Improper Access Control
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
The Dataproc cluster IAM configuration allows access to ‘allUsers’ or ‘allAuthenticatedUsers’, making the cluster publicly accessible to anyone on the internet. This exposes sensitive data and resources to unauthorized parties.
Impact#
If exploited, anyone could access, modify, or disrupt Dataproc clusters without authentication, leading to data breaches, unauthorized computation costs, or compromise of organizational assets. Attackers could potentially run arbitrary jobs or steal confidential information.