Supported Services and Risks

Panoptica continually scans your cloud resources for potential risks, security issues and vulnerabilities across dozens of key services. This catalog provides a complete list of the services Panoptica scans across multiple cloud providers and platforms, and the hundreds of risks Panoptica can detect in those services. The results of these scans show up in different aspects of the Panoptica platform:

  • To view the services Panoptica has identified in your environment, see Asset Inventory.
  • To view the risks Panoptica has identified, see Security Posture.
  • To view those risks prioritized and contextualized, see Attack Paths.

The catalog is sorted by provider, service name, and category. In Chrome or Edge, use the Table of Contents to the right to navigate to the information you're looking for. Firefox and Safari, however, are unable to expand a section to display an anchor link within, like Chrome and Edge can. If you're using Firefox or Safari, click the cloud provider header in the Table of Contents (AWS, Azure, GCP, etc.), then select the service you want to expand in the main section.

Amazon Web Services (AWS) - click to collapse

Amazon Web Services (AWS)

Click on a service name below to view a table of the risks Panoptica detects in AWS, along with brief descriptions and attack scenarios.

    AWS Certificate Manager

    AWS Certificate Manager

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsACM Certificate Without Minimum Of 2048-bit Key For RSA CertificateAn ACM certificate that does not use a minimum of 2048-bit key for RSA certificate."A key length of 1024 bit is not considered secure, as it can be cracked using brute-force methods. Upgrade your certificates to 2048-bit or 4096-bit RSA certificates which are using stronger encryption algorithms."
    Neglected ResourceACM Certificate Expires In 30 DaysAn ACM certificate is going to expire in 30 days.It is not a best practice to have an expired certificate. An expired certificate can be accidentally deployed to another resource, leading to application errors and credibility damage. Renew the certificate as soon as possible.
    Neglected ResourceACM Certificate Pending ValidationAn ACM certificate with 'PENDING_VALIDATION' status.When an ACM certificate is not validated within 72 hours, it becomes invalid and you have to create a new certificate request.
    Neglected ResourceExpired ACM CertificateAn expired ACM certificate.It is not a best practice to have an expired certificate. An expired certificate can cause an accidental deployment to another resource, leading to application errors and credibility damage.
    Neglected ResourceInvalid ACM CertificateAn ACM certificate with 'FAILED' or 'VALIDATION_TIMED_OUT' status.It is not a best practice to have invalid certificates. Invalid certificates should be deleted.
    Neglected ResourceUnused ACM CertificateUnused ACM CertificateIt is not a best practice to have unused certificates. Unused certificates should be used or removed.
    Amazon CloudFront

    Amazon CloudFront

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsCloudFront Distribution Lacking WAF ProtectionThis risk highlights a CloudFront distribution that is not protected by a Web Application Firewall (WAF). Without WAF protection, your distribution may be vulnerable to common web exploits that could affect availability or compromise security. To enhance your distribution's security, it's recommended to attach a properly configured WAF to your CloudFront distribution."A WAF helps protect web applications by filtering and monitoring traffic. It usually protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection. An attacker can use this opportunity to attack your application."
    Insecure ConfigurationsCloudFront Distribution Permitting Insecure HTTP ConnectionsThis risk underscores a CloudFront distribution that allows insecure HTTP connections. Such connections could expose your data to potential risks during transmission. It's advised to enforce secure HTTPS connections for your CloudFront distribution to ensure the security and integrity of your data.An attacker can gain access to traffic between your CloudFront distribution and the application viewers.
    Insecure ConfigurationsCloudFront Distribution with Logging DisabledThis risk signifies a CloudFront distribution that has logging disabled. Without logging, it can be challenging to monitor and troubleshoot your distribution's activity. It's highly recommended to enable and properly configure logging for your CloudFront distribution to ensure effective operations and prompt issue resolution.CloudFront distribution logging is used to track all the requests. It is necessary for investigating activities and for auditing purposes.
    Insecure ConfigurationsCloudFront Operating with Unencrypted Origin Server ConnectionThis risk identifies a CloudFront distribution configured to operate with an unencrypted connection to the origin server. Such a configuration can expose your data to unnecessary risks during transmission. It's highly advised to secure the connection to your origin server with encryption, such as HTTPS, to uphold the integrity and confidentiality of your data.An attacker can gain access to traffic between your CloudFront distribution and an origin server.
    Insecure ConfigurationsCloudFront With Insecure TLS CiphersA CloudFront distribution that does not use secure TLS (Transport Layer Security) protocol versions.It is recommended to use the latest version of TLS if possible. Older versions (prior to TLS 1.2) may be deprecated or may contain known vulnerabilities that an attacker can use.
    Amazon DocumentDB

    Amazon DocumentDB

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsDocumentDB Audit Logs Export DisabledDocumentDB cluster without export audit logs to Cloudwatch.Without comprehensive auditing, there's a higher risk of undetected security breaches or unauthorized access to your system.
    Insecure ConfigurationsDocumentDB Cluster has Short Retention PeriodDocumentDB cluster has less than 7 days backup retention period.A backup retention period ensures that you have a reliable copy of your data in case of accidental deletion, corruption, or other data loss events.
    Insecure ConfigurationsDocumentDB without Deletion ProtectionDeletion protection is disabled.Disabling deletion protection in a DocumentDB can introduce several security risks. Deletion protection is a feature that prevents accidental or unauthorized data deletions, and disabling it can make your database more vulnerable to various threats.
    Insecure ConfigurationsDocumentDB Without Storage EncryptionAn attacker with access to the DocumentDB can access sensitive data stored in the DB.This risk indicates an Amazon DocumentDB that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended.
    Amazon DynamoDB

    Amazon DynamoDB

    CategoryRisk NameDescriptionAttack Scenario
    Neglected ResourceDynamoDB Table Without Continuous BackupA DynamoDB table without continuous backups for the point-in-time recovery feature.It is a best practice to enable continuous backups for your DynamoDB tables. DynamoDB continuous backups, powered by Point-in-time Recovery (PITR) feature, will help you protect your DynamoDB data against accidental writes, deletes, or any loss of data.
    Insufficient MonitoringDynamoDB Streams is disabledDynamoDB Streams is disabled. DynamoDB Streams is a feature of AWS DynamoDB that captures a time-ordered sequence of item-level modifications in any DynamoDB table and stores this information in a log for up to 24 hours. Whenever an application performs create, update, or delete operations on items in the table, DynamoDB Streams writes a record of the changes to a stream. When DynamoDB Streams is disabled for a table, no stream records will be captured or available for that table. This implies that any applications or services that depend on this stream for triggers or data will not receive any updates. Also, any existing stream data for the table will be inaccessible, and the history of changes will not be stored.The absence of DynamoDB streams means there is no real-time monitoring or auditing trail of item-level changes, which could delay the detection of unauthorized modifications to the database. As a result it could potentially give an attacker more time to operate unnoticed within the system.
    Insufficient EncryptionDynamoDB Encrypted at Rest with Amazon DynamoDB KeyAWS DynamoDB table encrypted with Amazon DynamoDB key.KMS service allows you to easily create, rotate, disable and audit Customer Master Keys created for your Amazon DynamoDB. Using a default Amazon DynamoDB key to encrypt DynamoDB table in AWS is not recommended due to limited control over key management, potential security risks from shared keys across accounts, and inadequate support for key rotation.
    Insecure ConfigurationsDynamoDB Table without Deletion ProtectionDeletion protection is disabled.Disabling deletion protection in DynamoDB can introduce several security risks. Deletion protection is a feature that prevents accidental or unauthorized data deletions, and disabling it can make your database more vulnerable to various threats.
    Insufficient EncryptionDynamoDB Encrypted at Rest with AWS Managed Key (Single)
    Amazon EC2

    Amazon EC2

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsDefault Security Group AssignmentThe EC2 instance uses the default Security Group.An attacker might exploit misconfuguration or wide allowed outbound IP range to obtain network access to the EC2 instance.
    Insecure ConfigurationsEC2 Classic Instance Not Operating Within a VPCThis risk underscores an EC2 Classic instance that is not operating within a Virtual Private Cloud (VPC). Operating outside of a VPC may expose your EC2 instance to unnecessary security risks and limit control over network configuration. It's strongly advised to migrate your EC2 Classic instances to a VPC, providing an additional layer of security and increased control over networking aspects, to bolster your system security.Current workloads might be interrupted.
    Insecure ConfigurationsEC2 Instance Operating with Unsecured Metadata ServiceThis risk points to an EC2 instance that has metadata services enabled without the necessary security tokens. Without these tokens, the metadata services, which can hold sensitive information about the EC2 instance, are exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata services by implementing required security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata.When the instance is public and has a connection to the internet, the attacker can take advantage of these default configurations and get full access to the instance and its permissions. This is a default configuration that most of the developers are not aware of. The default configuration can leave your environment at increased risk in the event of a credential exposure/compromise. The metadata information is available by making a request to the IP address of 169.254.169.254. The current AWS Metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, and it allows an attacker to trick the instance with SSRF (server-side request forgery) vulnerability and making an HTTP/HTTPS requests on his behalf.
    Insecure ConfigurationsLoad Balancer Operating with Outdated SSLv3 ProtocolThis risk category identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. The SSLv3 protocol has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication.This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. This vulnerability is known as POODLE attack - man-in-the-middle exploits which take advantage of Internet and security software clients' fallback to SSL 3.0.
    Insecure ConfigurationsRDS Database Instance Without EncryptionAn attacker with access to the RDS DB can access sensitive data stored in the DB.This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended.
    Public ExposurePublic AWS EBS SnapshotPublicly shared Elastic Block Store (EBS) volume snapshot with all other AWS accounts.An attacker can use the public shared EBS snapshot in its own account and potentially expose sensitive data.
    Neglected ResourceUnassociated Elastic IP AddressThe Elastic IP is unused, not associated with any resource in the cloud environment.An attacker might leverage the neglected Elastic IP to bypass security mechanisms or direct traffic to a malicious server.
    Public ExposurePublic AWS AMIPublicly shared AWS AMI with all other AWS accounts.An attacker can attach the public shared AMI to a machine in the attacker's AWS account and inspect the image.
    Amazon Elastic Container Registry

    Amazon Elastic Container Registry

    CategoryRisk NameDescriptionAttack Scenario
    Permissive AccessPrivate ECR Repository Allows Anonymous Users To Pull ImagesPrivate ECR repository allowing anyone to pull images.An attacker can pull images from a private repository.
    Permissive AccessPrivate ECR Repository Allows Anonymous Users To Push ImagesPrivate ECR repository with permissions to push images.An attacker can push a malicious image to the repository.
    Insecure ConfigurationsPrivate ECR Repository Without KMS KeyPrivate ECR repository without KMS encryption.KMS provides more control over the repository encryption.
    Insecure ConfigurationsPublic ECR Repository Allows Anonymous Users AccessPublic ECR repository enables any user to perform ECR actions.
    Insecure ConfigurationsPublic ECR Repository Allows Anonymous Users To Push ImagesPublic ECR repository with permissions to push images.An attacker can push a malicious image to the repository.
    Amazon ECS

    Amazon ECS

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsEC2 Instance Operating with Unsecured Metadata ServiceThis risk points to an EC2 instance that has metadata services enabled without the necessary security tokens. Without these tokens, the metadata services, which can hold sensitive information about the EC2 instance, are exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata services by implementing required security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata."When the instance is public and has a connection to the internet, the attacker can take advantage of these default configurations and get full access to the instance and its permissions. This is a default configuration that most of the developers are not aware of. The default configuration can leave your environment at increased risk in the event of a credential exposure/compromise. \nThe metadata information is available by making a request to the IP address of 169.254.169.254. \nThe current AWS Metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, and it allows an attacker to trick the instance with SSRF (server-side request forgery) vulnerability and making an HTTP/HTTPS requests on his behalf."
    Insecure ConfigurationsECS Container Operating in Elevated Privilege ModeThis risk signifies an ECS container that's operating in a privileged mode. When a container is run in privileged mode, it holds potential access to all devices on the host system, thereby posing a significant security risk. This unrestricted access could lead to unauthorized activities or data breaches if the container were to be compromised. It's highly recommended to review the necessity of privileged mode for this container. If not required, a prompt action to modify the container's access privileges is advised to uphold system security and integrity.An attacker with access to the container can gain unauthorized access to other resources in the enviornment.
    Insecure ConfigurationsECS Container with Elevated System Administrator CapabilitiesThis risk underscores an ECS container configured with CAP_SYS_ADMIN capabilities. This configuration grants the container nearly unrestricted system-level permissions equivalent to the root user on the host, which can significantly amplify the potential impact of a security breach if the container is compromised. It's essential to reassess the necessity of such elevated privileges. If these superuser capabilities are not necessary for the container's operations, it is strongly advised to reduce its permissions promptly, thereby bolstering system security and reducing potential attack vectors.CAP_SYS_ADMIN is equivalent to root. An attacker with access to the container can gain root privileges."
    Insecure ConfigurationsLoad Balancer Operating with Outdated SSLv3 ProtocolThis risk category identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. The SSLv3 protocol has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication.This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. This vulnerability is known as POODLE attack - man-in-the-middle exploits which take advantage of Internet and security software clients' fallback to SSL 3.0.
    Insecure ConfigurationsRDS Database Instance Without EncryptionAn attacker with access to the RDS DB can access sensitive data stored in the DB.This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended.
    Amazon EKS

    Amazon EKS

    CategoryRisk NameDescriptionAttack Scenario
    Credentials ExposureEKS Cluster Operating Without Secrets EncryptionThis risk identifies an EKS cluster that is operating without secrets encryption. The absence of encryption could expose your sensitive information and make it vulnerable to unauthorized access or breaches. It's strongly advised to enable secrets encryption for your EKS cluster to enhance the protection of sensitive data. OWASP K08:2022 Secrets Management FailuresBy default, Kubernetes secrets are stored in Base64 encoding in the etcd. An attacker with access to the cluster etcd, will be able to use the stored secrets and compromise your cluster.
    Insecure ConfigurationsEKS Cluster Running With Logging Configurations DisabledThis risk signifies an EKS cluster that is operating with disabled logging configurations. Proper logging provides crucial insights into your system's operations and potential issues. A disabled logging configuration could hinder problem detection and system monitoring. It's highly recommended to enable and configure appropriate logging for your EKS cluster to ensure efficient operations and issue resolution. OWASP K05:2022 Inadequate Logging and MonitoringLogging provides audit and diagnostic logs directly from EKS to CloudWatch Logs in your account. These logs make it easy for you to secure and run your clusters.
    Public ExposurePublicly Accessible EKS API Server EndpointThis risk underscores an EKS API Server Endpoint that is publicly accessible. Public access to your API Server Endpoint could potentially expose your system to unauthorized access and possible security threats. It's advised to review and restrict access to your EKS API Server Endpoint, limiting it to necessary IP ranges or secure VPN connections, to bolster system security. OWASP K09:2022 Misconfigured Cluster ComponentsAn attacker can access the Kubernetes API server from external IP address and use it as an optional entry point into the environment.
    Inadequate Authorization & AuthenticationWeak Password on Linux Non-Privileged UserWeak passwords for non-privileged Linux users expose systems to unauthorized access risks.Compromised accounts could lead to data leaks or be a pivot point for deeper network infiltration.
    Inadequate Authorization & AuthenticationWeak Password on Linux Privileged UserWeak passwords on privileged Linux accounts pose a critical threat to system security.Attackers gaining privileged access can execute commands, alter system configurations, or access sensitive data.
    Inadequate Authorization & AuthenticationWeak Password on Windows Standard UserStandard Windows accounts with weak passwords increase the vulnerability to system breaches.Unauthorized access might result in information theft, malware installation, or user impersonation.
    Inadequate Authorization & AuthenticationWeak Password on Windows AdministratorWeak passwords in Windows administrator accounts significantly elevate the risk of system compromise.Critical system operations can be hijacked, leading to full system control, data exfiltration, or widespread system damage.
    Amazon EFS

    Amazon EFS

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsDefault Security Group
    Insecure ConfigurationsSecurity Group with Inappropriately Configured CIDR IPThis risk highlights a Security Group with a misconfigured CIDR IP, which may expose your resources to unintended networks, leading to potential unauthorized access. A swift review and correction of CIDR IP configurations in your security groups is strongly recommended to uphold network security.The Instances that are connected to this security group, can be accidentally exposed to the Internet and compromised.
    Public ExposureSecurity Group Allows Access From Any IP (0.0.0.0/0)A security group with an inbound network rule that allows incoming connection from any IP address (0.0.0.0/0) to any port.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group Permits Connections From Any IP (0.0.0.0/0)This risk points to an AWS Security Group configured to allow incoming connections from any IP address, denoted by the range 0.0.0.0/0. This unrestricted access can lead to potential unauthorized access and data breaches. It's recommended to validate the need for such open access, and if it is not required, promptly implement stricter access control based on specific IP addresses or ranges.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Exposed RDP PortThis risk identifies a Security Group that has the RDP port (3389) open to the public, posing a significant security risk. Unauthorized access to the RDP port can potentially allow cyber attackers to control your AWS resources. It's crucial to review and restrict access to the RDP port, limiting it to specific, necessary IP ranges or secure VPN connections, to strengthen your system security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Exposed Telnet PortThis risk underscores a Security Group that has the Telnet port (23) open to the public. An open Telnet port can be a significant security vulnerability as it can allow unauthorized access to your AWS resources. This exposure could potentially lead to unauthorized data access, data breaches, or unwanted modifications. It's highly advised to review and tighten access to the Telnet port, limiting it to necessary IP ranges or more secure protocols. Swift action to restrict this access will greatly enhance your AWS security posture and reduce potential cyber attack vectors.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Open Cassandra PortThis risk signifies a Security Group that has the Cassandra port (9142) open to the public. This can allow unauthorized access to your Cassandra databases, potentially leading to data breaches or malicious alterations. It's highly recommended to review and limit the port access to necessary IP ranges or secure connections, enhancing your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group With Open Kubernetes Kubelet Port (10250)A security group with an inbound network rule that allows incoming connection from any IP address (0.0.0.0/0) to Kubernetes Kubelet port (10250).An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Open MySQL/MariaDB PortThis risk points to a Security Group that has the MySQL/MariaDB port (3306) open to the public. This can allow unauthorized access to your MySQL/MariaDB databases, potentially leading to data breaches or malicious alterations. It's highly recommended to review and limit the port access to necessary IP ranges or secure connections, greatly enhancing your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Open Redis PortThis risk signifies a Security Group with an open Redis port (6379), providing public access. This could potentially expose your Redis databases to unauthorized access and possible security breaches. A swift action to review and restrict access to the Redis port, limiting it to necessary IP ranges or secure VPN connections, is advised to fortify your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Accessible Kafka PortThis risk identifies a Security Group with an open Kafka port (9092), providing public access. This configuration could potentially expose your Kafka servers to unauthorized access and potential security threats. It's advised to promptly review and restrict access to the Kafka port, limiting it to necessary IP ranges or secure VPN connections, to improve your overall system security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Accessible Kibana PortThis risk signifies a Security Group with an open Kibana port (5601), providing public access. This could potentially expose your Kibana instances to unauthorized access and potential security threats. It's advised to promptly review and restrict access to the Kibana port, limiting it to necessary IP ranges or secure VPN connections, to improve your overall system security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Accessible Memcached PortThis risk highlights a Security Group configured with an open Memcached port (11211), allowing public access. This configuration can potentially expose your Memcached servers to unauthorized access and data breaches. It's recommended to promptly review and restrict access to the Memcached port, limiting it to necessary IP ranges or secure connections, thereby fortifying your server security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Accessible Redshift PortThis risk points to a security group configuration that leaves the Amazon Redshift port (5439) open to the public. An exposed Redshift port can increase the risk of unauthorized access and potential data breaches. It's recommended to verify the need for such a configuration and, if unnecessary, promptly restrict access to this port to enhance the security of your Redshift clusters.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Accessible RPC PortThis risk highlights a Security Group configured with an open RPC port (135), making it publicly accessible. This configuration can potentially allow unauthorized access to your AWS resources. Open RPC ports are known to be vectors for certain types of cyber attacks, potentially leading to data breaches or unauthorized modifications. It's strongly recommended to review and limit access to the RPC port, confining it to necessary IP ranges or secure connections. Immediate action to secure this access will substantially enhance your AWS security and reduce potential cyber threats.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Exposed MSSQL PortThis risk signifies a Security Group configured with an open MSSQL port (1433), granting public access. This unrestricted access can potentially expose your SQL Server databases to unauthorized access and malicious activities. It's advised to immediately review and restrict the MSSQL port access to specific, necessary IP ranges or secure connections, enhancing your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Exposed Splunkd PortThis risk identifies a Security Group that has the Splunkd port (8089) open to the public. This configuration potentially leaves your Splunkd services vulnerable to unauthorized access and cyber threats. It's strongly recommended to review and limit access to the Splunkd port, confining it to specific, trusted IP ranges or secure VPN connections, to enhance your system security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unrestricted FTP PortsThis risk highlights a Security Group that has FTP ports (20/21) open to the public. An open FTP port can allow unauthorized access to your AWS resources, potentially leading to data breaches, misuse, or unwarranted changes. It's strongly recommended to review and tighten access to these FTP ports, limiting them to specific, necessary IP ranges or secure connections. Prompt action to restrict this access will significantly enhance your AWS security and reduce exposure to potential cyber threats.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unrestricted PostgreSQL PortThis risk highlights a Security Group with an open PostgreSQL port (5432). This configuration can expose your PostgreSQL databases to unauthorized access and potential malicious activities. Promptly reviewing and restricting access to the PostgreSQL port, confining it to necessary IP ranges or secure connections, is strongly recommended to enhance your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unrestricted SMB Port AccessThis risk category identifies a Security Group that has the SMB port (445) openly accessible to the public. An open SMB port can provide an entry point for unauthorized access to your AWS resources, potentially leading to data breaches or malicious modifications. This port is often targeted for exploits like the WannaCry ransomware attack. It's strongly recommended to review and restrict access to the SMB port, confining it to specific, necessary IP ranges or secure VPN connections. Taking immediate action to limit this access will significantly enhance your AWS security posture and reduce potential attack surfaces.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unrestricted SSH Port AccessThis risk identifies a Security Group that has the SSH port (22) open to the public, potentially permitting unauthorized access to your AWS resources. It's crucial to review and restrict access to the SSH port, confining it to specific, necessary IP ranges or secure VPN connections, to bolster your system security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unsecured DocDB PortThis risk indicates a Security Group that has the DocDB port (27017) open to the public. This configuration potentially leaves your DocumentDB databases exposed to unauthorized access and potential malicious actions. A swift review and restriction of access to the DocDB port, confining it to specific, trusted IP ranges or secure connections, is strongly recommended to uphold your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unsecured Elasticsearch PortsThis risk highlights a Security Group with Elasticsearch ports (9200/9300) open to the public. These open ports can potentially expose your Elasticsearch clusters to unauthorized access and possible cyber threats. Immediate review and restriction of access to these ports, limiting them to necessary IP ranges or secure connections, is strongly advised to bolster your cluster security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unsecured OracleDB PortThis risk highlights a Security Group that has the OracleDB port (1521) open to the public. This configuration potentially leaves your Oracle databases exposed to unauthorized access and cyber attacks. A swift review and restriction of access to the OracleDB port, confining it to specific, trusted IP ranges or secure connections, is strongly recommended to uphold your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Amazon ElastiCache

