AWS best practice to not use the default VPC for workflows

Property
Language: terraform
Severity: high
Service: ec2
Provider: AWS
Vulnerability Type: omission

Description

Terraform code creates resources in the AWS default VPC. The default VPC is built for convenience, not isolation: it has a public subnet in every Availability Zone, an internet gateway with a default route, and public IPv4 auto-assignment turned on, so anything placed in it is reachable from the internet unless a security group says otherwise. A purpose-built VPC lets you choose private subnets, routing, network ACLs and flow logging deliberately instead of inheriting the open defaults.

Impact

Workloads in the default VPC share one flat, internet-facing network, so a compromised instance has a direct path to every other resource in it and, through the default public subnets, to the internet. The usual results are accidental exposure of services that should have been private and easy lateral movement once any single host is compromised.

AWS Classic resource usage.

Property
Language: terraform
Severity: critical
Service: rds
Provider: AWS

Description

EC2-Classic resources such as aws_db_security_group run on the original flat EC2 network, shared with other AWS customers, rather than inside an isolated VPC. AWS retired EC2-Classic in 2023, so the pattern is both weaker than a VPC and no longer supported for new deployments; run the database inside a VPC instead.

Resolution

Switch to the VPC equivalents: place the instance in an aws_db_subnet_group and control access with vpc_security_group_ids on aws_db_instance instead of an aws_db_security_group.

AWS Classic resource usage.

Property
Language: terraform
Severity: critical
Service: redshift
Provider: AWS

Description

EC2-Classic resources such as aws_redshift_security_group (Redshift cluster security groups) operate on the original shared EC2 network instead of in an isolated VPC, so there is no VPC-level network boundary between the cluster and other tenants.

Impact

Without VPC isolation the only barrier between the cluster and other EC2-Classic tenants is the classic security group itself; any mistake in it is reachable from the shared network, raising the risk of unauthorized access, data exposure and compliance findings. Move the cluster into a VPC (cluster_subnet_group_name plus vpc_security_group_ids on aws_redshift_cluster) rather than relying on classic security groups.
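The three VPC-related rules above (default VPC, EC2-Classic RDS and Redshift resources) can be checked together against the JSON that `terraform show -json plan.out` produces. The following is an added example written for this page, not the scanner's own implementation. The resource-type list, the "no subnet_id means default VPC" heuristic and the plan excerpt are constructed for the example; the handling of `after_unknown` is there because planned_values omits any attribute that is only known after apply, which would otherwise make a subnet_id referencing aws_subnet.x.id look missing.

```python
import json

# Resource types that only exist on the retired EC2-Classic network.
# Assumption: this mapping is the example's own, not the scanner's list.
CLASSIC_RESOURCE_TYPES = {
    "aws_db_security_group": "rds",
    "aws_redshift_security_group": "redshift",
    "aws_elasticache_security_group": "elasticache",
}


def _walk(module):
    """Yield every resource under a plan's planned_values tree, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk(child)


def _unknown_attrs(plan):
    """Map resource address -> attribute names that are only known after apply.
    planned_values leaves such attributes out, so without this a subnet_id that
    references aws_subnet.x.id would be reported as absent."""
    unknown = {}
    for change in plan.get("resource_changes", []):
        after_unknown = change.get("change", {}).get("after_unknown", {})
        unknown[change["address"]] = {k for k, v in after_unknown.items() if v}
    return unknown


def check_vpc_usage(plan):
    """Return (address, severity, message) tuples for default-VPC and EC2-Classic usage."""
    findings = []
    unknown = _unknown_attrs(plan)
    for res in _walk(plan["planned_values"]["root_module"]):
        rtype, addr = res["type"], res["address"]
        values = res.get("values") or {}
        if rtype == "aws_default_vpc":
            findings.append((addr, "high",
                             "adopts the account's default VPC; declare a dedicated aws_vpc instead"))
        elif rtype in CLASSIC_RESOURCE_TYPES:
            findings.append((addr, "critical",
                             f"EC2-Classic {CLASSIC_RESOURCE_TYPES[rtype]} resource; "
                             "use VPC security groups and a subnet group"))
        elif (rtype == "aws_instance" and not values.get("subnet_id")
              and "subnet_id" not in unknown.get(addr, set())):
            # Heuristic (example's own): without a subnet the instance lands in the default VPC.
            findings.append((addr, "high",
                             "no subnet_id; the instance launches into the default VPC"))
    return findings


# Constructed plan excerpt in the shape of `terraform show -json plan.out`.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {"root_module": {"resources": [
    {"address": "aws_default_vpc.default", "type": "aws_default_vpc", "values": {}},
    {"address": "aws_db_security_group.legacy", "type": "aws_db_security_group",
     "values": {"name": "legacy"}},
    {"address": "aws_instance.web", "type": "aws_instance",
     "values": {"instance_type": "t3.micro"}},
    {"address": "aws_instance.app", "type": "aws_instance",
     "values": {"instance_type": "t3.micro"}}
  ]}},
  "resource_changes": [
    {"address": "aws_instance.app",
     "change": {"after_unknown": {"id": true, "subnet_id": true}}}
  ]
}
""")

if __name__ == "__main__":
    for addr, severity, message in check_vpc_usage(SAMPLE_PLAN):
        print(f"[{severity}] {addr}: {message}")
```

Run it against a real plan with `python check_vpc.py < plan.json` after swapping SAMPLE_PLAN for `json.load(sys.stdin)`; aws_instance.app is not reported because its subnet_id is unknown until apply, while aws_instance.web, which declares none, is.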

AWS SQS policy document has wildcard action statement.

Property
Language: terraform
Severity: high
Service: sqs
Provider: AWS
Vulnerability Type: misconfiguration

Description

The SQS queue policy document uses a wildcard ('*' or 'sqs:*') in the Action element of an Allow statement, granting every SQS operation instead of only those the principal needs (typically sqs:SendMessage for a producer, or sqs:ReceiveMessage and sqs:DeleteMessage for a consumer).

Impact

Whatever principal the statement names can then do anything to the queue: read and delete messages, purge it, change its attributes, or rewrite the policy itself through sqs:SetQueueAttributes to lock out the legitimate owner. When the Principal is also '*', that is every AWS account and every anonymous caller on the internet. The outcome is data loss, unauthorized message access, or an outage for every service that depends on the queue.
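The check behind this rule has to normalise the policy first, because IAM allows Statement, Action and Principal to be either a scalar or a list and treats action names case-insensitively. The following is an added example for this page, not the scanner's code; the two policies are constructed, and the severity bump for an anonymous principal is the example's own choice.

```python
import json


def _as_list(value):
    """IAM lets Statement, Action and Principal be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _open_to_anyone(principal):
    """True when the statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def wildcard_action_findings(policy_json):
    """One finding per Allow statement whose Action grants every SQS operation.
    Action names are case-insensitive in IAM, so 'SQS:*' counts as well."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny statement restricts rather than grants
        wild = [a for a in _as_list(stmt.get("Action"))
                if a == "*" or a.lower() == "sqs:*"]
        if not wild:
            continue
        anyone = _open_to_anyone(stmt.get("Principal"))
        findings.append({
            "statement": stmt.get("Sid", f"Statement[{index}]"),
            "actions": wild,
            # wildcard action plus anonymous principal is an internet-wide grant
            "severity": "critical" if anyone else "high",
            "open_to_anyone": anyone,
        })
    return findings


# Constructed policies as they would appear in aws_sqs_queue_policy.policy.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEverything",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": "arn:aws:sqs:us-east-1:111122223333:orders",
    }],
})

# The corrected form: one action, a named service principal, and a source-ARN
# condition so only that topic can publish.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOrderTopicToPublish",
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": ["sqs:SendMessage"],
        "Resource": "arn:aws:sqs:us-east-1:111122223333:orders",
        "Condition": {"ArnEquals": {
            "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:order-events"}},
    }],
})

if __name__ == "__main__":
    print(wildcard_action_findings(WEAK_POLICY))
    print(wildcard_action_findings(SCOPED_POLICY))
```

A partial wildcard such as sqs:Receive* is deliberately not reported here; whether that counts as a finding is a policy decision for your team, but '*' and 'sqs:*' always are.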

aws_instance should activate session tokens for Instance Metadata Service.

Property
Language: terraform
Severity: high
Service: ec2
Provider: AWS
Vulnerability Type: omission

Description

The aws_instance resource does not require session tokens for the Instance Metadata Service (IMDS), so the IMDSv1 endpoint at 169.254.169.254 answers plain GET requests. This forgoes the protection IMDSv2 adds (a PUT request to obtain a token first, with a hop limit on the response), which is what stops server-side request forgery, open proxies and misconfigured reverse proxies from relaying metadata requests on an attacker's behalf.

Impact

If exploited, attackers can read instance metadata without a token, including the temporary credentials of the instance profile role and any secrets placed in user data. That leads to privilege escalation, lateral movement within the AWS environment, and compromise of other AWS resources the role can reach.

aws_instance should activate session tokens for Instance Metadata Service.

Property
Language: terraform
Severity: high
Service: ec2
Provider: AWS
Vulnerability Type: omission

Description

The AWS EC2 instance is configured to allow optional or no authentication tokens for the Instance Metadata Service (IMDS), instead of requiring session tokens through the 'http_tokens' setting in its metadata_options block. This leaves the IMDS endpoint less protected against unauthorized access from within the instance.

Impact

If exploited, processes or attackers within the instance could freely access sensitive metadata, such as IAM credentials, increasing the risk of privilege escalation, data exfiltration, and lateral movement within the cloud environment.
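Both IMDS rules above reduce to the same check on the metadata_options block of an aws_instance or aws_launch_template. The following is an added example for this page rather than the scanner's implementation; the planned-values entries are constructed, and the assumption that an absent http_tokens means "optional" should be verified against the provider version you run.

```python
# Assumption (example's own): when the block or attribute is absent, the
# effective value is the IMDSv1-compatible "optional". Verify this against
# the AWS provider version in use.
DEFAULT_HTTP_TOKENS = "optional"


def imds_finding(resource):
    """Return a finding for an aws_instance / aws_launch_template whose
    metadata_options do not require IMDSv2 session tokens, else None.
    `resource` has the shape of a Terraform plan JSON planned_values entry."""
    if resource["type"] not in ("aws_instance", "aws_launch_template"):
        return None
    blocks = (resource.get("values") or {}).get("metadata_options") or []
    opts = blocks[0] if blocks else {}
    if opts.get("http_endpoint") == "disabled":
        return None  # IMDS switched off entirely: nothing for an attacker to fetch
    tokens = opts.get("http_tokens") or DEFAULT_HTTP_TOKENS
    if tokens == "required":
        return None
    return (f"{resource['address']}: http_tokens={tokens}; set "
            'metadata_options { http_tokens = "required" }')


def check_imds(resources):
    """Findings for every in-scope resource in the list, in input order."""
    return [f for f in (imds_finding(r) for r in resources) if f]


# Constructed planned_values entries mirroring the Terraform attributes.
SAMPLE_RESOURCES = [
    # no metadata_options block at all
    {"address": "aws_instance.legacy", "type": "aws_instance",
     "values": {"ami": "ami-0123456789abcdef0"}},
    # block present but tokens optional: IMDSv1 still answers
    {"address": "aws_instance.optional", "type": "aws_instance",
     "values": {"metadata_options": [{"http_endpoint": "enabled",
                                      "http_tokens": "optional"}]}},
    # the corrected form; hop limit 1 also keeps containers from using a token
    {"address": "aws_instance.hardened", "type": "aws_instance",
     "values": {"metadata_options": [{"http_endpoint": "enabled",
                                      "http_tokens": "required",
                                      "http_put_response_hop_limit": 1}]}},
    # IMDS disabled outright: nothing to protect
    {"address": "aws_launch_template.no_imds", "type": "aws_launch_template",
     "values": {"metadata_options": [{"http_endpoint": "disabled"}]}},
    # out of scope for this rule
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {}},
]

if __name__ == "__main__":
    for line in check_imds(SAMPLE_RESOURCES):
        print(line)
```

Leaving http_put_response_hop_limit at 1 alongside http_tokens = "required" means the token response cannot be forwarded past the instance's own network stack, so containers on a bridge network cannot obtain one either; raise it only for workloads that genuinely need container-level IMDS access.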

BigQuery datasets should only be accessible within the organisation

Property
Language: terraform
Severity: critical
Service: bigquery
Provider: Google
Vulnerability Type: misconfiguration

Description

The BigQuery dataset grants access to 'allAuthenticatedUsers' (as a special_group in an access block, or as an IAM member), which admits any Google account holder, including everyone outside the organization. This bypasses organizational boundaries and exposes the data to unintended parties; 'allUsers' is broader still, requiring no sign-in at all.

Impact

Sensitive data in the BigQuery dataset could be accessed, viewed, or extracted by anyone with a Google account, including external or malicious actors. This exposure risks data breaches, regulatory non-compliance, and significant reputational and financial harm to the organization.
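A check for this rule has to look in two places: the access blocks of google_bigquery_dataset and the separate dataset IAM member/binding resources. The following is an added example for this page, not the scanner's code; the resources are constructed, and the org-scoped `domain` access block in the second dataset shows the corrected form.

```python
# Principals that reach beyond the organisation. allUsers is wider still
# (no Google sign-in needed) and is reported by the same check.
PUBLIC_PRINCIPALS = {"allAuthenticatedUsers", "allUsers"}


def public_bigquery_findings(resource):
    """Findings for a google_bigquery_dataset whose access blocks name a public
    principal, or for a dataset IAM member/binding that does.
    `resource` has the shape of a Terraform plan JSON planned_values entry."""
    rtype, addr = resource["type"], resource["address"]
    values = resource.get("values") or {}
    findings = []
    if rtype == "google_bigquery_dataset":
        for block in values.get("access") or []:
            # special_group carries the legacy spelling; iam_member the IAM one
            for field in ("special_group", "iam_member"):
                principal = block.get(field)
                if principal in PUBLIC_PRINCIPALS:
                    findings.append(f"{addr}: access block grants {block.get('role')} "
                                    f"to {principal} via {field}")
    elif rtype in ("google_bigquery_dataset_iam_member",
                   "google_bigquery_dataset_iam_binding"):
        members = [values["member"]] if "member" in values else list(values.get("members") or [])
        for principal in members:
            if principal in PUBLIC_PRINCIPALS:
                findings.append(f"{addr}: {values.get('role')} bound to {principal}")
    return findings


def check_datasets(resources):
    return [f for r in resources for f in public_bigquery_findings(r)]


# Constructed planned_values entries.
SAMPLE_RESOURCES = [
    {"address": "google_bigquery_dataset.exposed", "type": "google_bigquery_dataset",
     "values": {"dataset_id": "sales", "access": [
         {"role": "OWNER", "user_by_email": "data-owner@example.com"},
         {"role": "READER", "special_group": "allAuthenticatedUsers"},   # finding
     ]}},
    {"address": "google_bigquery_dataset.internal", "type": "google_bigquery_dataset",
     "values": {"dataset_id": "finance", "access": [
         {"role": "OWNER", "user_by_email": "data-owner@example.com"},
         {"role": "READER", "domain": "example.com"},          # org-scoped: fine
         {"role": "READER", "special_group": "projectReaders"},  # project-scoped: fine
     ]}},
    {"address": "google_bigquery_dataset_iam_member.public",
     "type": "google_bigquery_dataset_iam_member",
     "values": {"dataset_id": "sales", "role": "roles/bigquery.dataViewer",
                "member": "allUsers"}},                                # finding
]

if __name__ == "__main__":
    for line in check_datasets(SAMPLE_RESOURCES):
        print(line)
```

Replacing the public principal with a `domain` access entry (or a group_by_email for a narrower audience) keeps the dataset inside the organisation; authorized views are the usual answer when an external party needs a subset of rows.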

Buckets should have MFA deletion protection enabled.

Property
Language: terraform
Severity: low
Service: s3
Provider: AWS

Description

Enabling MFA delete on an S3 bucket requires an additional MFA-backed authentication step before anyone can change the bucket's versioning state or permanently delete an object version. It adds a layer of protection if your long-term credentials are compromised or unauthorized access is otherwise obtained: stolen access keys alone cannot wipe the version history.

Resolution

Enable versioning with MFA delete on the bucket. Note that AWS only accepts this change from the bucket owner's root user presenting an MFA code; Terraform's aws_s3_bucket_versioning resource exposes it as mfa_delete = "Enabled" together with the mfa argument (device serial and current code), so the setting is usually applied once out of band and then mirrored in code.
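A check for this rule has to handle both the current aws_s3_bucket_versioning resource and the legacy inline versioning block on aws_s3_bucket, and must not misread an aws_s3_bucket that simply delegates versioning to the separate resource. The following is an added example for this page, not the scanner's code; the resources are constructed.

```python
def mfa_delete_finding(resource):
    """Return a finding for a bucket whose versioning lacks MFA delete, else None.
    Handles aws_s3_bucket_versioning and the legacy inline `versioning` block on
    aws_s3_bucket (AWS provider < 4.0). `resource` has the shape of a Terraform
    plan JSON planned_values entry."""
    rtype, addr = resource["type"], resource["address"]
    values = resource.get("values") or {}
    if rtype == "aws_s3_bucket_versioning":
        conf = (values.get("versioning_configuration") or [{}])[0]
        versioned = conf.get("status") == "Enabled"
        mfa = conf.get("mfa_delete") == "Enabled"
    elif rtype == "aws_s3_bucket":
        blocks = values.get("versioning") or []
        if not blocks:
            return None  # nothing declared inline; the separate resource is where to look
        conf = blocks[0]
        versioned = bool(conf.get("enabled"))
        mfa = bool(conf.get("mfa_delete"))
    else:
        return None
    if not versioned:
        return f"{addr}: versioning is not enabled (MFA delete requires versioning)"
    if not mfa:
        return f"{addr}: versioning enabled but mfa_delete is not"
    return None


def check_buckets(resources):
    return [f for f in (mfa_delete_finding(r) for r in resources) if f]


# Constructed planned_values entries.
SAMPLE_RESOURCES = [
    {"address": "aws_s3_bucket_versioning.audit", "type": "aws_s3_bucket_versioning",
     "values": {"bucket": "audit-logs",
                "versioning_configuration": [{"status": "Enabled"}]}},            # finding
    {"address": "aws_s3_bucket_versioning.backups", "type": "aws_s3_bucket_versioning",
     "values": {"bucket": "backups",
                "versioning_configuration": [{"status": "Enabled",
                                              "mfa_delete": "Enabled"}]}},       # corrected form
    {"address": "aws_s3_bucket.legacy", "type": "aws_s3_bucket",
     "values": {"bucket": "legacy",
                "versioning": [{"enabled": True, "mfa_delete": False}]}},        # finding
    {"address": "aws_s3_bucket.audit", "type": "aws_s3_bucket",
     "values": {"bucket": "audit-logs", "versioning": []}},   # managed by the resource above
]

if __name__ == "__main__":
    for line in check_buckets(SAMPLE_RESOURCES):
        print(line)
```

Because the API only accepts the change from the root user with an MFA code, a plan that flips mfa_delete to "Enabled" without the mfa argument will fail at apply time; treat the finding as a prompt to run the one-off root-credential step, then keep the attribute in code so drift is detected.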

Can elevate its own privileges

Property
Language: terraform
Severity: medium
Vulnerability Type: omission

Description

The container's securityContext does not set allowPrivilegeEscalation: false, so a process inside it can gain more privileges than its parent, for example through a setuid or file-capability binary. Kubernetes defaults this field to true, so even a container that starts as an unprivileged user can reach root-equivalent privileges through such a binary, escaping the restrictions the pod spec appears to impose.

Impact

If exploited, a malicious process inside the container can gain root within it, and from there a kernel or container-runtime flaw is all that separates it from the underlying node. This may lead to unauthorized access, data breaches, disruption of services, or lateral movement within the cluster.
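A check for this rule needs to look at init, regular and ephemeral containers, find the pod template inside workload kinds such as Deployment, and account for the two cases where Kubernetes forces allowPrivilegeEscalation to true regardless of what is written: a privileged container, or one granted CAP_SYS_ADMIN. The following is an added example for this page, not the scanner's code; the Deployment manifest is constructed (shown as the dict form of its YAML).

```python
# Kubernetes forces allowPrivilegeEscalation to true when the container is
# privileged or is granted CAP_SYS_ADMIN, so those are reported as findings too.
ESCALATION_IMPLIED_CAPS = {"SYS_ADMIN", "CAP_SYS_ADMIN"}


def _pod_spec(manifest):
    """Return the PodSpec of a Pod, or of the pod template inside a
    Deployment / StatefulSet / DaemonSet / Job. (CronJob nests one level
    deeper, under spec.jobTemplate, and is not handled here.)"""
    spec = manifest.get("spec") or {}
    return (spec.get("template") or {}).get("spec", spec)


def privilege_escalation_findings(manifest):
    """One finding per container that can raise its own privileges."""
    findings = []
    spec = _pod_spec(manifest)
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            name = f"{field}/{container.get('name', '?')}"
            sc = container.get("securityContext") or {}
            added = set((sc.get("capabilities") or {}).get("add") or [])
            if sc.get("privileged"):
                findings.append(f"{name}: privileged=true implies allowPrivilegeEscalation=true")
            elif added & ESCALATION_IMPLIED_CAPS:
                findings.append(f"{name}: CAP_SYS_ADMIN implies allowPrivilegeEscalation=true")
            elif sc.get("allowPrivilegeEscalation") is not False:
                findings.append(f"{name}: allowPrivilegeEscalation is not set to false")
    return findings


# Constructed Deployment: one init container with no securityContext, one
# hardened app container, one privileged sidecar.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "migrate", "image": "example/migrate:1.0"}],
        "containers": [
            {"name": "app", "image": "example/app:1.0",
             "securityContext": {"allowPrivilegeEscalation": False,   # corrected form
                                 "runAsNonRoot": True,
                                 "capabilities": {"drop": ["ALL"]}}},
            {"name": "node-agent", "image": "example/agent:1.0",
             "securityContext": {"privileged": True}},
        ],
    }}},
}

if __name__ == "__main__":
    for line in privilege_escalation_findings(SAMPLE_DEPLOYMENT):
        print(line)
```

The API server rejects a spec that sets privileged: true together with allowPrivilegeEscalation: false, which is why the check reports the privileged case on its own rather than looking for the explicit false.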

Channel Accessible by Non-Endpoint

Property
Language: go
Severity: medium
CWE: CWE-300: Channel Accessible by Non-Endpoint
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: High
Impact Level: Low
Likelihood Level: Low

Description

The gRPC client is configured with grpc.WithInsecure(), which turns off transport security, so every request and response between client and server crosses the network in plaintext and can be read or modified by anyone on the path. grpc.WithTransportCredentials(insecure.NewCredentials()), the current spelling that replaced the deprecated grpc.WithInsecure(), is exactly as exposed and should be treated the same way.

Impact

Without encryption, attackers on the network can read or modify sensitive gRPC messages, potentially exposing confidential data or injecting malicious commands. This undermines the security of both client and server, making it easier for attackers to compromise the application or gain unauthorized access.
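A source check for this rule must catch both spellings of the plaintext option, since code that has been migrated off the deprecated grpc.WithInsecure() to insecure.NewCredentials() still dials without TLS. The following is an added example for this page, not the scanner's implementation; the pattern list is the example's own, and the Go snippet it scans is constructed.

```python
import re

# Options that disable transport security on a grpc.Dial / grpc.NewClient call.
# Assumption: this pattern list is the example's own. insecure.NewCredentials()
# is the non-deprecated spelling of grpc.WithInsecure() and is just as exposed.
INSECURE_OPTIONS = re.compile(r"grpc\.WithInsecure\(\)|insecure\.NewCredentials\(\)")
# The fix: a TLS credential constructor passed via grpc.WithTransportCredentials.
TLS_OPTIONS = re.compile(r"credentials\.(NewTLS|NewClientTLSFromFile|NewClientTLSFromCert)\(")


def insecure_grpc_dials(go_source):
    """Return (line_number, stripped_line) for each line passing a plaintext option."""
    findings = []
    for number, line in enumerate(go_source.splitlines(), 1):
        code = line.strip()
        if code.startswith("//"):
            continue  # a commented-out dial is not a finding
        if INSECURE_OPTIONS.search(code):
            findings.append((number, code))
    return findings


def uses_tls_credentials(go_source):
    """True when the file constructs TLS transport credentials anywhere."""
    return TLS_OPTIONS.search(go_source) is not None


# Constructed Go source: two plaintext dials and the corrected TLS dial.
SAMPLE_GO = """\
package main

import (
    "crypto/tls"

    "google.golang.org/grpc"
    "google.golang.org/grpc/credentials"
    "google.golang.org/grpc/credentials/insecure"
)

func dialPlaintext(addr string) (*grpc.ClientConn, error) {
    return grpc.Dial(addr, grpc.WithInsecure()) // deprecated spelling, still plaintext
}

func dialStillPlaintext(addr string) (*grpc.ClientConn, error) {
    return grpc.NewClient(addr, grpc.WithTransportCredentials(insecure.NewCredentials()))
}

func dialTLS(addr string) (*grpc.ClientConn, error) {
    creds := credentials.NewTLS(&tls.Config{MinVersion: tls.VersionTLS12})
    return grpc.NewClient(addr, grpc.WithTransportCredentials(creds))
}
"""

if __name__ == "__main__":
    for number, code in insecure_grpc_dials(SAMPLE_GO):
        print(f"line {number}: {code}")
    print("TLS credentials present:", uses_tls_credentials(SAMPLE_GO))
```

A file that matches both patterns (as the sample does) still has a finding: the presence of credentials.NewTLS elsewhere does not fix the dial that passes the plaintext option, so report per line rather than per file.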