is missing VPC Flow Logs and intranode visibility. Without these settings, network traffic within and between nodes is not captured for monitoring or auditing.

Impact

This lack of visibility can let attackers who have gained a foothold move laterally or access sensitive data within the cluster without detection. It makes it harder to investigate incidents, detect suspicious activity, and comply with security policies.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

When creating a new Google Cloud project in Terraform, not setting ‘auto_create_network’ to false causes a default network to be automatically created. This default network is overly permissive and may expose project resources to unnecessary risks.

Impact

If the default network is created, it often includes broad firewall rules that allow unrestricted internal communication and external access. Attackers could exploit these open configurations to move laterally within the network or access sensitive services, increasing the risk of unauthorized access or data breaches.