    Amazon ElastiCache

    CategoryRisk NameDescriptionAttack Scenario
    Permissive AccessElasticache User (Not Default) Access String Allows Access to All Keys and CommandsAllowing access to all keys and commands through the Elasticache User Access String provides overly broad and unrestricted access, which can lead to unauthorized data manipulation or misuse.An attacker gains access to the Elasticache User Access String with permissions for all keys and commands. They could potentially launch a series of malicious operations, such as deleting critical data, injecting harmful commands, or exfiltrating sensitive information, posing a significant security threat to the system's integrity and confidentiality.
    Permissive AccessElasticache User without AuthenticationWhen a user in Elasticache lacks authentication, a significant security vulnerability arises as there are no authentication mechanisms in place to verify the legitimacy of user requests, potentially exposing the system to unauthorized access and misuse.An attacker could impersonate a user to gain unrestricted access to the cluster. This could lead to unauthorized data retrieval, manipulation, or even the injection of malicious data into the cache, compromising data integrity.
    Permissive AccessElasticache Default User is in UserGroupsIn Elasticache, a default user is automatically configured with the user ID and name "default," and it is added to all user groups, while remaining immutable and unable to be deleted or modified. This user is granted an access string that allows it to execute all commands and access all keys, creating a potential security vulnerability by providing overly broad and unmodifiable access privileges.An attacker gains access to the cluster using the default user, taking advantage of the absence of authentication requirements and the user's full access privileges, which allows them to perform unauthorized operations.
    Permissive AccessNon Default Elasticache User Not Associated With Any GroupA user not associated with any group.
    Permissive AccessNon Default Elasticache User Not Associated With Any Group that Has High PermissionsA user in Elasticache who possesses a full access string or is authenticated independently (without relying on IAM) lacks the security benefits of centralized access control and proper management, thereby increasing the risk of unauthorized access, misconfigurations, and making it challenging to efficiently audit and administer user permissions.An attacker discovers an unsupervised Elasticache user, initially created without specific permissions. If this user is later added to a group with elevated privileges without proper review, the attacker seizes the moment, gaining unauthorized access to critical resources.
    Insufficient EncryptionElasticache Encryption by Rest is disabledDisabling encryption by rest in AWS ElastiCache can potentially lead to security vulnerabilities, as sensitive data may become exposed to potential unauthorized access, data breaches, or compromises due to the absence of encryption safeguards for stored data.An attacker gains unauthorized access to the Elasticache cluster. Since Encryption at Rest is disabled, they can easily access and exfiltrate sensitive data, such as cached passwords or confidential information, potentially leading to data breaches or unauthorized data exposure.
    Insufficient EncryptionElasticache Encryption by Transit is disabledDisabling Encryption in Transit in Elasticache creates a security problem by allowing data transmitted between clients and the cluster to be susceptible to interception, potentially compromising data confidentiality and integrity.An attacker with access to the network infrastructure or a compromised intermediary device can exploit Elasticache Encryption in Transit being disabled to intercept and eavesdrop on unencrypted data packets transmitted between clients and the cache, potentially compromising data confidentiality and integrity.
    Insufficient EncryptionElasticache Serverless Uses AWS Managed KMSAWS Elasticache Serverless encrypted with AWS managed key.KMS service allows you to easily create, rotate, disable and audit Customer Master Keys created for your Amazon Elasticache. Using a default AWS Key Management Service (KMS) key to encrypt Elasticache Serverless in AWS is not recommended due to limited control over key management, potential security risks from shared keys across accounts, and inadequate support for key rotation.
    Insecure ConfigurationsElasticache User with Password Authentication OnlyWhen a user in Elasticache relies solely on authentication by password, the security concern arises if the chosen password is weak or easily guessable, as it can create a vulnerability where malicious actors may successfully guess or crack the password, leading to unauthorized system access and potential compromises to data integrity and confidentiality.An attacker can employ brute-force or dictionary attacks to repeatedly guess the password.
    Insufficient EncryptionElasticache Serverless Uses AWS Managed KMSAWS Elasticache Serverless encrypted with AWS managed key.KMS service allows you to easily create, rotate, disable and audit Customer Master Keys created for your Amazon Elasticache. Using a default AWS Key Management Service (KMS) key to encrypt Elasticache Serverless in AWS is not recommended due to limited control over key management, potential security risks from shared keys across accounts, and inadequate support for key rotation.
    Amazon ELB

    Amazon ELB

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsEC2 Instance Operating with Unsecured Metadata ServiceThis risk points to an EC2 instance that has metadata services enabled without the necessary security tokens. Without these tokens, the metadata services, which can hold sensitive information about the EC2 instance, are exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata services by implementing required security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata.When the instance is public and has a connection to the internet, the attacker can take advantage of these default configurations and get full access to the instance and its permissions. This is a default configuration that most of the developers are not aware of. The default configuration can leave your environment at increased risk in the event of a credential exposure/compromise. The metadata information is available by making a request to the IP address of 169.254.169.254. The current AWS Metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, and it allows an attacker to trick the instance with SSRF (server-side request forgery) vulnerability and making an HTTP/HTTPS requests on his behalf.
    Insecure ConfigurationsLoad Balancer Operating with Outdated SSLv3 ProtocolThis risk category identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. The SSLv3 protocol has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication.This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. This vulnerability is known as POODLE attack - man-in-the-middle exploits which take advantage of Internet and security software clients' fallback to SSL 3.0.
    Insecure ConfigurationsRDS Database Instance Without EncryptionAn attacker with access to the RDS DB can access sensitive data stored in the DB.This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended.
    AWS IAM

    AWS IAM

    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementIAM User Access Key Unrotated for Over 90 DaysThis risk identifies an Amazon IAM (Identity and Access Management) user whose access key hasn't been rotated for over 90 days. Keeping access keys unrotated for prolonged periods can increase the risk of unauthorized access if the keys are compromised. It's recommended to adopt a practice of regular key rotation, ideally, every 90 days, to ensure secure access management.An attacker with access to the access key can achieve the user's privileges and perform unauthorized actions in the account.
    Identity & Access ManagementIAM User Holding Unused, Outdated Access KeysThis risk signifies an IAM user that has access keys not used for over 90 days. Outdated, unused keys can pose a significant security risk if they are compromised. It's strongly advised to review and rotate old access keys, promptly deactivating any that are unused to enhance account security.An attacker with access to the access key can achieve the user's privileges and perform unauthorized actions in the account.
    Identity & Access ManagementInactive IAM User Access KeyThis risk indicates an inactive access key associated with an Amazon IAM (Identity and Access Management) user. Despite being inactive, these keys can pose a potential security risk if they were to be reactivated without appropriate controls. It's recommended to routinely review and manage inactive keys, eliminating or rotating those that aren't needed, to maintain a robust access management system.
    Identity & Access ManagementIAM User With Old Password For Over 90 DaysUser unchanged his password in the last 90 days.Attacker can use this user for getting access to compromised environment.
    Identity & Access ManagementIAM User Without MFAThis risk identifies an Amazon IAM (Identity and Access Management) user who doesn't have Multi-Factor Authentication (MFA) enabled. MFA provides an extra layer of security by requiring more than just a password for user authentication. Without MFA, the user's account is at a higher risk of unauthorized access. Enabling MFA for all IAM users is strongly recommended to bolster account security.An attacker can bypass authentication with a password only.
    Identity & Access ManagementInactive IAM User In IAM Credential ReportInactive user is user with unused access key or user that didn't connect to aws console in the last 90 days.Attacker can use inactive user credentials that leading to environment compromised
    Identity & Access ManagementIAM Role Configured with Predictable External IDThis risk points to an IAM role that has a predictable external ID. Such easily guessed IDs can potentially allow unauthorized entities to assume the role, posing a risk of unauthorized access and potential security breaches. A review and update of all IAM role external IDs, ensuring they are complex and unpredictable, is strongly recommended to maintain secure role access."An attacker can trick a third party that can assume a role in your account, and gain unauthorized access to your resources. External ID is a unique identifier that third parties use to assume a role in your account, and its purpose is to prevent the confused deputy problem. When the external id can be easily guessed, the confused deputy remains a problem. We look for external id values that have less than three different types of characters, contain sequences such as 123, abc, qwe, and more, or that are included in the role ARN (account id, role name)."
    Identity & Access ManagementIAM Role Configured with Unrestricted Assume Role PermissionsThis risk identifies an IAM Role that has been configured to allow 'Assume Role' permissions to any AWS user. This broad configuration increases the potential of unauthorized access to the resources associated with this IAM role. It can lead to misuse of permissions, data breaches, or even alteration of your AWS services. It's highly recommended to review and restrict the 'Assume Role' permissions to specific users or roles, thereby enhancing your AWS security posture by reducing unnecessary exposure.An attacker with access to any AWS account can assume the role and use its permissions.
    Inadequate Authentication & AuthorizationRoot user with active access keyRoot user with active access key.Providing access keys to the AWS root user is highly risky, as it allows full, unrestricted access to the entire account, potentially leading to unauthorized actions and severe security breaches.
    Permissive AccessIAM group with administrator policy attachedIAM user group with a managed administrator access policy attached.A privileged IAM group allows its users administrator access to AWS cloud services and resources.
    Insecure ConfigurationsIAM Group with full access policy attachedIAM user group with a managed full access policy attached.A privileged IAM group allows its users full access to AWS cloud services and resources.
    AWS Key Management Service

    AWS Key Management Service

    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementKMS Key Allows Anonymous AccessA key policy that allows certain actions to all users.If there are no other access mechanisms with deny statements that override this permissive key policy, an attacker will be able to perform the specified actions on your key.
    Neglected ResourceKMS Customer Managed Key Without RotationA customer-managed key with disabled key rotation.Key rotation reduces the risk of a compromised key being used by an attacker to access your encrypted resources.
    Neglected ResourceUnusable Customer Managed KeyA customer-managed KMS key that can't be used. The key is either disabled or pending deletion.It is not a best practice to have usable keys as it can harm key management processes and increase your monthly AWS bill.
    AWS Lambda

    AWS Lambda

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsEC2 Instance Operating with Unsecured Metadata ServiceThis risk points to an EC2 instance that has metadata services enabled without the necessary security tokens. Without these tokens, the metadata services, which can hold sensitive information about the EC2 instance, are exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata services by implementing required security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata."When the instance is public and has a connection to the internet, the attacker can take advantage of these default configurations and get full access to the instance and its permissions. This is a default configuration that most of the developers are not aware of. The default configuration can leave your environment at increased risk in the event of a credential exposure/compromise. The metadata information is available by making a request to the IP address of 169.254.169.254. The current AWS Metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, and it allows an attacker to trick the instance with SSRF (server-side request forgery) vulnerability and making an HTTP/HTTPS requests on his behalf."
    Insecure ConfigurationsLambda Function Security Group
    Insecure ConfigurationsLoad Balancer Operating with Outdated SSLv3 ProtocolThis risk category identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. The SSLv3 protocol has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication."This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. This vulnerability is known as POODLE attack - man-in-the-middle exploits which take advantage of Internet and security software clients' fallback to SSL 3.0."
    Insecure ConfigurationsRDS Database Instance Without EncryptionAn attacker with access to the RDS DB can access sensitive data stored in the DB.This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended.
    Public ExposurePublic Lambda Function Without Authentication"Lambda Function that is configured with a function URL and without authentication. OWASP A6:2017 <a href=""https://owasp.org/www-pdf-archive/OWASP-Top-10-Serverless-Interpretation-en.pdf""Security> Misconfiguration."A function URL is a dedicated HTTPS endpoint that allows access and invocation of the function from the public Internet. The configuration of the detected function also supports unauthenticated access, which allows anyone from the Internet to trigger it.
    Unsupported SoftwareLambda Function Operating on Deprecated Runtime"This risk identifies a Lambda function operating on a runtime that is deprecated or has reached end of support. Operating on such a runtime can expose the function to unpatched vulnerabilities and reduce overall performance. An immediate update to a supported runtime is recommended to ensure the security and efficiency of your Lambda function. OWASP A6:2017 <a href=""https://owasp.org/www-pdf-archive/OWASP-Top-10-Serverless-Interpretation-en.pdf""Security> Misconfiguration."An attacker can exploit known unpatched vulnerabilities in the Lambda function runtime
    Amazon Neptune

    Amazon Neptune

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsNeptune Cluster has Short Retention PeriodNeptune database has less than 7 days backup retention period.A backup retention period ensures that you have a reliable copy of your data in case of accidental deletion, corruption, or other data loss events.
    Insecure ConfigurationsNeptune DB Storage Encrypted Enabled
    Insecure ConfigurationsNeptune IAM Database Authentication DisabledIAM Database Authentication in Amazon Neptune provides an additional layer of security for accessing your Neptune database. Instead of using a traditional username and password for database authentication, IAM Database Authentication allows you to use AWS Identity and Access Management (IAM) credentials to authenticate to your Neptune database.Attackers might attempt to break traditional authentication methods by brute force or password guessing attacks.
    Insecure ConfigurationsNeptune without Deletion ProtectionDeletion protection is disabled.Disabling deletion protection in Neptune DB can introduce several security risks. Deletion protection is a feature that prevents accidental or unauthorized data deletions, and disabling it can make your database more vulnerable to various threats.
    Insecure ConfigurationsNeptune Without Storage EncryptionAn attacker with access to the Neptune database can access sensitive data that stored in it.This risk indicates an Amazon Neptune database that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended.
    AWS OpenSearch

    AWS OpenSearch

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsNode-to-Node Encryption is Disabled for Amazon OpenSearch DomainNode-to-node encryption disabled in Amazon OpenSearch Domain.An attacker who has gained access to the data stored in the domain node can easily read it.
    Insecure ConfigurationsAmazon OpenSearch Domain Allows Unencrypted HTTP TrafficAmazon OpenSearch domain is configured to allow unencrypted HTTP traffic.An attacker can easily intercept and manipulate unencrypted HTTP traffic, potentially stealing sensitive information.
    Public ExposureAmazon OpenSearch Domain is Publicly AccessibleAmazon OpenSearch Domain is set to public, potentially exposing it to unauthorized access and attacks.An attacker may target a publicly accessible domain endpoint and use attacks such as Denial of Service or Brute-force, among others.
    Insecure ConfigurationsEncryption at Rest is Disabled for Amazon OpenSearch DomainEncryption at rest is disabled for Amazon OpenSearch Domain, increasing the risk of unauthorized access to your data. If enabled, the feature encrypts the following aspects of a domain: All indexes (including those in UltraWarm storage); OpenSearch logs; Swap files; All other data in the application directory; Automated snapshotsAn attacker who has gained access to the data stored in the domain can easily read it.
    Insecure ConfigurationsAutomatic Software Updates Feature are Disabled for Amazon OpenSearch DomainAmazon OpenSearch Domain's automatic software updates are turned off.An attacker can abuse outdated software to exploit known vulnerailities.
    Amazon RDS

    Amazon RDS

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsEC2 Instance Operating with Unsecured Metadata ServiceThis risk points to an EC2 instance that has metadata services enabled without the necessary security tokens. Without these tokens, the metadata services, which can hold sensitive information about the EC2 instance, are exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata services by implementing required security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata."When the instance is public and has a connection to the internet, the attacker can take advantage of these default configurations and get full access to the instance and its permissions. This is a default configuration that most of the developers are not aware of. The default configuration can leave your environment at increased risk in the event of a credential exposure/compromise. The metadata information is available by making a request to the IP address of 169.254.169.254. The current AWS Metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, and it allows an attacker to trick the instance with SSRF (server-side request forgery) vulnerability and making an HTTP/HTTPS requests on his behalf."
    Insecure ConfigurationsLoad Balancer Operating with Outdated SSLv3 ProtocolThis risk category identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. The SSLv3 protocol has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication."This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. This vulnerability is known as POODLE attack - man-in-the-middle exploits which take advantage of Internet and security software clients' fallback to SSL 3.0."
    Insecure ConfigurationsRDS Database Instance Without EncryptionAn attacker with access to the RDS DB can access sensitive data stored in the DB.This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended.
    Data SecurityRDS Cluster Without Configured Backup RetentionThis risk signifies an Amazon RDS cluster not configured for backup retention. A lack of backup retention can lead to data loss in case of system failures or errors. It's highly recommended to configure a suitable backup retention policy to protect data and ensure the possibility of recovery in the event of unexpected issues.The backup retention period determines the period for which you can perform a point-in-time recovery.
    Data SecurityRDS Database Instance Publicly AccessibleThis risk identifies an Amazon RDS database instance configured to allow public access, making it potentially reachable by any AWS user or internet user. Publicly accessible database instances pose a heightened risk of unauthorized data access and potential data breaches. It's recommended to validate whether such public access is necessary and, if not, promptly restrict the access to enhance the security of your data.An attacker can access the DB leading to data exposure.
    Insecure ConfigurationsEC2 Instance Operating with Unsecured Metadata ServiceThis risk points to an EC2 instance that has metadata services enabled without the necessary security tokens. Without these tokens, the metadata services, which can hold sensitive information about the EC2 instance, are exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata services by implementing required security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata."When the instance is public and has a connection to the internet, the attacker can take advantage of these default configurations and get full access to the instance and its permissions. This is a default configuration that most of the developers are not aware of. The default configuration can leave your environment at increased risk in the event of a credential exposure/compromise. The metadata information is available by making a request to the IP address of 169.254.169.254. The current AWS Metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, and it allows an attacker to trick the instance with SSRF (server-side request forgery) vulnerability and making an HTTP/HTTPS requests on his behalf."
    Insecure ConfigurationsLoad Balancer Operating with Outdated SSLv3 ProtocolThis risk category identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. The SSLv3 protocol has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication."This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. This vulnerability is known as POODLE attack - man-in-the-middle exploits which take advantage of Internet and security software clients' fallback to SSL 3.0."
    Insecure ConfigurationsRDS Database Instance Without EncryptionAn attacker with access to the RDS DB can access sensitive data stored in the DB.This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended.
    Data SecurityRDS Cluster Database Snapshot Publicly SharedThis risk signifies a publicly shared Amazon RDS cluster database snapshot, making it accessible to any AWS user. Publicly sharing snapshots elevates the risk of unauthorized access, data misuse, or breaches. The necessity of this public sharing should be verified; if not required, immediate action to restrict the sharing is advised to minimize potential security risks.DB cluster snapshot is public and available for any Amazon Web Services account to copy or restore.
    Data SecurityRDS Cluster Database Snapshot Without EncryptionThis risk highlights an Amazon RDS cluster database snapshot that is without encryption. Encryption serves as a vital security layer, safeguarding sensitive data from unauthorized access and potential breaches. An unencrypted snapshot increases the likelihood of data misuse if it's unintentionally accessed or shared. Prompt action to apply encryption is recommended to ensure the security of the snapshot's data.An attacker can access the data stored in the RDS cluster database snapshot without decrypting it.
    Data SecurityRDS Database Cluster Snapshot Externally SharedThis risk signifies an Amazon RDS database cluster snapshot shared with an external AWS account, potentially risking exposure of sensitive data. Uncontrolled or untrusted accounts might misuse or further expose this data, leading to potential breaches and compliance issues. Immediate investigation and appropriate action, such as revoking sharing if it violates security policies, are recommended to mitigate potential risks.An attacker with access to the external account can copy the database cluster snapshot and create a RDS database cluster.
    Data SecurityRDS Database Snapshot Externally SharedThis risk signifies an Amazon RDS database snapshot shared with an external AWS account, potentially risking exposure of sensitive data. Uncontrolled or untrusted accounts might misuse or further expose this data, leading to potential breaches and compliance issues. Immediate investigation and appropriate action, such as revoking sharing if it violates security policies, are recommended to mitigate potential risks.An attacker with access to the external account can copy the database snapshot and create a RDS database.
    Data SecurityRDS Database Snapshot Publicly SharedThis risk signifies a publicly shared Amazon RDS database snapshot, making it accessible to any AWS user. Publicly sharing snapshots elevates the risk of unauthorized access, data misuse, or breaches. The necessity of this public sharing should be verified; if not required, immediate action to restrict the sharing is advised to minimize potential security risks.DB snapshot is public and available for any Amazon Web Services account to copy or restore it.
    Data SecurityRDS Database Snapshot Without EncryptionThis risk highlights an Amazon RDS database snapshot that is without encryption. Encryption serves as a vital security layer, safeguarding sensitive data from unauthorized access and potential breaches. An unencrypted snapshot increases the likelihood of data misuse if it's unintentionally accessed or shared. Prompt action to apply encryption is recommended to ensure the security of the snapshot's data.An attacker can access the data stored in an RDS snapshot without decrypting it.
    Inadequate Logging & BackupRDS instance without configured backup retentionThis risk signifies an Amazon RDS instance not configured for backup retention. A lack of backup retention can lead to data loss in case of system failures or errors. It's highly recommended to configure a suitable backup retention policy to protect data and ensure the possibility of recovery in the event of unexpected issues.The backup retention period determines the period for which you can perform a point-in-time recovery.
    Amazon Redshift

