Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Kubernetes Engine cluster is not configured with PodSecurityPolicy enabled, meaning there are no enforced restrictions on what pods can do or what resources they can access. This leaves the cluster open to running potentially risky or untrusted workloads without proper security controls.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

This configuration grants public or anonymous access to a BigQuery table by assigning ‘allUsers’ or ‘allAuthenticatedUsers’ as IAM members. This means anyone on the internet, or any Google-authenticated user, can access the table’s data.

Impact

If exploited, sensitive data stored in the BigQuery table could be exposed to unauthorized users, leading to data leaks, compliance violations, or misuse of your organization’s information. Attackers could read, query, or potentially modify your data without restriction.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The configuration enables a public IP address for a Google Cloud SQL database instance, making the database accessible from the internet. This increases exposure to unauthorized access and potential attacks.

Impact

If exploited, attackers could attempt to connect to the database from anywhere, increasing the risk of data breaches, unauthorized data manipulation, or service disruption. Databases exposed to the public internet are routinely subjected to credential brute-forcing and are a common target for automated attacks.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Granting folder-level IAM permissions to the default Compute Engine service account allows this account broad access across all resources in the folder. Default service accounts are not intended for wide access and may be used by multiple workloads.

Impact

If exploited, attackers or compromised workloads could leverage the default service account’s elevated permissions to access, modify, or delete resources across all projects in the folder, increasing the risk of privilege escalation and unauthorized access.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

This code assigns a folder-level IAM role to a Google Cloud default service account. Default service accounts have broad permissions and are not intended for granular access control.

Impact

If exploited, attackers or unauthorized users could abuse the over-privileged default service account to access or modify resources across all projects under the folder, increasing the risk of privilege escalation and data exposure.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

This code allows ‘allUsers’ or ‘allAuthenticatedUsers’ to access a Google Cloud Run service, making it publicly or anonymously accessible. Anyone on the internet could reach this service without proper authentication controls.

Impact

If exploited, unauthorized users—including malicious actors—could access, interact with, or abuse the Cloud Run service. This could lead to data leakage, service disruption, or unexpected costs from misuse, potentially compromising sensitive information and the integrity of your application.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Granting organization-level IAM roles to default Compute Engine service accounts in GCP can unintentionally give broad permissions to these accounts. This practice increases the risk of privilege misuse if the default service account is compromised.

Impact

If an attacker gains access to a default service account with organization-level permissions, they could manipulate resources across the entire GCP organization, leading to data leaks, unauthorized changes, or disruption of critical services.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Assigning the ‘roles/editor’ role at the organization level in GCP gives users broad permissions, including the ability to impersonate and manage all service accounts. This overly permissive access can expose sensitive cloud resources to misuse.

Impact

If exploited, attackers or unauthorized users could gain control over all service accounts, potentially allowing them to escalate privileges, access confidential data, and perform destructive actions across your entire GCP organization.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS Transfer Server resource is configured with a public or unspecified endpoint type, allowing access from the internet. This exposes the server to unauthorized connections instead of restricting access to a specific VPC.

Impact

If exploited, anyone on the internet could attempt to connect to your Transfer Server, increasing the risk of unauthorized data access, credential theft, or misuse of your AWS resources. This exposure could lead to data breaches or compliance violations.

Improper Access Control

Property
Language: hcl
Severity: medium
CWE: CWE-284: Improper Access Control
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Medium

Description

This code configures a network ACL rule in AWS to allow incoming traffic from any public IP address. Allowing unrestricted public ingress exposes your resources to the entire internet, increasing the risk of unauthorized access.

Impact

If exploited, attackers could access or probe your AWS resources from anywhere on the internet, potentially leading to data breaches, service disruptions, or unauthorized use of your cloud infrastructure. This exposure makes your environment a target for automated attacks and malicious actors.