Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Integrity Monitoring is disabled for Shielded GKE Nodes in your Google Kubernetes Engine (GKE) cluster configuration (enable_integrity_monitoring = false in the node pool's shielded_instance_config). Integrity monitoring uses the node's virtual TPM to record the measured boot sequence and compare it against a known-good baseline. With it disabled, Google Cloud will not detect or log unauthorized changes to the node's boot components (firmware, bootloader, kernel), reducing protection against tampering. Note that the feature covers the boot chain, not arbitrary runtime changes; that is still where a persistent implant on a node usually has to live.

Impact

If an attacker compromises a node and tampers with its boot chain (for example by replacing the kernel or bootloader to survive a reboot), the change will go undetected, making it harder to spot or respond to the breach. This weakens the cluster's defenses and may allow an attacker to maintain persistence or escalate privileges without detection.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Assigning the ‘roles/editor’ role at the folder level in GCP inherits that role to every project under the folder. Editor includes the iam.serviceAccounts.actAs permission, so the grantee can attach any service account in those projects to resources they create and effectively act as (impersonate) that account, in addition to creating and modifying most other resources. This grants broad, folder-wide access and control that should be limited to trusted users only.

Impact

If exploited, unauthorized users could gain full administrative access to resources in the folder, create or modify resources, and impersonate service accounts. This can lead to privilege escalation, data exposure, or compromise of critical infrastructure.
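As an added example (not code from the original page), the folder-level Editor grant beside a narrower alternative: a predefined role bound at the one project that needs it, plus serviceAccountUser on the single service account the user must deploy with. The folder ID, project ID, service account and member address are assumed placeholders.

```hcl
# Weak: roles/editor at the folder is inherited by every project under it,
# and Editor carries iam.serviceAccounts.actAs, so the grantee can run
# workloads as any service account in any of those projects.
resource "google_folder_iam_member" "folder_editor" {
  folder = "folders/123456789012"   # assumed placeholder folder ID
  role   = "roles/editor"
  member = "user:dev@example.com"   # assumed placeholder principal
}

# Better: the narrowest predefined role, bound at the project that actually
# needs it rather than at the folder.
resource "google_project_iam_member" "app_deployer" {
  project = "app-prod-123"          # assumed placeholder project ID
  role    = "roles/run.developer"
  member  = "user:dev@example.com"
}

# The runtime identity the user is allowed to deploy with.
resource "google_service_account" "app" {
  project      = "app-prod-123"
  account_id   = "app-runtime"
  display_name = "App runtime identity"
}

# actAs is granted on this one service account only, not on every service
# account in the folder.
resource "google_service_account_iam_member" "deployer_act_as" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:dev@example.com"
}
```

The point of the second form is that the blast radius of the user's credentials is now one project and one service account, and both bindings are visible in that project's IAM policy rather than hidden in an inherited folder policy.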

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Redis instance in Google Cloud Memorystore is not configured with AUTH enabled (auth_enabled is false or unset), so clients do not have to present an AUTH string to connect. Memorystore instances are reachable only from the authorized VPC network, so AUTH is the one remaining access check for any workload, compromised host or misconfigured peering that can reach the instance's private address.

Impact

Without AUTH enabled, anyone with network access to the Redis instance can read, modify, or delete data, potentially leading to data breaches, service disruption, or unauthorized manipulation of application data.
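As an added example (not code from the original page), the unauthenticated instance beside one with AUTH and in-transit encryption turned on. Names and region are assumed placeholders.

```hcl
# Weak: auth_enabled defaults to false, so anything that can reach the
# instance's VPC address can issue any command.
resource "google_redis_instance" "cache_open" {
  name           = "cache-open"
  memory_size_gb = 1
  region         = "us-central1"
  auth_enabled   = false
}

# Fixed: require the AUTH string and encrypt client traffic.
resource "google_redis_instance" "cache" {
  name                    = "cache"
  memory_size_gb          = 1
  region                  = "us-central1"
  auth_enabled            = true
  transit_encryption_mode = "SERVER_AUTHENTICATION"
}

# Memorystore generates the AUTH string; read it from the resource rather
# than hardcoding a password. Marked sensitive so it is not printed in
# plan/apply output.
output "cache_auth_string" {
  value     = google_redis_instance.cache.auth_string
  sensitive = true
}
```

Clients then connect with `AUTH <string>` (or the redis-cli `-a` flag) over TLS; without AUTH the instance is still private to the VPC, but that is a network boundary, not an identity check.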

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Data Fusion instance is not configured as a private instance (private_instance = true is missing), so its web UI and API endpoint are served on a public address and can be reached from the internet. This increases the risk of unauthorized access to your pipelines, connections and the data they process.

Impact

If left public, attackers could potentially discover and access the Data Fusion instance, leading to data exposure, service disruptions, or misuse of resources. This could compromise sensitive information and violate security or compliance requirements.
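As an added example (not code from the original page), a default (public) Data Fusion instance beside a private one peered to a VPC. The network name and the /22 reserved for the peering are assumed placeholders; the range must be free in your VPC.

```hcl
resource "google_compute_network" "df" {
  name                    = "df-net"
  auto_create_subnetworks = false
}

# Weak: with private_instance unset the Data Fusion UI and API are exposed
# on a public endpoint.
resource "google_data_fusion_instance" "public" {
  name   = "df-public"
  region = "us-central1"
  type   = "BASIC"
}

# Fixed: a private instance reachable only from the peered VPC.
# ip_allocation is a /22 handed to the Google-managed tenant project for
# the peering; nothing else in the VPC may use it.
resource "google_data_fusion_instance" "private" {
  name             = "df-private"
  region           = "us-central1"
  type             = "BASIC"
  private_instance = true

  network_config {
    network       = google_compute_network.df.name
    ip_allocation = "10.89.48.0/22"   # assumed unused range in the VPC
  }
}
```

Users then reach the private instance through a host inside the VPC (a bastion, IAP TCP forwarding, or a VPN), so the perimeter is your network rather than a public URL.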

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The GKE cluster is not configured to use Google Groups for RBAC (no authenticator_groups_config block), so RoleBindings and ClusterRoleBindings must name individual user accounts rather than groups. Access is then granted per user across many manifests, which makes permissions harder to manage and review and increases the risk of unauthorized access.

Impact

Without Google Groups integration, access control becomes error-prone and harder to audit: a user who changes teams or leaves keeps cluster access until every binding that names them is found and edited, and a new binding is needed for every joiner. This potentially allows users to retain or gain permissions they shouldn't have, leading to privilege escalation, unauthorized actions within the cluster, and compliance issues.

Improper Access Control

Property
Language: hcl
Severity: medium
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The Cloud SQL database instance is configured with an authorized network of 0.0.0.0/0, which makes its public IP reachable from the entire internet. Authorization for connections then rests solely on database credentials (and TLS, if it is enforced), with no network-level restriction at all.

Impact

If exploited, attackers could connect to the database from anywhere, brute-force or replay stolen credentials, and exploit any weakness in the database's own authentication, potentially leading to unauthorized access, data theft, or database compromise. This exposure increases the risk of data breaches and can threaten the integrity and confidentiality of sensitive information.
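As an added example (not code from the original page), the 0.0.0.0/0 instance beside a private-IP-only instance that requires TLS. The VPC, names and tier are assumed placeholders; the private services access connection is included because a private Cloud SQL instance cannot be created without it, and ssl_mode assumes a provider version that supports that argument.

```hcl
resource "google_compute_network" "vpc" {
  name = "app-vpc"
}

# Weak: a public IPv4 address plus an authorized network of 0.0.0.0/0
# means the listener is reachable from the whole internet; the password
# is the only barrier left.
resource "google_sql_database_instance" "open" {
  name             = "app-db-open"
  database_version = "POSTGRES_15"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled = true
      authorized_networks {
        name  = "anywhere"
        value = "0.0.0.0/0"
      }
    }
  }
}

# Private services access: a reserved range and a peering so the instance
# can be given an address inside the VPC.
resource "google_compute_global_address" "psa" {
  name          = "psa-range"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = google_compute_network.vpc.id
}

resource "google_service_networking_connection" "psa" {
  network                 = google_compute_network.vpc.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.psa.name]
}

# Fixed: no public address, private IP in the VPC, encrypted connections only.
resource "google_sql_database_instance" "private" {
  name             = "app-db"
  database_version = "POSTGRES_15"
  region           = "us-central1"
  depends_on       = [google_service_networking_connection.psa]

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled    = false
      private_network = google_compute_network.vpc.id
      ssl_mode        = "ENCRYPTED_ONLY"
    }
  }
}
```

If a public IP is genuinely required (for example a SaaS integration), keep ipv4_enabled but list only that vendor's published egress ranges in authorized_networks; a single /0 entry is never the right answer.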

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The GKE cluster configuration is missing ‘master_authorized_networks_config’, so the Kubernetes API server endpoint accepts connections from any IP address rather than from a listed set of source ranges. Authentication still applies, but the control plane is exposed to credential attacks and to any flaw in the API server from the whole internet.

Impact

Without restricting master access, attackers could potentially reach and compromise the Kubernetes control plane, leading to cluster takeover, data breaches, or disruption of services. Sensitive operations and workloads could be exposed to the internet or untrusted networks.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Dataproc cluster is configured without internal_ip_only, so its master and worker VMs receive external IP addresses instead of being restricted to internal IPs. This exposes the cluster to the public internet, increasing the risk of unauthorized access.

Impact

If exploited, attackers could connect to the cluster over the internet, potentially gaining access to sensitive data or control over workloads running on the cluster. This exposure could lead to data breaches, service disruption, or unauthorized use of cloud resources.
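As an added example (not code from the original page), a cluster left on the defaults beside one that is internal-only on a subnet with Private Google Access, which is what lets the nodes still reach Google APIs without an external address. Names, region and CIDR are assumed placeholders.

```hcl
# Weak: internal_ip_only is not set, so the cluster relies on defaults and
# on older image/provider combinations every master and worker gets an
# external IP.
resource "google_dataproc_cluster" "public" {
  name   = "etl-public"
  region = "us-central1"
}

resource "google_compute_network" "dp" {
  name                    = "dp-net"
  auto_create_subnetworks = false
}

# Private Google Access lets internal-only VMs reach storage.googleapis.com
# and the Dataproc control plane; without it an internal-only cluster fails
# to come up.
resource "google_compute_subnetwork" "dp" {
  name                     = "dp-subnet"
  region                   = "us-central1"
  network                  = google_compute_network.dp.id
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true
}

# Fixed: internal IPs only, pinned to that subnet.
resource "google_dataproc_cluster" "private" {
  name   = "etl"
  region = "us-central1"

  cluster_config {
    gce_cluster_config {
      subnetwork       = google_compute_subnetwork.dp.id
      internal_ip_only = true
    }
  }
}
```

Set internal_ip_only explicitly rather than relying on the default, so the intent survives provider and image upgrades and the scanner rule has something to check.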

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Enabling IP forwarding (can_ip_forward = true) on a Google Compute Engine instance disables the source/destination check, so the VM can receive and route network traffic that is not addressed to its own IP. This configuration makes the instance act like a router, potentially exposing it to unwanted or unauthorized network traffic. It is legitimate only for deliberate NAT, VPN or firewall appliances; on an ordinary workload it is an unnecessary path for traffic to cross subnet boundaries through a host that may be compromised.
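As an added example (not code from the original page), an application VM with forwarding switched on beside the same VM with it left off. Names, zone, image and network are assumed placeholders.

```hcl
# Weak: can_ip_forward = true turns a general-purpose application VM into
# a router; it will accept and forward packets not addressed to it.
resource "google_compute_instance" "app_forwarding" {
  name           = "app-fwd"
  machine_type   = "e2-small"
  zone           = "us-central1-a"
  can_ip_forward = true

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }
}

# Fixed: forwarding off (the default, but set explicitly so a later edit
# cannot silently flip it). Only dedicated NAT/VPN/firewall appliances
# should carry can_ip_forward = true, and those belong in their own
# subnet with firewall rules scoped to the traffic they are meant to route.
resource "google_compute_instance" "app" {
  name           = "app"
  machine_type   = "e2-small"
  zone           = "us-central1-a"
  can_ip_forward = false

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }
}
```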

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The GKE cluster is being created without private nodes (no private_cluster_config block with enable_private_nodes = true), so every node receives an external IP address and is reachable from public networks, subject only to VPC firewall rules, instead of being restricted to private connectivity.

Impact

Without a private cluster, malicious actors could potentially reach your cluster nodes directly over the internet, increasing the risk of unauthorized access, data breaches, or compromise of workloads running in the cluster.
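As an added example (not code from the original page) covering the four GKE rules above (Integrity Monitoring on Shielded nodes, Google Groups for RBAC, master_authorized_networks_config, and private nodes), a minimal cluster that trips all four beside a hardened cluster that satisfies them. The network, CIDRs, machine type and the gke-security-groups@example.com address are assumed placeholders; the security group must exist in your Workspace directory.

```hcl
resource "google_compute_network" "gke" {
  name                    = "gke-net"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "gke" {
  name          = "gke-subnet"
  region        = "us-central1"
  network       = google_compute_network.gke.id
  ip_cidr_range = "10.20.0.0/20"
}

# Weak: public nodes, public control plane open to any source, per-user
# RBAC only, and integrity monitoring switched off on the node pool.
resource "google_container_cluster" "weak" {
  name                     = "weak"
  location                 = "us-central1"
  network                  = google_compute_network.gke.id
  subnetwork               = google_compute_subnetwork.gke.id
  remove_default_node_pool = true
  initial_node_count       = 1
  deletion_protection      = false

  ip_allocation_policy {}
}

resource "google_container_node_pool" "weak" {
  name       = "weak-pool"
  cluster    = google_container_cluster.weak.id
  node_count = 1

  node_config {
    machine_type = "e2-standard-2"
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = false   # the flagged setting
    }
  }
}

# Fixed cluster.
resource "google_container_cluster" "hardened" {
  name                     = "hardened"
  location                 = "us-central1"
  network                  = google_compute_network.gke.id
  subnetwork               = google_compute_subnetwork.gke.id
  remove_default_node_pool = true
  initial_node_count       = 1
  deletion_protection      = false

  ip_allocation_policy {}   # VPC-native, required for private nodes

  # Nodes get no external IPs and the API server is only served on its
  # private endpoint inside the VPC.
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  # Even on the private endpoint, only these source ranges may reach the
  # control plane.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = google_compute_subnetwork.gke.ip_cidr_range
      display_name = "gke-subnet"
    }
  }

  # RBAC subjects can now be Google Groups nested under this security group.
  authenticator_groups_config {
    security_group = "gke-security-groups@example.com"   # assumed placeholder
  }
}

resource "google_container_node_pool" "hardened" {
  name       = "hardened-pool"
  cluster    = google_container_cluster.hardened.id
  node_count = 1

  node_config {
    machine_type = "e2-standard-2"
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true    # boot measurements checked against baseline
    }
  }
}
```

With enable_private_endpoint = true, kubectl has to run from inside the VPC (or over VPN/Interconnect), and every cidr_block listed must be a private range. If operators need a public endpoint, drop enable_private_endpoint and list the office or CI egress ranges instead; what matters is that master_authorized_networks_config is present and does not contain 0.0.0.0/0.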