    Amazon Redshift

    CategoryRisk NameDescriptionAttack Scenario
    Data SecurityRedshift Cluster Publicly AccessibleThis risk points to an Amazon Redshift cluster configured to be publicly accessible, potentially making it reachable by any internet user. Publicly accessible Redshift clusters can significantly raise the risk of unauthorized data access and potential data breaches. It's recommended to validate the need for such public access and, if unnecessary, promptly restrict access to strengthen your data security.An attacker can access Redshift cluster through the cluster endpoint.
    Data SecurityRedshift Cluster Without EncryptionThis risk identifies an Amazon Redshift cluster that has not been configured for encryption, a crucial security measure to protect sensitive data from unauthorized access. Unencrypted Redshift clusters present an increased risk of data exposure or misuse. Implementing encryption to secure your data and adhere to best practices and compliance regulations is strongly recommended.An attacker can access the data stored in your Redshift cluster.
    Insecure ConfigurationsRedshift is Using Default PortUsing the default port (5439) in AWS Redshift indicates a potential security vulnerability due to the default configuration, which could expose the database clusters to increased risk of unauthorized access and attacks targeting known default ports.An attacker scans for open ports and identifies an AWS Redshift cluster using the default port 5439, exploits this known configuration by attempting brute-force or dictionary attacks to gain unauthorized access to the database, potentially leading to data theft or manipulation.
    Public ExposureAWS RedShift Enhanced VPC Routing is DisabledAWS Redshift enhanced VPC routing is disabled.When using AWS Redshift enhanced VPC routing, Amazon Redshift forces all COPY and UNLOAD traffic between your cluster and your data repositories through your virtual private cloud (VPC) based on the Amazon VPC service. If enhanced VPC routing is not turned on, Amazon Redshift routes traffic through the internet, including traffic to other services within the AWS network.
    Inadequate Logging & BackupRedshift User Activity Logging is DisabledAWS Redshift logs information about connections and user activities in your database are disabled.An attacker exploits the lack of AWS Redshift user activity logging, enabling them to perform unauthorized actions within the database without leaving a trace, potentially leading to data breaches or unauthorized modifications.
    Inadequate Logging & BackupRedshift has Short Retention PeriodAWS Redshift Cluster has less than 7 days backup retention period.A backup retention period ensures that you have a reliable copy of your data in case of accidental deletion, corruption, or other data loss events.
    Insufficient EncryptionRedshift SSL is DisabledRedshift cluster is not configured to require SSL.If SSL is disabled, an attacker could intercept the unencrypted database traffic, potentially capturing sensitive data such as passwords and queries.
    Insecure ConfigurationsRedShift uses default Master UsernameRedshift uses default master username.An attacker can exploit widely known default credentials to gain unauthorized entry into the system.
    Insufficient EncryptionRedshift Cluster Uses Default KMS
    Amazon Route 53

    Amazon Route 53

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsPublic Route53 Hosted Zone Holding Private DNS RecordThis risk points to a Route53 hosted zone that is public yet contains private DNS records. This configuration can lead to unintended exposure of internal resource information, heightening the risk of unauthorized access and potential breaches. A prompt review of the hosted zone's configuration to ensure appropriate privacy for DNS records is strongly recommended.All DNS in a public hosted zone can be queried from any external internet IP address. An attacker can resolve these records and gain information about your environment.
    Insecure ConfigurationsRoute53 Without Auto Renew DomainA Route 53 domain with the auto renew feature not enabled.With the auto renew feature enabled, your domains won't get expired. Expired domains leave your application exposed to multiple attacks, so it is best practice to enable the feature.
    Insecure ConfigurationsRoute53 Without Domain Transfer LockA Route 53 domain with Transfer Lock set to false.An attacker may be able to transfer your domain to another domain name registrar, and hijack your domain.
    Neglected ResourceRoute53 Domain Expires In 30 DaysA Route 53 domain is going to be expired in 30 days.Expired domains leave your application exposed to multiple attacks. Extend the expiration date as soon as possible.
    Neglected ResourceRoute53 Domain Expires In 7 DaysA Route 53 domain is going to expire in 7 days.Expired domains leave your application exposed to multiple attacks. Extend the expiration date as soon as possible.
    Neglected ResourceRoute53 With Expired DomainAn expired domain name is registered in Route 53.An attacker can hijack the expired domain and use it for malicious purposes. In addition, an expired domain can cause failures or downtime in your application.
    Amazon S3

    Amazon S3

    CategoryRisk NameDescriptionAttack Scenario
    Permissive AccessCross-Account S3 Bucket AccessThis risk indicates that an Amazon S3 bucket is configured to permit access from users in different AWS accounts. If not strictly controlled, cross-account access can elevate the risk of unauthorized data access or leakage. It's advisable to scrutinize the necessity of this access configuration and promptly modify the bucket's access policies to enhance your data security if not required.An attacker from any AWS account can define this S3 bucket as their target bucket for the service logs or configuration.
    Data SecurityS3 Bucket Contains Potentially Public ObjectsThis risk identifies an Amazon S3 bucket that contains objects that may be publicly accessible, thereby potentially enabling any internet user to access them. Potentially shared objects in an S3 bucket can heighten the risk of unauthorized data access and potential data breaches. It's recommended to review these objects and their access controls, and if public access is not necessary, promptly update their permissions to secure your data.An attacker can maybe access some objects in the bucket leading to data exposure.
    Data SecurityS3 Bucket Encrypted with AWS S3 Managed KeyS3 bucket encrypted with AWS S3 managed key.Using AWS S3 managed key to encrypt an S3 bucket in AWS is not recommended due to limited control over key management. Managing your own KMS keys allows for better security practices, ensures isolation of resources, and facilitates compliance with industry standards. Creating and using customer-managed keys provides a more robust and customizable approach to data encryption in AWS S3.
    Data SecurityS3 Bucket Publicly AccessibleThis risk points to an Amazon S3 bucket configured as publicly accessible, potentially making it reachable by any internet user. Publicly accessible S3 buckets significantly reduce the risk of unauthorized data access and potential breaches. It's recommended to validate the need for such public access, and if it's not necessary, promptly restrict access to improve your data security.An attacker can access the bucket and objects leading to data exposure.
    Insecure ConfigurationsEC2 Instance Operating with Unsecured Metadata ServiceThis risk points to an EC2 instance that has metadata services enabled without the necessary security tokens. Without these tokens, the metadata services, which can hold sensitive information about the EC2 instance, are exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata services by implementing required security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata.When the instance is public and has a connection to the internet, the attacker can take advantage of these default configurations and get full access to the instance and its permissions. This is a default configuration that most of the developers are not aware of. The default configuration can leave your environment at increased risk in the event of a credential exposure/compromise. The metadata information is available by making a request to the IP address of 169.254.169.254. The current AWS Metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, and it allows an attacker to trick the instance with SSRF (server-side request forgery) vulnerability and making an HTTP/HTTPS requests on his behalf.
    Insecure ConfigurationsLoad Balancer Operating with Outdated SSLv3 ProtocolThis risk category identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. The SSLv3 protocol has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication.This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. This vulnerability is known as POODLE attack - man-in-the-middle exploits which take advantage of Internet and security software clients' fallback to SSL 3.0.
    Insecure ConfigurationsRDS Database Instance Without EncryptionAn attacker with access to the RDS DB can access sensitive data stored in the DB.This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended.
    AWS Sagemaker

    AWS Sagemaker

    CategoryRisk NameDescriptionAttack Scenario
    Insufficient EncryptionSagemaker Endpoint Configuration without Encryption KeySagemaker Endpoint Configuration without Encryption Key. Encrypting your AWS SageMaker endpoint configuration with a KMS key is a crucial step in securing your machine learning application. It protects sensitive data at rest, ensuring that unauthorized users cannot access your model's configurations or the data it processes.An attacker can access your model's configurations or the data it processes.
    Public ExposurePublicly Accessible AWS Sagemaker DomainAWS Sagemaker domain with public access enabled.An attacker can access the resource. Allowing unrestricted, public access to cloud services could open an application up to external attack.
    Insufficient EncryptionAWS Sagemaker Domain without Customer KMS KeyAWS Sagemaker domain is not encrypted using a KMS key.An attacker can access your EFS volume attached to the domain.
    Public ExposureSagemaker Notebook Instance with Direct Internet AccessSagemaker notebook instance with direct internet access, when your notebook allows direct internet access, SageMaker provides a network interface that allows the notebook to communicate with the internet through a VPC managed by SageMaker.An attacker can access your notebook instance.
    Permissive AccessSagemaker Notebook Instance with Root AccessSagemaker notebook instance with root access.An attacker who gains access to the notebook instance can find a way to get root access to that instance, and then it will have full control over that instance. Using that full control, he might be able to steal important data or even continue his attack using lateral movement techniques.
    Insufficient EncryptionSageMaker Notebook Instance not encrypted using a KMS KeySageMaker notebook instance without KMS key. Encrypting your AWS SageMaker notebook with a KMS key is a vital security practice that safeguards your sensitive data, code, and intellectual property. It enforces robust access controls, ensuring that only authorized personnel can decrypt and interact with your content.An attacker can access your sensitive data.
    AWS Secrets Manager

    AWS Secrets Manager

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsSecret Manager Secret Not Rotated Over 30 DaysSecret not rotated for over 30 days.An attacker with access to the secret can get its content and elevate his privileges.
    Amazon VPC

    Amazon VPC

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsDefault Security Group
    Insecure ConfigurationsSecurity Group with Inappropriately Configured CIDR IPThis risk highlights a Security Group with a misconfigured CIDR IP, which may expose your resources to unintended networks, leading to potential unauthorized access. A swift review and correction of CIDR IP configurations in your security groups is strongly recommended to uphold network security.The Instances that are connected to this security group, can be accidentally exposed to the Internet and compromised.
    Public ExposureSecurity Group Allows Access From Any IP (0.0.0.0/0)A security group with an inbound network rule that allows incoming connection from any IP address (0.0.0.0/0) to any port.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group Permits Connections From Any IP (0.0.0.0/0)This risk points to an AWS Security Group configured to allow incoming connections from any IP address, denoted by the range 0.0.0.0/0. This unrestricted access can lead to potential unauthorized access and data breaches. It's recommended to validate the need for such open access, and if it is not required, promptly implement stricter access control based on specific IP addresses or ranges.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Exposed RDP PortThis risk identifies a Security Group that has the RDP port (3389) open to the public, posing a significant security risk. Unauthorized access to the RDP port can potentially allow cyber attackers to control your AWS resources. It's crucial to review and restrict access to the RDP port, limiting it to specific, necessary IP ranges or secure VPN connections, to strengthen your system security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Exposed Telnet PortThis risk underscores a Security Group that has the Telnet port (23) open to the public. An open Telnet port can be a significant security vulnerability as it can allow unauthorized access to your AWS resources. This exposure could potentially lead to unauthorized data access, data breaches, or unwanted modifications. It's highly advised to review and tighten access to the Telnet port, limiting it to necessary IP ranges or more secure protocols. Swift action to restrict this access will greatly enhance your AWS security posture and reduce potential cyber attack vectors.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Open Cassandra PortThis risk signifies a Security Group that has the Cassandra port (9142) open to the public. This can allow unauthorized access to your Cassandra databases, potentially leading to data breaches or malicious alterations. It's highly recommended to review and limit the port access to necessary IP ranges or secure connections, enhancing your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group With Open Kubernetes Kubelet Port (10250)A security group with an inbound network rule that allows incoming connection from any IP address (0.0.0.0/0) to Kubernetes Kubelet port (10250).An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Open MySQL/MariaDB PortThis risk points to a Security Group that has the MySQL/MariaDB port (3306) open to the public. This can allow unauthorized access to your MySQL/MariaDB databases, potentially leading to data breaches or malicious alterations. It's highly recommended to review and limit the port access to necessary IP ranges or secure connections, greatly enhancing your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Open Redis PortThis risk signifies a Security Group with an open Redis port (6379), providing public access. This could potentially expose your Redis databases to unauthorized access and possible security breaches. A swift action to review and restrict access to the Redis port, limiting it to necessary IP ranges or secure VPN connections, is advised to fortify your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Accessible Kafka PortThis risk identifies a Security Group with an open Kafka port (9092), providing public access. This configuration could potentially expose your Kafka servers to unauthorized access and potential security threats. It's advised to promptly review and restrict access to the Kafka port, limiting it to necessary IP ranges or secure VPN connections, to improve your overall system security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Accessible Kibana PortThis risk signifies a Security Group with an open Kibana port (5601), providing public access. This could potentially expose your Kibana instances to unauthorized access and potential security threats. It's advised to promptly review and restrict access to the Kibana port, limiting it to necessary IP ranges or secure VPN connections, to improve your overall system security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Accessible Memcached PortThis risk highlights a Security Group configured with an open Memcached port (11211), allowing public access. This configuration can potentially expose your Memcached servers to unauthorized access and data breaches. It's recommended to promptly review and restrict access to the Memcached port, limiting it to necessary IP ranges or secure connections, thereby fortifying your server security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Accessible Redshift PortThis risk points to a security group configuration that leaves the Amazon Redshift port (5439) open to the public. An exposed Redshift port can increase the risk of unauthorized access and potential data breaches. It's recommended to verify the need for such a configuration and, if unnecessary, promptly restrict access to this port to enhance the security of your Redshift clusters.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Accessible RPC PortThis risk highlights a Security Group configured with an open RPC port (135), making it publicly accessible. This configuration can potentially allow unauthorized access to your AWS resources. Open RPC ports are known to be vectors for certain types of cyber attacks, potentially leading to data breaches or unauthorized modifications. It's strongly recommended to review and limit access to the RPC port, confining it to necessary IP ranges or secure connections. Immediate action to secure this access will substantially enhance your AWS security and reduce potential cyber threats.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Exposed MSSQL PortThis risk signifies a Security Group configured with an open MSSQL port (1433), granting public access. This unrestricted access can potentially expose your SQL Server databases to unauthorized access and malicious activities. It's advised to immediately review and restrict the MSSQL port access to specific, necessary IP ranges or secure connections, enhancing your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Publicly Exposed Splunkd PortThis risk identifies a Security Group that has the Splunkd port (8089) open to the public. This configuration potentially leaves your Splunkd services vulnerable to unauthorized access and cyber threats. It's strongly recommended to review and limit access to the Splunkd port, confining it to specific, trusted IP ranges or secure VPN connections, to enhance your system security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unrestricted FTP PortsThis risk highlights a Security Group that has FTP ports (20/21) open to the public. An open FTP port can allow unauthorized access to your AWS resources, potentially leading to data breaches, misuse, or unwarranted changes. It's strongly recommended to review and tighten access to these FTP ports, limiting them to specific, necessary IP ranges or secure connections. Prompt action to restrict this access will significantly enhance your AWS security and reduce exposure to potential cyber threats.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unrestricted PostgreSQL PortThis risk highlights a Security Group with an open PostgreSQL port (5432). This configuration can expose your PostgreSQL databases to unauthorized access and potential malicious activities. Promptly reviewing and restricting access to the PostgreSQL port, confining it to necessary IP ranges or secure connections, is strongly recommended to enhance your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unrestricted SMB Port AccessThis risk category identifies a Security Group that has the SMB port (445) openly accessible to the public. An open SMB port can provide an entry point for unauthorized access to your AWS resources, potentially leading to data breaches or malicious modifications. This port is often targeted for exploits like the WannaCry ransomware attack. It's strongly recommended to review and restrict access to the SMB port, confining it to specific, necessary IP ranges or secure VPN connections. Taking immediate action to limit this access will significantly enhance your AWS security posture and reduce potential attack surfaces.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unrestricted SSH Port AccessThis risk identifies a Security Group that has the SSH port (22) open to the public, potentially permitting unauthorized access to your AWS resources. It's crucial to review and restrict access to the SSH port, confining it to specific, necessary IP ranges or secure VPN connections, to bolster your system security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unsecured DocDB PortThis risk indicates a Security Group that has the DocDB port (27017) open to the public. This configuration potentially leaves your DocumentDB databases exposed to unauthorized access and potential malicious actions. A swift review and restriction of access to the DocDB port, confining it to specific, trusted IP ranges or secure connections, is strongly recommended to uphold your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unsecured Elasticsearch PortsThis risk highlights a Security Group with Elasticsearch ports (9200/9300) open to the public. These open ports can potentially expose your Elasticsearch clusters to unauthorized access and possible cyber threats. Immediate review and restriction of access to these ports, limiting them to necessary IP ranges or secure connections, is strongly advised to bolster your cluster security.An attacker might use this misconfiguration to access assets within the AWS environment.
    Public ExposureSecurity Group with Unsecured OracleDB PortThis risk highlights a Security Group that has the OracleDB port (1521) open to the public. This configuration potentially leaves your Oracle databases exposed to unauthorized access and cyber attacks. A swift review and restriction of access to the OracleDB port, confining it to specific, trusted IP ranges or secure connections, is strongly recommended to uphold your database security.An attacker might use this misconfiguration to access assets within the AWS environment.
    SNS (Simple Notification Service)

    SNS (Simple Notification Service)

    CategoryRisk NameDescriptionAttack Scenario
    Data SecuritySNS Topic Encryption is Not EnabledThe absence of encryption for SNS topics exposes transmitted messages to risks of unauthorized access, interception, and tampering, compromising the confidentiality, integrity, and privacy of sensitive information within the messages.In an environment where an SNS topic lacks encryption, an attacker can gain unauthorized access. Through this access, an attacker can intercept messages transmitted through the unencrypted SNS topic, enabling them to extract sensitive information.
    Data SecuritySNS Topic is Encrypted With a Default KeyUsing the default key for encrypting SNS topics presents limitations in effective key management. Default key does not allow the ability to create, rotate, disable or enable the encryption key used to protect the data.The default key used for encryption in AWS lacks the necessary mechanisms to provide secure end-to-end encryption and prevent a Man-in-the-Middle attack on SNS topics. This makes it vulnerable to interception and manipulation by an attacker.
    Insecure ConfigurationsSNS Topic Data-in-Transit is Not EnforcedAn SNS topic without HTTPS enforcment.Without HTTPS, a network-based attacker can eavesdrop on network traffic or manipulate it using an attack such as man-in-the-middle.
    Permissive AccessSNS Topic Policy Allows 'SNS:Publish' for All Principals Without ConditionsThe security finding of an SNS topic policy allowing unrestricted 'SNS:Publish' access increses the risk of unauthorized message dissemination, abuse, compromised data integrity, and non-compliance with security regulations.An attacker identifies the SNS topic with the open publishing access and leverages this vulnerability to send unauthorized messages to the topic. With the ability to publish messages without restrictions, the attacker can disseminate malicious content, such as phishing links, malware payloads, or false information to the subscribers of the topic.
    Permissive AccessSNS Topics Administrative Actions Are Publicly ExecutablePreventing public execution of administrative actions on SNS topics is essential to maintain messaging system security, safeguard sensitive data, prevent service disruptions, and ensure compliance by restricting unauthorized users from performing administrative operations.An attacker identifies a publicly accessible SNS topic and discovers that administrative actions can be executed without authentication. With this control, the attacker can modify topic settings, change access permissions, or delete the topic altogether.
    Insecure ConfigurationsSNS Topics Are Publicly AccessibleEnsuring that SNS is not publicly accessible is important to protect against unauthorized access, data breaches, and other security threats.An attack targeting the Simple Notification Service (SNS) public access could involve unauthorized actors exploiting the open access configuration of an SNS topic. By identifying a publicly accessible SNS topic, the attackers can abuse it to send messages or notifications to a large number of recipients, potentially causing disruptions, spamming users, or spreading malicious content.
    SQS (Simple Queue Service)

    SQS (Simple Queue Service)

    CategoryRisk NameDescriptionAttack Scenario
    Data SecuritySQS Queue is Not Encrypted With a Customer-Managed KeySQS (Simple Queue Service) not being encrypted with a customer-managed key increases the risk of unauthorized access and potential exposure of sensitive data.When SQS is not encrypted with a customer-managed key, the messages stored in SQS are still encrypted using AWS-managed keys. Without customer-managed key encryption. KMS key allows a more granular control over the SQS data encryption/decryption process.
    Data SecuritySQS Server-Side Encryption is Not EnabledDisabling AWS SQS Server-Side Encryption (SSE) exposes data to vulnerabilities, non-compliance with data protection regulations, compromises data integrity, and undermines trust in the service.When Server-Side Encryption (SSE) is not enforced in SQS, an attacker with unauthorized access can intercept and read unencrypted messages stored in the queue, leading to data exposure.
    Insecure ConfigurationsSQS Data-in-Transit Encryption is Not EnforcedNot enforcing data-in-transit encryption in SQS (Simple Queue Service) increases the risk of data interception and unauthorized access during the transmission of messages.The transmitted messages are vulnerable to interception by malicious actors. Attackers can eavesdrop on network traffic or manipulate it, using an attack such as man-in-the-middle.
    Permissive AccessSQS Policy Allows All Actions From All Principals Without a ConditionAllowing all actions from all principals without conditions in AWS SQS eliminates access control, increases the risk of unauthorized operations, data breaches, compliance violations, and operational disruptions.In a scenario where there is a lack of access control in AWS SQS, allowing all actions from all principals without conditions, any AWS identity or entity has unrestricted access to perform any action on the SQS queues. This absence of granular access controls and restrictions allows an attacker to exploit this lack of control by gaining unauthorized access to sensitive data within the queues.
    Insecure ConfigurationsSQS Policy Allows Public AccessSQS (Simple Queue Service) policy that allows public access increases the risk of unauthorized users gaining access to the queue and potentially manipulating or retrieving sensitive messages.When an SQS (Simple Queue Service) policy is misconfigured to allow public access, unauthorized individuals can exploit this vulnerability. Attackers can manipulate and retrieve sensitive messages from the queue without any authentication or authorization checks.
Microsoft Azure - click to collapse

Microsoft Azure

Click on a service name below to view a table of the risks Panoptica detects in Azure, along with brief descriptions and attack scenarios.


