Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The configuration creates a Google Vertex AI notebook instance without explicitly disabling public IP access. This means the instance may be accessible from the public internet, increasing the risk of unauthorized access.

Impact

If exploited, an attacker could connect to the instance over the internet, potentially gaining access to sensitive data or code. This exposure increases the risk of data breaches, resource misuse, or further attacks on your cloud infrastructure.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The subnetwork resource does not have ‘private_ip_google_access’ enabled, so instances in it cannot reach Google APIs and services over private IPs. This forces that traffic over the public internet (via an external IP or NAT), reducing network security.

Impact

Without private Google access, sensitive data from internal workloads may traverse public networks to reach Google services, increasing exposure to interception or unauthorized access. This weakens the security posture of cloud resources and may violate compliance requirements.
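The following Terraform is an added example covering the two findings above (the Vertex AI notebook without a disabled public IP, and the subnetwork without private Google access); it is not the scanner's own code nor part of the original entries. It shows each flagged form beside the corrected one. Project, region, zone, CIDR ranges and resource names are constructed, and the notebook image family is an assumed value.

```hcl
# Constructed VPC; all names, region and zone are placeholders.
resource "google_compute_network" "vpc" {
  name                    = "example-vpc"
  auto_create_subnetworks = false
}

# Flagged: private_ip_google_access is absent (defaults to false), so workloads
# in this subnet can only reach Google APIs through an external IP or NAT.
resource "google_compute_subnetwork" "flagged" {
  name          = "flagged-subnet"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.10.0.0/24"
}

# Fixed: instances without external IPs reach Google APIs and services over
# Google's private network, so their traffic never leaves it.
resource "google_compute_subnetwork" "private" {
  name                     = "private-subnet"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.20.0.0/24"
  private_ip_google_access = true
}

# Flagged: no_public_ip is not set, so the notebook VM receives an external IP.
resource "google_notebooks_instance" "flagged" {
  name         = "flagged-notebook"
  location     = "us-central1-a"
  machine_type = "e2-medium"

  vm_image {
    project      = "deeplearning-platform-release"
    image_family = "tf-latest-cpu" # assumed image family
  }
}

# Fixed: the public IP is explicitly disabled and the instance is placed in the
# subnet with private Google access so it can still reach the Notebooks and
# Vertex AI APIs without an external address.
resource "google_notebooks_instance" "private" {
  name         = "private-notebook"
  location     = "us-central1-a"
  machine_type = "e2-medium"
  no_public_ip = true
  network      = google_compute_network.vpc.id
  subnet       = google_compute_subnetwork.private.id

  vm_image {
    project      = "deeplearning-platform-release"
    image_family = "tf-latest-cpu" # assumed image family
  }
}
```

The two settings belong together: disabling the public IP without private Google access on the subnet leaves the notebook unable to reach the APIs it depends on, which is the usual reason teams leave the external IP in place. Both rules look for the attribute being set explicitly, so relying on a provider default does not satisfy them.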

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The configuration allows Google Compute Engine instances to be created with public IP addresses, making them directly accessible from the internet. This increases the risk of unauthorized access to your instances.

Impact

If exploited, attackers could connect to these exposed instances, potentially leading to data breaches, service disruption, or further compromise of your cloud environment. Publicly accessible instances are common targets for automated attacks and scanning.
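Added example (not from the original entry or the scanner): a Compute Engine instance that requests an external IP beside one that has only an internal address, with Cloud NAT supplying outbound access so the private VM can still fetch packages. Names, zone, region and CIDR range are constructed.

```hcl
# Constructed network and subnet used by both instances below.
resource "google_compute_network" "vpc" {
  name                    = "example-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "private" {
  name                     = "private-subnet"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.20.0.0/24"
  private_ip_google_access = true
}

# Flagged: an access_config block, even an empty one, asks for an ephemeral
# external IP, so the VM is directly reachable from the internet.
resource "google_compute_instance" "flagged" {
  name         = "public-vm"
  machine_type = "e2-micro"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.private.id
    access_config {}
  }
}

# Fixed: no access_config block, so the VM has only an internal IP.
resource "google_compute_instance" "private" {
  name         = "private-vm"
  machine_type = "e2-micro"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.private.id
  }
}

# Cloud NAT gives the private VM outbound internet access (updates, package
# mirrors) without exposing an inbound address.
resource "google_compute_router" "nat_router" {
  name    = "nat-router"
  region  = "us-central1"
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "nat" {
  name                               = "private-nat"
  router                             = google_compute_router.nat_router.name
  region                             = "us-central1"
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}
```

Administrative access to the private VM then goes through an IAM-authorised path such as IAP TCP forwarding (`gcloud compute ssh --tunnel-through-iap`) rather than an internet-facing port.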

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code assigns ‘allUsers’ or ‘allAuthenticatedUsers’ as members to a Google Pub/Sub topic, making it accessible to anyone on the internet or any authenticated user. This configuration exposes the topic to unauthorized access.

Impact

If exploited, anyone could publish or subscribe to the Pub/Sub topic, potentially leading to data leaks, unauthorized message injection, or service abuse. This can compromise sensitive information and disrupt application workflows.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The project does not have OS Login enabled in its Google Compute metadata configuration. Without OS Login, SSH access to VM instances is managed locally, making it harder to centrally control and audit user access.

Impact

If OS Login is not enabled, attackers or unauthorized users may retain access to VMs even after their permissions are revoked in IAM, increasing the risk of unauthorized access or privilege escalation. This weakens access control and auditability across your GCP environment.
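Added example (not the original entry's or the scanner's code): project metadata that manages SSH with a static key list, beside the corrected form that enables OS Login so SSH access follows IAM. The key material and user name are constructed placeholders.

```hcl
# Flagged: SSH is controlled by keys pasted into project metadata. Removing a
# user's IAM roles does nothing to this list, so their key keeps working until
# someone edits it by hand.
resource "google_compute_project_metadata" "flagged" {
  metadata = {
    ssh-keys = "alice:ssh-ed25519 AAAAC3Nz...PLACEHOLDER alice@example.com"
  }
}

# Fixed: OS Login maps SSH logins to IAM (roles/compute.osLogin and
# roles/compute.osAdminLogin), so revoking the role revokes access, and
# every login is attributed to a Google identity in the audit logs.
# A project holds a single google_compute_project_metadata resource, so this
# block replaces the one above rather than sitting alongside it.
resource "google_compute_project_metadata" "fixed" {
  metadata = {
    enable-oslogin = "TRUE"
  }
}
```

When reviewing a configuration, also check instance-level metadata: an `enable-oslogin = "FALSE"` entry on a `google_compute_instance` overrides the project setting for that VM, so the project-wide fix can be silently undone per instance.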

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The configuration allows ‘allUsers’ or ‘allAuthenticatedUsers’ to access a Google Artifact Registry repository, making it publicly or anonymously accessible. This exposes the repository contents to anyone on the internet or anyone with a Google account.

Impact

If exploited, unauthorized individuals could download, view, or potentially alter artifacts in the repository. This can lead to intellectual property leakage, distribution of malicious code, or compromise of internal applications, putting the organization’s assets and users at risk.
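Added example (not part of the original entry): an Artifact Registry repository whose IAM binding grants read access to ‘allUsers’, beside a binding scoped to the one workload identity that needs to pull images. Repository name, region and service account are constructed.

```hcl
resource "google_artifact_registry_repository" "images" {
  location      = "us-central1"
  repository_id = "app-images" # constructed
  format        = "DOCKER"
}

# Flagged: anyone on the internet can list and pull every artifact.
resource "google_artifact_registry_repository_iam_binding" "flagged" {
  location   = google_artifact_registry_repository.images.location
  repository = google_artifact_registry_repository.images.name
  role       = "roles/artifactregistry.reader"
  members    = ["allUsers"]
}

# Fixed: only the runtime service account that deploys from this repository
# may read it. Writers get roles/artifactregistry.writer on a separate,
# equally narrow binding.
resource "google_service_account" "runtime" {
  account_id   = "app-runtime" # constructed
  display_name = "Application runtime"
}

resource "google_artifact_registry_repository_iam_binding" "reader" {
  location   = google_artifact_registry_repository.images.location
  repository = google_artifact_registry_repository.images.name
  role       = "roles/artifactregistry.reader"
  members    = ["serviceAccount:${google_service_account.runtime.email}"]
}
```

‘allAuthenticatedUsers’ is no narrower in practice: any Google account, including personal ones, satisfies it, so the rule treats both members the same way.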

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

This configuration grants public or anonymous access to a Google Pub/Sub topic by including ‘allUsers’ or ‘allAuthenticatedUsers’ in the IAM binding. This means anyone on the internet or any authenticated Google user can access the topic.

Impact

If exploited, unauthorized users could publish or subscribe to messages on your Pub/Sub topic, potentially leading to data leaks, message tampering, spam, or disruption of your messaging workflows. This can compromise sensitive information and the integrity of your cloud infrastructure.
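Added example serving both Pub/Sub entries on this page (the earlier one and this one), not the scanner's own code: the topic IAM binding and member forms that include ‘allUsers’ or ‘allAuthenticatedUsers’, beside a binding restricted to a dedicated publisher service account. Topic and account names are constructed.

```hcl
resource "google_pubsub_topic" "events" {
  name = "order-events" # constructed
}

# Flagged (binding form): the whole internet may attach subscriptions and read
# every message published to the topic.
resource "google_pubsub_topic_iam_binding" "flagged_binding" {
  topic   = google_pubsub_topic.events.name
  role    = "roles/pubsub.subscriber"
  members = ["allUsers"]
}

# Flagged (member form): any Google account may inject messages.
resource "google_pubsub_topic_iam_member" "flagged_member" {
  topic  = google_pubsub_topic.events.name
  role   = "roles/pubsub.publisher"
  member = "allAuthenticatedUsers"
}

# Fixed: one service account, one role, nothing else on the topic.
resource "google_service_account" "publisher" {
  account_id   = "order-publisher" # constructed
  display_name = "Order event publisher"
}

resource "google_pubsub_topic_iam_binding" "publisher" {
  topic   = google_pubsub_topic.events.name
  role    = "roles/pubsub.publisher"
  members = ["serviceAccount:${google_service_account.publisher.email}"]
}
```

A `google_pubsub_topic_iam_binding` is authoritative for its role and removes any members not listed, which is useful for cleaning up a previously public topic; `google_pubsub_topic_iam_member` only adds, so a public member granted elsewhere would survive it.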

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Assigning the ‘Service Account User’ or ‘Service Account Token Creator’ roles to users at the project level grants broad permissions to impersonate or act as any service account in the project. This increases the risk of privilege misuse or unauthorized access.

Impact

If exploited, an attacker or overly permissioned user could use these roles to assume the identity of any service account, potentially accessing sensitive resources, escalating privileges, or bypassing intended access controls across the entire project.
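Added example (not from the original entry): the project-level grant of ‘Service Account User’ beside the same role bound on a single service account, which is the scope the role was designed for. Project ID, user and account names are constructed.

```hcl
resource "google_service_account" "deployer" {
  account_id   = "ci-deployer" # constructed
  display_name = "CI deployer"
}

# Flagged: granted at the project, roles/iam.serviceAccountUser lets the user
# run workloads as *every* service account in the project, including ones
# with far more privilege than their own identity.
resource "google_project_iam_binding" "flagged" {
  project = "example-project-id" # constructed
  role    = "roles/iam.serviceAccountUser"
  members = ["user:alice@example.com"]
}

# Fixed: bind the role on the one service account the user actually needs to
# act as. The same pattern applies to roles/iam.serviceAccountTokenCreator.
resource "google_service_account_iam_binding" "scoped" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.serviceAccountUser"
  members            = ["user:alice@example.com"]
}
```

`google_service_account.deployer.name` yields the full `projects/.../serviceAccounts/...` resource name that `service_account_id` expects. When reviewing, look at who can already create or modify service accounts in the project: combined with a project-wide User or Token Creator grant, that is what turns an ordinary identity into any identity.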

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Kubernetes Engine clusters have client certificate authentication enabled, which can allow users to connect using client certificates. This authentication method is less secure and can expose the cluster to unauthorized access if certificates are compromised.

Impact

If exploited, attackers with access to a client certificate could gain administrative control over the Kubernetes cluster, potentially leading to data breaches, service disruption, or further compromise of cloud resources.
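Added example (not the scanner's own code): a GKE cluster that issues a client certificate beside one that explicitly disables it, leaving IAM-backed credentials as the way to reach the API server. Cluster name and location are constructed.

```hcl
# Flagged: the cluster issues a client certificate. Kubernetes has no
# certificate revocation, so a leaked certificate remains valid until the
# cluster's credentials are rotated, and its use is not tied to any IAM identity.
resource "google_container_cluster" "flagged" {
  name               = "flagged-cluster" # constructed
  location           = "us-central1"
  initial_node_count = 1

  master_auth {
    client_certificate_config {
      issue_client_certificate = true
    }
  }
}

# Fixed: no client certificate is issued; kubectl authenticates with short-lived
# tokens obtained through gcloud, and every request is attributable in Cloud
# Audit Logs.
resource "google_container_cluster" "fixed" {
  name               = "fixed-cluster" # constructed
  location           = "us-central1"
  initial_node_count = 1

  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }
}
```

Setting the value explicitly, rather than omitting the block, is what satisfies the rule and also documents the intent for the next reviewer.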

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The firewall rule allows incoming SSH (port 22) connections from any IP address (0.0.0.0/0), exposing your servers to the public internet. This configuration makes SSH access unrestricted and easily discoverable.

Impact

Attackers could attempt to brute-force SSH credentials or exploit SSH vulnerabilities, potentially gaining unauthorized access to your servers. This increases the risk of data breaches, system compromise, and further attacks within your cloud environment.
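Added example (not part of the original entry): the firewall rule as flagged, beside a rule that admits SSH only from Google's Identity-Aware Proxy TCP-forwarding range (35.235.240.0/20) to instances carrying a specific network tag. Rule names and the tag are constructed; the network is assumed to be the project's default.

```hcl
# Flagged: port 22 reachable from every address on the internet.
resource "google_compute_firewall" "ssh_open" {
  name    = "allow-ssh-anywhere" # constructed
  network = "default"

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"]
}

# Fixed: only IAP may open port 22, and only on tagged instances. Operators
# connect with `gcloud compute ssh --tunnel-through-iap`, and IAP checks their
# IAM permission (roles/iap.tunnelResourceAccessor) before forwarding.
resource "google_compute_firewall" "ssh_iap" {
  name      = "allow-ssh-from-iap" # constructed
  network   = "default"
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["ssh-via-iap"] # constructed tag
}
```

If a bastion or corporate egress range is used instead of IAP, the same shape applies with that CIDR in `source_ranges`; the point the rule enforces is that `0.0.0.0/0` never appears on an SSH allow rule. Removing `target_tags` would apply the rule to every instance in the network, so keep it scoped.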