    Azure AI Search Service

    Azure AI Search Service

    CategoryRisk NameDescriptionAttack Scenario
    Public ExposureAzure AI Search with Public Network AccessAzure AI Search is publicly accessible.An attacker might focus on azure ai search app that is publicly accessible, aiming to exploit vulnerabilities such as Denial of Service, Brute-force attacks, and others.
    Azure App Service

    Azure App Service

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsAzure Function Cross-origin Resource Sharing (CORS) Feature not ImplementedCross-Origin Resource Sharing (CORS) is a security feature that allows or restricts web applications running at one origin (domain) to make requests for resources from a different origin, subject to certain constraints, to prevent unauthorized access to data. This finding signifies an Azure Function without Cross-Origin Resource Sharing enforcement.An attacker could exploit permissive CORS policies set on a web application to make unauthorized cross-origin requests, potentially gaining access to sensitive data or performing actions on behalf of a legitimate user without their consent. For example, an attacker might trick a victim into visiting a malicious website that sends requests to a trusted web service using the victim's credentials, allowing the attacker to steal data or perform actions on the victim's behalf.
    Insecure ConfigurationsAzure Function Enables Unencrypted TrafficAn Azure Function without HTTPS enforcment.Without HTTPS, a network-based attacker can eavesdrop on network traffic or manipulate it using an attack such as man-in-the-middle.
    Insecure ConfigurationsAzure Function Support Insecure Transportation Security ProtocolAn Azure Function that uses insecure TLS (Transport Layer Security) protocols.It is recommended to use the latest version of TLS if possible. Older versions (prior to TLS 1.2) may be deprecated or may contain known vulnerabilities that an attacker can use.
    Insecure ConfigurationsFTP Service Enabled for Azure FunctionAn Azure Function S/FTP endpoint enabled.The Azure FTP deployment endpoints are publicly accessible. An attacker might attempt to brute-force the service to gain access to the app/service code base.
    Insecure ConfigurationsRemote Debugging is Enabled for Azure FunctionAn Azure Function that enables remote debugging.If remote debugging in Azure Functions is enabled without proper security controls, an attacker could potentially gain unauthorized access to the running code, extract sensitive information, inject malicious code, or disrupt the application, posing a significant security risk.
    Unsupported SoftwareAzure Function Deprecated RuntimeAzure function with a deprecated runtime.An attacker can exploit known unpatched vulnerabilities in the azure function runtime.
    Azure Application Gateway

    Azure Application Gateway

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsApplication Gateway Should have Http to Https redirectionApplication Gateway has an HTTP listener without a redirection to HTTPS defined. It is important to make sure all communication is encrypted by enabling HTTP-to-HTTPS redirection for all HTTP listeners.
    Insecure ConfigurationsApplication Gateway Allows Old TLS versionsApplication Gateway is allowing the usage of old TLS versions, such as Version 1.0 and Version 1.1An attacker can communicate with the application gateway using old and vulnerable versions of TLS such as TLS 1 and TLS1.1 which are vulnerable to downgrade attacks becuase they rely on SHA-1 hash for the integrity of exchanged messages.
    Azure Cache for Redis

    Azure Cache for Redis

    CategoryRisk NameDescriptionAttack Scenario
    Public ExposureAzure Cache for Redis is Publicly AccessibleAzure Cache for Redis is publicly accessible to all IP's.An attacker can expose the database to anyone on the Internet, significantly increasing the risk of malicious access, data breaches, or potential service disruptions.
    Azure Container App

    Azure Container App

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsAzure Container App Allow Inbound Traffic From Any IPAzure Container App allows inbound traffic from any IP address.An attack could easily access a container app without any restrictions.
    Public ExposureAzure Container App with Public Network AccessAzure Container App is publicly accessible.An attacker might focus on a container app that is publicly accessible, aiming to exploit vulnerabilities like Denial of Service, Brute-force attacks, and others.
    Insecure ConfigurationsAzure Container App Permissive Cross-origin Resource Sharing (CORS) PolicyAzure Container App is set to allow any (wildcard) origins.An attacker could exploit permissive CORS policies set on a web application to make unauthorized cross-origin requests, potentially gaining access to sensitive data or performing actions on behalf of a legitimate user without their consent. For example, an attacker might trick a victim into visiting a malicious website that sends requests to a trusted web service using the victim's credentials, allowing the attacker to steal data or perform actions on the victim's behalf.
    Insecure ConfigurationsAzure Container App Allows Unencrypted HTTP TrafficAzure Container App without HTTPS enforcement.Without HTTPS, a network-based attacker can eavesdrop on network traffic or manipulate it using an attack such as man-in-the-middle.
    Azure Container Instance (ACI)

    Azure Container Instance (ACI)

    CategoryRisk NameDescriptionAttack Scenario
    Public ExposurePublic Storage Account ContainerContainer with public access allowed.In some cases, an attacker will be able to access data stored in the container.
    Insecure ConfigurationsAzure Container Instance Allows 'Any' DNS Scope ReuseAzure Container Instance enables the reuse of 'Any' DNS scope, which can potentially lead to malicious subdomain takeover.An attacker can abuse this configuration to steal the subdomain.
    Public ExposureAzure Container Instance with Public Network AccessAzure Container Instance is publicly availableAn attacker might focus on a container instance that is publicly accessible, aiming to exploit vulnerabilities like Denial of Service, Brute-force attacks, and others.
    Insufficient EncryptionAzure Container Instance Encrypted with Microsoft Managed KeyAzure Container Instance disk encrypted with Microsoft Managed Key.An attacker who discovers a vulnerability in Azure's key management processes could potentially gain unauthorized access to encryption keys, enabling them to decrypt and access your Azure Container Instance data.
    Azure Cosmos DB

    Azure Cosmos DB

    CategoryRisk NameDescriptionAttack Scenario
    Data SecurityCosmos DB Connection From Public Azure Data Centers EnabledThis option configures the firewall to allow all requests from Azure, including requests from the subscriptions of other customers deployed in Azure.In a scenario where a Cosmos DB account allows connections from IP address "0.0.0.0" (representing all public data centers), an attacker with an unauthorized account could exploit this configuration by gaining access from any location. This attacker could potentially infiltrate the Cosmos DB account, extract sensitive data, launch malicious queries, or even manipulate the database's content, all while leveraging the unrestricted public IP allowance.
    Insecure ConfigurationsCosmos DB Account "Disabled Key Based Metadata Write Access" is DisabledA CosmosDB Database with "Disabled Key Based Metadata Write Access" option disabled.In a scenario where "disabled key based metadata write access" is disabled, an attacker could potentially exploit this vulnerability by gaining unauthorized access to modify or tamper with metadata using compromised keys. This could lead to unauthorized privilege escalation, data manipulation, or confusion in data organization, impacting the integrity and security of the Cosmos DB resources.
    Insecure ConfigurationsCosmos DB Account is Not Using Virtual NetworkEnabling Virtual Network integration for a Cosmos DB account is important as it adds an additional layer of security by restricting data access to specific networks, reducing exposure to potential threats.In an attack scenario, if Virtual Network integration is not enabled for a Cosmos DB account, a malicious actor could exploit the lack of network restrictions by infiltrating the account through public endpoints, potentially compromising sensitive data or executing unauthorized operations on the database.
    Inadequate Authentication & AuthorizationCosmos DB Account Local Auth is EnabledCosmos DB account local auth is enabled.An attacker with access to these static keys, could potentially perform malicious actions such as data extraction, modification, or deletion. Since the keys are long-lived and not subject to regular rotation, the compromise could persist for an extended period, leading to significant data breaches and security breaches.
    Insecure ConfigurationsCosmos DB Account with Service Managed Encryption KeyCustomer-Managed Keys (CMK) provide crucial advantage of retaining full control and ownership over their encryption keys, allowing them to enforce stricter access policies and meet regulatory compliance requirements. An attacker who discovers a vulnerability in Azure's key management processes could potentially gain unauthorized access to encryption keys, enabling them to decrypt and access sensitive data stored in Cosmos DB.
    Public ExposureCosmos DB Account Access is Allowed From All NetworksAzure Cosmos DB with public access enabled.An attacker could exploit this misconfiguration by remotely connecting to the publicly open database and exfiltrating sensitive data.
    Public ExposureCosmos DB Account is Not Using Private EndpointsA CosmosDB database without private endpoints.Not enabling Virtual Network integration for a Cosmos DB account can result in reduced security, potentially exposing data to unauthorized access.
    Azure Database for MariaDB

    Azure Database for MariaDB

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsMariaDB Server is Not Using Virtual NetworksNot using virtual networks in a MariaDB account poses a security risk as it exposes the database to potential unauthorized access and data exposure, lacking the additional layer of network isolation and security controls provided by virtual networks.In a scenario where a virtual network is not configured, the communication occurs over the public internet unless there are other network-level controls in place. If the communication is not encrypted, it becomes susceptible to interception by attackers. These attackers can then execute a Man-in-the-Middle attack to intercept the traffic between the two entities.
    Insecure ConfigurationsMariaDB Server TLS /SSL DisabledMariaDB with disabled TLS/SSL option.If TLS/SSL is disabled for a MariaDB account, an attacker on the same network could intercept the unencrypted database traffic, potentially capturing sensitive data such as passwords and queries.
    Public ExposureMariaDB Server Connection From Public Azure ServicesHaving a firewall rule allowing access from Azure Public Services in MariaDB could pose a security as it might permit access from a broader range of Azure services than necessary, potentially exposing the database to unintended and unnecessary connections within the Azure network.An attacker exploits a misconfigured MariaDB firewall rule allowing access from any Azure Public Service, potentially gaining unauthorized entry through unintended services. Once inside, the attacker could perform malicious operations on the database, jeopardizing data integrity and confidentiality.
    Public ExposureMariaDB Server Has Full Public Network AccessHaving Full public network access for all in a MariaDB account poses a security risk by potentially exposing the database to unauthorized access from any address.An attacker, aware of the public network access on a MariaDB account for all, could exploit this vulnerability by launching attacks, attempting unauthorized logins, and potentially gaining control over the database, leading to unauthorized data access.
    Public ExposureMariaDB Server is Not Using Private EndpointsMariaDB without a private endpoint configured.An attacker could exploit network vulnerabilities to intercept unencrypted database communication, potentially capturing sensitive data or injecting malicious commands.
    Azure Databricks Workspace

    Azure Databricks Workspace

    CategoryRisk NameDescriptionAttack Scenario
    Insufficient EncryptionAzure Databricks Managed Service Encrypt with Microsoft Managed KeyAzure databricks managed services encrypted at rest using server-side encryption with Microsoft-managed key.An attacker who discovers a vulnerability in Azure's key management processes could potentially gain unauthorized access to encryption keys, enabling them to decrypt and access your Azure Databricks data.
    Insufficient EncryptionAzure Databricks Double Encryption for DBFS Root Should be EnabledAzure Databricks double encryption for DBFS root disabled. Enabling double encryptionprovides an additional layer of security for your data at rest.When double encryption is not enabled for DBFS root in Azure Databricks, an attacker can get your data because its protected by the default single layer of encryption, which does carry certain risks. Single-layer encryption can leave data potentially vulnerable if the encryption algorithm is compromised or if the encryption key is exposed through a security breach.
    Public ExposureAzure Databricks with Public Network AccessAzure Databricks workspace with 'public network access' enable.An attacker can access to the exposed resource.
    Public ExposureAzure Databricks Should has a Secure Cluster Connectivity Enabled (No Public IP)Azure Databricks secure cluster connectivity (No Public IP) disabled. When you enable 'No public IP' your clusters are not directly accessible from the internet, it is reducing the attack surface for potential threats.When you are not enable 'Secure Cluster Connectivity'public IP addresses are assigned to Azure Databricks clusters, an attacker can exploit it todata theft, extracting sensitive or proprietary information from the datasets processed by the cluster.
    Insecure ConfigurationsAzure Databricks is not in a Virtual NetworkUsing a Virtual Network (VNet) in Azure Databricks is essential for security and network control. It provides an isolated environment where data processing and analytics can occur away from the public internet, significantly reducing exposure to external threats. VNets allow for the implementation of precise access controls and network traffic filtering using network security groups (NSGs), ensuring that only authorized users and services can interact with the Databricks workspace.In a scenario where a virtual network is not configured, the communication occurs over the public internet unless there are other network-level controls in place. If the communication is not encrypted, it becomes susceptible to interception by attackers. These attackers can then execute a Man-in-the-Middle attack to intercept the traffic between the two entities.
    Insufficient EncryptionAzure Databricks Managed Disk Encrypt with Microsoft Managed KeyAzure databricks managed disk encrypted at rest using server-side encryption with Microsoft-managed key.An attacker who discovers a vulnerability in Azure's key management processes could potentially gain unauthorized access to encryption keys, enabling them to decrypt and access your Azure Databricks data.
    Public ExposureAzure Databricks without Private Endpoint'Private endpoint connection' is empty, this feature enables you to connect your Databricks workspace securely to Azure services or your on-premises network through a private IP address within your own virtual network (VNet). This private connection is facilitated by Azure Private Link, which ensures that data traffic between your Databricks workspace and other services traverses only through the Microsoft Azure network, avoiding exposure to the public internet.An attackers can exploit exposed public endpoints to gain unauthorized access, potentially leading to denial of service attacks and compromising the workspace.
    Azure Entra ID

    Azure Entra ID

    CategoryRisk NameDescriptionAttack Scenario
    Permissive AccessPrincipal with Role Access Review Operator Service Permission on Management GroupA Principal with permissions to discover and revoke access as needed on management group scope.An attacker could delete role assignments for all principals at management group scope.
    Permissive AccessPrincipal with high permissions in service ManagedIdentity on Management GroupA Principal with actions:* under Microsoft.ManagedIdentity.A Principal with permissions to do all actions (*) under Microsoft.ManagedIdentity on management group scope
    Permissive AccessPrincipal with high permissions in service Network on SubscriptionA Principal with actions:* under Microsoft.Network.A Principal with permissions to do all actions (*) under Microsoft.Network on subscription scope.
    Permissive AccessPrincipal with high permissions in service ServiceFabric on SubscriptionA Principal with actions:* under Microsoft.ServiceFabric.A Principal with permissions to do all actions (*) under Microsoft.ServiceFabric on subscription scope.
    Permissive AccessPrincipal with high permissions in service DataShare on SubscriptionA Principal with actions:* under Microsoft.DataShare.A Principal with permissions to do all actions (*) under Microsoft.DataShare on subscription scope.
    Permissive AccessPrincipal with high permissions in service DocumentDB on Management GroupA Principal with actions:* under Microsoft.DocumentDB.A Principal with permissions to do all actions (*) under Microsoft.DocumentDB on management group scope.
    Permissive AccessPrincipal with Permission to Write Role Definition on Management GroupA Principal with permissions to create or edit custom roles on management group scope (Microsoft.Authorization/ roleDefinitions/write).An attacker can edit a custom role assigned to themselves to gain a high-privilege role like owner, thus elevating permissions on the control and data plane at the management group scope.
    Permissive AccessPrincipal with User Access Administrator Permission on Management GroupA principal with permissions to manage user access to Azure resources on management group scope.An attacker can create a custom role, assign it to themselves, and elevate permissions on the control and data plane at management group scope.
    Permissive AccessPrincipal with high permissions in service Batch on Management GroupA Principal with actions: and/or data actions: under Microsoft.Batch.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.Batch on management group scope.
    Permissive AccessPrincipal with Role Based Access Control Administrator Permission on Management GroupA Principal with permissions to manage access to Azure resources by assigning roles using Azure RBAC on management group scope.An attacker can create a custom role, assign it to themselves, and elevate permissions on the control and data plane at management group scope.
    Permissive AccessPrincipal with high permissions in service Kubernetes on Management GroupA Principal with actions: and/or data actions: under Microsoft.Kubernetes.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.Kubernetes on management group scope.
    Permissive AccessPrincipal with high permissions in service KeyVault on SubscriptionA Principal with actions: and/or data actions: under Microsoft.KeyVault.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.KeyVault on subscription scope.
    Permissive AccessPrincipal with Owner Permissions on SubscriptionA Principal with permissions to perform all actions on subscription scope (such as write, read, delete).An attacker can perform any action on any resource on subscription scope
    Permissive AccessPrincipal with high permissions in service DataLakeAnalytics on SubscriptionA Principal with actions:* under Microsoft.DataLakeAnalytics.A Principal with permissions to do all actions (*) under Microsoft.DataLakeAnalytics on subscription scope.
    Permissive AccessPrincipal with high permissions in service Authorization on SubscriptionA Principal with actions:* under Microsoft.Authorization.A Principal with permissions to do all actions (*) under Microsoft.Authorization on subscription scope.
    Permissive AccessPrincipal with high permissions in service Storage on Management GroupA Principal with actions: and/or data actions: under Microsoft.Storage.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.Storage on management group scope.
    Permissive AccessPrincipal with high permissions in service Automation on Management GroupA Principal with actions:* under Microsoft.Automation.A Principal with permissions to do all actions (*) under Microsoft.Automation on management group scope.
    Permissive AccessPrincipal with Write Permission on Management GroupA Principal with permissions to perform all write actions on management group scope (*/write - all actions that end with write).An attacker can perform any write action on any resource on management group scope
    Permissive AccessPrincipal with high permissions in service Synapse on SubscriptionA Principal with actions:* under Microsoft.Synapse.A Principal with permissions to do all actions (*) under Microsoft.Synapse on subscription scope.
    Permissive AccessPrincipal with high permissions in service DataLakeStore on SubscriptionA Principal with actions:* under Microsoft.DataLakeStore.A Principal with permissions to do all actions (*) under Microsoft.DataLakeStore on subscription scope.
    Permissive AccessPrincipal with Read Permission on Management GroupA Principal with permissions to perform all read actions on management group scope (*/read - all actions that end with read).An attacker can perform any read action on any resource on management group scope.
    Permissive AccessPrincipal with high permissions in service DBforMYSQL on Management GroupA Principal with actions:* under Microsoft.DBforMYSQL.A Principal with permissions to do all actions (*) under Microsoft.DBforMYSQL on management group scope.
    Permissive AccessPrincipal with Delete Permission on Management GroupA Principal with permissions to perform all delete actions on management group scope (*/delete - all actions that end with delete).An attacker can perform any delete action on any resource on management group scope
    Permissive AccessPrincipal with Permission to Write Role Assignments on SubscriptionA Principal with permissions to create or edit role assignments on subscription scope (Microsoft.Authorization/ roleAssignments/write).An attacker can assign themselves a high-privilege role like owner, thereby elevating permissions on the control and data plane at the subscription scope.
    Permissive AccessPrincipal with high permissions in service Kubernetes on SubscriptionA Principal with actions: and/or data actions: under Microsoft.Kubernetes.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.Kubernetes on subscription scope.
    Permissive AccessPrincipal with high permissions in service Kusto on SubscriptionA Principal with actions:* under Microsoft.Kusto.A Principal with permissions to do all actions (*) under Microsoft.Kusto on subscription scope.
    Permissive AccessPrincipal with high permissions in service DBforMYSQL on SubscriptionA Principal with actions:* under Microsoft.DBforMYSQL.A Principal with permissions to do all actions (*) under Microsoft.DBforMYSQL on subscription scope.
    Permissive AccessPrincipal with high permissions in service DBforPostgreSQLe on Management GroupA Principal with actions:* under Microsoft.DBforPostgreSQL.A Principal with permissions to do all actions (*) under Microsoft.DBforPostgreSQL on management group scope.
    Permissive AccessPrincipal with high permissions in service ContainerService on SubscriptionA Principal with actions: and/or data actions: under Microsoft.ContainerService.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.ContainerService on subscription scope.
    Permissive AccessPrincipal with high permissions in service DataLakeAnalytics on Management GroupA Principal with actions:* under Microsoft.DataLakeAnalytics.A Principal with permissions to do all actions (*) under Microsoft.DataLakeAnalytics on management group scope.
    Permissive AccessPrincipal with Read Permission on SubscriptionA Principal with permissions to perform all read actions on subscription scope (*/read - all actions that end with read).An attacker can perform any read action on any resource on subscription scope
    Permissive AccessPrincipal with high permissions in service Communication on SubscriptionA Principal with actions:* under Microsoft.Communication.A Principal with permissions to do all actions (*) under Microsoft.Communication on subscription scope.
    Permissive AccessPrincipal with high permissions in service Cache on SubscriptionA Principal with actions:* under Microsoft.Cache.A Principal with permissions to do all actions (*) under Microsoft.Cache on subscription scope.
    Permissive AccessPrincipal with Permission to Write Role Definition on SubscriptionA Principal with permissions to create or edit custom roles on subscription scope (Microsoft.Authorization/ roleDefinitions/write).An attacker can edit a custom role assigned to themselves to gain a high-privilege role like owner, thus elevating permissions on the control and data plane at the subscription scope.
    Permissive AccessPrincipal with high permissions in service app on Management GroupA Principal with actions: and/or data actions: under Microsoft.app.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.app on management group scope.
    Permissive AccessPrincipal with high permissions in service SignalRService on Management GroupA Principal with actions: and/or data actions: under Microsoft.SignalRService.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.SignalRService on management group scope.
    Permissive AccessPrincipal with high permissions in service Communication on Management GroupA Principal with actions:* under Microsoft.Communication.A Principal with permissions to do all actions (*) under Microsoft.Communication on management group scope.
    Permissive AccessPrincipal with high permissions in service web on Management GroupA Principal with actions:* under Microsoft.web.A Principal with permissions to do all actions (*) under Microsoft.web on management group scope.
    Permissive AccessPrincipal with high permissions in service ApiManagement on Management GroupA Principal with actions:* under Microsoft.ApiManagement.A Principal with permissions to do all actions (*) under Microsoft.ApiManagement on management group scope.
    Permissive AccessPrincipal with high permissions in service DataLakeStore on Management GroupA Principal with actions:* under Microsoft.DataLakeStore.A Principal with permissions to do all actions (*) under Microsoft.DataLakeStore on management group scope.
    Permissive AccessPrincipal with high permissions in service VisualStudio on SubscriptionA Principal with actions:* under Microsoft.VisualStudio.A Principal with permissions to do all actions (*) under Microsoft.VisualStudio on subscription scope.
    Permissive AccessPrincipal with Administrator Data Plane Permissions on Management GroupA Principal with permissions to perform all data actions on management group scope (such as- write, read, delete).An attacker can perform any data action on any resource on management group scope.
    Permissive AccessPrincipal with high permissions in service ManagedIdentity on SubscriptionA Principal with actions:* under Microsoft.ManagedIdentity.A Principal with permissions to do all actions (*) under Microsoft.ManagedIdentity on subscription scope.
    Permissive AccessPrincipal with Full Administrator Permissions on SubscriptionA Principal with permissions to perform all actions and all data actions on subscription scope(all actions and all data actions- such as write, read, delete).An attacker can perform any action and data action on any resource on subscription scope
    Permissive AccessPrincipal with high permissions in service Network on Management GroupA Principal with actions:* under Microsoft.Network.A Principal with permissions to do all actions (*) under Microsoft.Network on management group scope.
    Permissive AccessPrincipal with high permissions in service Synapse on Management GroupA Principal with actions:* under Microsoft.Synapse.A Principal with permissions to do all actions (*) under Microsoft.Synapse on management group scope.
    Permissive AccessPrincipal with Administrator Data Plane Permissions on SubscriptionA Principal with permissions to perform all data actions on subscription scope (such as- write, read, delete).An attacker can perform any data action on any resource on subscription scope.
    Permissive AccessPrincipal with high permissions in service Automation on SubscriptionA Principal with actions:* under Microsoft.Automation.A Principal with permissions to do all actions (*) under Microsoft.Automation on subscription scope.
    Permissive AccessPrincipal with high permissions in service Sql on SubscriptionA Principal with actions:* under Microsoft.Sql.A Principal with permissions to do all actions (*) under Microsoft.Sql on subscription scope.
    Permissive AccessPrincipal with high permissions in service web on SubscriptionA Principal with actions:* under Microsoft.web.A Principal with permissions to do all actions (*) under Microsoft.web on subscription scope.
    Permissive AccessPrincipal with high permissions in service DataShare on Management GroupA Principal with actions:* under Microsoft.DataShare.A Principal with permissions to do all actions (*) under Microsoft.DataShare on management group scope.
    Permissive AccessPrincipal with high permissions in service CognitiveServices on Management GroupA Principal with actions: and/or data actions: under Microsoft.CognitiveServices.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.CognitiveServices on management group scope.
    Permissive AccessPrincipal with high permissions in service CognitiveServices on SubscriptionA Principal with actions: and/or data actions: under Microsoft.CognitiveServices.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.CognitiveServices on subscription scope.
    Permissive AccessPrincipal with high permissions in service Search on SubscriptionA Principal with actions:* under Microsoft.Search.A Principal with permissions to do all actions (*) under Microsoft.Search on subscription scope.
    Permissive AccessPrincipal with Owner Permissions on Management GroupA Principal with permissions to perform all actions on management group scope (such as write, read, delete).An attacker can perform any action on any resource on management group scope
    Permissive AccessPrincipal with Role Based Access Control Administrator Permission on SubscriptionA Principal with permissions to manage access to Azure resources by assigning roles using Azure RBAC on subscription scope.An attacker can create a custom role, assign it to themselves, and elevate permissions on the control and data plane at subscription scope.
    Permissive AccessPrincipal with high permissions in service Batch on SubscriptionA Principal with actions: and/or data actions: under Microsoft.Batch.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.Batch on subscription scope.
    Permissive AccessPrincipal with high permissions in service Kusto on Management GroupA Principal with actions:* under Microsoft.Kusto.A Principal with permissions to do all actions (*) under Microsoft.Kusto on management group scope.
    Permissive AccessPrincipal with high permissions in service Compute on Management GroupA Principal with actions: and/or data actions: under Microsoft.Compute.A Principal with permissions to do all actions (*) under Microsoft.Compute on management group scope.
    Permissive AccessPrincipal with high permissions in service Search on Management GroupA Principal with actions:* under Microsoft.Search.A Principal with permissions to do all actions (*) under Microsoft.Search on management group scope.
    Permissive AccessPrincipal with high permissions in service DomainRegistration on Management GroupA Principal with actions:* under Microsoft.DomainRegistration.A Principal with permissions to do all actions (*) under Microsoft.DomainRegistration on management group scope.
    Permissive AccessPrincipal with Full Administrator Permissions on Management GroupA Principal with permissions to perform all actions and all data actions on a management group scope(all actions and all data actions- such as write, read, delete).An attacker can perform any action and data action on any resource on management group scope
    Permissive AccessPrincipal with high permissions in service Cache on Management GroupA Principal with actions:* under Microsoft.Cache.A Principal with permissions to do all actions (*) under Microsoft.Cache on management group scope.
    Permissive AccessPrincipal with high permissions in service DataBricks on SubscriptionA Principal with actions:* under Microsoft.Databricks.A Principal with permissions to do all actions (*) under Microsoft.Databricks on subscription scope.
    Permissive AccessPrincipal with high permissions in service Sql on Management GroupA Principal with actions:* under Microsoft.Sql.A Principal with permissions to do all actions (*) under Microsoft.Sql on management group scope.
    Permissive AccessPrincipal with high permissions in service ApiManagement on SubscriptionA Principal with actions:* under Microsoft.ApiManagement.A Principal with permissions to do all actions (*) under Microsoft.ApiManagement on subscription scope.
    Permissive AccessPrincipal with high permissions in service SignalRService on SubscriptionA Principal with actions: and/or data actions: under Microsoft.SignalRService.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.SignalRService on subscription scope.
    Permissive AccessPrincipal with high permissions in service NetApp on SubscriptionA Principal with actions:* under Microsoft.NetApp.A Principal with permissions to do all actions (*) under Microsoft.NetApp on subscription scope.
    Permissive AccessPrincipal with Contributor Permission on SubscriptionA Principal with permissions to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries on subscription scope.An attacker with the contributor role could potentially upload malicious data to resources or download sensitive information, such as secrets, directly from existing resources within the Azure environment.
    Permissive AccessPrincipal with high permissions in service ContainerService on Management GroupA Principal with actions: and/or data actions: under Microsoft.ContainerService.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.ContainerService on management group scope.
    Permissive AccessPrincipal with Permission to Write Role Assignments on Management GroupA Principal with permissions to create or edit role assignments on management group scope (Microsoft.Authorization/ roleAssignments/write).An attacker can assign themselves a high-privilege role like owner, thereby elevating permissions on the control and data plane at the management group scope.
    Permissive AccessPrincipal with Role Access Review Operator Service Administrator Permission on SubscriptionA Principal with permissions to discover and revoke access as needed on subscription scope.An attacker could delete role assignments for all principals at subscription scope.
    Permissive AccessPrincipal with User Access Administrator Permission on SubscriptionA Principal with permissions to manage user access to Azure resources on subscription scope.An attacker can create a custom role, assign it to themselves, and elevate permissions on the control and data plane at subscription scope.
    Permissive AccessPrincipal with high permissions in service app on SubscriptionA Principal with actions: and/or data actions: under Microsoft.app.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.app on subscription scope.
    Permissive AccessPrincipal with high permissions in service VisualStudio on Management GroupA Principal with actions:* under Microsoft.VisualStudio.A Principal with permissions to do all actions (*) under Microsoft.VisualStudio on management group scope
    Permissive AccessPrincipal with high permissions in service DataBricks on Management GroupA Principal with actions:* under Microsoft.Databricks.A Principal with permissions to do all actions under Microsoft.Databricks on management group scope.
    Permissive AccessPrincipal with high permissions in service DomainRegistration on SubscriptionA Principal with actions:* under Microsoft.DomainRegistration.A Principal with permissions to do all actions (*) under Microsoft.DomainRegistration on subscription scope.
    Permissive AccessPrincipal with high permissions in service KeyVault on Management GroupA Principal with actions: and/or data actions: under Microsoft.KeyVault.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.KeyVault on management group scope.
    Permissive AccessPrincipal with high permissions in service Authorization on Management GroupA Principal with actions:* under Microsoft.Authorization.A Principal with permissions to do all actions (*) under Microsoft.Authorization on management group scope.
    Permissive AccessPrincipal with Delete Permission on SubscriptionA Principal with permissions to perform all delete actions on subscription scope (*/delete - all actions that end with delete).An attacker can perform any delete action on any resource on subscription scope
    Permissive AccessPrincipal with high permissions in service Compute on SubscriptionA Principal with actions: and/or data actions: under Microsoft.Compute.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.Compute on subscription scope.
    Permissive AccessPrincipal with high permissions in service Storage on SubscriptionA Principal with actions: and/or data actions: under Microsoft.Storage.A Principal with permissions to do all actions and/or data actions (*) under Microsoft.Storage on subscription scope.
    Permissive AccessPrincipal with high permissions in service NetApp on Management GroupA Principal with actions:* under Microsoft.NetApp.A Principal with permissions to do all actions (*) under Microsoft.NetApp on management group scope.
    Permissive AccessPrincipal with high permissions in service DBforPostgreSQL on SubscriptionA Principal with actions:* under Microsoft.DBforPostgreSQL.A Principal with permissions to do all actions (*) under Microsoft.DBforPostgreSQL on subscription scope.
    Permissive AccessPrincipal with Write Permission on SubscriptionA Principal with permissions to perform all write actions on subscription scope (*/write - all actions that end with write).An attacker can perform any write action on any resource on subscription scope.
    Permissive AccessPrincipal with high permissions in service DocumentDB on SubscriptionA Principal with actions:* under Microsoft.DocumentDB.A Principal with permissions to do all actions (*) under Microsoft.DocumentDB on subscription scope.
    Permissive AccessPrincipal with Contributor Permission on Management GroupA Principal with permissions to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries on management group scope.An attacker with the contributor role could potentially upload malicious data to resources or download sensitive information, such as secrets, directly from existing resources within the Azure environment.
    Permissive AccessPrincipal with high permissions in service ServiceFabric on Management GroupA Principal with actions:* under Microsoft.ServiceFabric.A Principal with permissions to do all actions (*) under Microsoft.ServiceFabric on management group scope.
    Azure Function

    Azure Function

    CategoryRisk NameDescriptionAttack Scenario
    Public ExposurePublic Unauthenticated FunctionA function with HTTP trigger and anonymous auth level. The HTTP trigger lets you invoke a function with an HTTP request, and the anonymous auth level lets you present a request without an API key. OWASP A2:2017 Broken Authentication.An attacker can invoke the function, and in some cases can escape the function, gain the function app permissions and compromise your environment.
    Azure MySQL Flex

    Azure MySQL Flex

    CategoryRisk NameDescriptionAttack Scenario
    Public ExposureAzure DB For MySQL is Publicly AccessibleAzure Database for MySQL haspublic network access setting enabled and a firewall rule that allow access from all IPs.Anyone on the web can access the DB. Access is usually done using a key, but if the key gets compromised, it could lead to a lot of issues as anyone can reach that DB. It is best to use a virtual network to limit access to only those who need it.
    Public ExposureAzure DB For MySQL is Publicly Accessible from Any Azure ServiceAzure Database for MySQL haspublic network access setting enabled and a firewall rule that allow access from any azure service, even services of different azure subscription.An attacker can create an azure account and azure subscription and any service he will deploy will have access to that DB.
    Azure OpenAI

    Azure OpenAI

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsAzure OpenAI with Microsoft Managed KeysCustomer-Managed Keys (CMK) provide crucial advantage of retaining full control and ownership over your encryption keys, allowing you to enforce stricter access policies and meet regulatory compliance requirements.An attacker who discovers a vulnerability in Azure's key management processes could potentially gain unauthorized access to encryption keys, enabling them to decrypt and access your Azure OpenAI data at rest such as the training data and fine-tuned models.
    Public ExposureAzure OpenAI Allow Access from All NetworksAzure OpenAI with public access enabled."Allowing unrestricted, public access to cloud services could open an application up to external attack. An Attacker can access the resource and access the models using api calls, by exploiting a different vulnerability of the service/models he can gain access to the service/models configurations and maybe even gain access to sensitive information."
    Azure Resource Management (ARM)

    Azure Resource Management (ARM)

    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementRole Definition With List Storage Account Keys PermissionsA role definition with permissions to list storage account keys.An attacker with access to the role can accsses storage accounts with "allowSharedKeyAccess" set to true.
    Identity & Access ManagementPrincipal With Owner RolePrincipal is assigned with the 'Owner' rolw that gives full permissions in the subscription.An attacker with access to the principal can compromise the subscription.
    Identity & Access ManagementPrincipal With User Access Administrator RolePrincipal assigned with the 'User Access Administrator' role that enables to manage user access to Azure resources.An attacker with access to the principal can compromise the subscription.
    Insufficient EncryptionStorage Account Table CMK Encryption DisabledUnable to encryptStorage Account Tableswith Customer-managed key.By default, Azure Storage accounts is encrypted using service-managed keys, using of CMK in Azure Storage gives customers the flexibility to manage and rotate their encryption keys according to their security and compliance requirements, and prevent from attacker to gain access to a sensitive data.
    Insufficient EncryptionAzure Storage Account with Microsoft Managed KeyCustomer-Managed Keys (CMK) provide crucial advantage of retaining full control and ownership over your encryption keys, allowing you to enforce stricter access policies and meet regulatory compliance requirements.An attacker who discovers a vulnerability in Azure's key management processes could potentially gain unauthorized access to encryption keys, enabling them to decrypt and access your data.
    Insufficient EncryptionStorage Account Queue CMK Encryption DisabledUnable to encryptStorage Account queues with Customer-managed key.By default, Azure Storage accounts is encrypted using service-managed keys, using of CMK in Azure Storage gives customers the flexibility to manage and rotate their encryption keys according to their security and compliance requirements, and prevent from attacker to gain access to a sensitive data.
    Azure Storage Account

    Azure Storage Account

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsStorage Account With 'non-secure' ConnectionStorage account that allows requests from a non-secure connection.An attacker can have access to your data through unencrypted communications with the storage account.
    Insecure ConfigurationsStorage Account With Shared Key AccessStorage account with shared key access allowed. It is not a best practice to use shared key authorization for a storage account.An attacker with access to a storage account key can access your storage account and compromise your data.
    Public ExposureStorage Account With Blob Public Access AllowedA storage account with blob public access allowed. This setting allows public access to be configured for containers in the account but does not enable public access to your data.In some cases, an attacker will be able to access your blobs and compromise your data.
    Public ExposureStorage Account With Unrestricted Network AccessNetwork access to the storage account is not restricted.In some cases, an attacker would be able to access your storage account and the data stored in it.
    Azure Virtual Machine

    Azure Virtual Machine

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsVM is not using managed disksVM is not using managed disk, unmanaged disk is deprecated and can't be created any more but can still exist until the end of 2025. Managed disk are more secure by default and more resilient
    Insecure ConfigurationsVM Secure Boot is DisabledVM secure boot is disabled, it is best to enable secure boot as part of the trusted launch feature for best protection against boot level malwaresAn attacker might be able to load undetectable rootkit or malicious code to the bootloader to run as part of the boot process of the machine.
    Insecure ConfigurationsVM is not part of zone or availability-setAzure VM is not part of any availability zone or set, availability zones and sets protects the VM from failures and creates better resiliency, connectivity and availabilityAn attacker can have easier time causing DoS if availability zones and availability sets are not in used.
    Inadequate Logging & BackupVM Boot Diagnostics is DisabledVM boot diagnostics is disabled, This can help with understanding and following the events that happened incase of a secure incidents or when VM is compromisedN/A
    Insecure ConfigurationsLinux VMs Should not Use PasswordsLinux VM is allowing authentication using passwords. Keys alone should be used as passwords are more vulnerable, brute force for exampleA weak password can be compromised by an attacker which can then can use that password to SSH to the machine.
    Insecure ConfigurationsVM vTPM is DisabledVM vTPM is disabled, vTPM validates your VM pre-boot and boot integrity. It generates and securely stores encryption keys.If vTPM is disabled, an attacker might be able to compromise the boot process of the VM.
    Azure Virtual Network

    Azure Virtual Network

    CategoryRisk NameDescriptionAttack Scenario
    Public ExposureNetwork Security Group With Open RDP Port (3389)A network security group with RDP port (3389) open to any IP. An attacker can try to exploit RDP vulnerabilities leaving your environment at risk.
    Azure VM Scale Set

    Azure VM Scale Set

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsVMSS is not using managed disksVirtual machine scale-set (VMSS) is not using managed disk, unmanaged disk is deprecated and can't be created any more but can still exist until the end of 2025. Managed disk are more secure by default and more resilient. VMSS should be utilizing managed disks provided by azure.
    Microsoft Entra ID Autorization Policy

    Microsoft Entra ID Autorization Policy

    CategoryRisk NameDescriptionAttack Scenario
    Inadequate Authentication & AuthorizationEntra ID Conditional Access Mfa for All Users is not Configured ProperlyThe conditional access policy that enforces multifactor authentication for all users is not configured propely.An attacker can exploit the lack of enforecement of this condtional access policy and perform an identity related attack such as password spray, replay, and phishing.
    Inadequate Authentication & AuthorizationEntra ID Tenant doesn't Enable Conditional Policy for MFA for All usersThe conditional access policy that enforces multifactor authentication for all users is not enabled.An attacker can exploit the lack of enforecement of this condtional access polic and perform an identity related attack such as password spray, replay, and phishing.
    Inadequate Authentication & AuthorizationEntra ID Tenant without security defaultsAn Entra Id tenant that doesn't enable security defaults. Security Defaults is a free option available with Entra ID which includes several security settings such as requriring all users to register for mfa.An attacker can exploit the lack of security defaults and perform an identity related attack such as password spray, replay, and phishing.
Google Cloud Platform (GCP) - click to collapse

Google Cloud Platform (GCP)

Click on a service name below to view a table of the risks Panoptica detects in GCP, along with brief descriptions and attack scenarios.

    App Engine

    App Engine

    CategoryRisk NameDescriptionAttack Scenario
    Permissive AccessApp Engine Service With Default Service AccountBy default App Engine service run with App Engine default service account, this service account has 'Editor' role in the project.Attacker with access to App Engine service with default service account can deploy changes to the Cloud project can also run code with read/write access to all resources within that project.
    Insecure ConfigurationsApp Engine Service with Insecure Ingress SettingsThis risk identifies a Google Cloud App Engine service configured with insecure ingress settings, potentially allowing unauthorized access. Insecure ingress settings can significantly heighten the risk of unauthorized access and potential data breaches. It's recommended to review these settings, and if the open access isn't necessary, promptly refine the ingress rules to enhance the security of your App Engine service.An attacker can send direct requets to the app from the internet.
    Public ExposureApp Engine App With Public Ingress RuleApp Engine app with public ingress rule.An attacker might use this misconfiguration to access the application running in App Engine.
    Unsupported SoftwareApp Engine Service With Legacy RuntimeApp Engine service running on legacy runtime.Legacy runtimes support language versions that are no longer> maintained by open source communities. As communities stop maintaining versions, the app may be exposed to vulnerabilities for which no publicly available fix exists.
    BigQuery

    BigQuery

    CategoryRisk NameDescriptionAttack Scenario
    Permissive AccessBigQuery Dataset With Cross Project AccessA BigQuery dataset with a policy binding of a service account from a different project.An attacker with access to the project that has access to the dataset can compromise your data.
    Permissive AccessBigQuery Table/View With Cross Project AccessA BigQuery table or view with a policy binding of a service account from a different project.An attacker with access to the outside service account can access this table or view and compromise your data.
    Insecure ConfigurationsBigQuery Dataset Without Customer Managed Encryption Key (CMEK)A BigQuery dataset without a customer-managed encryption key (CMEK).CMEK provides more administrative control. Administrators can rotate, manage access to, and disable or destroy the key used to protect data at rest.
    Insecure ConfigurationsBigQuery Table/View Without Customer Managed Encryption Key (CMEK)A BigQuery Table or View without a customer-managed encryption key (CMEK).CMEK provides more administrative control. Administrators can rotate, manage access to, and disable or destroy the key used to protect data at rest.
    Public ExposurePublic BigQuery DatasetA publicly accessible BigQuery dataset.An attacker can access this dataset and compromise your data.
    Public ExposurePublic BigQuery Table/ViewA publicly accessible BigQuery table or view.An attacker can access this table or view and compromise your data.
    Bigtable

    Bigtable

    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementBigtable Instance Allows Access Of Service Account From Another ProjectBigtable instance with a policy binding of a service account from a different project.An attacker with access from different project can compromise the environment.
    Identity & Access ManagementBigtable Table Allows Access Of Service Account From Another ProjectBigtable table with a policy binding of a service account from a different project.An attacker with access from different project can compromise the environment.
    Insecure ConfigurationsBigtable Cluster Without Customer Managed Encryption Key (CMEK)Bigtable cluster configured without CMEK.CMEK provides more administrative control. Administrators can rotate, manage access to, and disable or destroy the key used to protect data at rest.
    Cloud Run

    Cloud Run

    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementCloud Run Job Running with Permissive PermissionsA user / users with the roles/run.admin role can invoke or interact with the Cloud Run Job. While this approach can simplify deployment and usage, it also raises security concerns, as it may expose sensitive data or functions to potential misuse or unauthorized access.Permissive permissions present significant security risks in cloud environments, as they can lead to unauthorized access, data breaches, and potential misuse of resources.
    Identity & Access ManagementCloud Run Service Running with Permissive PermissionsA user / users with the roles/run.admin role can invoke or interact with the Cloud Run Service. While this approach can simplify deployment and usage, it also raises security concerns, as it may expose sensitive data or functions to potential misuse or unauthorized access.Permissive permissions present significant security risks in cloud environments, as they can lead to unauthorized access, data breaches, and potential misuse of resources.
    Identity & Access ManagementIAM with cloud run service admin permissionA GCP identity with admin permissions to cloud run job.An attacker with this permission has administrative access to a cloud run job.
    Identity & Access ManagementIAM with cloud run service admin permissionA GCP identity with admin permissions to cloud run service.An attacker with this permission has administrative access to a cloud run service.
    Identity & Access ManagementUnauthenticated Invocations Allowed for Cloud Run ServiceUnauthenticated invocations are enabled for this Cloud Run service. It is assigned the "allUsers" principal type with the "Cloud Run Invoker" IAM role. This effectively makes the service accessible to anyone on the internet without requiring authentication, granting anonymous access to it.This service can be accessed by an attacker without the need for authentication. This could potentially be leveraged to exploit any vulnerabilities, resulting in a Denial of Service (DoS) attack, unauthorized extraction of sensitive data, or remote execution of commands on the underlying host.
    Insecure ConfigurationsBinary Authorization Disabled for Cloud Run JobBinary Authorization offers deployment control based on policies, ensuring that only trusted and verified container images are allowed for deployment.An attacker who gains access to the Continuous Integration environment can inject malicious code or tamper with legitimate code during the build and deployment (CI-CD) process. This can introduce vulnerabilities, backdoors, or other security weaknesses into the software, which may go undetected until the compromised code is deployed.
    Insecure ConfigurationsBinary Authorization Disabled for Cloud Run ServiceBinary Authorization offers deployment control based on policies, ensuring that only trusted and verified container images are allowed for deployment.An attacker who gains access to the Continuous Integration environment can inject malicious code or tamper with legitimate code during the build and deployment (CI-CD) process. This can introduce vulnerabilities, backdoors, or other security weaknesses into the software, which may go undetected until the compromised code is deployed.
    Permissive AccessCloud Run Job is Using the Compute Engine Default Service AccountCloud Run job uses the compute engine default service account. This account is automatically created when a new project is set up By default, this service account has broad IAM permissions and it is automatically associated with every Cloud Run job.An attacker with access to the default service account token could access each and every Cloud Run job and its associated management API operating within the same GCP project.
    Permissive AccessCloud Run Service is Using the Compute Engine Default Service AccountCloud Run service uses the compute engine default service account. This account is automatically created when a new project is set up. By default, this service account has broad IAM permissions and is automatically associated with every Cloud Run service.An attacker with access to the default service account token could access each and every Cloud Run service and its associated management API operating within the same GCP project.
    Public ExposureCloud Run Service Publicly AccessibleThis risk signifies a publicly accessible Cloud Run Service, making it accessible to any Internet user. Publicly accessible services raise the risk of unauthorized access, misuse, and breaches. The necessity of this public service should be verified; if not required, immediate action to restrict this service is advised to minimize potential security risks.Depending on the application deployed, an attacker can exploit vulnerabilities to gain unauthorized access, manipulate and steal sensitive data, and even execute malicious actions that compromise the entire system.
    Compute Engine

    Compute Engine

    CategoryRisk NameDescriptionAttack Scenario
    Credentials ExposureCompute Engine Instance With Cleartext Chargify KeyChargify Key Discovered In CleartextAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Credentials ExposureCompute Engine Instance With Cleartext Jenkins PasswordJenkins Password Discovered In CleartextAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Credentials ExposureCompute Engine Instance With Cleartext MySQL PasswordMySQL Password Discovered In CleartextAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Credentials ExposureCompute Engine Instance With Cleartext NewRelic KeyNewRelic Key Discovered In CleartextAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Credentials ExposureCompute Engine Instance With Cleartext OAuth KeyOAuth Key Discovered in CleartextAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Credentials ExposureCompute Engine Instance With Cleartext Postgres PasswordPostgres Password Discovered In CleartextAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Credentials ExposureCompute Engine Instance With Cleartext RabbitMQ PasswordRabbitMQ Password Discovered In CleartextAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Credentials ExposureCompute Engine Instance With Cleartext Salesforce CredentialsSalesforce Credentials Discovered In CleartextAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Credentials ExposureCompute Engine Instance With Cleartext Segment TokenSegment Token Discovered In CleartextAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Credentials ExposureCompute Engine Instance With Cleartext SMTP PasswordSMTP Password Discovered In CleartextAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Credentials ExposureCompute Engine Instance With Cleartext Vero SecretVero Secret Discovered In CleartextAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Credentials ExposureCompute Engine Instance With Sensitive Generic SecretSensitive Generic Secret Found in CleartextAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Credentials ExposureCompute Engine Instance With Sensitive Generic Secret In MetadataSensitive Generic Secret Found in MetadataAn attacker can use the exposed keys to access unauthorized resources while bypassing existing security controls.
    Identity & Access ManagementIAM principal with set IAM policy permission on compute instancesA GCP Identity with permissions to set an IAM policy for compute instances.An attacker with the setIamPolicy on a compute instance will be able to modify the IAM policy of the instance, granting himself additional privileges at the resource level. If this permission is given at the project level, the attacker will be able to change all the project instances' policies. This method could range from full access to a specific instance to full administrator access to the project.
    Insecure ConfigurationsCompute Engine Instance With Interactive Serial Console EnabledVM interactive serial console is enabled and does not support IP-based access restrictions.Attacker can attempt to connect to the instance's serial console from any IP address.
    Insecure ConfigurationsCompute Engine Instance With IP Forwarding EnabledVM instance with a configuration that enables IP forwarding.Attacker can attempt to send and receive packets with differenct source and destination.
    Insecure ConfigurationsCompute Engine Instance With Project Wide SSH KeysVM instance with a configuration that allows project-wide SSH keys.Attacker can attempt to connect to an instance using the SSH keys configured for the project.
    Insecure ConfigurationsUnused Compute Engine DiskUnused disk by any instance is found.An attacker can access the unused disk, leading to data exposure.
    Unsupported SoftwareDeprecated Compute Engine Image
    Unsupported SoftwareCompute Engine Instance With Deprecated ImageA deprecated image.An attacker can exploit the deprecated image and create an instance using it.
    Dataproc

    Dataproc

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsAPI access to all Google Cloud services in same project is allowedDataproc cluster configured to allow API access to all Google Cloud services in the same project.An attacker with access to compute engine can access google cloud services without scope limitation, leading to potentially exploit various services.
    Insecure ConfigurationsDataproc Cluster Without Customer Managed Encryption Key (CMEK)A Dataproc cluser configured without CMEK.CMEK provides more administrative control. Administrators can rotate, manage access to, and disable or destroy the key used to protect data at rest.
    Public ExposurePublic Dataproc ClusterA public Dataproc cluster.An attacker can access Dataproc instances from the internet.
    Unsupported SoftwareDataproc Cluster With Unsupported Image VersionA Dataproc cluster with an unsupported image version.An attacker can exploit known unpatched vulnerabilities in unsupported images.
    Function

    Function

    CategoryRisk NameDescriptionAttack Scenario
    Permissive AccessCompute Engine Instance Default Service Account With Owner RoleCompute Engine default service account with owner permissions on the project.An attacker with access to a compute engine that is attached to the default service account will have full access to the project.
    Permissive AccessCompute Instance Default Service Account With Editor RoleCompute Engine default service account with editor permissions on the project.An attacker with access to a compute engine that is attached to the default service account will be able to perform unauthorized actions in your project.
    Permissive AccessService Account With Editor RoleService Account with editor permissions on the project.An attacker with access to the service account will be able to perform most of the actions in the project.
    Service Account With Owner RoleService Account with owner permissions on the project.An attacker with access to the service account will be able to perform any action in the project.
    Permissive AccessUser With Editor RoleUser with editor permissions on the project.An attacker with access to the user will be able to perform most of the actions in the project.
    Permissive AccessUser With Owner RoleUser with owner permissions on the project.An attacker with access to the user will be able to perform any action in the project.
    Insecure ConfigurationsCloud Function With HTTP Only (not HTTPS)GCP function with HTTP trigger set to require HTTP only (and not HTTPS). OWASP A6:2017 Security Misconfiguration.An attacker can invoke the function via HTTP, gain the function app permissions and compromise your environment.
    Public ExposureCloud Function Allows Anonymous AccessThe function allows access for anonymous users. OWASP A2:2017 Broken Authentication.An anonymous attacker can run actions against the function and might damage internal services or expose sensetive data.
    Permissive AccessCloud Function Can Be Invoked By Anonymous UsersThe function can be invoked by anonymous users. OWASP A6:2017 Security Misconfiguration.An anonymous attacker can invoke the function and might damage internal services or expose sensetive data.
    Unsupported SoftwareGCP Function With Deprecated RuntimeGCP function with a deprecated runtime. OWASP A6:2017 Security Misconfiguration.An attacker can exploit known unpatched vulnerabilities in the gcp function runtime.
    GKE (Google Kubernetes Engine)

    GKE (Google Kubernetes Engine)

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsGKE Cluster is AlphaGKE alpha cluster. OWASP K09:2022 Misconfigured Cluster ComponentsAlpha clusters are short-lived clusters that run stable Kubernetes releases with all Kubernetes APIs and features enabled. Alpha clusters are limited and do not receive security updates.
    Insecure ConfigurationsGKE Cluster With Application Layer Secrets Encryption DisabledGKE cluster with application-layer secrets encryption disabled. OWASP K08:2022 Secrets Management FailuresAn attacker can gain access to an offline copy of etcd, where secrets are stored.
    Insecure ConfigurationsGKE Cluster With Client CertificateGKE cluster with client certificate. OWASP K06:2022 Broken Authentication MechanismsAn attacker can use the base64 certifcate public certificate to authenticate to the cluster endpoint. Certificates do not rotate automatically. and are difficult to revoke.
    Insecure ConfigurationsGKE Cluster With 'Cloud Logging' Option DisabledGKE cluster with "Cloud Logging" option disabled. OWASP K05:2022 Inadequate Logging and MonitoringLogging provides audit and diagnostic logs in your account. Collecting logs are critical for clusters as it significantly accelerates the troubleshooting process.
    Insecure ConfigurationsGKE Cluster With 'Control plane authorized networks' Option DisabledGKE cluster with "Control plane authorized networks" option disabled. OWASP K07:2022 Missing Network Segmentation ControlsAn attacker can access the cluster's control plane endpoint through HTTPS.
    Insecure ConfigurationsGKE Cluster With Default Service Account Attached To Node PoolGKE cluster with a default service account attacked to the node pool. OWASP K09:2022 Misconfigured Cluster ComponentsBy default, nodes are given the compute engine default service account. This account has more permissions than are required to run your Kubernetes Engine cluster, allowing attackers to use these permissions to compromise your environment.
    Insecure ConfigurationsGKE Cluster With 'Legacy authorization' Option EnabledGKE cluster with "Legacy authorization" option enabled. OWASP K06:2022 Broken Authentication MechanismsBy default, ABAC is disabled for clusters created using GKE version 1.8 and later as RBAC has significant security advantages over ABAC.
    Insecure ConfigurationsGKE Cluster With Network Policy DisabledGKE cluster with network policy disabled. OWASP K07:2022 Missing Network Segmentation ControlsAn attacker can access any pod in the cluster without network restrictions. Network policy is used to create Pod-level firewall rules. These firewall rules determine which Pods and Services can access one another inside your cluster.
    Insecure ConfigurationsGKE Cluster With Shielded Nodes DisabledGKE cluster with shielded nodes disabled. OWASP K09:2022 Misconfigured Cluster ComponentsAn attacker can exploit a vulnerability in a Pod to exfiltrate bootstrap credentials and impersonate nodes in a cluster giving the attacker access to cluster secrets.
    Insecure ConfigurationsGKE Cluster Without Automatic Node UpgradeGKE cluster with no automatic node upgrade enabled. OWASP K09:2022 Misconfigured Cluster ComponentsNode auto-upgrades help you keep the nodes in your cluster up-to-date with the cluster control plane version when your control plane is updated on your behalf.
    Insecure ConfigurationsGKE Cluster With 'secure boot' Option DisabledGKE cluster with 'secure boot' option disabled. OWASP K09:2022 Misconfigured Cluster ComponentsSecure boot helps protect nodes against boot-level and kernel-level malware and rootkits.
    KMS (Cloud Key Management)

    KMS (Cloud Key Management)

    CategoryRisk NameDescriptionAttack Scenario
    Neglected ResourceKMS Key With Rotation Period Bigger Than 90 DaysA KMS key that has a rotation period bigger than 90 days.Key rotation reduces the risk of a compromised key being used by an attacker to access your encrypted resources.
    Public ExposurePublicly Accessible KMS KeyA publicly accessible Cloud KMS key.An attacker can access your KMS key. Depending on the level of access, he might be able to use the key to decrypt data and compromise it.
    Memorystore

    Memorystore

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsMemorystore AUTH is DisabledDisabling authentication (AUTH) in Memorystore allows unrestricted access to the data store, leaving it exposed to unauthorized users and increasing the risk of data breaches and tampering.An attacker, aware that authentication (AUTH) is disabled in Memorystore, can gain unauthorized access to the data store, potentially exfiltrating sensitive data, injecting malicious content, or disrupting the service without any authentication barriers.
    Insecure ConfigurationsMemorystore Connection by Direct PeeringUsing Direct Peering establishes a direct VPC peering connection between the customer's network and Google's managed project, potentially exposing the customer's network to security risks, as this peering isn't shared with other Google Cloud services and lacks the enhanced access controls and isolation offered by Private Service Access (PSA).An attacker monitors network traffic in the customer's VPC that uses Direct Peering to connect to Memorystore for Redis. Since Direct Peering lacks the isolation and security features of Private Service Access (PSA), the attacker can potentially eavesdrop on sensitive data transmissions, such as Redis authentication credentials or sensitive cache data, leading to data exfiltration or unauthorized access.
    Insecure ConfigurationsMemorystore Encryption by Transit is DisabledDisabling encryption in Memorystore's transit data transmission exposes data to potential interception, tampering, and security breaches, posing significant risks to data confidentiality and integrity.An attacker monitoring the network traffic between a client application and a Memorystore instance with encryption in transit disabled could intercept sensitive user session data, such as login credentials, and potentially launch a man-in-the-middle attack, impersonating the client or the server, leading to data theft or manipulation.
    Insecure ConfigurationsMemorystore Encryption without CMEKNot having Customer Managed Encryption Keys (CMEK) in Memorystore's encryption setup leaves data encryption solely reliant on default Google-managed keys, potentially exposing sensitive data to unauthorized access and lacking the enhanced control and key management provided by CMEK.An attacker with sufficient knowledge of Memorystore's encryption configuration without CMEK could potentially compromise the default Google-managed keys, gaining unauthorized access to the encrypted data and bypassing the additional security controls offered by customer-managed encryption keys, leading to data exposure and potential breaches.
    Network Firewall

    Network Firewall

    CategoryRisk NameDescriptionAttack Scenario
    Public ExposureFirewall Rule Permits Connections From Any IP (0.0.0.0/0)This risk signifies a Google Cloud Platform Firewall Rule configured to allow incoming connections from any IP address, indicated by the range 0.0.0.0/0. This unrestricted access can heighten the risk of unauthorized access and potential data breaches. It's recommended to verify whether such broad access is necessary and, if not, promptly refine the access control to allow connections from specific, trusted IP addresses or ranges.An attacker might use this misconfiguration to access assets within the GCP environment.
    Project

    Project

    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementCompute Engine Instance Default Service Account With Owner RoleCompute Engine default service account with owner permissions on the project.An attacker with access to a compute engine that is attached to the default service account will have full access to the project.
    Identity & Access ManagementCompute Instance Default Service Account With Editor RoleCompute Engine default service account with editor permissions on the project.An attacker with access to a compute engine that is attached to the default service account will be able to perform unauthorized actions in your project.
    Identity & Access ManagementGKE cronJobs permissionsGKE any cronJobs permission.An attacker can create, delete, get, list and update any cronJob.
    Identity & Access ManagementGKE daemonSets permissionsGKE any daemonSets permission.An attacker can create, delete, get, list and update any daemonSets.
    Identity & Access ManagementGKE deployments permissionsGKE any deployments permission.An attacker can create, delete, get, list and update any deployments.
    Identity & Access ManagementGKE job permissionsGKE any jobs permission.An attacker can create, delete, get, list and update any job.
    Permissive AccessGKE permissions to create any resourceGKE permissions to create any resource.An attacker can create any resource in the cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to create cluster role bindingGKE permissions to create cluster role bindings.An attacker can create cluster roles binded to a risky role, leading to cluster compromise.
    Permissive AccessGKE permissions to create cronjobsGKE permissions to create cronjobs.An attacker can create cronjobs containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to create daemonsetsGKE permissions to create daemonsets.An attacker can create daemonsets containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to create deploymentsGKE permissions to create deployments.An attacker can create a deployment with malicious components leading to cluster compromise.
    Permissive AccessGKE permissions to create ingressesGKE permissions to create ingresses.An attacker can create risky ingresses, exposing internal services and leading to cluster compromise.
    Permissive AccessGKE permissions to create jobsGKE permissions to create jobs.An attacker can create jobs containing malicious code executed within a cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to create podsGKE permissions to create pods.An attacker can create pods containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to create replicasetsGKE permissions to create replicasets.An attacker can create replicasets containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to create replication controllersGKE permissions to create replication controllers.An attacker can create replication controllers containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to create role bindingGKE permissions to create role bindings.An attacker can create roles binded to a risky role, leading to cluster compromise.
    Permissive AccessGKE permissions to create statefulsetsGKE permissions to create statefulsets.An attacker can create statefulsets containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to delete any resourceGKE permissions to delete any resource.An attacker can delete any resource in the cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to get any resourceGKE permissions to get any resource.An attacker can delete any resource in the cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to list any resourceGKE permissions to list any resource.An attacker can list any resource in the cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to update cronjobsGKE permissions to update cronjobs.An attacker can update cronjobs to contain containers that execute malicious code within a cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to update daemonsetsGKE permissions to update daemonsets.An attacker can update daemonsets to contain containers that execute malicious code within a cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to update deploymentsGKE permissions to update deployments.An attacker can update a deployment to contain malicious components leading to cluster compromise.
    Permissive AccessGKE permissions to update ingressesGKE permissions to update ingresses.An attacker can update ingresses to expose internal services, which can lead to cluster compromise.
    Permissive AccessGKE permissions to update jobsGKE permissions to update jobs.An attacker can update cronjobs to contain containers that execute malicious code within a cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to update replicasetsGKE permissions to update replicasets.An attacker can update replicasets to contain containers that execute malicious code within a cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to update replication controllersGKE permissions to update replication controllers.An attacker can update replication controllers containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Permissive AccessGKE permissions to update statefulsetsGKE permissions to update statefulsets.An attacker can update a statefulset to contain malicious components leading to cluster compromise.
    Identity & Access ManagementGKE pods permissionsGKE any pods permission.An attacker can create, delete, get, list and update any pod.
    Identity & Access ManagementGKE replicaSets permissionsGKE any replicasets permission.An attacker can create, delete, get, list and update any replicasets.
    Identity & Access ManagementGKE replicationControllers permissionsGKE any replicationControllers permission.An attacker can create, delete, get, list and update any replicationController.
    Identity & Access ManagementGKE secrets permissionsGKE any secrets permission.An attacker can create, delete, get, list and update any secret.
    Identity & Access ManagementGKE statefulSets permissionsGKE statefulSets permissions.An attacker can create, delete, get, list and update any statefulSet.
    Permissive AccessIAM principal with set IAM policy permission on compute instancesA GCP Identity with permissions to set an IAM policy for compute instances.An attacker with the setIamPolicy on a compute instance will be able to modify the IAM policy of the instance, granting himself additional privileges at the resource level. If this permission is given at the project level, the attacker will be able to change all the project instances' policies. This method could range from full access to a specific instance to full administrator access to the project.
    Permissive AccessIAM principal with set IAM policy permission on service accountsA GCP Identity with permissions to set an IAM policy for service accounts.An attacker with the setIamPolicy on a service account will be able to modify the IAM policy of the resource, granting himself additional privileges at the resource level. If this permission is given at the project level, the attacker will be able to change all the project service accounts' policies and give himself access to the strongest ones. This method could range from full access to a specific resource to full administrator access to the project depending on the permissions of the service account.
    Permissive AccessIAM principal with set IAM policy permission on storage bucketsA GCP Identity with permissions to set an IAM policy for storage buckets.An attacker with the setIamPolicy on a storage bucket will be able to modify the IAM policy of the bucket, granting himself additional privileges at the resource level. If this permission is given at the project level, the attacker will be able to change all the project buckets' policies. This method could range from full access to a specific bucket to full storage access to the project.
    Permissive AccessIAM with Create cloud function with service account permissionA GCP identity with permissions to create and call a cloud function with an assigned service account.An attacker with the iam.serviceAccounts.actAs, cloudfunctions.functions.create, cloudfunctions.functions.sourceCodeSet and cloudfunctions.functions.call will be able to create a new cloud function with a specified service account. The function, when invoked, can access the metadata API and return the associated service account's access token. This method could range from no privilege escalation to full access to the project, depending on the service account's permissions.
    Permissive AccessIAM with Create cloud scheduler with service account permissionA GCP identity with permissions to create a cloud scheduler job.An attacker with the iam.serviceAccounts.actAs and >cloudscheduler.jobs.create permissions will be able to create jobs that send requests to *.googleapis.com endpoints. These requests can be authenticated as a specific service account. To escalate privileges with this method, the attacker needs to create an HTTP request of the action he wants to perform.
    Permissive AccessIAM with Create compute instance with service account permissionA GCP identity with permissions to create a new compute instance with a specified service account.An attacker with the iam.serviceAccounts.actAs and with permissions to create a new instance will be able to create an instance with a specified service account and get its access token. This method could range from no privilege escalation to full access to the project, depending on the service account's permissions.
    Permissive AccessIAM with Create Deployments permissionA GCP Identity with permissions to create a deployment in the deployment manager service.An attacker with the deploymentmanager.deployments.create permission can gain the Editor role permissions on the project. This permission lets you launch new deployments of resources into GCP as the PROJECT-NUMBER@ cloudservices.gserviceaccount.com service account, which, by default, is granted the Editor role on the project.
    Permissive AccessIAM with Create service account key permissionA GCP Identity with permissions to create a service account key.An attacker with the iam.serviceAccountKeys.create permission can create a user-managed key for a Service Account that will allow him to access GCP as that Service Account. This method could range from no privilege escalation to full access to the project, depending on the service account's permissions.
    Permissive AccessIAM with Create service usage API key permissionA GCP identity with permissions to create API keys.An attacker with the serviceusage.apiKeys.create permission will be able to create an API key, that is unrestricted by default, and use it to authenticate with GCP's APIs. By that, he can gain access to the entire GCP project.
    Permissive AccessIAM with Create storage HMAC keys permissionA GCP identity with permission to create HMAC keys.An attacker with the storage.hmacKeys.create permission will be able to create an hmac key for a specified service account, and use it for authentication. Depending on the service account's permissions, this method could range from no privilege escalation to full storage access.
    Permissive AccessIAM with Get service account access token permissionA GCP Identity with permissions to get a service account's access tokenAn attack with the iam.serviceAccounts.getAccessToken permission will be able to get an access token that belongs to a specified service account and gain its permissions. Depending on the service account's permissions, this method could range from no privilege escalation to full administrator access to the account.
    Permissive AccessIAM with List service usage API keys permissionA GCP identity with permissions to get an existing API key.An attacker with the serviceusage.apiKeys.list and apikeys.keys.getKeyString permissions will be able to get all the API keys in the project. If there is an unrestricted key, the attacker will gain full access to the project.
    Permissive AccessIAM with Set IAM policy permission on the projectA GCP Identity with permissions to set an IAM policy for the project.An attacker with the setIamPolicy on a project will be able to modify the IAM policy of the resource, granting himself additional privileges. This method could lead to full administrator access to the project.
    Permissive AccessIAM with Sign service account blob permissionA GCP Identity with permission to sign a blob.An attack with the iam.serviceAccounts.signBlob permission will be able to create a signed blob that requests an access token from a specified service account. Depending on the service account's permissions, this method could range from no privilege escalation to full administrator access to the account.
    Permissive AccessIAM with Sign service account JWT permissionA GCP Identity with permission to sign a JWT (JSON web token).An attack with the iam.serviceAccounts.signJwt permission will be able to sign and request an access token of a specified service account. Depending on the service account's permissions, this method could range from no privilege escalation to full administrator access to the account.
    Permissive AccessIAM with Update cloud function with service account permissionA GCP identity with permissions to update an existing cloud function and its assigned service account.An attacker with the iam.serviceAccounts.actAs, cloudfunctions.functions.update and cloudfunctions.functions.sourceCodeSet permissions will be able to update an existing cloud function and even switch its service account to a function that accesses the metadata API and retrieves the associated service account's access token. This method could range from no privilege escalation to full access to the project, depending on the service account's permissions.
    Permissive AccessIAM with Update IAM Role permissionA GCP Identity with permissions to update an IAM role.An attacker with the iam.role.updatepermission and a custom role assigned will be able to add permissions to the role, and by that gain more privileges or even full privileges on the project.
    Permissive AccessService Account With Editor RoleService Account with editor permissions on the project.An attacker with access to the service account will be able to perform most of the actions in the project.
    Permissive AccessService Account With Owner RoleService Account with owner permissions on the project.An attacker with access to the service account will be able to perform any action in the project.
    Permissive AccessUser With Editor RoleUser with editor permissions on the project.An attacker with access to the user will be able to perform most of the actions in the project.
    Permissive AccessUser With Owner RoleUser with owner permissions on the project.An attacker with access to the user will be able to perform any action in the project.
    Insecure ConfigurationsProject With Interactive Serial Console EnabledProject VM interactive serial console is enabled and does not support IP-based access restrictions.Attacker can attempt to connect to the instance's serial console from any IP address.
    Pub/Sub

    Pub/Sub

    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementCompute Engine Instance Default Service Account With Owner RoleCompute Engine default service account with owner permissions on the project.An attacker with access to a compute engine that is attached to the default service account will have full access to the project.
    Identity & Access ManagementCompute Instance Default Service Account With Editor RoleCompute Engine default service account with editor permissions on the project.An attacker with access to a compute engine that is attached to the default service account will be able to perform unauthorized actions in your project.
    Identity & Access ManagementService Account With Editor RoleService Account with editor permissions on the project.An attacker with access to the service account will be able to perform most of the actions in the project.
    Identity & Access ManagementService Account With Owner RoleService Account with owner permissions on the project.An attacker with access to the service account will be able to perform any action in the project.
    Identity & Access ManagementUser With Editor RoleUser with editor permissions on the project.An attacker with access to the user will be able to perform most of the actions in the project.
    Identity & Access ManagementUser With Owner RoleUser with owner permissions on the project.An attacker with access to the user will be able to perform any action in the project.
    Insecure ConfigurationsPub/Sub Topic Without Customer Managed Encryption Key (CMEK)Pub/Sub topic without customer-managed encryption key (CMEK).With no customer-managed encryption key (CMEK), an attacker can manage message encryption and decryption process.
    IAM (Identity and Access Management)

    IAM (Identity and Access Management)

    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementIAM principal with set IAM policy permission on service accountsA GCP Identity with permissions to set an IAM policy for service accounts.An attacker with the setIamPolicy on a service account will be able to modify the IAM policy of the resource, granting himself additional privileges at the resource level. If this permission is given at the project level, the attacker will be able to change all the project service accounts' policies and give himself access to the strongest ones. This method could range from full access to a specific resource to full administrator access to the project depending on the permissions of the service account.
    Identity & Access ManagementIAM with Create service account key permissionA GCP Identity with permissions to create a service account key.An attacker with the iam.serviceAccountKeys.create permission can create a user-managed key for a Service Account that will allow him to access GCP as that Service Account. This method could range from no privilege escalation to full access to the project, depending on the service account's permissions.
    Identity & Access ManagementIAM with Get service account access token permissionA GCP Identity with permissions to get a service account's access tokenAn attack with the iam.serviceAccounts.getAccessToken permission will be able to get an access token that belongs to a specified service account and gain its permissions. Depending on the service account's permissions, this method could range from no privilege escalation to full administrator access to the account.
    Identity & Access ManagementIAM with Sign service account blob permissionA GCP Identity with permission to sign a blob.An attack with the iam.serviceAccounts.signBlob permission will be able to create a signed blob that requests an access token from a specified service account. Depending on the service account's permissions, this method could range from no privilege escalation to full administrator access to the account.
    Identity & Access ManagementIAM with Sign service account JWT permissionA GCP Identity with permission to sign a JWT (JSON web token).An attack with the iam.serviceAccounts.signJwt permission will be able to sign and request an access token of a specified service account. Depending on the service account's permissions, this method could range from no privilege escalation to full administrator access to the account.
    Cloud SQL

    Cloud SQL

    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsCloud PostgreSQL Instance Without 'point-in-time' RecoveryPostgreSQL instance without point-in-time recovery.Point-in-time recovery helps you recover an instance to a specific point in time. For example, if an error causes a loss of data, you can recover a database to its state before the error occurred.
    Insecure ConfigurationsCloud SQL Instance Connection Logs DisabledSQL instance without connection logs enabled.The "log_connections" flag causes each attempted connection to the server to be logged, as well as successful completion of both client authentication (if necessary) and authorization. By default this option is set to "off", allowing attackers to login to the instance without leaving a trace.
    Insecure ConfigurationsCloud SQL Instance Without Automatic BackupSQL instance without automatic backup configuration.Backups protect your data from loss or damage.
    Insecure ConfigurationsCloud SQL Instance Without SSL EncryptionSQL instance without SSL encryption configured.
    Unsecured connections are allowed to connect to this instance.
    Insecure ConfigurationsGCP PostgreSQL Instance Flag 'cloudsql.allowpasswordless local_connections' is OnSetting the "cloudsql.allowpasswordless local_connections" to 'on' enables local connections without a password.An attacker gains access to the local network and connect to a user since there is no need for a password.
    Insecure ConfigurationsGCP PostgreSQL Instance Flag 'cloudsql.iam_authentication' is OffTurning off 'cloudsql.iam_authentication' in GCP PostgreSQL relies solely on traditional authentication, potentially weakening IAM security integration.An attacker who gains access to database credentials could potentially impersonate a user without the added security of IAM authentication checks. This could lead to unauthorized data access, manipulation, or even malicious actions within the database, compromising data security.
    Insecure ConfigurationsGcp Sql Instance Flag 'check_proxy_users' is Off'check_proxy_users' flag off in GCP SQL risks unauthorized access by proxy users, compromising security.An attacker who gains access to a proxy user's credentials could potentially impersonate the proxy user without proper authentication checks. This could allow the attacker to perform unauthorized actions, access sensitive data, and potentially exploit the lack of authentication verification to compromise the integrity and security of the database.
    Insecure ConfigurationsGCP SQL Instance Flag 'default_password_lifetime' is set to 0Setting 'default_password_lifetime' to 0 in GCP SQL risks prolonged use of unchanged passwords, heightening the potential for unauthorized access and security breaches.An attacker could gain access to a user's password and maintain unauthorized access indefinitely without password expiration. This increases the likelihood of undetected and prolonged data breaches.
    Insecure ConfigurationsGcp SQL Instance Flag 'disconnect_on_expired_password' is OffTurning 'disconnect_on_expired_password' off in GCP SQL allows users with expired passwords continued access, risking unauthorized and insecure access.An attacker who obtains the login credentials of a user with an expired password could continue to access the database. This could lead to unauthorized data manipulation, data theft, or even malicious actions within the database, compromising data security and integrity.
    Insecure ConfigurationsGCP SQL Instance Flag 'local_infile' is On'local_infile' flag in GCP SQL increases risk of data exposure and unauthorized access via local file loading.An attacker with access to the database could potentially exploit the feature to load malicious files from their local system into the database.
    Insecure ConfigurationsGCP SQL Instance Flag 'mysqlnative_password proxy_users' is OffThis variable controls whether the mysql_native_password built-in authentication plugin supports proxy users. It has no effect unless the check_proxy_users system variable is enabled.An attacker who gains access to a proxy user account is not authorized and connects to the account.
    Insecure ConfigurationsGCP SQL Instance Flag 'password_require_current' is OffA GCP SQL instance "password_require_current" flag is set to "off".An attacker, taking advantage of the flag being off, changes a password without the need to know the old password, thereby gaining access to the account.
    Insecure ConfigurationsGCP SQL Instance Flag 'skip_show_database' is OffTurning 'skip_show_database' off in GCP SQL risks exposing database and schema details, facilitating unauthorized enumeration and targeted attacks.An attacker could potentially use the SHOW DATABASES command to enumerate available databases and gain insights into the database schema. This knowledge could aid them in crafting more effective and targeted attacks.
    Insecure ConfigurationsGCP SQL is Not Using CMKGCP SQL instance without CMK.In a scenario where a GCP SQL instance is not using Customer-Managed Keys (CMK), an attacker who gains unauthorized access to Google's managed encryption keys or exploits vulnerabilities in Google's key management infrastructure could potentially decrypt and access sensitive data stored in the SQL database, leading to data breaches and confidentiality breaches.
    Insecure ConfigurationsGCP SQL Without Password PolicyNo password policy in GCP SQL increases the risk of weak passwords and unauthorized access, compromising data security.An attacker could potentially perform brute-force attacks or use common passwords to guess weak passwords associated with the database, granting them unauthorized access to the data and compromising the security and integrity of the system.
    Public ExposureCloud SQL Instance Allows Network Connection From Any IP (0.0.0.0/0)SQL instance with an authorized network of 0.0.0.0/0This prefix will allow any IPv4 client to pass the network firewall and make login attempts to your instance, including clients you did not intend to allow.
    Public ExposureGCP SQL is Not Using Private IpGCP SQL instance is Not Using Private Ip.Without a private IP in GCP SQL, an attacker could potentially intercept sensitive database traffic over the public network, leading to data exposure.
    Storage Bucket

    Storage Bucket

    CategoryRisk NameDescriptionAttack Scenario
    Data SecurityCloud Storage Bucket Contains Potentially Public ObjectsThis risk identifies a Google Cloud Storage bucket that contains objects that may be publicly accessible, thereby potentially enabling any internet user to access them. Potentially shared objects in a storage bucket can heighten the risk of unauthorized data access and potential data breaches. It's recommended to review these objects and their access controls, and if public access is not required, promptly update their permissions to secure your data.An attacker can maybe access some objects in the bucket leading to data exposure.
    Data SecurityStorage Bucket Publicly AccessibleThis risk points to a Google Cloud Storage bucket configured as publicly accessible, potentially making it reachable by any internet user. Publicly accessible storage buckets can significantly increase the risk of unauthorized data access and potential data breaches. It's recommended to verify whether such public access is necessary and, if not, promptly restrict access to strengthen your data security.An attacker can access this bucket and compromise your data.
    Data SecurityStorage Bucket Without EncryptionThis risk signifies a Google Cloud Storage bucket that lacks encryption, a critical security measure to protect sensitive data from unauthorized access. Unencrypted Storage buckets can raise the risk of data exposure or misuse. It's strongly advised to enable encryption to safeguard your data and comply with security best practices and regulations.An attacker can access this bucket and compromise your data
    Identity & Access ManagementIAM principal with set IAM policy permission on storage bucketsA GCP Identity with permissions to set an IAM policy for storage buckets.An attacker with the setIamPolicy on a storage bucket will be able to modify the IAM policy of the bucket, granting himself additional privileges at the resource level. If this permission is given at the project level, the attacker will be able to change all the project buckets' policies. This method could range from full access to a specific bucket to full storage access to the project.
    Identity & Access ManagementService Account With Editor RoleService Account with editor permissions on the project.An attacker with access to the service account will be able to perform most of the actions in the project.
    Identity & Access ManagementService Account With Owner RoleService Account with owner permissions on the project.An attacker with access to the service account will be able to perform any action in the project.
    Identity & Access ManagementUser With Editor RoleUser with editor permissions on the project.An attacker with access to the user will be able to perform most of the actions in the project.
    Identity & Access ManagementUser With Owner RoleUser with owner permissions on the project.An attacker with access to the user will be able to perform any action in the project.
Oracle Cloud Infrastructure (OCI) - click to collapse

Oracle Cloud Infrastructure (OCI)

Click on a service name below to view a table of the risks Panoptica detects in OCI, along with brief descriptions and attack scenarios.

    DB System

    DB System

    CategoryRisk NameDescriptionAttack Scenario
    Data SecurityOracle Autonomous Databases Publicly AccessibleAutonomous database with a cidr address of 0.0.0.0/0.An attacker might be able to access the database from any IP address.
    Data SecurityOracle Database Auto Backup DisabledDatabase without automatic backup configuration.It is a best practice to enable continuous backups for your databases.
    Data SecurityOracle Database Without EncryptionUnencrypted database.An attacker can access the data stored in your database.
    Insecure ConfigurationsAutonomous Oracle Database Without mTLSmTLS is not required for the database.mTLS helps ensure that traffic is secure and trusted in both directions between a client and server.
    Policy

    Policy

    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementAdministator permissions over tenancyAdministator access over tenancy.An attacker with administrator permissions can perform any action on any resource in the environment.
    Identity & Access ManagementManage cluster-family permission in compartmentPermission to manage cluster-family in compartment.An attacker with manage cluster-family access has full access to container engine for kubernetes resources in the compartment.
    Identity & Access ManagementManage cluster-family permission in tenancyPermission to manage cluster-family in tenancy.An attacker with manage cluster-family access has full access to container engine for kubernetes resources in tenancy.
    Identity & Access ManagementManage database-family permission in compartmentPermission to manage database-family in compartment.An attacker with manage database-family access has full access to database resources in the compartment.
    Identity & Access ManagementManage database-family permission in tenancyPermission to manage database-family in tenancy.An attacker with manage database-family access has full access to database resources in tenancy.
    Identity & Access ManagementManage DNS permission in compartmentPermission to manage DNS in compartment.An attacker with manage DNS access has full access to DNS resources in the compartment.
    Identity & Access ManagementManage DNS permission in tenancyPermission to manage DNS in tenancy.An attacker with manage DNS access has full access to DNS resources in tenancy.
    Identity & Access ManagementManage instance-family permission in compartmentPermission to manage instance-family in compartment.An attacker with manage instance-family access has full access to instance resources in the compartment.
    Identity & Access ManagementManage instance-family permission in tenancyPermission to manage instance-family in tenancy.An attacker with manage instance-family access has full access to instance resources in tenancy.
    Identity & Access ManagementManage object-family permission in compartmentPermission to manage object-family in compartment.An attacker with manage object-family access has full access to bucket and object resources in the compartment.
    Identity & Access ManagementManage object-family permission in tenancyPermission to manage object-family in tenancy.An attacker with manage object-family access has full access to buckets and objects resources in tenancy.
    Identity & Access ManagementManage policies permission in tenancyPermission to manage policies in tenancy.An attacker with 'manage' permission over policies in the tenancy can exploit this permission and perform privilege escalation by creating a policy with higher permissions and assign its group to be part of it.
    Identity & Access ManagementManage users permission in tenancyPermission to manage users in tenancy.An attacker with 'manage' users permission can perform any action on users in the environment such as resetting passwords, leading to privilege escalation.
    Identity & Access ManagementUse all resources permission in tenancyPermission to use all resources in tenancy.An attacker with 'use' permission over all resources in the tenancy can exploit this permission and perform privilege escalation.
    Storage Bucket

    Storage Bucket

    CategoryRisk NameDescriptionAttack Scenario
    Data SecurityObject Storage Bucket Publicly AccessibleThis risk identifies an Oracle Cloud Storage bucket configured to be publicly accessible, potentially making it reachable by any internet user. Publicly accessible buckets significantly raise the risk of unauthorized data access and potential data breaches. It's recommended to ascertain the necessity of such public access, and if it's not required, promptly restrict access to bolster your data security.An attacker can access the bucket and objects leading to data exposure.
    Data SecurityObject Storage Bucket Without EncryptionThis risk indicates an Oracle Cloud Storage bucket not configured for encryption, a vital security measure to safeguard sensitive data from unauthorized access. Unencrypted buckets can increase the risk of data exposure or misuse. It's strongly recommended to enable encryption to secure your data and adhere to security best practices and compliance regulations.An attacker can access this bucket and compromise stored data.
    User

    User

    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementUser Without MFAThis risk highlights an Oracle Cloud user who doesn't have Multi-Factor Authentication (MFA) enabled. MFA offers an added layer of security by requiring more than just a password for user authentication. An absence of MFA exposes the user's account to a heightened risk of unauthorized access. It's strongly advised to enable MFA for all users to strengthen account security within Oracle Cloud.An attacker can bypass authentication with a password only.
Kubernetes - click to collapse

Kubernetes

Click on a service name below to view a table of the risks Panoptica detects in Kubernetes clusters, along with brief descriptions and attack scenarios.

    API Endpoint

    API Endpoint
    CategoryRisk NameDescriptionAttack Scenario
    Public ExposurePublicly Exposed AssetPublic API endpoint with authentication issues that has a PII in the response.An attacker can leverage the authentication issue to access the endpoint and obtain the PII returned in the response.

    Cluster Role

    Cluster Role
    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementCluster Role With Attach Pods PermissionsOWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Create CronJobs PermissionsA cluster role that allows to create cronjobs in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Create DaemonSets PermissionsA cluster role that allows to create daemonsets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Create Deployments PermissionsA cluster role that allows to create deployments in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Create Jobs PermissionsA cluster role that allows to create jobs in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Create Mutating Webhook Configuration PermissionsA cluster role that allows create mutating webhook configurations resource in the cluster. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access ManagementCluster Role with Create or Wildcard Permissions to the LocalSubjectAccessReview ResourceA Cluster role with Create or Wildcard Permissions to the LocalSubjectAccessReview Resource.An attacker with access to this cluster role can map users and their associated permissions within a namespace in the cluster.
    Identity & Access ManagementCluster Role with Create or Wildcard Permissions to the SubjectAccessReview ResourceA Cluster role with Create or Wildcard Permissions to the SubjectAccessReview Resource.An attacker with access to this cluster role can map users and their associated permissions within the cluster.
    Identity & Access ManagementCluster Role with Create or Wildcard Permissions to the TokenRequest ResourceA Cluster role with Create or Wildcard Permissions to the TokenRequest Resource.An attacker with access to this cluster role can request tokens for any service account in the cluster. Service account tokens are used to authenticate requests to the Kubernetes API server, and if an attacker has access to those tokens, they can use them to impersonate service accounts and gain access to privileged resources and actions. This could give the attacker the ability to modify or delete any resource in the cluster, potentially leading to a full compromise of the cluster.
    Identity & Access ManagementCluster Role With Create ReplicaSets PermissionsA cluster role that allows to create replicasets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Create Replication Controllers PermissionsA cluster role that allows to create replicationcontrollers in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Create RoleBinding PermissionsA cluster role that allows to create a role binding to any role in the cluster. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn attacker can leverage this permission to create a binding between its identity and a strong role in the cluster.
    Identity & Access ManagementCluster Role With Create RoleBinding/ClusterRoleBinding PermissionsA cluster role in Kubernetes with permission to create a cluster role binding. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn attacker with access to that cluster role can escalate his privileges by binding the service account or user to the cluster-admin cluster role or a different cluster role with higher permissions.
    Identity & Access ManagementCluster Role With Create StatefulSets PermissionsA cluster role that allows to create statefulsets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Create Validating Webhook Configuration PermissionsA cluster role that allows create validating webhook configurations resource in the cluster. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access ManagementCluster Role With Delete Deployments PermissionsA cluster role that allows to delete deployments in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Delete Mutating Webhook Configuration PermissionsA cluster role that allows delete mutating webhook configurations resource in the cluster. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access ManagementCluster Role With Delete Namespaces PermissionsCluster role with delete namespaces in cluster. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAttacker with delete namespace permission can delete any namespace in the cluster include the running pods in the namespace.
    Identity & Access ManagementCluster Role With Delete Validating Webhook Configuration PermissionsA cluster role that allows delete validating webhook configurations resource in the cluster. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access ManagementCluster Role With Delete/DeleteCollection Secrets PermissionsA cluster role that allows to delete or deletecollection secrets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Exec Pods PermissionsOWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role with Full Permissions to any Resources on Non-K8s Core or Wildcard API GroupsA cluster role has full permissions for any resource on API groups other than wildcard or the K8s core API.An attacker with access to this cluster role can perform any action against the API groups defined in this cluster role. Possibly escalate his privileges and move laterally within the cluster.
    Identity & Access ManagementCluster Role with Get and Create Permissions to the Nodes/Proxy ResourceA cluster role with Get and Create permissions to the nodes/proxy resource.An attacker that has access to a principal with the Get, Create permissions on the nodes/proxy resource can communicate with the Node’s Kubelet API directly and possibly escalate it's privileges to a cluster admin.
    Identity & Access ManagementCluster Role With Patch Mutating Webhook Configuration PermissionsCluster role with patch mutating webhook configuration in cluster. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access ManagementCluster Role With Patch Validating Webhook Configuration PermissionsCluster role with patch validating webhook configuration in cluster. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access ManagementCluster Role with Permissions to Change ConfigmapsA cluster role that allows to update or patch configmaps in the cluster.An attacker with access to this cluster role can alter configmaps in the cluster.
    Identity & Access ManagementCluster Role with Permissions to Change Service AccountsA cluster role with permissions to change service accounts.An attacker with access to this cluster role can alter service accounts in the cluster.
    Identity & Access ManagementCluster Role with Permissions to Create ConfigmapsA cluster role that allows to create configmaps in the cluster.An attacker with access to this cluster role can create configmaps in the cluster.
    Identity & Access ManagementCluster Role with Permissions to Create NodesA cluster role with permissions to create nodes.An attacker with access to this cluster role can create nodes in the cluster.
    Identity & Access ManagementCluster Role with Permissions to Create Service AccountsA cluster role with permissions to create service accounts.An attacker with access to this cluster role can create service acconts in the cluster.
    Identity & Access ManagementCluster Role with Permissions to Delete ConfigmapsA cluster role that allows to delete configmaps in the cluster.An attacker with access to this cluster role can delete configmaps in the cluster.
    Identity & Access ManagementCluster Role with Permissions to Delete NodesA cluster role with permissions to delete nodes.An attacker with access to this cluster role can delete nodes in the cluster.
    Identity & Access ManagementCluster Role with Permissions to Delete Service AccountsA cluster role with permissions to delete service accounts.An attacker with access to this cluster role can delete service accounts in the cluster.
    Identity & Access ManagementCluster Role with Permissions to Read ConfigmapsA cluster role with permissions to read or list Configmaps.An attack with access to this cluster role can read or list configmaps in the cluster.
    Identity & Access ManagementCluster Role with Permissions to Read Service AccountsA cluster role with permissions to read service accounts.An attacker with access to this cluster role can read service accounts in the cluster.
    Identity & Access ManagementCluster Role with Permissions to Update NodesA cluster role with permissions to update nodes.An attacker with access to this cluster role can update nodes in the cluster.
    Identity & Access ManagementCluster Role With Update CronJobs PermissionsA cluster role that allows to update cronjobs in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Update DaemonSets PermissionsA cluster role that allows to update daemonsets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Update Deployments PermissionsA cluster role that allows to update deployments in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Update Jobs PermissionsA cluster role that allows to update jobs in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Update ReplicaSets PermissionsA cluster role that allows to update replicasets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Update Replication Controllers PermissionsA cluster role that allows to update replicationcontrollers in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Update StatefulSets PermissionsA cluster role that allows to update statefulsets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Update\Patch Secrets PermissionsA cluster role that allows to update or patch secrets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With View Secrets PermissionsA cluster role that allows to list and view all secrets in the cluster. OWASP K03:2022 Overly Permissive RBAC ConfigurationsOnce there is a single account in the cluster with the cluster-admin role binding, an attacker with access to that cluster role can steal the admin’s token and escalate his privileges to the highest cluster privileges.
    Identity & Access ManagementCluster Role With View Secrets PermissionsA cluster role that allows to get any secret in the cluster. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn attacker can leverage this permission to obtain a secret value and move lateraly inside the cluster.
    Identity & Access ManagementCluster Role With Wildcard Create PermissionsA cluster role that allows to create any resource in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard CronJobs PermissionA cluster role that allows to perform any action on cronjobs in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard DaemonSets PermissionsA cluster role that allows to perform any action on daemonsets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard Delete Collection PermissionsA cluster role that allows to deletecollection of any resource in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard Delete PermissionsA cluster role that allows to delete any resource in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard Deployments PermissionsA cluster role that allows to perform any action on deployments in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard Impersonate PermissionsA cluster role that allows to impersonate any resource in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard Jobs PermissionA cluster role that allows to perform any action on jobs in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard List PermissionsA cluster role that allows to list any resource in the Kubernetes cluster, including secrets. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn attacker with access to this cluster role can escalate privileges by listing powerful secrets and using their value. It is possible to obtain a secret token belongs to a service account with cluster-admin privileges.
    Identity & Access ManagementCluster Role With Wildcard Mutating Webhook Configurations PermissionsA cluster role that allows any action on mutating webhook configurations resource in the cluster. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized
    Identity & Access ManagementCluster Role with Wildcard Permissions to any Resources on Non-K8s Core or Wildcard API GroupsA cluster role with wildcard permissions for any resource on API groups other than wildcard or the K8s core API.An attacker with access to this cluster role can perform any action against the API groups defined in this cluster role. Possibly escalate his privileges and move laterally within the cluster.
    Identity & Access ManagementCluster Role With Wildcard Pods PermissionsA cluster role that allows to perform any action on pods in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard ReplicaSets PermissionA cluster role that allows to perform any action on replicasets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard Replication Controllers PermissionA cluster role that allows to perform any action on replicationcontrollers in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard Secrets PermissionsA cluster role with a wildcard in the verbs section on secrets resource. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn attacker with access to that cluster role can view or edit all secrets in the cluster, and escalate his privileges using different methods to take over the cluster control by getting an admin secret.
    Identity & Access ManagementCluster Role With Wildcard StatefulSets PermissionsA cluster role that allows to perform any action on statefulsets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard Validating Webhook Configurations PermissionsA cluster role that allows any action on validating webhook configurations resource in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementCluster Role With Wildcard Verbs PermissionsA cluster role with a wildcard in the verbs section. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn attacker with access to that cluster role can execute any action against the resources defined in that cluster role, and escalate his privileges using different methods to take over the cluster control.
    Identity & Access ManagementCluster Role With Wildcard View PermissionsA cluster role that allows to get any resource in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations
    Identity & Access ManagementUser With Impersonate Group PermissionsA user with permission to Impersonate a group. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn attacker with access to a service account with permissions to impersonate a privileged group may escalate his privileges to gain higher access permissions in the cluster.

    Cluster Role Binding

    Cluster Role Binding
    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementCluster Role Binding Allows Unauthenticated AccessClusterRoleBinding with 'system:unauthenticated' group allow to users are related to this group to perform the actions in the matched role. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAttacker can perform action in the cluster without to authenticate.
    Identity & Access ManagementCluster role binding of service account to wildcard cluster roleOWASP K03:2022 Overly Permissive RBAC Configurations

    Deployment

    Deployment
    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsKubernetes Dashboard With 'enable-skip-login'' EnabledKubernetes-dashboard was found with an "enable-skip-login" parameter enabled.While this parameter is enabled, Users can access the Kubernetes-dashboard without providing authentication details. OWASP K09:2022 Misconfigured Cluster ComponentsAn attacker with network access to the Kubernetes-dashboard can take advantage of this configuration and get information about the cluster and its workloads.

    Pod

    Pod
    CategoryRisk NameDescriptionAttack Scenario
    Credentials ExposureContainer With Mounted SecretK8s secret is mounted inside a container path.
    OWASP K01:2022 Insecure Workload Configurations
    An attacker might use the secret value to laterally move inside the K8s cluster.
    Insecure ConfigurationsContainer Running As Root GroupContainer running as root group.
    OWASP K01:2022 Insecure Workload Configurations
    An attacker with access to the container can use different methods to escape the container and have root privileges on the host.
    Insecure ConfigurationsContainer Running As Root UserContainer running as root user. OWASP K01:2022 Insecure Workload Configurations An attacker with access to the container can use different methods to escape the container and have root privileges on the host.
    Insecure ConfigurationsContainer With '/etc' Path MountedA container with a risky hostPath mount - mount to the /etc folder in the host filesystem.
    OWASP K01:2022 Insecure Workload Configurations
    An attacker with access to that container can access the host's sensitive information and secret configuration in the host filesystem.
    Insecure ConfigurationsContainer With '/root' Path MountedA container with a risky hostPath mount - mount to the host /root folder.
    OWASP K01:2022 Insecure Workload Configurations
    An attacker with access to that container can access the host's sensitive information and other containers running on the same host.
    Insecure ConfigurationsContainer With '/var' Path MountedA container with a risky hostPath mount - mount to the host /var folder.
    OWASP K01:2022 Insecure Workload Configurations
    An attacker with access to that container can access the host's sensitive information and other containers running on the same host.
    Insecure ConfigurationsContainer With '/var/lib/kubelet/pods' Path MountedA container with a risky hostPath mount - mount to the host /var/lib folder. OWASP K01:2022 Insecure Workload Configurations An attacker with access to that container can access the host's sensitive information and other containers running on the same host.
    Insecure ConfigurationsContainer With AllowPrivilegeEscalationContainer running with AllowPrivilegeEscalation flag set to true.
    OWASP K01:2022 Insecure Workload Configurations
    The allowPrivilegeEscalation is part of the Pod Security Policy Parameters. The allowPrivilegeEscalation Gates whether or not a user is allowed to set the security context to allowPrivilegeEscalation=true in a container. This defaults to allowed so as not to break setuid binaries. An attacker with access to the container can gain more privileges than the container parent.
    Insecure ConfigurationsContainer With Full File System MountedA container with mount of root directory.
    OWASP K01:2022 Insecure Workload Configurations
    An attacker with access to that container can access the host and escape the container to gain higher privileges.
    Insecure ConfigurationsContainer With Privileged ModeContainer running in privileged mode.
    OWASP K01:2022 Insecure Workload Configurations
    An attacker with access to the container can access all devices on the host.
    Insecure ConfigurationsContainer With Risky Path MountedA container with a risky hostPath mount - mount to the azure.json file.
    OWASP K01:2022 Insecure Workload Configurations
    An attacker with access to that container can access the host configuration file and use its service principal credentials to escalate his Azure subscription privileges.
    Insecure ConfigurationsContainer With CAP_SYS_ADMIN+K60Container with CAP_SYS_ADMIN capability. OWASP K01:2022 Insecure Workload Configurations CAP_SYS_ADMIN its capability that allow some sensetive action like mount, without any enabled security application attacker can get access to the host.
    Insecure ConfigurationsContainer Without Protection Against Root PrivilegedPod configuration without limition of user permission. No definition of runAsUser and runAsNonRoot values in securityContext.
    OWASP K01:2022 Insecure Workload Configurations
    Attacker with access to the cluser can execute command inside container with root permmisions, also attacker can leverege his permissions to container escapes.
    Insecure ConfigurationsContainer Without Read Only FilesystemContainer without read-only file system. Read-only filesystems are a key component to preventing container breakout.
    OWASP K01:2022 Insecure Workload Configurations
    A malicious process or application can write back to the host system.
    Insecure ConfigurationsContainer Without Resource LimitsA container without resource limits.
    OWASP K01:2022 Insecure Workload Configurations
    An attacker with access to a container without resource limits may cause a denial of service for the hosts it's running on.
    Insecure ConfigurationsPod With Apparmor DisabledOWASP K01:2022 Insecure Workload Configurations
    Insecure ConfigurationsPod With 'docker.sock' MountedContainer with docker.sock mounted.
    OWASP K01:2022 Insecure Workload Configurations
    Attacker with access to container that has docker.sock mounted can run any container on the node, perform container escape, privilege escalation or lateral movements.
    Insecure ConfigurationsPod With Full CapabilitiesPod gets all capabilities.
    OWASP K01:2022 Insecure Workload Configurations
    Attacker with access to pod with all capabilities can leverage for container escape.
    Insecure ConfigurationsPod With Log4j Vulnerable HotpatchAWS Hotpatch for Log4j Vulnerablity. This Hotpatch could be leveraged for container escape and privileged escalation
    OWASP K10:2022 Outdated and Vulnerable Kubernetes Components
    An attacker can perform conainer escape and get access to underlying host from every container in your cluster. Also, unprivileged processes can exploit the Hotpatch to escalate privileges and gain root code execution.
    Insecure ConfigurationsPod With '/proc' hostPath MountedA pod with a risky hostPath mount - mount to the host /proc directory.
    OWASP K01:2022<a href=""https://github.com/OWASP/www-project-kubernetes-top-ten/blob/main/2022/en/src/K01-insecure-workload-configurations.md""Insecure> Workload Configurations
    Mounting the '/proc' host path could allow an attacker to modify kernel variables, access sensitive data and even container escape.
    Insecure ConfigurationsPod With 'containerd.sock' MountedA pod with a risky hostPath mount - mount to the host /var/run/containerd/containerd.sock socket.
    OWASP K01:2022<a href=""https://github.com/OWASP/www-project-kubernetes-top-ten/blob/main/2022/en/src/K01-insecure-workload-configurations.md""Insecure> Workload Configurations
    An attacker with access to a worker node's 'containerd.sock' socket can interact with the containerd daemon. This would allow him to list and terminate running containers, resulting in a denial of service (DoS).
    Insecure ConfigurationsPod With '/dev' hostPath MountedA pod with a risky hostPath mount - mount to the host /dev directory.
    OWASP K01:2022<a href=""https://github.com/OWASP/www-project-kubernetes-top-ten/blob/main/2022/en/src/K01-insecure-workload-configurations.md""Insecure> Workload Configurations
    Mounting the '/dev' host path could allow an attacker to access to host's devices and even to breakout of the container.
    Insecure ConfigurationsPod With '/sys' hostPath MountedA pod with a risky hostPath mount - mount to the host /sys directory.
    OWASP K01:2022<a href=""https://github.com/OWASP/www-project-kubernetes-top-ten/blob/main/2022/en/src/K01-insecure-workload-configurations.md""Insecure> Workload Configurations
    Mounting the '/sys' host path could allow an attacker to modify kernel variables, access sensitive data and even container escape.

    Role

    Role
    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementCluster Role With View Secrets Permissions In NamespaceA role that allows to get secrets in the namespace. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn attacker can leverage this permission to obtain a secret value and move laterally inside the cluster.
    Identity & Access ManagementRole With Admin PermissionsA role with a wildcard in the verbs section. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAn attacker with access to that role can execute any action against the resources defined in that role, and escalate his privileges using different methods in the namespace.

    Role Binding

    Role Binding
    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementRole Binding Allows Anonymous AccessRoleBinding with 'system:anonymous' user allow to unauthenticated users to perform the actions in the role.Attacker can perform action in the specific namespace without to authenticate.
    Identity & Access ManagementRole Binding Allows Unauthenticated AccessRoleBinding with 'system:unauthenticated' group allow to users are related to this group to perform the actions in the matched role. OWASP K03:2022 Overly Permissive RBAC ConfigurationsAttacker can perform action in the specific namespace without to authenticate.
    Identity & Access ManagementRole Binding To Default Service AccountOWASP K03:2022 Overly Permissive RBAC Configurations
Source Code Management (SCM) - click to collapse

Source Code Management (SCM)

Click on a service name below to view a table of the risks Panoptica detects in your source code, along with brief descriptions and attack scenarios.

    GitHub Organization

    GitHub Organization
    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsTwo-Factor Authentication Should Be Enforced For The OrganizationThe two-factor authentication requirement is not enabled at the organization level. Regardless of whether users are managed externally by SSO, it is highly recommended to enable this option to reduce the risk of a deliberate or accidental user creation without MFA.If an attacker gets the valid credentials for one of the organization’s users they can authenticate to your GitHub organization.
    Insecure ConfigurationsDefault Workflow Token Permission Should Be Read OnlyThe default GitHub Action workflow token permission is set to read-write. When creating workflow tokens, it is highly recommended to follow the Principle of Least Privilege and force workflow authors to specify explicitly which permissions they need.In case of token compromise (due to a vulnerability or malicious third-party GitHub actions), an attacker can use this token to sabotage various assets in your CI/CD pipeline, such as packages, pull-requests, deployments, and more.
    Insecure ConfigurationsOrganization Webhooks Should Be Configured With A SecretWebhooks are not configured with a shared secret to validate the origin and content of the request. This could allow your webhook to be triggered by any bad actor with the URL.Not using a webhook secret makes the service receiving the webhook unable to determine the authenticity of the request.This allows attackers to masquerade as your organization, potentially creating an unstable or insecure state in other systems.
    Insecure ConfigurationsOrganization Should Have Fewer Than Three OwnersOrganization owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Organizational Admins to the minimum needed (recommended maximum 3 owners).1. An organization has a permissive attitude and provides an owner role to all developers.2. One of the developers has decided to collaborate with an evil ransomware gang, and uses his high privileges to add a malicious external collaborator3. The malicious collaborator, being an owner, has a wide range of destructive operations he can do (e.g. remove security settings)
    Insecure ConfigurationsWorkflows Should Not Be Allowed To Approve Pull RequestsThe default GitHub Actions configuration allows for workflows to approve pull requests. This could allow users to bypass code-review restrictions.Attackers can exploit this misconfiguration to bypass code-review restrictions by creating a workflow that approves their own pull request and then merging the pull request without anyone noticing, introducing malicious code that would go straight ahead to production.
    Insecure ConfigurationsOrganization Should Use Single-Sign-OnIt is recommended to enable access to an organization via SAML single sign-on (SSO) by authenticating through an identity provider (IdP). This allows for central account control and for timely access revocations.Not using an SSO solution makes it more difficult to track a potentially compromised user's actions accross different systems, prevents the organization from defining a common password policy, and makes it challenging to audit different aspects of the user's behavior.
    Insecure ConfigurationsRunner Group Should Be Limited to Private RepositoriesWorkflows from public repositories are allowed to run on GitHub Hosted Runners. When using GitHub Hosted Runners, it is recommended to allow only workflows from private repositories to run on these runners. to avoid being vulnerable to malicious actors using workflows from public repositories to break into your private network. In case of inadequate security measures implemented on the hosted runner, malicious actors could fork your repository and then create a pwn-request (a pull-request from a forked repository to the base repository with malicious intentions) that create a workflow that exploits these vulnerabilities and move laterally inside your network.Hosted runners are usually part of the organization's private network and can be easily misconfigured.If the hosted runner is insecurely configured, any GitHub user could:1. Create a workflow that runs on the public hosted runner2. Exploit the misconfigurations to execute code inside the private network
    Insecure ConfigurationsOnly Admins Should Be Able To Create Public RepositoriesThe organization should be configured to prevent non-admin members creating public repositories. Creating a public repository may expose sensitive organization code, which, once exposed, may be copied, cached or stored by external parties. Therefore, it is highly recommended to restrict the option to create public repositories to admins only and reduce the risk of unintentional code exposure. NOTE: You should also verify that repositories owners can't change existing repositories visibility to be public. If allowed, a malicious user could create a private repo and change it to public. See: https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization for further informationA member of the organization could inadvertently or maliciously make public an internal repository exposing confidential data.
    Insecure ConfigurationsRunner Group Should Be Limited to Selected RepositoriesNot limiting the runner group to selected repositories allows any user in the organization to execute workflows on the group's runners. In case of inadequate security measures implemented on the hosted runner, malicious insider could create a repository with a workflow that exploits the runner's vulnerabilities to move laterally inside your network.Hosted runners are usually part of the organization's private network and can be easily misconfigured.If the hosted runner is insecurely configured, any user in the organization could:1. Create a workflow that runs on the hosted runner2. Exploit the runner misconfigurations/known CVE's to execute code inside the private network
    Insecure ConfigurationsOrganization Admins Should Have Activity In The Last 6 MonthsA member with organizational admin permissions did not perform any action in the last 6 months. Admin users are extremely powerful and common compliance standards demand keeping the number of admins to a minimum. Consider revoking this member’s admin credentials by downgrading to regular user or removing the user completely.Stale admins are most likely not managed and monitored, increasing the possibility of being compromised.
    Insecure ConfigurationsGitHub Actions Should Be Limited To Verified or Explicitly Trusted ActionsIt is recommended to only use GitHub Actions by Marketplace verified creators or explicitly trusted actions. By not restricting which actions are permitted, developers may use actions that were not audited and may be malicious, thus exposing your pipeline to supply chain attacks.This misconfiguration could lead to the following attack:1. Attacker creates a repository with a tempting but malicious custom GitHub Action2. An innocent developer / DevOps engineer uses this malicious action3. The malicious action has access to the developer repository and could steal its secrets or modify its content
    Insecure ConfigurationsOrganization Webhooks Should Be Configured To Use SSLWebhooks that are not configured with SSL enabled could expose your software to man in the middle attacks (MITM).If SSL verification is disabled, any party with access to the target DNS domain can masquerade as your designated payload URL, allowing it freely read and affect the response of any webhook request.In the case of GitHub Enterprise Server instances, it may be sufficient only to control the DNS configuration of the network where the instance is deployed, as an attacker can redirect traffic to the target domain in your internal network directly to them, and this is often much easier than compromising an internet-facing domain.
    Insecure ConfigurationsOrganization Members Should Have Activity In The Last 6 MonthsA member did not perform any action in the last 6 months. Stale members can pose a potential risk if they are compromised. Consider removing the user's access completely.Stale members are most likely not managed and monitored, increasing the possibility of being compromised.
    Insecure ConfigurationsGitHub Actions Should Be Restricted To Selected RepositoriesBy not limiting GitHub Actions to specific repositories, every user in the organization is able to run arbitrary workflows. This could enable malicious activity such as accessing organization secrets, crypto-mining, etc.This misconfiguration could lead to the following attack:1. Prerequisite: the attacker is part of your GitHub organization2. Attacker creates new repository in the organization3. Attacker creates a workflow file that reads all organization secrets and exfiltrate them4. Attacker trigger the workflow5. Attacker receives all organization secrets and uses them maliciously
    Insecure ConfigurationsDefault Member Permissions Should Be RestrictedDefault repository permissions configuration is not set in the organization, thus every new repository will be accessible by default to all users. It is strongly recommended to remove the default permissions and assign them on demand.Organization members can see the content of freshly created repositories, even if they should be restricted.

    GitHub Repository

    GitHub Repository
    CategoryRisk NameDescriptionAttack Scenario
    Insecure ConfigurationsDefault Branch Should Restrict Who Can Dismiss ReviewsAny user with write access to the repository can dismiss pull-request reviews. Pull-request review contains essential information on the work that needs to be done and helps keep track of the changes. Dismissing it might cause a loss of this information and should be restricted to a limited number of users.Allowing the dismissal of reviews can promote poor and vulnerable code, as important comments may be forgotten and ignored during the review process.
    Insecure ConfigurationsDefault Branch Should Limit Code Review to Code-OwnersIt is recommended to require code review only from designated individuals specified in CODEOWNERS file. Turning this option on enforces that only the allowed owners can approve a code change. This option is found in the branch protection setting of the repository.A pull request may be approved by any contributor with write access. Specifying specific code owners can ensure review is only done by individuals with the correct expertise required for the review of the changed files, potentially preventing bugs and security risks.
    Insecure ConfigurationsGitHub Advanced Security – Dependency Review Should Be Enabled For A RepositoryEnable GitHub Advanced Security dependency review to avoid introducing new vulnerabilities and detect newly discovered vulnerabilities in existing packages.A contributor may add vulnerable third-party dependencies to the repository, introducing vulnerabilities to your application that will only be detected after merge.
    Insecure ConfigurationsForking Should Not Be Allowed for This RepositoryForking a repository can lead to loss of control and potential exposure of the source code. If you do not need forking, it is recommended to turn it off in the repository configuration. If needed, forking should be turned on by admins deliberately when opting to create a fork.Forked repositories cause more code and secret sprawl in the organization as forks are independent copies of the repository and need to be tracked separately, making it more difficult to keep track of sensitive assets and contain potential incidents.
    Insecure ConfigurationsDefault Branch Should Be ProtectedBranch protection is not enabled for this repository’s default branch. Protecting branches ensures new code changes must go through a controlled merge process and allows enforcement of code review as well as other security tests. This issue is raised if the default branch protection is turned off.Any contributor with write access may push potentially dangerous code to this repository, making it easier to compromise and difficult to audit.
    Insecure ConfigurationsOSSF Scorecard Score Should Be Above 7Scorecard is an open-source tool from the OSSF that helps to asses the security posture of repositories. A low scorecard score means your repository may be at risk.A low Scorecard score can indicate that the repository is more vulnerable to attack than others, making it a prime attack target.
    Insecure ConfigurationsRepository Webhooks Should Be Configured To Use SSLWebhooks that are not configured with SSL enabled could expose your sofware to man in the middle attacks (MITM).If SSL verification is disabled, any party with access to the target DNS domain can masquerade as your designated payload URL, allowing it freely read and affect the response of any webhook request.In the case of GitHub Enterprise Server instances, it may be sufficient only to control the DNS configuration of the network where the instance is deployed, as an attacker can redirect traffic to the target domain in your internal network directly to them, and this is often much easier than compromising an internet-facing domain.
    Insecure ConfigurationsDefault Branch Should Require All Commits To Be SignedRequire all commits to be signed and verifiedA commit containing malicious code may be crafted by a malicious actor that has acquired write access to the repository to initiate a supply chain attack. Commit signing provides another layer of defense that can prevent this type of compromise.
    Insecure ConfigurationsRepository Webhooks Should Be Configured With A SecretWebhooks are not configured with a shared secret to validate the origin and content of the request. This could allow your webhook to be triggered by any bad actor with the URL.Not using a webhook secret makes the service receiving the webhook unable to determine the authenticity of the request.This allows attackers to masquerade as your repository, potentially creating an unstable or insecure state in other systems.
    Insecure ConfigurationsDefault Branch Should Require All Conversations To Be Resolved Before MergeRequire all Pull Request conversations to be resolved before merging. Check this to avoid bypassing/missing a Pull Reuqest comment.Allowing the merging of code without resolving all conversations can promote poor and vulnerable code, as important comments may be forgotten or deliberately ignored when the code is merged.
    Insecure ConfigurationsDefault Branch Deletion Protection Should Be EnabledThe history of the default branch is not protected against deletion for this repository.Rewriting project history can make it difficult to trace back when bugs or security issues were introduced, making them more difficult to remediate.
    Insecure ConfigurationsDefault Workflow Token Permission Should Be Set To Read OnlyThe default GitHub Action workflow token permission is set to read-write. When creating workflow tokens, it is highly recommended to follow the Principle of Least Privilege and force workflow authors to specify explicitly which permissions they need.In case of token compromise (due to a vulnerability or malicious third-party GitHub actions), an attacker can use this token to sabotage various assets in your CI/CD pipeline, such as packages, pull-requests, deployments, and more.
    Insecure ConfigurationsDefault Branch Should Require All Checks To Pass Before MergeBranch protection is enabled. However, the checks which validate the quality and security of the code are not required to pass before submitting new changes. The default check ensures code is up-to-date in order to prevent faulty merges and unexpected behaviors, as well as other custom checks that test security and quality. It is advised to turn this control on to ensure any existing or future check will be required to pass.Not defining a set of required status checks can make it easy for contributors to introduce buggy or insecure code as manual review, whether mandated or optional, is the only line of defense.
    Insecure ConfigurationsDefault Branch Should Restrict Who Can Push To ItBy defa