Supported Services and Risks

Panoptica continually scans your cloud resources for potential risks, security issues and vulnerabilities across dozens of key services. This catalog provides a complete list of the services Panoptica scans across multiple cloud providers and platforms, and the hundreds of risks Panoptica can detect in those services. The results of these scans show up in different aspects of the Panoptica platform:

  • To view the services Panoptica has identified in your environment, see Cloud Inventory.
  • To view the risks Panoptica has identified, see Security Posture.
  • To view those risks prioritized and contextualized, see Attack Paths.

The catalog is sorted by provider, service name, and category. In Chrome or Edge, use the Table of Contents to the right to navigate to the information you're looking for. Firefox and Safari, however, are unable to expand a section to display an anchor link within, like Chrome and Edge can. If you're using Firefox or Safari, click the cloud provider header in the Table of Contents (AWS, Azure, GCP, etc.), then select the service you want to expand in the main section.

Amazon Web Services (AWS)

Click on a service name below to view a table of the risks Panoptica detects in AWS, along with brief descriptions and attack scenarios.

    AWS Certificate Manager

    | Category | Risk Name | Description | Attack Scenario |
    | --- | --- | --- | --- |
    | Insecure Configurations | ACM Certificate Without Minimum Of 2048-bit Key For RSA Certificate | An ACM certificate that does not use a key of at least 2048 bits for an RSA certificate. | A key length of 1024 bits is not considered secure, as it can be cracked using brute-force methods. Upgrade your certificates to 2048-bit or 4096-bit RSA certificates, which provide stronger encryption. |
    | Neglected Resource | ACM Certificate Expires In 30 Days | An ACM certificate that is going to expire in 30 days. | It is not a best practice to have an expired certificate. An expired certificate can be accidentally deployed to another resource, leading to application errors and credibility damage. Renew the certificate as soon as possible. |
    | Neglected Resource | ACM Certificate Pending Validation | An ACM certificate with 'PENDING_VALIDATION' status. | When an ACM certificate is not validated within 72 hours, it becomes invalid and you have to create a new certificate request. |
    | Neglected Resource | Expired ACM Certificate | An expired ACM certificate. | It is not a best practice to have an expired certificate. An expired certificate can cause an accidental deployment to another resource, leading to application errors and credibility damage. |
    | Neglected Resource | Invalid ACM Certificate | An ACM certificate with 'FAILED' or 'VALIDATION_TIMED_OUT' status. | It is not a best practice to have invalid certificates. Invalid certificates should be deleted. |
    | Neglected Resource | Unused ACM Certificate | An unused ACM certificate. | It is not a best practice to have unused certificates. Unused certificates should be used or removed. |
    Amazon CloudFront

    | Category | Risk Name | Description | Attack Scenario |
    | --- | --- | --- | --- |
    | Insecure Configurations | CloudFront Distribution Lacking WAF Protection | This risk highlights a CloudFront distribution that is not protected by a Web Application Firewall (WAF). Without WAF protection, your distribution may be vulnerable to common web exploits that could affect availability or compromise security. To enhance your distribution's security, it's recommended to attach a properly configured WAF to your CloudFront distribution. | A WAF helps protect web applications by filtering and monitoring traffic. It usually protects web applications from attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection. An attacker can use this opportunity to attack your application. |
    | Insecure Configurations | CloudFront Distribution Permitting Insecure HTTP Connections | This risk underscores a CloudFront distribution that allows insecure HTTP connections. Such connections could expose your data to potential risks during transmission. It's advised to enforce secure HTTPS connections for your CloudFront distribution to ensure the security and integrity of your data. | An attacker can gain access to traffic between your CloudFront distribution and the application viewers. |
    | Insecure Configurations | CloudFront Distribution with Logging Disabled | This risk signifies a CloudFront distribution that has logging disabled. Without logging, it can be challenging to monitor and troubleshoot your distribution's activity. It's highly recommended to enable and properly configure logging for your CloudFront distribution to ensure effective operations and prompt issue resolution. | CloudFront distribution logging is used to track all the requests. It is necessary for investigating activities and for auditing purposes. |
    | Insecure Configurations | CloudFront Operating with Unencrypted Origin Server Connection | This risk identifies a CloudFront distribution configured to operate with an unencrypted connection to the origin server. Such a configuration can expose your data to unnecessary risks during transmission. It's highly advised to secure the connection to your origin server with encryption, such as HTTPS, to uphold the integrity and confidentiality of your data. | An attacker can gain access to traffic between your CloudFront distribution and an origin server. |
    | Insecure Configurations | CloudFront With Insecure TLS Ciphers | A CloudFront distribution that does not use secure TLS (Transport Layer Security) protocol versions. | It is recommended to use the latest version of TLS if possible. Older versions (prior to TLS 1.2) may be deprecated or may contain known vulnerabilities that an attacker can use. |
    Amazon DocumentDB

    | Category | Risk Name | Description | Attack Scenario |
    | --- | --- | --- | --- |
    | Insecure Configurations | DocumentDB Audit Logs Export Disabled | A DocumentDB cluster that does not export audit logs to CloudWatch. | Without comprehensive auditing, there's a higher risk of undetected security breaches or unauthorized access to your system. |
    | Insecure Configurations | DocumentDB Cluster has Short Retention Period | A DocumentDB cluster with a backup retention period of less than 7 days. | A backup retention period ensures that you have a reliable copy of your data in case of accidental deletion, corruption, or other data loss events. |
    | Insecure Configurations | DocumentDB without Deletion Protection | Deletion protection is disabled. | Disabling deletion protection in a DocumentDB cluster can introduce several security risks. Deletion protection is a feature that prevents accidental or unauthorized data deletions, and disabling it can make your database more vulnerable to various threats. |
    | Insecure Configurations | DocumentDB Without Storage Encryption | This risk indicates an Amazon DocumentDB cluster that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended. | An attacker with access to the DocumentDB cluster can access sensitive data stored in the DB. |
    Amazon DynamoDB

    | Category | Risk Name | Description | Attack Scenario |
    | --- | --- | --- | --- |
    | Neglected Resource | DynamoDB Table Without Continuous Backup | A DynamoDB table without continuous backups for the point-in-time recovery feature. | It is a best practice to enable continuous backups for your DynamoDB tables. DynamoDB continuous backups, powered by the point-in-time recovery (PITR) feature, help you protect your DynamoDB data against accidental writes, deletes, or any other loss of data. |
    Amazon EC2

    | Category | Risk Name | Description | Attack Scenario |
    | --- | --- | --- | --- |
    | Insecure Configurations | Default Security Group Assignment | The EC2 instance uses the default Security Group. | An attacker might exploit a misconfiguration or a wide allowed outbound IP range to obtain network access to the EC2 instance. |
    | Insecure Configurations | EC2 Classic Instance Not Operating Within a VPC | This risk underscores an EC2 Classic instance that is not operating within a Virtual Private Cloud (VPC). Operating outside of a VPC may expose your EC2 instance to unnecessary security risks and limit control over network configuration. It's strongly advised to migrate your EC2 Classic instances to a VPC, providing an additional layer of security and increased control over networking aspects, to bolster your system security. | Current workloads might be interrupted. |
    | Insecure Configurations | EC2 Instance Operating with Unsecured Metadata Service | This risk points to an EC2 instance that has metadata services enabled without the necessary security tokens. Without these tokens, the metadata services, which can hold sensitive information about the EC2 instance, are exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata services by implementing required security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata. | When the instance is public and has a connection to the internet, an attacker can take advantage of these default configurations and get full access to the instance and its permissions. This is a default configuration that most developers are not aware of. The default configuration can leave your environment at increased risk in the event of a credential exposure or compromise. The metadata information is available by making a request to the IP address 169.254.169.254. The current AWS metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, so an attacker can use a server-side request forgery (SSRF) vulnerability to trick the instance into making HTTP/HTTPS requests on the attacker's behalf. |
    | Insecure Configurations | Load Balancer Operating with Outdated SSLv3 Protocol | This risk category identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. The SSLv3 protocol has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication. | This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. This vulnerability is known as the POODLE attack, a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. |
    | Insecure Configurations | RDS Database Instance Without Encryption | This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended. | An attacker with access to the RDS DB can access sensitive data stored in the DB. |
    | Public Exposure | Public AWS EBS Snapshot | An Elastic Block Store (EBS) volume snapshot publicly shared with all other AWS accounts. | An attacker can use the publicly shared EBS snapshot in their own account and potentially expose sensitive data. |
    | Neglected Resource | Unassociated Elastic IP Address | The Elastic IP is unused and not associated with any resource in the cloud environment. | An attacker might leverage the neglected Elastic IP to bypass security mechanisms or direct traffic to a malicious server. |
    | Public Exposure | Public AWS AMI | An AWS AMI publicly shared with all other AWS accounts. | An attacker can attach the publicly shared AMI to a machine in the attacker's AWS account and inspect the image. |
    Amazon Elastic Container Registry

    | Category | Risk Name | Description | Attack Scenario |
    | --- | --- | --- | --- |
    | Insecure Configurations | Private ECR Repository Allows Anonymous Users To Pull Images | A private ECR repository that allows anyone to pull images. | An attacker can pull images from a private repository. |
    | Insecure Configurations | Private ECR Repository Allows Anonymous Users To Push Images | A private ECR repository that allows anyone to push images. | An attacker can push a malicious image to the repository. |
    | Insecure Configurations | Private ECR Repository Without KMS Key | A private ECR repository without KMS encryption. | KMS provides more control over the repository encryption. |
    | Insecure Configurations | Public ECR Repository Allows Anonymous Users Access | A public ECR repository that enables any user to perform ECR actions. | |
    | Insecure Configurations | Public ECR Repository Allows Anonymous Users To Push Images | A public ECR repository that allows anyone to push images. | An attacker can push a malicious image to the repository. |
    Amazon ECS

    | Category | Risk Name | Description | Attack Scenario |
    | --- | --- | --- | --- |
    | Insecure Configurations | EC2 Instance Operating with Unsecured Metadata Service | This risk points to an EC2 instance that has metadata services enabled without the necessary security tokens. Without these tokens, the metadata services, which can hold sensitive information about the EC2 instance, are exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata services by implementing required security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata. | When the instance is public and has a connection to the internet, an attacker can take advantage of these default configurations and get full access to the instance and its permissions. This is a default configuration that most developers are not aware of. The default configuration can leave your environment at increased risk in the event of a credential exposure or compromise. The metadata information is available by making a request to the IP address 169.254.169.254. The current AWS metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, so an attacker can use a server-side request forgery (SSRF) vulnerability to trick the instance into making HTTP/HTTPS requests on the attacker's behalf. |
    | Insecure Configurations | ECS Container Operating in Elevated Privilege Mode | This risk signifies an ECS container that's operating in a privileged mode. When a container is run in privileged mode, it holds potential access to all devices on the host system, thereby posing a significant security risk. This unrestricted access could lead to unauthorized activities or data breaches if the container were to be compromised. It's highly recommended to review the necessity of privileged mode for this container. If not required, a prompt action to modify the container's access privileges is advised to uphold system security and integrity. | An attacker with access to the container can gain unauthorized access to other resources in the environment. |
    | Insecure Configurations | ECS Container with Elevated System Administrator Capabilities | This risk underscores an ECS container configured with CAP_SYS_ADMIN capabilities. This configuration grants the container nearly unrestricted system-level permissions equivalent to the root user on the host, which can significantly amplify the potential impact of a security breach if the container is compromised. It's essential to reassess the necessity of such elevated privileges. If these superuser capabilities are not necessary for the container's operations, it is strongly advised to reduce its permissions promptly, thereby bolstering system security and reducing potential attack vectors. | CAP_SYS_ADMIN is equivalent to root. An attacker with access to the container can gain root privileges. |
    | Insecure Configurations | Load Balancer Operating with Outdated SSLv3 Protocol | This risk category identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. The SSLv3 protocol has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication. | This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. This vulnerability is known as the POODLE attack, a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. |
    | Insecure Configurations | RDS Database Instance Without Encryption | This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended. | An attacker with access to the RDS DB can access sensitive data stored in the DB. |
    Amazon EKS

    | Category | Risk Name | Description | Attack Scenario |
    | --- | --- | --- | --- |
    | Credentials Exposure | EKS Cluster Operating Without Secrets Encryption | This risk identifies an EKS cluster that is operating without secrets encryption. The absence of encryption could expose your sensitive information and make it vulnerable to unauthorized access or breaches. It's strongly advised to enable secrets encryption for your EKS cluster to enhance the protection of sensitive data. (OWASP K08:2022 Secrets Management Failures) | By default, Kubernetes secrets are stored in etcd as Base64-encoded values. An attacker with access to the cluster's etcd will be able to use the stored secrets and compromise your cluster. |
    | Insecure Configurations | EKS Cluster Running With Logging Configurations Disabled | This risk signifies an EKS cluster that is operating with disabled logging configurations. Proper logging provides crucial insights into your system's operations and potential issues. A disabled logging configuration could hinder problem detection and system monitoring. It's highly recommended to enable and configure appropriate logging for your EKS cluster to ensure efficient operations and issue resolution. (OWASP K05:2022 Inadequate Logging and Monitoring) | Logging provides audit and diagnostic logs directly from EKS to CloudWatch Logs in your account. These logs make it easy for you to secure and run your clusters. |
    | Public Exposure | Publicly Accessible EKS API Server Endpoint | This risk underscores an EKS API Server Endpoint that is publicly accessible. Public access to your API Server Endpoint could potentially expose your system to unauthorized access and possible security threats. It's advised to review and restrict access to your EKS API Server Endpoint, limiting it to necessary IP ranges or secure VPN connections, to bolster system security. (OWASP K09:2022 Misconfigured Cluster Components) | An attacker can access the Kubernetes API server from an external IP address and use it as an entry point into the environment. |
    Amazon EFS

    | Category | Risk Name | Description | Attack Scenario |
    | --- | --- | --- | --- |
    | Insecure Configurations | Default Security Group | | |
    | Insecure Configurations | Security Group with Inappropriately Configured CIDR IP | This risk highlights a Security Group with a misconfigured CIDR IP, which may expose your resources to unintended networks, leading to potential unauthorized access. A swift review and correction of CIDR IP configurations in your security groups is strongly recommended to uphold network security. | The instances that are connected to this security group can be accidentally exposed to the Internet and compromised. |
    | Public Exposure | Security Group Allows Access From Any IP (0.0.0.0/0) | A security group with an inbound network rule that allows incoming connections from any IP address (0.0.0.0/0) to any port. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group Permits Connections From Any IP (0.0.0.0/0) | This risk points to an AWS Security Group configured to allow incoming connections from any IP address, denoted by the range 0.0.0.0/0. This unrestricted access can lead to potential unauthorized access and data breaches. It's recommended to validate the need for such open access, and if it is not required, promptly implement stricter access control based on specific IP addresses or ranges. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Exposed RDP Port | This risk identifies a Security Group that has the RDP port (3389) open to the public, posing a significant security risk. Unauthorized access to the RDP port can potentially allow cyber attackers to control your AWS resources. It's crucial to review and restrict access to the RDP port, limiting it to specific, necessary IP ranges or secure VPN connections, to strengthen your system security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Exposed Telnet Port | This risk underscores a Security Group that has the Telnet port (23) open to the public. An open Telnet port can be a significant security vulnerability as it can allow unauthorized access to your AWS resources. This exposure could potentially lead to unauthorized data access, data breaches, or unwanted modifications. It's highly advised to review and tighten access to the Telnet port, limiting it to necessary IP ranges or more secure protocols. Swift action to restrict this access will greatly enhance your AWS security posture and reduce potential cyber attack vectors. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Open Cassandra Port | This risk signifies a Security Group that has the Cassandra port (9142) open to the public. This can allow unauthorized access to your Cassandra databases, potentially leading to data breaches or malicious alterations. It's highly recommended to review and limit the port access to necessary IP ranges or secure connections, enhancing your database security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group With Open Kubernetes Kubelet Port (10250) | A security group with an inbound network rule that allows incoming connections from any IP address (0.0.0.0/0) to the Kubernetes Kubelet port (10250). | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Open MySQL/MariaDB Port | This risk points to a Security Group that has the MySQL/MariaDB port (3306) open to the public. This can allow unauthorized access to your MySQL/MariaDB databases, potentially leading to data breaches or malicious alterations. It's highly recommended to review and limit the port access to necessary IP ranges or secure connections, greatly enhancing your database security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Open Redis Port | This risk signifies a Security Group with an open Redis port (6379), providing public access. This could potentially expose your Redis databases to unauthorized access and possible security breaches. A swift action to review and restrict access to the Redis port, limiting it to necessary IP ranges or secure VPN connections, is advised to fortify your database security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Publicly Accessible Kafka Port | This risk identifies a Security Group with an open Kafka port (9092), providing public access. This configuration could potentially expose your Kafka servers to unauthorized access and potential security threats. It's advised to promptly review and restrict access to the Kafka port, limiting it to necessary IP ranges or secure VPN connections, to improve your overall system security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Publicly Accessible Kibana Port | This risk signifies a Security Group with an open Kibana port (5601), providing public access. This could potentially expose your Kibana instances to unauthorized access and potential security threats. It's advised to promptly review and restrict access to the Kibana port, limiting it to necessary IP ranges or secure VPN connections, to improve your overall system security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Publicly Accessible Memcached Port | This risk highlights a Security Group configured with an open Memcached port (11211), allowing public access. This configuration can potentially expose your Memcached servers to unauthorized access and data breaches. It's recommended to promptly review and restrict access to the Memcached port, limiting it to necessary IP ranges or secure connections, thereby fortifying your server security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Publicly Accessible Redshift Port | This risk points to a security group configuration that leaves the Amazon Redshift port (5439) open to the public. An exposed Redshift port can increase the risk of unauthorized access and potential data breaches. It's recommended to verify the need for such a configuration and, if unnecessary, promptly restrict access to this port to enhance the security of your Redshift clusters. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Publicly Accessible RPC Port | This risk highlights a Security Group configured with an open RPC port (135), making it publicly accessible. This configuration can potentially allow unauthorized access to your AWS resources. Open RPC ports are known to be vectors for certain types of cyber attacks, potentially leading to data breaches or unauthorized modifications. It's strongly recommended to review and limit access to the RPC port, confining it to necessary IP ranges or secure connections. Immediate action to secure this access will substantially enhance your AWS security and reduce potential cyber threats. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Publicly Exposed MSSQL Port | This risk signifies a Security Group configured with an open MSSQL port (1433), granting public access. This unrestricted access can potentially expose your SQL Server databases to unauthorized access and malicious activities. It's advised to immediately review and restrict the MSSQL port access to specific, necessary IP ranges or secure connections, enhancing your database security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Publicly Exposed Splunkd Port | This risk identifies a Security Group that has the Splunkd port (8089) open to the public. This configuration potentially leaves your Splunkd services vulnerable to unauthorized access and cyber threats. It's strongly recommended to review and limit access to the Splunkd port, confining it to specific, trusted IP ranges or secure VPN connections, to enhance your system security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Unrestricted FTP Ports | This risk highlights a Security Group that has FTP ports (20/21) open to the public. An open FTP port can allow unauthorized access to your AWS resources, potentially leading to data breaches, misuse, or unwarranted changes. It's strongly recommended to review and tighten access to these FTP ports, limiting them to specific, necessary IP ranges or secure connections. Prompt action to restrict this access will significantly enhance your AWS security and reduce exposure to potential cyber threats. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Unrestricted PostgreSQL Port | This risk highlights a Security Group with an open PostgreSQL port (5432). This configuration can expose your PostgreSQL databases to unauthorized access and potential malicious activities. Promptly reviewing and restricting access to the PostgreSQL port, confining it to necessary IP ranges or secure connections, is strongly recommended to enhance your database security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Unrestricted SMB Port Access | This risk category identifies a Security Group that has the SMB port (445) openly accessible to the public. An open SMB port can provide an entry point for unauthorized access to your AWS resources, potentially leading to data breaches or malicious modifications. This port is often targeted by exploits such as the WannaCry ransomware attack. It's strongly recommended to review and restrict access to the SMB port, confining it to specific, necessary IP ranges or secure VPN connections. Taking immediate action to limit this access will significantly enhance your AWS security posture and reduce potential attack surfaces. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Unrestricted SSH Port Access | This risk identifies a Security Group that has the SSH port (22) open to the public, potentially permitting unauthorized access to your AWS resources. It's crucial to review and restrict access to the SSH port, confining it to specific, necessary IP ranges or secure VPN connections, to bolster your system security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Unsecured DocDB Port | This risk indicates a Security Group that has the DocDB port (27017) open to the public. This configuration potentially leaves your DocumentDB databases exposed to unauthorized access and potential malicious actions. A swift review and restriction of access to the DocDB port, confining it to specific, trusted IP ranges or secure connections, is strongly recommended to uphold your database security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Unsecured Elasticsearch Ports | This risk highlights a Security Group with Elasticsearch ports (9200/9300) open to the public. These open ports can potentially expose your Elasticsearch clusters to unauthorized access and possible cyber threats. Immediate review and restriction of access to these ports, limiting them to necessary IP ranges or secure connections, is strongly advised to bolster your cluster security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    | Public Exposure | Security Group with Unsecured OracleDB Port | This risk highlights a Security Group that has the OracleDB port (1521) open to the public. This configuration potentially leaves your Oracle databases exposed to unauthorized access and cyber attacks. A swift review and restriction of access to the OracleDB port, confining it to specific, trusted IP ranges or secure connections, is strongly recommended to uphold your database security. | An attacker might use this misconfiguration to access assets within the AWS environment. |
    Amazon ElastiCache

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Data Security | Elasticache User (Not Default) Access String Allows Access to All Keys and Commands | Allowing access to all keys and commands through the Elasticache User Access String provides overly broad and unrestricted access, which can lead to unauthorized data manipulation or misuse. | An attacker gains access to the Elasticache User Access String with permissions for all keys and commands. They could potentially launch a series of malicious operations, such as deleting critical data, injecting harmful commands, or exfiltrating sensitive information, posing a significant security threat to the system's integrity and confidentiality. |
    | Data Security | Elasticache User without Authentication | When a user in Elasticache lacks authentication, a significant security vulnerability arises, as there is no authentication mechanism in place to verify the legitimacy of user requests, potentially exposing the system to unauthorized access and misuse. | An attacker could impersonate a user to gain unrestricted access to the cluster. This could lead to unauthorized data retrieval, manipulation, or even the injection of malicious data into the cache, compromising data integrity. |
    | Identity & Access Management | Elasticache Default User is in UserGroups | In Elasticache, a default user is automatically configured with the user ID and name "default," and it is added to all user groups, while remaining immutable and unable to be deleted or modified. This user is granted an access string that allows it to execute all commands and access all keys, creating a potential security vulnerability by providing overly broad and unmodifiable access privileges. | An attacker gains access to the cluster using the default user, taking advantage of the absence of authentication requirements and the user's full access privileges, which allows them to perform unauthorized operations. |
    | Identity & Access Management | Non Default Elasticache User Not Associated With Any Group | A user not associated with any group. | |
    | Identity & Access Management | Non Default Elasticache User Not Associated With Any Group that Has High Permissions | A user in Elasticache who possesses a full access string or is authenticated independently (without relying on IAM) lacks the security benefits of centralized access control and proper management, thereby increasing the risk of unauthorized access and misconfigurations, and making it challenging to efficiently audit and administer user permissions. | An attacker discovers an unsupervised Elasticache user, initially created without specific permissions. If this user is later added to a group with elevated privileges without proper review, the attacker seizes the moment, gaining unauthorized access to critical resources. |
    | Insecure Configurations | Elasticache Encryption by Rest is disabled | Disabling encryption at rest in AWS ElastiCache can lead to security vulnerabilities, as sensitive data may be exposed to unauthorized access, data breaches, or compromise due to the absence of encryption safeguards for stored data. | An attacker gains unauthorized access to the Elasticache cluster. Since encryption at rest is disabled, they can easily access and exfiltrate sensitive data, such as cached passwords or confidential information, potentially leading to data breaches or unauthorized data exposure. |
    | Insecure Configurations | Elasticache Encryption by Transit is disabled | Disabling encryption in transit in Elasticache creates a security problem by allowing data transmitted between clients and the cluster to be intercepted, potentially compromising data confidentiality and integrity. | An attacker with access to the network infrastructure, or a compromised intermediary device, can take advantage of encryption in transit being disabled to intercept and eavesdrop on unencrypted data packets transmitted between clients and the cache, potentially compromising data confidentiality and integrity. |
    | Insecure Configurations | Elasticache User with Password Authentication Only | When a user in Elasticache relies solely on password authentication, a security concern arises if the chosen password is weak or easily guessable: malicious actors may successfully guess or crack the password, leading to unauthorized system access and potential compromise of data integrity and confidentiality. | An attacker can employ brute-force or dictionary attacks to repeatedly guess the password. |
    Amazon ELB

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Insecure Configurations | EC2 Instance Operating with Unsecured Metadata Service | This risk points to an EC2 instance that has the metadata service enabled without the necessary security tokens. Without these tokens, the metadata service, which can hold sensitive information about the EC2 instance, is exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata service by requiring security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata. | When the instance is public and has a connection to the internet, an attacker can take advantage of this default configuration to gain full access to the instance and its permissions. This is a default configuration that many developers are not aware of, and it leaves your environment at increased risk in the event of a credential exposure or compromise. The metadata information is available by making a request to the IP address 169.254.169.254. The current AWS metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, which allows an attacker to abuse an SSRF (server-side request forgery) vulnerability to make the instance issue HTTP/HTTPS requests on their behalf. |
    | Insecure Configurations | Load Balancer Operating with Outdated SSLv3 Protocol | This risk identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. SSLv3 has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication. | This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. The vulnerability is known as the POODLE attack: a man-in-the-middle exploit that takes advantage of Internet and security software clients' fallback to SSL 3.0. |
    | Insecure Configurations | RDS Database Instance Without Encryption | This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended. | An attacker with access to the RDS DB can access sensitive data stored in the DB. |
    AWS IAM

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Identity & Access Management | IAM User Access Key Unrotated for Over 90 Days | This risk identifies an Amazon IAM (Identity and Access Management) user whose access key hasn't been rotated for over 90 days. Keeping access keys unrotated for prolonged periods increases the risk of unauthorized access if the keys are compromised. It's recommended to adopt a practice of regular key rotation, ideally every 90 days, to ensure secure access management. | An attacker with access to the access key can obtain the user's privileges and perform unauthorized actions in the account. |
    | Identity & Access Management | IAM User Holding Unused, Outdated Access Keys | This risk signifies an IAM user that has access keys not used for over 90 days. Outdated, unused keys can pose a significant security risk if they are compromised. It's strongly advised to review and rotate old access keys, promptly deactivating any that are unused, to enhance account security. | An attacker with access to the access key can obtain the user's privileges and perform unauthorized actions in the account. |
    | Identity & Access Management | Inactive IAM User Access Key | This risk indicates an inactive access key associated with an Amazon IAM (Identity and Access Management) user. Despite being inactive, these keys can pose a potential security risk if they were to be reactivated without appropriate controls. It's recommended to routinely review and manage inactive keys, eliminating or rotating those that aren't needed, to maintain a robust access management system. | |
    | Identity & Access Management | IAM User With Old Password For Over 90 Days | The user has not changed their password in the last 90 days. | An attacker can use this user to gain access to the environment. |
    | Identity & Access Management | IAM User Without MFA | This risk identifies an Amazon IAM (Identity and Access Management) user who doesn't have Multi-Factor Authentication (MFA) enabled. MFA provides an extra layer of security by requiring more than just a password for user authentication. Without MFA, the user's account is at a higher risk of unauthorized access. Enabling MFA for all IAM users is strongly recommended to bolster account security. | An attacker who obtains the password can authenticate with it alone, since no second factor is required. |
    | Identity & Access Management | Inactive IAM User In IAM Credential Report | An inactive user is a user with an unused access key, or a user who has not signed in to the AWS console in the last 90 days. | An attacker can use the inactive user's credentials, leading to compromise of the environment. |
    | Identity & Access Management | IAM Role Configured with Predictable External ID | This risk points to an IAM role that has a predictable external ID. Such easily guessed IDs can potentially allow unauthorized entities to assume the role, posing a risk of unauthorized access and potential security breaches. A review and update of all IAM role external IDs, ensuring they are complex and unpredictable, is strongly recommended to maintain secure role access. | An attacker can trick a third party that can assume a role in your account, and gain unauthorized access to your resources. The external ID is a unique identifier that third parties use to assume a role in your account, and its purpose is to prevent the confused deputy problem. When the external ID can be easily guessed, the confused deputy remains a problem. We look for external ID values that have fewer than three different types of characters, contain sequences such as 123, abc, qwe, and more, or that are included in the role ARN (account ID, role name). |
    | Identity & Access Management | IAM Role Configured with Unrestricted Assume Role Permissions | This risk identifies an IAM Role that has been configured to allow 'Assume Role' permissions to any AWS user. This broad configuration increases the potential for unauthorized access to the resources associated with this IAM role. It can lead to misuse of permissions, data breaches, or even alteration of your AWS services. It's highly recommended to review and restrict the 'Assume Role' permissions to specific users or roles, thereby enhancing your AWS security posture by reducing unnecessary exposure. | An attacker with access to any AWS account can assume the role and use its permissions. |
    AWS Key Management Service

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Identity & Access Management | KMS Key Allows Anonymous Access | A key policy that allows certain actions to all users. | If there are no other access mechanisms with deny statements that override this permissive key policy, an attacker will be able to perform the specified actions on your key. |
    | Neglected Resource | KMS Customer Managed Key Without Rotation | A customer-managed key with key rotation disabled. | Key rotation reduces the risk of a compromised key being used by an attacker to access your encrypted resources. |
    | Neglected Resource | Unusable Customer Managed Key | A customer-managed KMS key that can't be used. The key is either disabled or pending deletion. | It is not a best practice to keep unusable keys, as they can harm key management processes and increase your monthly AWS bill. |
    AWS Lambda

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Insecure Configurations | EC2 Instance Operating with Unsecured Metadata Service | This risk points to an EC2 instance that has the metadata service enabled without the necessary security tokens. Without these tokens, the metadata service, which can hold sensitive information about the EC2 instance, is exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata service by requiring security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata. | When the instance is public and has a connection to the internet, an attacker can take advantage of this default configuration to gain full access to the instance and its permissions. This is a default configuration that many developers are not aware of, and it leaves your environment at increased risk in the event of a credential exposure or compromise. The metadata information is available by making a request to the IP address 169.254.169.254. The current AWS metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, which allows an attacker to abuse an SSRF (server-side request forgery) vulnerability to make the instance issue HTTP/HTTPS requests on their behalf. |
    | Insecure Configurations | Lambda Function Security Group | | |
    | Insecure Configurations | Load Balancer Operating with Outdated SSLv3 Protocol | This risk identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. SSLv3 has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication. | This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. The vulnerability is known as the POODLE attack: a man-in-the-middle exploit that takes advantage of Internet and security software clients' fallback to SSL 3.0. |
    | Insecure Configurations | RDS Database Instance Without Encryption | This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended. | An attacker with access to the RDS DB can access sensitive data stored in the DB. |
    | Public Exposure | Public Lambda Function Without Authentication | A Lambda function that is configured with a function URL and without authentication. OWASP A6:2017 Security Misconfiguration (https://owasp.org/www-pdf-archive/OWASP-Top-10-Serverless-Interpretation-en.pdf). | A function URL is a dedicated HTTPS endpoint that allows access to and invocation of the function from the public Internet. The configuration of the detected function also permits unauthenticated access, which allows anyone on the Internet to trigger it. |
    | Unsupported Software | Lambda Function Operating on Deprecated Runtime | This risk identifies a Lambda function operating on a runtime that is deprecated or has reached end of support. Operating on such a runtime can expose the function to unpatched vulnerabilities and reduce overall performance. An immediate update to a supported runtime is recommended to ensure the security and efficiency of your Lambda function. OWASP A6:2017 Security Misconfiguration (https://owasp.org/www-pdf-archive/OWASP-Top-10-Serverless-Interpretation-en.pdf). | An attacker can exploit known unpatched vulnerabilities in the Lambda function runtime. |
    Amazon Neptune

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Insecure Configurations | Neptune Cluster has Short Retention Period | The Neptune database has a backup retention period of less than 7 days. | A backup retention period ensures that you have a reliable copy of your data in case of accidental deletion, corruption, or other data loss events. |
    | Insecure Configurations | Neptune DB Storage Encrypted Enabled | | |
    | Insecure Configurations | Neptune IAM Database Authentication Disabled | IAM Database Authentication in Amazon Neptune provides an additional layer of security for accessing your Neptune database. Instead of using a traditional username and password for database authentication, IAM Database Authentication allows you to use AWS Identity and Access Management (IAM) credentials to authenticate to your Neptune database. | Attackers might attempt to break traditional authentication methods by brute force or password guessing attacks. |
    | Insecure Configurations | Neptune without Deletion Protection | Deletion protection is disabled. | Disabling deletion protection in Neptune DB can introduce several security risks. Deletion protection is a feature that prevents accidental or unauthorized data deletions, and disabling it can make your database more vulnerable to various threats. |
    | Insecure Configurations | Neptune Without Storage Encryption | This risk indicates an Amazon Neptune database that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended. | An attacker with access to the Neptune database can access sensitive data stored in it. |
    Amazon RDS

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Insecure Configurations | EC2 Instance Operating with Unsecured Metadata Service | This risk points to an EC2 instance that has the metadata service enabled without the necessary security tokens. Without these tokens, the metadata service, which can hold sensitive information about the EC2 instance, is exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata service by requiring security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata. | When the instance is public and has a connection to the internet, an attacker can take advantage of this default configuration to gain full access to the instance and its permissions. This is a default configuration that many developers are not aware of, and it leaves your environment at increased risk in the event of a credential exposure or compromise. The metadata information is available by making a request to the IP address 169.254.169.254. The current AWS metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, which allows an attacker to abuse an SSRF (server-side request forgery) vulnerability to make the instance issue HTTP/HTTPS requests on their behalf. |
    | Insecure Configurations | Load Balancer Operating with Outdated SSLv3 Protocol | This risk identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. SSLv3 has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication. | This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. The vulnerability is known as the POODLE attack: a man-in-the-middle exploit that takes advantage of Internet and security software clients' fallback to SSL 3.0. |
    | Insecure Configurations | RDS Database Instance Without Encryption | This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended. | An attacker with access to the RDS DB can access sensitive data stored in the DB. |
    | Data Security | RDS Cluster Without Configured Backup Retention | This risk signifies an Amazon RDS cluster not configured for backup retention. A lack of backup retention can lead to data loss in case of system failures or errors. It's highly recommended to configure a suitable backup retention policy to protect data and ensure the possibility of recovery in the event of unexpected issues. | The backup retention period determines the period for which you can perform a point-in-time recovery. |
    | Data Security | RDS Database Instance Publicly Accessible | This risk identifies an Amazon RDS database instance configured to allow public access, making it potentially reachable by any AWS user or internet user. Publicly accessible database instances pose a heightened risk of unauthorized data access and potential data breaches. It's recommended to validate whether such public access is necessary and, if not, promptly restrict the access to enhance the security of your data. | An attacker can access the DB, leading to data exposure. |
    | Data Security | RDS Cluster Database Snapshot Publicly Shared | This risk signifies a publicly shared Amazon RDS cluster database snapshot, making it accessible to any AWS user. Publicly sharing snapshots elevates the risk of unauthorized access, data misuse, or breaches. The necessity of this public sharing should be verified; if not required, immediate action to restrict the sharing is advised to minimize potential security risks. | The DB cluster snapshot is public and available for any Amazon Web Services account to copy or restore. |
    | Data Security | RDS Cluster Database Snapshot Without Encryption | This risk highlights an Amazon RDS cluster database snapshot that is without encryption. Encryption serves as a vital security layer, safeguarding sensitive data from unauthorized access and potential breaches. An unencrypted snapshot increases the likelihood of data misuse if it's unintentionally accessed or shared. Prompt action to apply encryption is recommended to ensure the security of the snapshot's data. | An attacker can access the data stored in the RDS cluster database snapshot without decrypting it. |
    | Data Security | RDS Database Cluster Snapshot Externally Shared | This risk signifies an Amazon RDS database cluster snapshot shared with an external AWS account, potentially risking exposure of sensitive data. Uncontrolled or untrusted accounts might misuse or further expose this data, leading to potential breaches and compliance issues. Immediate investigation and appropriate action, such as revoking sharing if it violates security policies, are recommended to mitigate potential risks. | An attacker with access to the external account can copy the database cluster snapshot and create an RDS database cluster from it. |
    | Data Security | RDS Database Snapshot Externally Shared | This risk signifies an Amazon RDS database snapshot shared with an external AWS account, potentially risking exposure of sensitive data. Uncontrolled or untrusted accounts might misuse or further expose this data, leading to potential breaches and compliance issues. Immediate investigation and appropriate action, such as revoking sharing if it violates security policies, are recommended to mitigate potential risks. | An attacker with access to the external account can copy the database snapshot and create an RDS database from it. |
    | Data Security | RDS Database Snapshot Publicly Shared | This risk signifies a publicly shared Amazon RDS database snapshot, making it accessible to any AWS user. Publicly sharing snapshots elevates the risk of unauthorized access, data misuse, or breaches. The necessity of this public sharing should be verified; if not required, immediate action to restrict the sharing is advised to minimize potential security risks. | The DB snapshot is public and available for any Amazon Web Services account to copy or restore. |
    | Data Security | RDS Database Snapshot Without Encryption | This risk highlights an Amazon RDS database snapshot that is without encryption. Encryption serves as a vital security layer, safeguarding sensitive data from unauthorized access and potential breaches. An unencrypted snapshot increases the likelihood of data misuse if it's unintentionally accessed or shared. Prompt action to apply encryption is recommended to ensure the security of the snapshot's data. | An attacker can access the data stored in an RDS snapshot without decrypting it. |
    Amazon Redshift

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Data Security | Redshift Cluster Publicly Accessible | This risk points to an Amazon Redshift cluster configured to be publicly accessible, potentially making it reachable by any internet user. Publicly accessible Redshift clusters can significantly raise the risk of unauthorized data access and potential data breaches. It's recommended to validate the need for such public access and, if unnecessary, promptly restrict access to strengthen your data security. | An attacker can access the Redshift cluster through the cluster endpoint. |
    | Data Security | Redshift Cluster Without Encryption | This risk identifies an Amazon Redshift cluster that has not been configured for encryption, a crucial security measure to protect sensitive data from unauthorized access. Unencrypted Redshift clusters present an increased risk of data exposure or misuse. Implementing encryption to secure your data and adhere to best practices and compliance regulations is strongly recommended. | An attacker can access the data stored in your Redshift cluster. |
    Amazon Route 53

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Insecure Configurations | Public Route53 Hosted Zone Holding Private DNS Record | This risk points to a Route53 hosted zone that is public yet contains private DNS records. This configuration can lead to unintended exposure of internal resource information, heightening the risk of unauthorized access and potential breaches. A prompt review of the hosted zone's configuration to ensure appropriate privacy for DNS records is strongly recommended. | All DNS records in a public hosted zone can be queried from any external internet IP address. An attacker can resolve these records and gain information about your environment. |
    | Insecure Configurations | Route53 Without Auto Renew Domain | A Route 53 domain with the auto-renew feature not enabled. | With the auto-renew feature enabled, your domains won't expire. Expired domains leave your application exposed to multiple attacks, so it is best practice to enable the feature. |
    | Insecure Configurations | Route53 Without Domain Transfer Lock | A Route 53 domain with Transfer Lock set to false. | An attacker may be able to transfer your domain to another domain name registrar and hijack your domain. |
    | Neglected Resource | Route53 Domain Expires In 30 Days | A Route 53 domain is going to expire in 30 days. | Expired domains leave your application exposed to multiple attacks. Extend the expiration date as soon as possible. |
    | Neglected Resource | Route53 Domain Expires In 7 Days | A Route 53 domain is going to expire in 7 days. | Expired domains leave your application exposed to multiple attacks. Extend the expiration date as soon as possible. |
    | Neglected Resource | Route53 With Expired Domain | An expired domain name is registered in Route 53. | An attacker can hijack the expired domain and use it for malicious purposes. In addition, an expired domain can cause failures or downtime in your application. |
    Amazon S3

    Category | Risk Name | Description | Attack Scenario
    Data Security | Cross-Account S3 Bucket Access | This risk indicates that an Amazon S3 bucket is configured to permit access from users in different AWS accounts. If not strictly controlled, cross-account access can elevate the risk of unauthorized data access or leakage. It's advisable to scrutinize the necessity of this access configuration and promptly modify the bucket's access policies to enhance your data security if not required. | An attacker from any AWS account can define this S3 bucket as their target bucket for the service logs or configuration.
    Data Security | S3 Bucket Contains Potentially Public Objects | This risk identifies an Amazon S3 bucket that contains objects that may be publicly accessible, thereby potentially enabling any internet user to access them. Potentially shared objects in an S3 bucket can heighten the risk of unauthorized data access and potential data breaches. It's recommended to review these objects and their access controls, and if public access is not necessary, promptly update their permissions to secure your data. | An attacker may be able to access some objects in the bucket, leading to data exposure.
    Data Security | S3 Bucket Encrypted with AWS S3 Managed Key | S3 bucket encrypted with an AWS S3 managed key. | Using an AWS S3 managed key to encrypt an S3 bucket in AWS is not recommended due to limited control over key management. Managing your own KMS keys allows for better security practices, ensures isolation of resources, and facilitates compliance with industry standards. Creating and using customer-managed keys provides a more robust and customizable approach to data encryption in AWS S3.
    Data Security | S3 Bucket Publicly Accessible | This risk points to an Amazon S3 bucket configured as publicly accessible, potentially making it reachable by any internet user. Publicly accessible S3 buckets significantly increase the risk of unauthorized data access and potential breaches. It's recommended to validate the need for such public access, and if it's not necessary, promptly restrict access to improve your data security. | An attacker can access the bucket and objects, leading to data exposure.
    Insecure Configurations | EC2 Instance Operating with Unsecured Metadata Service | This risk points to an EC2 instance that has metadata services enabled without the necessary security tokens. Without these tokens, the metadata services, which can hold sensitive information about the EC2 instance, are exposed to potential unauthorized access. This vulnerability can lead to security breaches and data leaks. It is strongly recommended to secure the metadata services by implementing required security tokens, ensuring proper authorization, and thereby safeguarding the integrity of the instance's metadata. | When the instance is public and has a connection to the internet, an attacker can take advantage of these default configurations and get full access to the instance and its permissions. This is a default configuration that most developers are not aware of. The default configuration can leave your environment at increased risk in the event of a credential exposure or compromise. The metadata information is available by making a request to the IP address 169.254.169.254. The current AWS metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests, which lets an attacker abuse an SSRF (server-side request forgery) vulnerability in the instance to make HTTP/HTTPS requests on their behalf.
    Insecure Configurations | Load Balancer Operating with Outdated SSLv3 Protocol | This risk category identifies a Load Balancer that is configured to use the outdated SSLv3 protocol. The SSLv3 protocol has known vulnerabilities and its use poses a significant security risk, including susceptibility to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. It is strongly advised to update the Load Balancer's configuration to use a more secure, modern protocol such as TLS 1.2 or TLS 1.3. By doing so, you can reduce the risk of data breaches and ensure secure, encrypted communication. | This version has a flaw that could allow an attacker to decrypt information, such as authentication cookies. This vulnerability is known as the POODLE attack, a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0.
    Insecure Configurations | RDS Database Instance Without Encryption | This risk indicates an Amazon RDS database instance that lacks encryption, a critical security measure to safeguard sensitive data from unauthorized access. Unencrypted database instances raise the risk of data exposure or misuse, mainly if accessed by unauthorized entities. Implementing encryption to secure your data and comply with best practices and regulations is strongly recommended. | An attacker with access to the RDS DB can access sensitive data stored in the DB.
    AWS Secrets Manager

    Category | Risk Name | Description | Attack Scenario
    Insecure Configurations | Secret Manager Secret Not Rotated Over 30 Days | Secret not rotated for over 30 days. | An attacker with access to the secret can get its content and elevate their privileges.
    Amazon VPC

    Category | Risk Name | Description | Attack Scenario
    Insecure Configurations | Default Security Group | |
    Insecure Configurations | Security Group with Inappropriately Configured CIDR IP | This risk highlights a Security Group with a misconfigured CIDR IP, which may expose your resources to unintended networks, leading to potential unauthorized access. A swift review and correction of CIDR IP configurations in your security groups is strongly recommended to uphold network security. | The instances connected to this security group can be accidentally exposed to the Internet and compromised.
    Public Exposure | Security Group Allows Access From Any IP (0.0.0.0/0) | A security group with an inbound network rule that allows incoming connections from any IP address (0.0.0.0/0) to any port. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group Permits Connections From Any IP (0.0.0.0/0) | This risk points to an AWS Security Group configured to allow incoming connections from any IP address, denoted by the range 0.0.0.0/0. This unrestricted access can lead to potential unauthorized access and data breaches. It's recommended to validate the need for such open access, and if it is not required, promptly implement stricter access control based on specific IP addresses or ranges. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Exposed RDP Port | This risk identifies a Security Group that has the RDP port (3389) open to the public, posing a significant security risk. Unauthorized access to the RDP port can potentially allow cyber attackers to control your AWS resources. It's crucial to review and restrict access to the RDP port, limiting it to specific, necessary IP ranges or secure VPN connections, to strengthen your system security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Exposed Telnet Port | This risk underscores a Security Group that has the Telnet port (23) open to the public. An open Telnet port can be a significant security vulnerability as it can allow unauthorized access to your AWS resources. This exposure could potentially lead to unauthorized data access, data breaches, or unwanted modifications. It's highly advised to review and tighten access to the Telnet port, limiting it to necessary IP ranges or more secure protocols. Swift action to restrict this access will greatly enhance your AWS security posture and reduce potential cyber attack vectors. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Open Cassandra Port | This risk signifies a Security Group that has the Cassandra port (9142) open to the public. This can allow unauthorized access to your Cassandra databases, potentially leading to data breaches or malicious alterations. It's highly recommended to review and limit the port access to necessary IP ranges or secure connections, enhancing your database security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group With Open Kubernetes Kubelet Port (10250) | A security group with an inbound network rule that allows incoming connections from any IP address (0.0.0.0/0) to the Kubernetes Kubelet port (10250). | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Open MySQL/MariaDB Port | This risk points to a Security Group that has the MySQL/MariaDB port (3306) open to the public. This can allow unauthorized access to your MySQL/MariaDB databases, potentially leading to data breaches or malicious alterations. It's highly recommended to review and limit the port access to necessary IP ranges or secure connections, greatly enhancing your database security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Open Redis Port | This risk signifies a Security Group with an open Redis port (6379), providing public access. This could potentially expose your Redis databases to unauthorized access and possible security breaches. A swift action to review and restrict access to the Redis port, limiting it to necessary IP ranges or secure VPN connections, is advised to fortify your database security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Publicly Accessible Kafka Port | This risk identifies a Security Group with an open Kafka port (9092), providing public access. This configuration could potentially expose your Kafka servers to unauthorized access and potential security threats. It's advised to promptly review and restrict access to the Kafka port, limiting it to necessary IP ranges or secure VPN connections, to improve your overall system security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Publicly Accessible Kibana Port | This risk signifies a Security Group with an open Kibana port (5601), providing public access. This could potentially expose your Kibana instances to unauthorized access and potential security threats. It's advised to promptly review and restrict access to the Kibana port, limiting it to necessary IP ranges or secure VPN connections, to improve your overall system security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Publicly Accessible Memcached Port | This risk highlights a Security Group configured with an open Memcached port (11211), allowing public access. This configuration can potentially expose your Memcached servers to unauthorized access and data breaches. It's recommended to promptly review and restrict access to the Memcached port, limiting it to necessary IP ranges or secure connections, thereby fortifying your server security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Publicly Accessible Redshift Port | This risk points to a security group configuration that leaves the Amazon Redshift port (5439) open to the public. An exposed Redshift port can increase the risk of unauthorized access and potential data breaches. It's recommended to verify the need for such a configuration and, if unnecessary, promptly restrict access to this port to enhance the security of your Redshift clusters. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Publicly Accessible RPC Port | This risk highlights a Security Group configured with an open RPC port (135), making it publicly accessible. This configuration can potentially allow unauthorized access to your AWS resources. Open RPC ports are known to be vectors for certain types of cyber attacks, potentially leading to data breaches or unauthorized modifications. It's strongly recommended to review and limit access to the RPC port, confining it to necessary IP ranges or secure connections. Immediate action to secure this access will substantially enhance your AWS security and reduce potential cyber threats. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Publicly Exposed MSSQL Port | This risk signifies a Security Group configured with an open MSSQL port (1433), granting public access. This unrestricted access can potentially expose your SQL Server databases to unauthorized access and malicious activities. It's advised to immediately review and restrict the MSSQL port access to specific, necessary IP ranges or secure connections, enhancing your database security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Publicly Exposed Splunkd Port | This risk identifies a Security Group that has the Splunkd port (8089) open to the public. This configuration potentially leaves your Splunkd services vulnerable to unauthorized access and cyber threats. It's strongly recommended to review and limit access to the Splunkd port, confining it to specific, trusted IP ranges or secure VPN connections, to enhance your system security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Unrestricted FTP Ports | This risk highlights a Security Group that has FTP ports (20/21) open to the public. An open FTP port can allow unauthorized access to your AWS resources, potentially leading to data breaches, misuse, or unwarranted changes. It's strongly recommended to review and tighten access to these FTP ports, limiting them to specific, necessary IP ranges or secure connections. Prompt action to restrict this access will significantly enhance your AWS security and reduce exposure to potential cyber threats. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Unrestricted PostgreSQL Port | This risk highlights a Security Group with an open PostgreSQL port (5432). This configuration can expose your PostgreSQL databases to unauthorized access and potential malicious activities. Promptly reviewing and restricting access to the PostgreSQL port, confining it to necessary IP ranges or secure connections, is strongly recommended to enhance your database security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Unrestricted SMB Port Access | This risk category identifies a Security Group that has the SMB port (445) openly accessible to the public. An open SMB port can provide an entry point for unauthorized access to your AWS resources, potentially leading to data breaches or malicious modifications. This port is often targeted for exploits like the WannaCry ransomware attack. It's strongly recommended to review and restrict access to the SMB port, confining it to specific, necessary IP ranges or secure VPN connections. Taking immediate action to limit this access will significantly enhance your AWS security posture and reduce potential attack surfaces. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Unrestricted SSH Port Access | This risk identifies a Security Group that has the SSH port (22) open to the public, potentially permitting unauthorized access to your AWS resources. It's crucial to review and restrict access to the SSH port, confining it to specific, necessary IP ranges or secure VPN connections, to bolster your system security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Unsecured DocDB Port | This risk indicates a Security Group that has the DocDB port (27017) open to the public. This configuration potentially leaves your DocumentDB databases exposed to unauthorized access and potential malicious actions. A swift review and restriction of access to the DocDB port, confining it to specific, trusted IP ranges or secure connections, is strongly recommended to uphold your database security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Unsecured Elasticsearch Ports | This risk highlights a Security Group with Elasticsearch ports (9200/9300) open to the public. These open ports can potentially expose your Elasticsearch clusters to unauthorized access and possible cyber threats. Immediate review and restriction of access to these ports, limiting them to necessary IP ranges or secure connections, is strongly advised to bolster your cluster security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    Public Exposure | Security Group with Unsecured OracleDB Port | This risk highlights a Security Group that has the OracleDB port (1521) open to the public. This configuration potentially leaves your Oracle databases exposed to unauthorized access and cyber attacks. A swift review and restriction of access to the OracleDB port, confining it to specific, trusted IP ranges or secure connections, is strongly recommended to uphold your database security. | An attacker might use this misconfiguration to access assets within the AWS environment.
    SNS (Simple Notification Service)

    Category | Risk Name | Description | Attack Scenario
    Data Security | SNS Topic Encryption is Not Enabled | The absence of encryption for SNS topics exposes transmitted messages to risks of unauthorized access, interception, and tampering, compromising the confidentiality, integrity, and privacy of sensitive information within the messages. | In an environment where an SNS topic lacks encryption, an attacker can gain unauthorized access. Through this access, an attacker can intercept messages transmitted through the unencrypted SNS topic, enabling them to extract sensitive information.
    Data Security | SNS Topic is Encrypted With a Default Key | Using the default key for encrypting SNS topics presents limitations in effective key management. The default key does not allow you to create, rotate, disable or enable the encryption key used to protect the data. | The default key used for encryption in AWS lacks the necessary mechanisms to provide secure end-to-end encryption and prevent a man-in-the-middle attack on SNS topics. This makes it vulnerable to interception and manipulation by an attacker.
    Insecure Configurations | SNS Topic Data-in-Transit is Not Enforced | An SNS topic without HTTPS enforcement. | Without HTTPS, a network-based attacker can eavesdrop on network traffic or manipulate it using an attack such as man-in-the-middle.
    Insecure Configurations | SNS Topic Policy Allows 'SNS:Publish' for All Principals Without Conditions | The security finding of an SNS topic policy allowing unrestricted 'SNS:Publish' access increases the risk of unauthorized message dissemination, abuse, compromised data integrity, and non-compliance with security regulations. | An attacker identifies the SNS topic with the open publishing access and leverages this vulnerability to send unauthorized messages to the topic. With the ability to publish messages without restrictions, the attacker can disseminate malicious content, such as phishing links, malware payloads, or false information, to the subscribers of the topic.
    Insecure Configurations | SNS Topics Administrative Actions Are Publicly Executable | Preventing public execution of administrative actions on SNS topics is essential to maintain messaging system security, safeguard sensitive data, prevent service disruptions, and ensure compliance by restricting unauthorized users from performing administrative operations. | An attacker identifies a publicly accessible SNS topic and discovers that administrative actions can be executed without authentication. With this control, the attacker can modify topic settings, change access permissions, or delete the topic altogether.
    Insecure Configurations | SNS Topics Are Publicly Accessible | Ensuring that SNS is not publicly accessible is important to protect against unauthorized access, data breaches, and other security threats. | An attack targeting Simple Notification Service (SNS) public access could involve unauthorized actors exploiting the open access configuration of an SNS topic. By identifying a publicly accessible SNS topic, the attackers can abuse it to send messages or notifications to a large number of recipients, potentially causing disruptions, spamming users, or spreading malicious content.
    SQS (Simple Queue Service)

    Category | Risk Name | Description | Attack Scenario
    Data Security | SQS Queue is Not Encrypted With a Customer-Managed Key | SQS (Simple Queue Service) not being encrypted with a customer-managed key increases the risk of unauthorized access and potential exposure of sensitive data. | When SQS is not encrypted with a customer-managed key, the messages stored in SQS are still encrypted using AWS-managed keys, but without a customer-managed key you lose the more granular control a KMS key gives over the SQS data encryption/decryption process.
    Data Security | SQS Server-Side Encryption is Not Enabled | Disabling AWS SQS Server-Side Encryption (SSE) exposes data to vulnerabilities, non-compliance with data protection regulations, compromises data integrity, and undermines trust in the service. | When Server-Side Encryption (SSE) is not enforced in SQS, an attacker with unauthorized access can intercept and read unencrypted messages stored in the queue, leading to data exposure.
    Insecure Configurations | SQS Data-in-Transit Encryption is Not Enforced | Not enforcing data-in-transit encryption in SQS (Simple Queue Service) increases the risk of data interception and unauthorized access during the transmission of messages. | The transmitted messages are vulnerable to interception by malicious actors. Attackers can eavesdrop on network traffic or manipulate it, using an attack such as man-in-the-middle.
    Insecure Configurations | SQS Policy Allows All Actions From All Principals Without a Condition | Allowing all actions from all principals without conditions in AWS SQS eliminates access control and increases the risk of unauthorized operations, data breaches, compliance violations, and operational disruptions. | In a scenario where there is a lack of access control in AWS SQS, allowing all actions from all principals without conditions, any AWS identity or entity has unrestricted access to perform any action on the SQS queues. This absence of granular access controls and restrictions allows an attacker to exploit this lack of control by gaining unauthorized access to sensitive data within the queues.
    Insecure Configurations | SQS Policy Allows Public Access | An SQS (Simple Queue Service) policy that allows public access increases the risk of unauthorized users gaining access to the queue and potentially manipulating or retrieving sensitive messages. | When an SQS (Simple Queue Service) policy is misconfigured to allow public access, unauthorized individuals can exploit this vulnerability. Attackers can manipulate and retrieve sensitive messages from the queue without any authentication or authorization checks.
Microsoft Azure

Click on a service name below to view a table of the risks Panoptica detects in Azure, along with brief descriptions and attack scenarios.

    Azure App Service

    Category | Risk Name | Description | Attack Scenario
    Insecure Configurations | Azure Function Cross-origin Resource Sharing (CORS) Feature not Implemented | Cross-Origin Resource Sharing (CORS) is a security feature that allows or restricts web applications running at one origin (domain) to make requests for resources from a different origin, subject to certain constraints, to prevent unauthorized access to data. This finding signifies an Azure Function without Cross-Origin Resource Sharing enforcement. | An attacker could exploit permissive CORS policies set on a web application to make unauthorized cross-origin requests, potentially gaining access to sensitive data or performing actions on behalf of a legitimate user without their consent. For example, an attacker might trick a victim into visiting a malicious website that sends requests to a trusted web service using the victim's credentials, allowing the attacker to steal data or perform actions on the victim's behalf.
    Insecure Configurations | Azure Function Enables Unencrypted Traffic | An Azure Function without HTTPS enforcement. | Without HTTPS, a network-based attacker can eavesdrop on network traffic or manipulate it using an attack such as man-in-the-middle.
    Insecure Configurations | Azure Function Support Insecure Transportation Security Protocol | An Azure Function that uses insecure TLS (Transport Layer Security) protocols. | It is recommended to use the latest version of TLS if possible. Older versions (prior to TLS 1.2) may be deprecated or may contain known vulnerabilities that an attacker can use.
    Insecure Configurations | FTP Service Enabled for Azure Function | An Azure Function with an S/FTP endpoint enabled. | The Azure FTP deployment endpoints are publicly accessible. An attacker might attempt to brute-force the service to gain access to the app/service code base.
    Insecure Configurations | Remote Debugging is Enabled for Azure Function | An Azure Function that enables remote debugging. | If remote debugging in Azure Functions is enabled without proper security controls, an attacker could potentially gain unauthorized access to the running code, extract sensitive information, inject malicious code, or disrupt the application, posing a significant security risk.
    Unsupported Software | Azure Function Deprecated Runtime | An Azure Function with a deprecated runtime. | An attacker can exploit known unpatched vulnerabilities in the Azure Function runtime.
    Azure Container Instance (ACI)

    Category | Risk Name | Description | Attack Scenario
    Public Exposure | Public Storage Account Container | Container with public access allowed. | In some cases, an attacker will be able to access data stored in the container.
    Azure Cosmos DB

    Category | Risk Name | Description | Attack Scenario
    Data Security | Cosmos DB Connection From Public Azure Data Centers Enabled | This option configures the firewall to allow all requests from Azure, including requests from the subscriptions of other customers deployed in Azure. | In a scenario where a Cosmos DB account allows connections from IP address "0.0.0.0" (representing all public data centers), an attacker with an unauthorized account could exploit this configuration by gaining access from any location. This attacker could potentially infiltrate the Cosmos DB account, extract sensitive data, launch malicious queries, or even manipulate the database's content, all while leveraging the unrestricted public IP allowance.
    Insecure Configurations | Cosmos DB Account "Disabled Key Based Metadata Write Access" is Disabled | A Cosmos DB database with the "Disabled Key Based Metadata Write Access" option disabled. | In a scenario where "disabled key based metadata write access" is disabled, an attacker could potentially exploit this vulnerability by gaining unauthorized access to modify or tamper with metadata using compromised keys. This could lead to unauthorized privilege escalation, data manipulation, or confusion in data organization, impacting the integrity and security of the Cosmos DB resources.
    Insecure Configurations | Cosmos DB Account is Not Using Virtual Network | Enabling Virtual Network integration for a Cosmos DB account is important as it adds an additional layer of security by restricting data access to specific networks, reducing exposure to potential threats. | In an attack scenario, if Virtual Network integration is not enabled for a Cosmos DB account, a malicious actor could exploit the lack of network restrictions by infiltrating the account through public endpoints, potentially compromising sensitive data or executing unauthorized operations on the database.
    Insecure Configurations | Cosmos DB Account Local Auth is Enabled | Cosmos DB account local auth is enabled. | An attacker with access to these static keys could potentially perform malicious actions such as data extraction, modification, or deletion. Since the keys are long-lived and not subject to regular rotation, the compromise could persist for an extended period, leading to significant data breaches and security breaches.
    Insecure Configurations | Cosmos DB Account with Service Managed Encryption Key | Customer-Managed Keys (CMK) provide the crucial advantage of retaining full control and ownership over their encryption keys, allowing them to enforce stricter access policies and meet regulatory compliance requirements. | An attacker who discovers a vulnerability in Azure's key management processes could potentially gain unauthorized access to encryption keys, enabling them to decrypt and access sensitive data stored in Cosmos DB.
    Public Exposure | Cosmos DB Account Access is Allowed From All Networks | Azure Cosmos DB with public access enabled. | An attacker could exploit this misconfiguration by remotely connecting to the publicly open database and exfiltrating sensitive data.
    Public Exposure | Cosmos DB Account is Not Using Private Endpoints | A Cosmos DB database without private endpoints. | Not enabling Virtual Network integration for a Cosmos DB account can result in reduced security, potentially exposing data to unauthorized access.
    Azure Database for MariaDB

    Category | Risk Name | Description | Attack Scenario
    Insecure Configurations | MariaDB Server is Not Using Virtual Networks | Not using virtual networks in a MariaDB account poses a security risk as it exposes the database to potential unauthorized access and data exposure, lacking the additional layer of network isolation and security controls provided by virtual networks. | In a scenario where a virtual network is not configured, the communication occurs over the public internet unless there are other network-level controls in place. If the communication is not encrypted, it becomes susceptible to interception by attackers. These attackers can then execute a man-in-the-middle attack to intercept the traffic between the two entities.
    Insecure Configurations | MariaDB Server TLS/SSL Disabled | MariaDB with the TLS/SSL option disabled. | If TLS/SSL is disabled for a MariaDB account, an attacker on the same network could intercept the unencrypted database traffic, potentially capturing sensitive data such as passwords and queries.
    Public Exposure | MariaDB Server Connection From Public Azure Services | Having a firewall rule allowing access from Azure Public Services in MariaDB could pose a security risk as it might permit access from a broader range of Azure services than necessary, potentially exposing the database to unintended and unnecessary connections within the Azure network. | An attacker exploits a misconfigured MariaDB firewall rule allowing access from any Azure Public Service, potentially gaining unauthorized entry through unintended services. Once inside, the attacker could perform malicious operations on the database, jeopardizing data integrity and confidentiality.
    Public Exposure | MariaDB Server Has Full Public Network Access | Having full public network access for all in a MariaDB account poses a security risk by potentially exposing the database to unauthorized access from any address. | An attacker, aware of the public network access on a MariaDB account for all, could exploit this vulnerability by launching attacks, attempting unauthorized logins, and potentially gaining control over the database, leading to unauthorized data access.
    Public Exposure | MariaDB Server is Not Using Private Endpoints | MariaDB without a private endpoint configured. | An attacker could exploit network vulnerabilities to intercept unencrypted database communication, potentially capturing sensitive data or injecting malicious commands.
    Azure Function

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Public Exposure | Public Unauthenticated Function | A function with an HTTP trigger and the anonymous auth level. The HTTP trigger lets the function be invoked with an HTTP request, and the anonymous auth level lets a caller send that request without an API key. OWASP A2:2017 Broken Authentication. | An attacker can invoke the function and, in some cases, escape it, obtain the function app's permissions and compromise your environment. |
    Azure OpenAI

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Insecure Configurations | Azure OpenAI with Microsoft Managed Keys | The resource is encrypted with Microsoft-managed keys only. Customer-managed keys (CMK) let you retain full control and ownership of your encryption keys, enforce stricter access policies and meet regulatory compliance requirements. | An attacker who discovers a vulnerability in Azure's key management processes could gain unauthorized access to the encryption keys and decrypt your Azure OpenAI data at rest, such as training data and fine-tuned models. |
    | Public Exposure | Azure OpenAI Allow Access from All Networks | An Azure OpenAI resource with public network access enabled. | Allowing unrestricted public access to a cloud service opens it to external attack. An attacker can reach the resource and call the models through the API; by exploiting a separate vulnerability in the service or the models, the attacker may gain access to their configuration and possibly to sensitive information. |
    Azure Resource Management (ARM)

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Identity & Access Management | Role Definition With List Storage Account Keys Permissions | A role definition with permission to list storage account keys. | An attacker with access to the role can obtain the keys of, and so access, any storage account in scope whose "allowSharedKeyAccess" setting is true. |
    | Identity & Access Management | Principal With Owner Role | A principal assigned the 'Owner' role, which grants full permissions in the subscription. | An attacker with access to the principal can compromise the subscription. |
    | Identity & Access Management | Principal With User Access Administrator Role | A principal assigned the 'User Access Administrator' role, which allows it to manage user access to Azure resources. | An attacker with access to the principal can assign roles, including Owner, to any principal and so compromise the subscription. |
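The three ARM rows share one mechanism: a role definition is a list of `actions` minus `notActions`, both with wildcards, and a role assignment binds a principal to such a definition at a scope. The following Python is an added example of evaluating both, not Panoptica's code. It runs offline on documents shaped like the output of `az role definition list` and `az role assignment list` (the property names are the real ARM ones); the role definition ids, principal ids and scopes in the samples are constructed, and the built-in roles are abbreviated to the permissions that matter here.

```python
"""Audit Azure role definitions and role assignments for the three ARM risks
in the table above (listKeys permission, Owner, User Access Administrator).

Added example, not Panoptica's code. Sample ids and scopes are constructed.
"""
import re

LIST_KEYS_ACTION = "Microsoft.Storage/storageAccounts/listKeys/action"
HIGH_PRIVILEGE_ROLES = {"Owner", "User Access Administrator"}


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters,
    including '/', and the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_grants_action(role_def: dict, action: str) -> bool:
    """A role grants an action when some permissions block lists a matching
    entry in `actions` that is not carved out again by `notActions`.
    notActions is a subtraction from the same role, not a deny rule."""
    for perm in role_def.get("permissions", []):
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        excluded = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False


def roles_with_list_keys(role_defs: list[dict]) -> list[str]:
    """Names of roles, built-in or custom, that can list storage account keys."""
    return [r["roleName"] for r in role_defs if role_grants_action(r, LIST_KEYS_ACTION)]


def high_privilege_assignments(role_defs: list[dict], assignments: list[dict]) -> list[tuple[str, str, str]]:
    """(principalId, roleName, scope) for every Owner / User Access Administrator assignment."""
    name_by_id = {r["id"]: r["roleName"] for r in role_defs}
    found = []
    for a in assignments:
        role_name = name_by_id.get(a["roleDefinitionId"], a["roleDefinitionId"])
        if role_name in HIGH_PRIVILEGE_ROLES:
            found.append((a["principalId"], role_name, a["scope"]))
    return found


# Constructed sample data. The "rd-*" ids stand in for real roleDefinition GUIDs.
SAMPLE_ROLE_DEFS = [
    {"id": "rd-owner", "roleName": "Owner",
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"id": "rd-reader", "roleName": "Reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"id": "rd-uaa", "roleName": "User Access Administrator",
     "permissions": [{"actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
                      "notActions": []}]},
    {"id": "rd-custom-ops", "roleName": "Storage Operator (custom)",
     "permissions": [{"actions": ["Microsoft.Storage/*"],
                      "notActions": ["Microsoft.Storage/storageAccounts/delete"]}]},
    {"id": "rd-custom-nokeys", "roleName": "Storage Operator without keys (custom)",
     "permissions": [{"actions": ["Microsoft.Storage/*"],
                      "notActions": ["Microsoft.Storage/storageAccounts/listKeys/action"]}]},
]
SAMPLE_ASSIGNMENTS = [
    {"principalId": "sp-ci-deployer", "roleDefinitionId": "rd-owner",
     "scope": "/subscriptions/sub-1"},
    {"principalId": "grp-helpdesk", "roleDefinitionId": "rd-uaa",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-prod"},
    {"principalId": "user-auditor", "roleDefinitionId": "rd-reader",
     "scope": "/subscriptions/sub-1"},
]

if __name__ == "__main__":
    print("can list storage keys:", roles_with_list_keys(SAMPLE_ROLE_DEFS))
    for principal, role, scope in high_privilege_assignments(SAMPLE_ROLE_DEFS, SAMPLE_ASSIGNMENTS):
        print(f"{principal} holds {role} at {scope}")
```

Note that `Owner` is reported for the listKeys risk as well, because `*` covers the action; the custom role that carves `listKeys/action` out through `notActions` is not, which is the remediation the first row implies.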
    Azure Virtual Network

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Public Exposure | Network Security Group With Open RDP Port (3389) | A network security group with the RDP port (3389) open to any source IP. | An attacker can attempt to exploit RDP vulnerabilities or brute-force RDP logins from anywhere on the internet, leaving your environment at risk. |
    Azure Storage Account

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Insecure Configurations | Storage Account With 'non-secure' Connection | A storage account that allows requests over a non-secure (HTTP) connection. | An attacker can obtain your data by intercepting the unencrypted communication with the storage account. |
    | Insecure Configurations | Storage Account With Shared Key Access | A storage account with shared key access allowed. Using shared key authorization for a storage account is not a best practice; the keys grant full access and are not tied to an identity. | An attacker with access to a storage account key can access the storage account and compromise your data. |
    | Public Exposure | Storage Account With Blob Public Access Allowed | A storage account with blob public access allowed. This setting permits public access to be configured on containers in the account; it does not by itself make your data public. | If a container in the account is also configured for anonymous access, an attacker can read its blobs and compromise your data. |
    | Public Exposure | Storage Account With Unrestricted Network Access | Network access to the storage account is not restricted: the network rule set's default action is Allow, so requests are accepted from any network. | An attacker can reach the storage account from any network and, given credentials or a public container, access the data stored in it. |
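The four Storage Account rows map onto a handful of ARM properties, and two of them have defaults that trip up naive checks: an absent `allowSharedKeyAccess` means *allowed*, and `allowBlobPublicAccess` only permits a container to be made public, so a finding about exposed data needs the container's `publicAccess` too. The Python below is an added example of evaluating both levels, not Panoptica's code. It runs offline on a document shaped like `az storage account show` output (the property names are the real ARM ones); the two accounts and their containers are constructed.

```python
"""Evaluate Azure Storage accounts for the four risks in the table above.

Added example, not Panoptica's code. The accounts and containers are
constructed; the property names are the real ARM ones.
"""


def storage_account_findings(account: dict) -> list[str]:
    props = account.get("properties", {})
    findings = []

    # HTTP is only possible when the account explicitly opts out of HTTPS-only.
    if props.get("supportsHttpsTrafficOnly") is False:
        findings.append("non-secure connection: HTTP requests allowed")

    # ARM treats an absent allowSharedKeyAccess as true, so "not set" is a finding.
    if props.get("allowSharedKeyAccess", True):
        findings.append("shared key access allowed")

    # Only an explicit false proves anonymous blob access cannot be configured.
    if props.get("allowBlobPublicAccess") is not False:
        findings.append("blob public access allowed at account level")

    # Network access is unrestricted unless public access is switched off or the
    # network rule set's default action is Deny (an absent rule set means Allow).
    public_off = props.get("publicNetworkAccess") == "Disabled"
    default_action = props.get("networkAcls", {}).get("defaultAction", "Allow")
    if not public_off and default_action == "Allow":
        findings.append("unrestricted network access")
    return findings


def exposed_containers(account: dict, containers: list[dict]) -> list[str]:
    """The blob-public-access row's caveat: the account setting only permits
    anonymous access; data is exposed only where a container also sets
    publicAccess to 'Blob' or 'Container'."""
    if account.get("properties", {}).get("allowBlobPublicAccess") is False:
        return []
    return [c["name"] for c in containers
            if c.get("properties", {}).get("publicAccess", "None") in ("Blob", "Container")]


# Constructed samples: one account with every setting left at the risky value
# (allowSharedKeyAccess deliberately omitted), one hardened account.
SAMPLE_ACCOUNTS = {
    "stlegacylogs": {"name": "stlegacylogs", "properties": {
        "supportsHttpsTrafficOnly": False,
        "allowBlobPublicAccess": True,
        "networkAcls": {"defaultAction": "Allow", "ipRules": []},
    }},
    "stprodhardened": {"name": "stprodhardened", "properties": {
        "supportsHttpsTrafficOnly": True,
        "allowSharedKeyAccess": False,
        "allowBlobPublicAccess": False,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}]},
    }},
}
SAMPLE_CONTAINERS = {
    "stlegacylogs": [{"name": "public-assets", "properties": {"publicAccess": "Blob"}},
                     {"name": "backups", "properties": {"publicAccess": "None"}}],
    "stprodhardened": [{"name": "public-assets", "properties": {"publicAccess": "Blob"}}],
}


def audit_all() -> dict[str, dict]:
    return {name: {"findings": storage_account_findings(acct),
                   "exposed_containers": exposed_containers(acct, SAMPLE_CONTAINERS[name])}
            for name, acct in SAMPLE_ACCOUNTS.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(name, result)
```

The hardened account keeps a container marked `Blob` but reports no exposed containers, because the account-level `allowBlobPublicAccess: false` overrides it; that is exactly the distinction the third row draws.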
Google Cloud Platform (GCP)

Click on a service name below to view a table of the risks Panoptica detects in GCP, along with brief descriptions and attack scenarios.

    App Engine

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Identity & Access Management | App Engine Service With Default Service Account | By default, App Engine services run as the App Engine default service account, which has the 'Editor' role in the project. | An attacker with access to an App Engine service running as the default service account can deploy changes to the Cloud project and run code with read/write access to all resources within that project. |
    | Insecure Configurations | App Engine Service with Insecure Ingress Settings | An App Engine service configured with insecure ingress settings, potentially allowing unauthorized access. Insecure ingress settings significantly heighten the risk of unauthorized access and data breaches. Review these settings and, if open access is not necessary, refine the ingress rules. | An attacker can send requests directly to the app from the internet. |
    | Public Exposure | App Engine App With Public Ingress Rule | An App Engine app with a public ingress rule. | An attacker might use this misconfiguration to access the application running in App Engine. |
    | Unsupported Software | App Engine Service With Legacy Runtime | An App Engine service running on a legacy runtime. | Legacy runtimes support language versions that are no longer maintained by their open source communities. Once a community stops maintaining a version, the app may be exposed to vulnerabilities for which no publicly available fix exists. |
    BigQuery

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Identity & Access Management | BigQuery Dataset With Cross Project Access | A BigQuery dataset with a policy binding for a service account from a different project. | An attacker with access to that service account in the other project can access the dataset and compromise your data. |
    | Identity & Access Management | BigQuery Table/View With Cross Project Access | A BigQuery table or view with a policy binding for a service account from a different project. | An attacker with access to that service account in the other project can access the table or view and compromise your data. |
    | Insecure Configurations | BigQuery Dataset Without Customer Managed Encryption Key (CMEK) | A BigQuery dataset without a customer-managed encryption key (CMEK). | CMEK provides more administrative control: administrators can rotate, manage access to, and disable or destroy the key used to protect data at rest. |
    | Insecure Configurations | BigQuery Table/View Without Customer Managed Encryption Key (CMEK) | A BigQuery table or view without a customer-managed encryption key (CMEK). | CMEK provides more administrative control: administrators can rotate, manage access to, and disable or destroy the key used to protect data at rest. |
    | Public Exposure | Public BigQuery Dataset | A publicly accessible BigQuery dataset. | An attacker can access this dataset and compromise your data. |
    | Public Exposure | Public BigQuery Table/View | A publicly accessible BigQuery table or view. | An attacker can access this table or view and compromise your data. |
    Bigtable

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Identity & Access Management | Bigtable Instance Allows Access Of Service Account From Another Project | A Bigtable instance with a policy binding for a service account from a different project. | An attacker with access to that service account in the other project can compromise the environment. |
    | Identity & Access Management | Bigtable Table Allows Access Of Service Account From Another Project | A Bigtable table with a policy binding for a service account from a different project. | An attacker with access to that service account in the other project can compromise the environment. |
    | Insecure Configurations | Bigtable Cluster Without Customer Managed Encryption Key (CMEK) | A Bigtable cluster configured without CMEK. | CMEK provides more administrative control: administrators can rotate, manage access to, and disable or destroy the key used to protect data at rest. |
    Cloud Run

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Identity & Access Management | Cloud Run Job Running with Permissive Permissions | One or more users hold the roles/run.admin role on the Cloud Run job and can invoke or otherwise interact with it. While this simplifies deployment and usage, it may expose sensitive data or functions to misuse or unauthorized access. | Permissive permissions present significant security risks in cloud environments, as they can lead to unauthorized access, data breaches and misuse of resources. |
    | Identity & Access Management | Cloud Run Service Running with Permissive Permissions | One or more users hold the roles/run.admin role on the Cloud Run service and can invoke or otherwise interact with it. While this simplifies deployment and usage, it may expose sensitive data or functions to misuse or unauthorized access. | Permissive permissions present significant security risks in cloud environments, as they can lead to unauthorized access, data breaches and misuse of resources. |
    | Identity & Access Management | IAM with cloud run service admin permission | A GCP identity with admin permissions on a Cloud Run job. | An attacker with this permission has administrative access to the Cloud Run job. |
    | Identity & Access Management | IAM with cloud run service admin permission | A GCP identity with admin permissions on a Cloud Run service. | An attacker with this permission has administrative access to the Cloud Run service. |
    | Identity & Access Management | Unauthenticated Invocations Allowed for Cloud Run Service | Unauthenticated invocations are enabled for this Cloud Run service: the "allUsers" principal is bound to the "Cloud Run Invoker" IAM role (roles/run.invoker). This makes the service reachable by anyone on the internet without authentication. | An attacker can reach the service without authenticating and can then try to exploit any vulnerability in it, resulting in denial of service (DoS), extraction of sensitive data, or remote execution of commands on the underlying host. |
    | Insecure Configurations | Binary Authorization Disabled for Cloud Run Job | Binary Authorization enforces policy-based deployment control, ensuring that only trusted, verified container images can be deployed. | An attacker who gains access to the continuous integration environment can inject malicious code or tamper with legitimate code during the build and deployment (CI/CD) process. This can introduce vulnerabilities, backdoors or other weaknesses into the software, which may go undetected until the compromised image is deployed. |
    | Insecure Configurations | Binary Authorization Disabled for Cloud Run Service | Binary Authorization enforces policy-based deployment control, ensuring that only trusted, verified container images can be deployed. | An attacker who gains access to the continuous integration environment can inject malicious code or tamper with legitimate code during the build and deployment (CI/CD) process. This can introduce vulnerabilities, backdoors or other weaknesses into the software, which may go undetected until the compromised image is deployed. |
    | Insecure Configurations | Cloud Run Job is Using the Compute Engine Default Service Account | The Cloud Run job runs as the Compute Engine default service account. This account is created automatically when a new project is set up; by default it has broad IAM permissions and is attached to every Cloud Run job that does not specify its own service account. | An attacker who obtains a token for the default service account could access every Cloud Run job, and its management API, in the same GCP project. |
    | Insecure Configurations | Cloud Run Service is Using the Compute Engine Default Service Account | The Cloud Run service runs as the Compute Engine default service account. This account is created automatically when a new project is set up; by default it has broad IAM permissions and is attached to every Cloud Run service that does not specify its own service account. | An attacker who obtains a token for the default service account could access every Cloud Run service, and its management API, in the same GCP project. |
    | Public Exposure | Cloud Run Service Publicly Accessible | A publicly accessible Cloud Run service, reachable by any internet user. Publicly accessible services raise the risk of unauthorized access, misuse and breaches. Verify that the service needs to be public; if not, restrict it promptly. | Depending on the application deployed, an attacker can exploit vulnerabilities to gain unauthorized access, manipulate and steal sensitive data, and even execute malicious actions that compromise the entire system. |
    Compute Engine

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Credentials Exposure | Compute Engine Instance With Cleartext Chargify Key | Chargify key discovered in cleartext. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Credentials Exposure | Compute Engine Instance With Cleartext Jenkins Password | Jenkins password discovered in cleartext. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Credentials Exposure | Compute Engine Instance With Cleartext MySQL Password | MySQL password discovered in cleartext. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Credentials Exposure | Compute Engine Instance With Cleartext NewRelic Key | NewRelic key discovered in cleartext. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Credentials Exposure | Compute Engine Instance With Cleartext OAuth Key | OAuth key discovered in cleartext. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Credentials Exposure | Compute Engine Instance With Cleartext Postgres Password | Postgres password discovered in cleartext. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Credentials Exposure | Compute Engine Instance With Cleartext RabbitMQ Password | RabbitMQ password discovered in cleartext. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Credentials Exposure | Compute Engine Instance With Cleartext Salesforce Credentials | Salesforce credentials discovered in cleartext. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Credentials Exposure | Compute Engine Instance With Cleartext Segment Token | Segment token discovered in cleartext. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Credentials Exposure | Compute Engine Instance With Cleartext SMTP Password | SMTP password discovered in cleartext. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Credentials Exposure | Compute Engine Instance With Cleartext Vero Secret | Vero secret discovered in cleartext. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Credentials Exposure | Compute Engine Instance With Sensitive Generic Secret | Sensitive generic secret found in cleartext. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Credentials Exposure | Compute Engine Instance With Sensitive Generic Secret In Metadata | Sensitive generic secret found in instance metadata. | An attacker can use the exposed credentials to access unauthorized resources while bypassing existing security controls. |
    | Identity & Access Management | IAM principal with set IAM policy permission on compute instances | A GCP identity with permission to set the IAM policy of compute instances. | An attacker with setIamPolicy on a compute instance can modify the instance's IAM policy and grant themselves additional privileges at the resource level. If the permission is granted at the project level, the attacker can change the policies of all instances in the project. The impact ranges from full access to a specific instance to full administrative access to the project. |
    | Insecure Configurations | Compute Engine Instance With Interactive Serial Console Enabled | The VM's interactive serial console is enabled; the serial console does not support IP-based access restrictions. | An attacker can attempt to connect to the instance's serial console from any IP address. |
    | Insecure Configurations | Compute Engine Instance With IP Forwarding Enabled | A VM instance configured with IP forwarding enabled. | An attacker can send and receive packets whose source or destination address is not the instance's own, for example to spoof or relay traffic inside the VPC. |
    | Insecure Configurations | Compute Engine Instance With Project Wide SSH Keys | A VM instance configured to accept project-wide SSH keys. | An attacker can attempt to connect to the instance with any SSH key configured at the project level. |
    | Insecure Configurations | Unused Compute Engine Disk | A disk that is not attached to any instance. | An attacker with access to the unused disk can read its contents, leading to data exposure. |
    | Unsupported Software | Deprecated Compute Engine Image | | |
    | Unsupported Software | Compute Engine Instance With Deprecated Image | An instance created from a deprecated image. | An attacker can exploit vulnerabilities in the deprecated image, on this instance and on any new instance created from it. |
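The configuration rows above (IP forwarding, serial console, project-wide SSH keys) and the cleartext-credential rows can all be read off a single instance document, because startup scripts and other secrets live in `metadata.items`. The Python below is an added example of doing that offline, not Panoptica's code. Input is the shape returned by `gcloud compute instances describe --format=json` (`canIpForward`, `metadata.items` and the metadata keys `serial-port-enable`, `block-project-ssh-keys`, `enable-oslogin` and `startup-script` are real). The secret patterns are an assumed, deliberately small set (database, broker and mail connection strings plus `NAME=value` assignments), the entropy threshold is a tuning choice, and both instances are constructed.

```python
"""Audit a Compute Engine instance for the insecure-configuration and
cleartext-credential rows in the table above.

Added example, not Panoptica's code. The two instances and the secret
patterns are constructed/assumed.
"""
import math
import re

# user:password@ inside a database/broker/mail connection string
CONN_STRING = re.compile(r"(?i)\b(postgres(?:ql)?|mysql|amqp|smtps?)://([^:/\s]+):([^@\s]+)@")
# NAME=value where NAME ends in password/secret/token/key; the lookbehind keeps
# CLI flags such as --secret=name from matching.
ASSIGNMENT = re.compile(
    r"(?i)(?<![\w-])([A-Z0-9_]*(?:password|passwd|secret|token|api[_-]?key))\b"
    r"\s*[=:]\s*['\"]?([^'\"\s]{8,})")
PLACEHOLDERS = {"changeme", "password", "<redacted>", "xxxxxxxx"}


def shannon_entropy(value: str) -> float:
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def redact(value: str) -> str:
    return value[:3] + "*" * (len(value) - 3)


def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (description, redacted value) for each credential found in text."""
    hits = []
    for m in CONN_STRING.finditer(text):
        hits.append((f"{m.group(1).lower()} password for user {m.group(2)}", redact(m.group(3))))
    for m in ASSIGNMENT.finditer(text):
        name, value = m.group(1), m.group(2)
        # A value fetched at boot ($(gcloud secrets ...), ${VAR}) is the right
        # pattern, not a cleartext secret; skip it along with obvious placeholders
        # and low-entropy strings such as "aaaaaaaa".
        if value.startswith(("$(", "${")) or value.lower() in PLACEHOLDERS:
            continue
        if shannon_entropy(value) < 2.5:
            continue
        hits.append((f"generic secret in {name}", redact(value)))
    return hits


def metadata_dict(instance: dict) -> dict[str, str]:
    return {i["key"]: i.get("value", "") for i in instance.get("metadata", {}).get("items", [])}


def audit_instance(instance: dict) -> list[str]:
    md = metadata_dict(instance)
    findings = []
    if instance.get("canIpForward"):
        findings.append("ip-forwarding: instance can send/receive packets for other addresses")
    if md.get("serial-port-enable", "").lower() in ("1", "true"):
        findings.append("serial-console: interactive serial console enabled (no IP restriction possible)")
    # Project-wide SSH keys apply unless blocked, or unless OS Login replaces metadata keys.
    if md.get("block-project-ssh-keys", "").lower() != "true" and md.get("enable-oslogin", "").lower() != "true":
        findings.append("project-ssh-keys: instance accepts project-wide SSH keys")
    for key, value in md.items():
        for what, shown in find_secrets(value):
            findings.append(f"cleartext-credential: {what} in metadata key '{key}' ({shown})")
    return findings


# Constructed samples: a legacy instance with every finding, and a hardened one
# that reads its secrets from Secret Manager at boot.
SAMPLE_LEGACY = {
    "name": "web-legacy", "canIpForward": True,
    "metadata": {"items": [
        {"key": "serial-port-enable", "value": "1"},
        {"key": "startup-script", "value": (
            "#!/bin/bash\n"
            "export DATABASE_URL=postgres://app:pr0d-Sup3r-S3cret!@10.0.0.5/app\n"
            "API_TOKEN=$(gcloud secrets versions access latest --secret=api-token)\n"
            "SMTP_PASSWORD=\"m4il-R3lay-P4ss\"\n")},
    ]},
}
SAMPLE_HARDENED = {
    "name": "web-hardened", "canIpForward": False,
    "metadata": {"items": [
        {"key": "block-project-ssh-keys", "value": "true"},
        {"key": "enable-oslogin", "value": "TRUE"},
        {"key": "startup-script", "value": (
            "#!/bin/bash\n"
            "DB_PASSWORD=$(gcloud secrets versions access latest --secret=db-password)\n")},
    ]},
}

if __name__ == "__main__":
    for inst in (SAMPLE_LEGACY, SAMPLE_HARDENED):
        print(inst["name"], audit_instance(inst))
```

The `API_TOKEN=$(gcloud secrets ...)` line in the legacy script is deliberately left unflagged: fetching the value at boot is the remediation for the credential rows, and a scanner that flags it would train people to ignore its output.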
    Dataproc

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Insecure Configurations | API access to all Google Cloud services in same project is allowed | A Dataproc cluster configured to allow API access to all Google Cloud services in the same project. | An attacker with access to a cluster VM can call Google Cloud services without scope limitation, potentially exploiting various services. |
    | Insecure Configurations | Dataproc Cluster Without Customer Managed Encryption Key (CMEK) | A Dataproc cluster configured without CMEK. | CMEK provides more administrative control: administrators can rotate, manage access to, and disable or destroy the key used to protect data at rest. |
    | Public Exposure | Public Dataproc Cluster | A public Dataproc cluster. | An attacker can reach the Dataproc instances from the internet. |
    | Unsupported Software | Dataproc Cluster With Unsupported Image Version | A Dataproc cluster with an unsupported image version. | An attacker can exploit known, unpatched vulnerabilities in unsupported images. |
    Function

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Identity & Access Management | Compute Engine Instance Default Service Account With Owner Role | The Compute Engine default service account has owner permissions on the project. | An attacker with access to a Compute Engine instance that runs as the default service account has full access to the project. |
    | Identity & Access Management | Compute Instance Default Service Account With Editor Role | The Compute Engine default service account has editor permissions on the project. | An attacker with access to a Compute Engine instance that runs as the default service account can perform unauthorized actions in your project. |
    | Identity & Access Management | Service Account With Editor Role | A service account with editor permissions on the project. | An attacker with access to the service account can perform most actions in the project. |
    | Identity & Access Management | Service Account With Owner Role | A service account with owner permissions on the project. | An attacker with access to the service account can perform any action in the project. |
    | Identity & Access Management | User With Editor Role | A user with editor permissions on the project. | An attacker with access to the user account can perform most actions in the project. |
    | Identity & Access Management | User With Owner Role | A user with owner permissions on the project. | An attacker with access to the user account can perform any action in the project. |
    | Insecure Configurations | Cloud Function With HTTP Only (not HTTPS) | A GCP function with an HTTP trigger that does not require HTTPS. OWASP A6:2017 Security Misconfiguration. | An attacker who can observe or tamper with the unencrypted HTTP traffic can invoke the function, gain the function's permissions and compromise your environment. |
    | Public Exposure | Cloud Function Allows Anonymous Access | The function allows access by anonymous users. OWASP A2:2017 Broken Authentication. | An anonymous attacker can run actions against the function and might damage internal services or expose sensitive data. |
    | Public Exposure | Cloud Function Can Be Invoked By Anonymous Users | The function can be invoked by anonymous users. OWASP A6:2017 Security Misconfiguration. | An anonymous attacker can invoke the function and might damage internal services or expose sensitive data. |
    | Unsupported Software | GCP Function With Deprecated Runtime | A GCP function with a deprecated runtime. OWASP A6:2017 Security Misconfiguration. | An attacker can exploit known, unpatched vulnerabilities in the function's runtime. |
    GKE (Google Kubernetes Engine)

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Insecure Configurations | GKE Cluster is Alpha | A GKE alpha cluster. OWASP K09:2022 Misconfigured Cluster Components. | Alpha clusters are short-lived clusters that run stable Kubernetes releases with all Kubernetes APIs and features enabled, including alpha ones. They have a limited lifetime and do not receive security updates. |
    | Insecure Configurations | GKE Cluster With Application Layer Secrets Encryption Disabled | A GKE cluster with application-layer secrets encryption disabled. OWASP K08:2022 Secrets Management Failures. | An attacker who obtains an offline copy of etcd, where Kubernetes Secrets are stored, can read the secrets directly; application-layer encryption would additionally envelope-encrypt them with a Cloud KMS key. |
    | Insecure Configurations | GKE Cluster With Client Certificate | A GKE cluster that issues a client certificate. OWASP K06:2022 Broken Authentication Mechanisms. | An attacker who obtains the base64-encoded client certificate and key can authenticate to the cluster endpoint. Client certificates do not rotate automatically and are difficult to revoke. |
    | Insecure Configurations | GKE Cluster With 'Cloud Logging' Option Disabled | A GKE cluster with the "Cloud Logging" option disabled. OWASP K05:2022 Inadequate Logging and Monitoring. | Cloud Logging provides audit and diagnostic logs for the cluster. Collecting them is critical: without logs, attacks go unnoticed and troubleshooting is significantly slower. |
    | Insecure Configurations | GKE Cluster With 'Control plane authorized networks' Option Disabled | A GKE cluster with the "Control plane authorized networks" option disabled. OWASP K07:2022 Missing Network Segmentation Controls. | An attacker can reach the cluster's control plane endpoint over HTTPS from any IP address and attempt to authenticate to or exploit it. |
    | Insecure Configurations | GKE Cluster With Default Service Account Attached To Node Pool | A GKE cluster with the default service account attached to a node pool. OWASP K09:2022 Misconfigured Cluster Components. | By default, nodes run as the Compute Engine default service account, which has more permissions than a GKE cluster needs. An attacker who compromises a node can use those permissions to compromise your environment. |
    | Insecure Configurations | GKE Cluster With 'Legacy authorization' Option Enabled | A GKE cluster with "Legacy authorization" (ABAC) enabled. OWASP K06:2022 Broken Authentication Mechanisms. | ABAC is disabled by default for clusters created with GKE version 1.8 and later, because RBAC has significant security advantages over ABAC. |
    | Insecure Configurations | GKE Cluster With Network Policy Disabled | A GKE cluster with network policy disabled. OWASP K07:2022 Missing Network Segmentation Controls. | An attacker who compromises one pod can reach any other pod in the cluster without network restrictions. Network policy creates pod-level firewall rules that determine which pods and services can access one another inside the cluster. |
    | Insecure Configurations | GKE Cluster With Shielded Nodes Disabled | A GKE cluster with shielded nodes disabled. OWASP K09:2022 Misconfigured Cluster Components. | An attacker can exploit a vulnerability in a pod to exfiltrate node bootstrap credentials and impersonate nodes in the cluster, gaining access to cluster secrets. |
    | Insecure Configurations | GKE Cluster Without Automatic Node Upgrade | A GKE cluster with automatic node upgrade disabled. OWASP K09:2022 Misconfigured Cluster Components. | Node auto-upgrade keeps the nodes in your cluster up to date with the control plane version when the control plane is upgraded on your behalf. Without it, nodes keep running older versions with known vulnerabilities. |
    | Insecure Configurations | GKE Cluster With 'secure boot' Option Disabled | A GKE cluster with the 'secure boot' option disabled. OWASP K09:2022 Misconfigured Cluster Components. | Secure boot helps protect nodes against boot-level and kernel-level malware and rootkits. |
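Every row in the GKE table corresponds to a field in the cluster resource, but two of them need care: `legacyAbac` is simply absent when ABAC is off, and a cluster on GKE Dataplane V2 enforces NetworkPolicy without `networkPolicy.enabled` ever being set. The Python below is an added example of evaluating all eleven rows against one cluster document, not Panoptica's code. It runs offline on the JSON that `gcloud container clusters describe --format=json` returns (the field names are the real ones); the two clusters are constructed.

```python
"""Evaluate a GKE cluster document against the eleven rows in the table above.

Added example, not Panoptica's code. The two clusters are constructed.
"""


def gke_cluster_findings(cluster: dict) -> list[str]:
    f = []
    if cluster.get("enableKubernetesAlpha"):
        f.append("alpha cluster")

    # Application-layer secrets encryption: Secrets in etcd are only envelope-
    # encrypted with a Cloud KMS key when state is ENCRYPTED.
    if cluster.get("databaseEncryption", {}).get("state") != "ENCRYPTED":
        f.append("application-layer secrets encryption disabled")

    auth = cluster.get("masterAuth", {})
    if auth.get("clientCertificate") or auth.get("clientCertificateConfig", {}).get("issueClientCertificate"):
        f.append("client certificate issued")

    # Older clusters expose loggingService; newer ones loggingConfig.componentConfig.
    components = cluster.get("loggingConfig", {}).get("componentConfig", {}).get("enableComponents")
    if cluster.get("loggingService") == "none" or components == []:
        f.append("Cloud Logging disabled")

    if not cluster.get("masterAuthorizedNetworksConfig", {}).get("enabled"):
        f.append("control plane authorized networks disabled")

    # legacyAbac is absent (or empty) when ABAC is off; only an explicit true counts.
    if cluster.get("legacyAbac", {}).get("enabled"):
        f.append("legacy authorization (ABAC) enabled")

    # Dataplane V2 enforces NetworkPolicy itself, so networkPolicy.enabled is not
    # required there; the finding applies only to the legacy dataplane.
    dataplane_v2 = cluster.get("networkConfig", {}).get("datapathProvider") == "ADVANCED_DATAPATH"
    if not dataplane_v2 and not cluster.get("networkPolicy", {}).get("enabled"):
        f.append("network policy disabled")

    if not cluster.get("shieldedNodes", {}).get("enabled"):
        f.append("shielded nodes disabled")

    for pool in cluster.get("nodePools", []):
        name, cfg = pool.get("name", "?"), pool.get("config", {})
        # An omitted serviceAccount means the Compute Engine default account.
        if cfg.get("serviceAccount", "default") == "default":
            f.append(f"node pool {name}: Compute Engine default service account")
        if not pool.get("management", {}).get("autoUpgrade"):
            f.append(f"node pool {name}: automatic node upgrade disabled")
        if not cfg.get("shieldedInstanceConfig", {}).get("enableSecureBoot"):
            f.append(f"node pool {name}: secure boot disabled")
    return f


# Constructed samples: one cluster that trips every row, one hardened cluster
# on Dataplane V2 with a dedicated node service account.
SAMPLE_LEGACY = {
    "name": "legacy-1", "enableKubernetesAlpha": True,
    "databaseEncryption": {"state": "DECRYPTED"},
    "masterAuth": {"clientCertificateConfig": {"issueClientCertificate": True},
                   "clientCertificate": "LS0tLS1CRUdJTi4uLg=="},
    "loggingService": "none",
    "masterAuthorizedNetworksConfig": {"enabled": False},
    "legacyAbac": {"enabled": True},
    "networkPolicy": {"enabled": False},
    "shieldedNodes": {"enabled": False},
    "nodePools": [{"name": "default-pool",
                   "config": {"serviceAccount": "default",
                              "shieldedInstanceConfig": {"enableSecureBoot": False}},
                   "management": {"autoUpgrade": False}}],
}
SAMPLE_HARDENED = {
    "name": "prod-1",
    "databaseEncryption": {"state": "ENCRYPTED",
                           "keyName": "projects/p/locations/us-central1/keyRings/r/cryptoKeys/k"},
    "masterAuth": {"clientCertificateConfig": {"issueClientCertificate": False}},
    "loggingService": "logging.googleapis.com/kubernetes",
    "masterAuthorizedNetworksConfig": {"enabled": True, "cidrBlocks": [{"cidrBlock": "203.0.113.0/24"}]},
    "networkConfig": {"datapathProvider": "ADVANCED_DATAPATH"},
    "shieldedNodes": {"enabled": True},
    "nodePools": [{"name": "pool-a",
                   "config": {"serviceAccount": "gke-nodes@p.iam.gserviceaccount.com",
                              "shieldedInstanceConfig": {"enableSecureBoot": True}},
                   "management": {"autoUpgrade": True}}],
}

if __name__ == "__main__":
    for c in (SAMPLE_LEGACY, SAMPLE_HARDENED):
        print(c["name"], gke_cluster_findings(c))
```

Three of the eleven rows are per node pool rather than per cluster (default service account, auto-upgrade, secure boot), which is why the function reports them with the pool name: a cluster can have one compliant pool and one that is not.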
    KMS (Cloud Key Management)

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Neglected Resource | KMS Key With Rotation Period Bigger Than 90 Days | A KMS key with a rotation period longer than 90 days. | Key rotation limits the amount of data protected by a single key version and shortens the window in which a compromised key can be used by an attacker to access your encrypted resources. |
    | Public Exposure | Publicly Accessible KMS Key | A publicly accessible Cloud KMS key (the key's IAM policy binds a role to allUsers or allAuthenticatedUsers). | An attacker can access your KMS key and, depending on the role granted, may be able to use it to decrypt data and compromise it. |
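The "Publicly Accessible KMS Key" row here, the public rows for BigQuery, the unauthenticated-invocation rows for Cloud Run and Cloud Functions, and the cross-project rows for BigQuery and Bigtable all reduce to one question about an IAM policy: which members are bound, and who owns them. The Python below is an added example of answering it offline, not Panoptica's code. Its input is the JSON returned by the various `get-iam-policy` commands; BigQuery datasets expose an `access` list instead, so a small mapper converts it to the same binding shape (that mapping, and the heuristic that identifies Google-managed service agents by their `service-<number>@` local part, are assumptions of this example). All project ids, numbers and e-mail addresses are constructed.

```python
"""Flag public and cross-project principals in GCP IAM policies.

Added example, not Panoptica's code. Project ids, numbers and addresses
are constructed; the service-agent heuristic is an assumption.
"""
import re

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Binding these roles to allUsers is exactly the "unauthenticated invocation" finding.
INVOKER_ROLES = {"roles/run.invoker", "roles/cloudfunctions.invoker"}

SERVICE_AGENT = re.compile(r"^service-\d+@")
COMPUTE_DEFAULT = re.compile(r"^(\d+)-compute@developer\.gserviceaccount\.com$")
APPENGINE_DEFAULT = re.compile(r"^([a-z][-a-z0-9:.]*)@appspot\.gserviceaccount\.com$")
USER_MANAGED = re.compile(r"^[^@]+@([a-z][-a-z0-9]*)\.iam\.gserviceaccount\.com$")


def sa_home_project(email: str):
    """Project id or number that owns a service account, or None for Google-
    managed service agents (service-<number>@...), which are not customer
    principals and never count as cross-project access."""
    if SERVICE_AGENT.match(email):
        return None
    for rx in (COMPUTE_DEFAULT, APPENGINE_DEFAULT, USER_MANAGED):
        m = rx.match(email)
        if m:
            return m.group(1)
    return None


def dataset_access_to_bindings(access: list[dict]) -> list[dict]:
    """Map BigQuery dataset ACL entries onto IAM-style bindings (assumed mapping;
    groups, domains and authorized views are ignored here)."""
    bindings = []
    for entry in access:
        if entry.get("specialGroup") in PUBLIC_MEMBERS:
            member = entry["specialGroup"]
        elif "iamMember" in entry:
            member = entry["iamMember"]
        elif "userByEmail" in entry:
            email = entry["userByEmail"]
            kind = "serviceAccount" if email.endswith("gserviceaccount.com") else "user"
            member = f"{kind}:{email}"
        else:
            continue
        bindings.append({"role": f"bigquery:{entry['role']}", "members": [member]})
    return bindings


def audit_policy(resource: str, bindings: list[dict], own_project: set[str]) -> list[dict]:
    """own_project holds both the project id and the project number, since
    default service accounts embed one or the other. Conditional bindings are
    still reported: a condition narrows access, it does not remove it."""
    findings = []
    for b in bindings:
        for member in b.get("members", []):
            if member in PUBLIC_MEMBERS:
                kind = "unauthenticated invocation" if b["role"] in INVOKER_ROLES else "public access"
                findings.append({"resource": resource, "kind": kind, "member": member, "role": b["role"]})
            elif member.startswith("serviceAccount:"):
                home = sa_home_project(member.split(":", 1)[1])
                if home is not None and home not in own_project:
                    findings.append({"resource": resource, "kind": "cross-project access",
                                     "member": member, "role": b["role"]})
    return findings


# Constructed sample policies for a project whose id is analytics-prod and
# whose number is 123456789012.
OWN = {"analytics-prod", "123456789012"}
SAMPLE_POLICIES = {
    "run.googleapis.com/services/api-gw": [
        {"role": "roles/run.invoker", "members": ["allUsers"]},
        {"role": "roles/run.admin", "members": ["serviceAccount:deployer@analytics-prod.iam.gserviceaccount.com"]}],
    "cloudkms.googleapis.com/cryptoKeys/pii-key": [
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["allAuthenticatedUsers",
                     "serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}],
    "bigtable.googleapis.com/instances/events": [
        {"role": "roles/bigtable.reader",
         "members": ["serviceAccount:etl@partner-sandbox.iam.gserviceaccount.com",
                     "serviceAccount:service-123456789012@gcp-sa-pubsub.iam.gserviceaccount.com"]}],
}
SAMPLE_DATASET_ACCESS = [
    {"role": "OWNER", "specialGroup": "projectOwners"},
    {"role": "READER", "specialGroup": "allAuthenticatedUsers"},
    {"role": "READER", "userByEmail": "reporting@partner-sandbox.iam.gserviceaccount.com"},
    {"role": "WRITER", "userByEmail": "analyst@example.com"},
]


def run_samples() -> list[dict]:
    findings = []
    for resource, bindings in SAMPLE_POLICIES.items():
        findings += audit_policy(resource, bindings, OWN)
    findings += audit_policy("bigquery.googleapis.com/datasets/marketing",
                             dataset_access_to_bindings(SAMPLE_DATASET_ACCESS), OWN)
    return findings


if __name__ == "__main__":
    for f in run_samples():
        print(f"{f['kind']:26} {f['resource']}  {f['member']}  ({f['role']})")
```

The compute default service account and the Pub/Sub service agent in the samples are both bound to sensitive roles yet produce no finding: the first belongs to the project, the second to Google. A cross-project check that does not make that distinction drowns the real finding (the partner project's `etl@` account) in noise.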
    Memorystore

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Insecure Configurations | Memorystore AUTH is Disabled | With authentication (AUTH) disabled, the Memorystore instance accepts commands from anyone who can reach it on the network, leaving the data store exposed to unauthorized users and increasing the risk of data breaches and tampering. | An attacker who can reach the instance and knows that AUTH is disabled can gain unauthorized access to the data store, exfiltrate sensitive data, inject malicious content or disrupt the service without meeting any authentication barrier. |
    | Insecure Configurations | Memorystore Connection by Direct Peering | Direct Peering establishes a direct VPC peering connection between the customer's network and Google's managed project. This peering is not shared with other Google Cloud services and lacks the access controls and isolation offered by Private Service Access (PSA), potentially exposing the customer's network. | An attacker monitoring network traffic in a customer VPC that uses Direct Peering to connect to Memorystore for Redis could eavesdrop on sensitive data, such as Redis authentication credentials or cached data, leading to data exfiltration or unauthorized access. |
    | Insecure Configurations | Memorystore Encryption by Transit is Disabled | Disabling encryption in transit for Memorystore exposes data to interception and tampering, posing significant risks to data confidentiality and integrity. | An attacker monitoring network traffic between a client application and a Memorystore instance with in-transit encryption disabled could intercept sensitive session data, such as login credentials, and launch a man-in-the-middle attack, impersonating the client or the server and stealing or manipulating data. |
    | Insecure Configurations | Memorystore Encryption without CMEK | Without customer-managed encryption keys (CMEK), Memorystore data is encrypted only with the default Google-managed keys, so the customer lacks the control over rotation, access and disabling of the key that CMEK provides. | If the default Google-managed keys were compromised, an attacker could gain unauthorized access to the encrypted data, bypassing the additional controls that customer-managed keys would provide and leading to data exposure. |
    Network Firewall

    | Category | Risk Name | Description | Attack Scenario |
    |---|---|---|---|
    | Public Exposure | Firewall Rule Permits Connections From Any IP (0.0.0.0/0) | A Google Cloud Platform firewall rule configured to allow incoming connections from any IP address (source range 0.0.0.0/0). Such unrestricted access heightens the risk of unauthorized access and data breaches. Verify whether such broad access is necessary and, if not, restrict the rule to specific, trusted IP addresses or ranges. | An attacker might use this misconfiguration to reach assets within the GCP environment. |
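This row and the "Network Security Group With Open RDP Port (3389)" row in the Azure Virtual Network table are the same check on two rule formats, and in both a naive "is there an allow rule for 0.0.0.0/0" scan gets it wrong: both platforms evaluate rules in ascending priority order, so a higher-priority Deny closes the port even when a lower-priority Allow exists, and no matching rule at all means the implied inbound deny applies. The Python below is an added example of reproducing that evaluation, not Panoptica's code. Rules are read from documents shaped like `az network nsg show` (`securityRules[].properties`) and `gcloud compute firewall-rules list --format=json`; the property names are the real ones and the rule sets are constructed.

```python
"""Decide whether a port is reachable from the internet through an Azure NSG
or a set of GCP VPC firewall rules.

Added example, not Panoptica's code. The rule sets are constructed.
"""
from dataclasses import dataclass

ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}


@dataclass
class Rule:
    name: str
    priority: int
    allow: bool
    protocol: str          # "tcp", "udp", "icmp" or "all"
    ports: list[str]       # e.g. ["3389", "3000-4000"] or ["*"]


def port_in_ranges(port: int, ranges: list[str]) -> bool:
    for r in ranges:
        if r in ("*", "all"):
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def nsg_internet_rules(nsg: dict) -> list[Rule]:
    """Inbound NSG rules whose source covers the whole internet ('*', the
    'Internet' service tag or 0.0.0.0/0). Rules scoped to a CIDR or another
    service tag never decide internet exposure and are left out."""
    rules = []
    for rule in nsg["properties"]["securityRules"]:
        p = rule["properties"]
        if p["direction"] != "Inbound":
            continue
        sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "")]
        if not any(s.lower() in ANY_SOURCE for s in sources):
            continue
        ports = p.get("destinationPortRanges") or [p.get("destinationPortRange", "*")]
        proto = p["protocol"].lower()
        rules.append(Rule(rule["name"], p["priority"], p["access"] == "Allow",
                          "all" if proto == "*" else proto, ports))
    return rules


def gcp_internet_rules(firewalls: list[dict]) -> list[Rule]:
    """Enabled ingress VPC firewall rules with 0.0.0.0/0 among sourceRanges;
    a rule carries either an `allowed` or a `denied` list."""
    rules = []
    for fw in firewalls:
        if fw.get("direction", "INGRESS") != "INGRESS" or fw.get("disabled"):
            continue
        if not any(s in ANY_SOURCE for s in fw.get("sourceRanges", [])):
            continue
        for allow, key in ((True, "allowed"), (False, "denied")):
            for entry in fw.get(key, []):
                rules.append(Rule(fw["name"], fw.get("priority", 1000), allow,
                                  entry["IPProtocol"].lower(), entry.get("ports", ["*"])))
    return rules


def internet_exposure(rules: list[Rule], port: int, protocol: str = "tcp"):
    """Name of the rule that opens `port` to the internet, or None. The first
    matching rule by priority decides, so a Deny at 100 beats an Allow at 900,
    and no match at all means the implied inbound deny applies."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol in (protocol, "all") and port_in_ranges(port, r.ports):
            return r.name if r.allow else None
    return None


# Constructed samples. SAMPLE_NSG_FIXED is the same NSG after remediation: a Deny
# for the internet at higher priority, and RDP allowed only from a corporate range.
SAMPLE_NSG = {"name": "nsg-jumpbox", "properties": {"securityRules": [
    {"name": "allow-rdp-any", "properties": {"priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
    {"name": "allow-https", "properties": {"priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["443", "8443"]}},
]}}
SAMPLE_NSG_FIXED = {"name": "nsg-jumpbox", "properties": {"securityRules": [
    {"name": "deny-rdp-internet", "properties": {"priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"}},
    {"name": "allow-rdp-corp", "properties": {"priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"}},
] + SAMPLE_NSG["properties"]["securityRules"]}}
SAMPLE_FIREWALLS = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-db-internal", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "deny-rdp-internet", "direction": "INGRESS", "priority": 100,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-legacy-range", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-all-egress", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for label, rules in (("nsg", nsg_internet_rules(SAMPLE_NSG)),
                         ("nsg-fixed", nsg_internet_rules(SAMPLE_NSG_FIXED)),
                         ("gcp", gcp_internet_rules(SAMPLE_FIREWALLS))):
        print(label, {p: internet_exposure(rules, p) for p in (22, 443, 3389, 3500)})
```

The GCP sample shows the flip side of the same ordering: `allow-legacy-range` still exposes port 3500 to the internet even though the explicit Deny closed 3389, because the Deny is port-specific. When reviewing a finding, look at the whole ordered rule set, not only the rule that was flagged.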
    Project

    CategoryRisk NameDescriptionAttack Scenario
    Identity & Access ManagementCompute Engine Instance Default Service Account With Owner RoleCompute Engine default service account with owner permissions on the project.An attacker with access to a compute engine that is attached to the default service account will have full access to the project.
    Identity & Access ManagementCompute Instance Default Service Account With Editor RoleCompute Engine default service account with editor permissions on the project.An attacker with access to a compute engine that is attached to the default service account will be able to perform unauthorized actions in your project.
    Identity & Access ManagementGKE cronJobs permissionsGKE any cronJobs permission.An attacker can create, delete, get, list and update any cronJob.
    Identity & Access ManagementGKE daemonSets permissionsGKE any daemonSets permission.An attacker can create, delete, get, list and update any daemonSets.
    Identity & Access ManagementGKE deployments permissionsGKE any deployments permission.An attacker can create, delete, get, list and update any deployments.
    Identity & Access ManagementGKE job permissionsGKE any jobs permission.An attacker can create, delete, get, list and update any job.
    Identity & Access ManagementGKE permissions to create any resourceGKE permissions to create any resource.An attacker can create any resource in the cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to create cluster role bindingGKE permissions to create cluster role bindings.An attacker can bind themselves or another principal to a powerful cluster role, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to create cronjobsGKE permissions to create cronjobs.An attacker can create cronjobs containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to create daemonsetsGKE permissions to create daemonsets.An attacker can create daemonsets containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to create deploymentsGKE permissions to create deployments.An attacker can create a deployment with malicious components leading to cluster compromise.
    Identity & Access ManagementGKE permissions to create ingressesGKE permissions to create ingresses.An attacker can create risky ingresses, exposing internal services and leading to cluster compromise.
    Identity & Access ManagementGKE permissions to create jobsGKE permissions to create jobs.An attacker can create jobs containing malicious code executed within a cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to create podsGKE permissions to create pods.An attacker can create pods containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to create replicasetsGKE permissions to create replicasets.An attacker can create replicasets containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to create replication controllersGKE permissions to create replication controllers.An attacker can create replication controllers containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to create role bindingGKE permissions to create role bindings.An attacker can create roles binded to a risky role, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to create statefulsetsGKE permissions to create statefulsets.An attacker can create statefulsets containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to delete any resourceGKE permissions to delete any resource.An attacker can delete any resource in the cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to get any resourceGKE permissions to get any resource.An attacker can delete any resource in the cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to list any resourceGKE permissions to list any resource.An attacker can list any resource in the cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to update cronjobsGKE permissions to update cronjobs.An attacker can update cronjobs to contain containers that execute malicious code within a cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to update daemonsetsGKE permissions to update daemonsets.An attacker can update daemonsets to contain containers that execute malicious code within a cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to update deploymentsGKE permissions to update deployments.An attacker can update a deployment to contain malicious components leading to cluster compromise.
    Identity & Access ManagementGKE permissions to update ingressesGKE permissions to update ingresses.An attacker can update ingresses to expose internal services, which can lead to cluster compromise.
    Identity & Access ManagementGKE permissions to update jobsGKE permissions to update jobs.An attacker can update cronjobs to contain containers that execute malicious code within a cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to update replicasetsGKE permissions to update replicasets.An attacker can update replicasets to contain containers that execute malicious code within a cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to update replication controllersGKE permissions to update replication controllers.An attacker can update replication controllers containing containers that execute malicious code within a cluster, leading to cluster compromise.
    Identity & Access ManagementGKE permissions to update statefulsetsGKE permissions to update statefulsets.An attacker can update a statefulset to contain malicious components leading to cluster compromise.
    Identity & Access ManagementGKE pods permissionsGKE any pods permission.An attacker can create, delete, get, list and update any pod.
    Identity & Access ManagementGKE replicaSets permissionsGKE any replicasets permission.An attacker can create, delete, get, list and update any replicasets.
    Identity & Access ManagementGKE replicationControllers permissionsGKE any replicationControllers permission.An attacker can create, delete, get, list and update any replicationController.
    Identity & Access ManagementGKE secrets permissionsGKE any secrets permission.An attacker can create, delete, get, list and update any secret.
    Identity & Access ManagementGKE statefulSets permissionsGKE statefulSets permissions.An attacker can create, delete, get, list and update any statefulSet.
    Identity & Access ManagementIAM principal with set IAM policy permission on compute instancesA GCP Identity with permissions to set an IAM policy for compute instances.An attacker with the setIamPolicy on a compute instance will be able to modify the IAM policy of the instance, granting himself additional privileges at the resource level. If this permission is given at the project level, the attacker will be able to change all the project instances' policies. This method could range from full access to a specific instance to full administrator access to the project.
    Identity & Access ManagementIAM principal with set IAM policy permission on service accountsA GCP Identity with permissions to set an IAM policy for service accounts.An attacker with the setIamPolicy on a service account will be able to modify the IAM policy of the resource, granting himself additional privileges at the resource level. If this permission is given at the project level, the attacker will be able to change all the project service accounts' policies and give himself access to the strongest ones. This method could range from full access to a specific resource to full administrator access to the project depending on the permissions of the service account.
    Identity & Access ManagementIAM principal with set IAM policy permission on storage bucketsA GCP Identity with permissions to set an IAM policy for storage buckets.An attacker with the setIamPolicy on a storage bucket will be able to modify the IAM policy of the bucket, granting himself additional privileges at the resource level. If this permission is given at the project level, the attacker will be able to change all the project buckets' policies. This method could range from full access to a specific bucket to full storage access to the project.
    Identity & Access ManagementIAM with Create cloud function with service account permissionA GCP identity with permissions to create and call a cloud function with an assigned service account.An attacker with the iam.serviceAccounts.actAs, cloudfunctions.functions.create, cloudfunctions.functions.sourceCodeSet and cloudfunctions.functions.call permissions will be able to create a new cloud function with a specified service account. The function, when invoked, can access the metadata API and return the associated service account's access token. This method could range from no privilege escalation to full access to the project, depending on the service account's permissions.
    Identity & Access ManagementIAM with Create cloud scheduler with service account permissionA GCP identity with permissions to create a cloud scheduler job.An attacker with the iam.serviceAccounts.actAs and cloudscheduler.jobs.create permissions will be able to create jobs that send requests to *.googleapis.com endpoints. These requests can be authenticated as a specific service account. To escalate privileges with this method, the attacker needs to create an HTTP request of the action he wants to perform.
    Identity & Access ManagementIAM with Create compute instance with service account permissionA GCP identity with permissions to create a new compute instance with a specified service account.An attacker with the iam.serviceAccounts.actAs and with permissions to create a new instance will be able to create an instance with a specified service account and get its access token. This method could range from no privilege escalation to full access to the project, depending on the service account's permissions.
    Identity & Access ManagementIAM with Create Deployments permissionA GCP Identity with permissions to create a deployment in the deployment manager service.An attacker with the deploymentmanager.deployments.create permission can gain the Editor role permissions on the project. This permission lets you launch new deployments of resources into GCP as the PROJECT-NUMBER@ cloudservices.gserviceaccount.com service account, which, by default, is granted the Editor role on the project.
    Identity & Access ManagementIAM with Create service account key permissionA GCP Identity with permissions to create a service account key.An attacker with the iam.serviceAccountKeys.create permission can create a user-managed key for a Service Account that will allow him to access GCP as that Service Account. This method could range from no privilege escalation to full access to the project, depending on the service account's permissions.
    Identity & Access ManagementIAM with Create service usage API key permissionA GCP identity with permissions to create API keys.An attacker with the serviceusage.apiKeys.create permission will be able to create an API key, that is unrestricted by default, and use it to authenticate with GCP's APIs. By that, he can gain access to the entire GCP project.
    Identity & Access ManagementIAM with Create storage HMAC keys permissionA GCP identity with permission to create HMAC keys.An attacker with the storage.hmacKeys.create permission will be able to create an hmac key for a specified service account, and use it for authentication. Depending on the service account's permissions, this method could range from no privilege escalation to full storage access.
    Identity & Access ManagementIAM with Get service account access token permissionA GCP Identity with permissions to get a service account's access tokenAn attack with the iam.serviceAccounts.getAccessToken permission will be able to get an access token that belongs to a specified service account and gain its permissions. Depending on the service account's permissions, this method could range from no privilege escalation to full administrator access to the account.
    Identity & Access ManagementIAM with List service usage API keys permissionA GCP identity with permissions to get an existing API key.An attacker with the serviceusage.apiKeys.list and apikeys.keys.getKeyString permissions will be able to get all the API keys in the project. If there is an unrestricted key, the attacker will gain full access to the project.
    Identity & Access ManagementIAM with Set IAM policy permission on the projectA GCP Identity with permissions to set an IAM policy for the project.An attacker with the setIamPolicy on a project will be able to modify the IAM policy of the resource, granting himself additional privileges. This method could lead to full administrator access to the project.
    Identity & Access ManagementIAM with Sign service account blob permissionA GCP Identity with permission to sign a blob.An attack with the iam.serviceAccounts.signBlob permission will be able to create a signed blob that requests an access token from a specified service account. Depending on the service account's permissions, this method could range from no privilege escalation to full administrator access to the account.
    Identity & Access ManagementIAM with Sign service account JWT permissionA GCP Identity with permission to sign a JWT (JSON web token).An attack with the iam.serviceAccounts.signJwt permission will be able to sign and request an access token of a specified service account. Depending on the service account's permissions, this method could range from no privilege escalation to full administrator access to the account.
    Identity & Access ManagementIAM with Update cloud function with service account permissionA GCP identity with permissions to update an existing cloud function and its assigned service account.An attacker with the iam.serviceAccounts.actAs, cloudfunctions.functions.update and cloudfunctions.functions.sourceCodeSet permissions will be able to update an existing cloud function and even switch its service account to a function that accesses the metadata API and retrieves the associated service account's access token. This method could range from no privilege escalation to full access to the project, depending on the service account's permissions.
    Identity & Access ManagementIAM with Update IAM Role permissionA GCP Identity with permissions to update an IAM role.An attacker with the iam.role.update permission and a custom role assigned will be able to add permissions to the role, and by that gain more privileges or even full privileges on the project.
    Identity & Access ManagementService Account With Editor RoleService Account with editor permissions on the project.An attacker with access to the service account will be able to perform most of the actions in the project.
    Identity & Access ManagementService Account With Owner RoleService Account with owner permissions on the project.An attacker with access to the service account will be able to perform any action in the project.
    Identity & Access ManagementUser With Editor RoleUser with editor permissions on the project.An attacker with access to the user will be able to perform most of the actions in the project.
    Identity & Access ManagementUser With Owner RoleUser with owner permissions on the project.An attacker with access to the user will be able to perform any action in the project.
    Insecure ConfigurationsProject With Interactive Serial Console EnabledProject VM interactive serial console is enabled and does not support IP-based access restrictions.Attacker can attempt to connect to the instance's serial console from any IP address.
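The GKE rows above all reduce to a small set of RBAC grants: create/update on workload resources, create on role bindings, read access to secrets, or a wildcard. The script below is an added example (not Panoptica code) that finds those grants in Role and ClusterRole objects as `kubectl get clusterroles -o json` returns them; the manifests at the bottom are constructed, and the reason strings are this example's own summaries of the catalog rows.

```python
"""Added example (not Panoptica code): flag Role/ClusterRole rules that grant the
RBAC permissions catalogued above. The manifests at the bottom are constructed."""
from dataclasses import dataclass

WORKLOADS = ("pods", "deployments", "daemonsets", "statefulsets", "replicasets",
             "replicationcontrollers", "jobs", "cronjobs")
MUTATING = ("create", "update", "patch")
ALL_VERBS = ("get", "list", "watch", "create", "update", "patch", "delete")

# (resource, verb) -> why it matters; mirrors the catalog rows above.
RISKY = {}
for _r in WORKLOADS:
    for _v in MUTATING:
        RISKY[(_r, _v)] = "attacker-controlled containers run in the cluster"
for _v in MUTATING:
    RISKY[("ingresses", _v)] = "internal services can be exposed"
for _r in ("rolebindings", "clusterrolebindings"):
    RISKY[(_r, "create")] = "principal can bind itself to a privileged role"
for _v in ("get", "list", "watch"):
    RISKY[("secrets", _v)] = "credentials and tokens can be read"


@dataclass(frozen=True, order=True)
class Finding:
    role: str
    resource: str
    verb: str
    reason: str


def audit_role(role: dict) -> list:
    """Return the risky (resource, verb) grants in one Role/ClusterRole, sorted.
    A '*' verb expands to every verb; a '*' resource is reported on its own as
    '<verb> any resource', the most severe form of each row above."""
    name = role["metadata"]["name"]
    found = set()
    for rule in role.get("rules", []):
        resources = rule.get("resources", [])
        verbs = ALL_VERBS if "*" in rule.get("verbs", []) else rule.get("verbs", [])
        if "*" in resources:
            for verb in verbs:
                found.add(Finding(name, "*", verb, f"{verb} any resource in the cluster"))
            continue
        for res in resources:
            for verb in verbs:
                reason = RISKY.get((res, verb))
                if reason:
                    found.add(Finding(name, res, verb, reason))
    return sorted(found)


def audit_roles(roles) -> list:
    return [f for role in roles for f in audit_role(role)]


# Constructed manifests, trimmed to the fields the audit reads.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "create", "update"]}]},
    {"kind": "Role", "metadata": {"name": "config-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps", "secrets"],
                "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "break-glass"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
]

if __name__ == "__main__":
    for f in audit_roles(SAMPLE_ROLES):
        print(f"{f.role}: {f.verb} {f.resource} -> {f.reason}")
```

Note that `pod-viewer` produces nothing: read access to pods is not in the catalog, while the same verbs on `secrets` are, because a list or get of Secrets returns the secret data itself. Subresources such as `pods/exec` are not matched by this table and would need their own entries.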
    Pub/Sub

    Category | Risk Name | Description | Attack Scenario
    --- | --- | --- | ---
    Identity & Access Management | Compute Engine Instance Default Service Account With Owner Role | Compute Engine default service account with Owner permissions on the project. | An attacker with access to a Compute Engine instance that runs as the default service account has full access to the project.
    Identity & Access Management | Compute Instance Default Service Account With Editor Role | Compute Engine default service account with Editor permissions on the project. | An attacker with access to a Compute Engine instance that runs as the default service account can perform unauthorized actions across the project.
    Identity & Access Management | Service Account With Editor Role | Service account with Editor permissions on the project. | An attacker with access to the service account can perform most actions in the project.
    Identity & Access Management | Service Account With Owner Role | Service account with Owner permissions on the project. | An attacker with access to the service account can perform any action in the project.
    Identity & Access Management | User With Editor Role | User with Editor permissions on the project. | An attacker with access to the user can perform most actions in the project.
    Identity & Access Management | User With Owner Role | User with Owner permissions on the project. | An attacker with access to the user can perform any action in the project.
    Insecure Configurations | Pub/Sub Topic Without Customer Managed Encryption Key (CMEK) | Pub/Sub topic without a customer-managed encryption key (CMEK). | Without a customer-managed key, message data is protected only by Google-managed keys: you cannot control the key's rotation, audit its use, or disable it to cut off access to the data.
    IAM (Identity and Access Management)

    Category | Risk Name | Description | Attack Scenario
    --- | --- | --- | ---
    Identity & Access Management | IAM principal with set IAM policy permission on service accounts | A GCP identity with permission to set the IAM policy of service accounts. | An attacker with the setIamPolicy permission on a service account can modify the service account's IAM policy and grant themselves additional privileges at the resource level. If the permission is held at the project level, the attacker can change the policy of every service account in the project and give themselves access to the most privileged ones. The outcome ranges from full access to a single service account to full administrator access to the project, depending on the service account's permissions.
    Identity & Access Management | IAM with Create service account key permission | A GCP identity with permission to create a service account key. | An attacker with the iam.serviceAccountKeys.create permission can create a user-managed key for a service account and use it to authenticate to GCP as that service account. The outcome ranges from no privilege escalation to full access to the project, depending on the service account's permissions.
    Identity & Access Management | IAM with Get service account access token permission | A GCP identity with permission to get a service account's access token. | An attacker with the iam.serviceAccounts.getAccessToken permission can obtain an access token for a chosen service account and gain its permissions. Depending on the service account's permissions, the outcome ranges from no privilege escalation to full administrator access to the account.
    Identity & Access Management | IAM with Sign service account blob permission | A GCP identity with permission to sign a blob as a service account. | An attacker with the iam.serviceAccounts.signBlob permission can sign arbitrary data as a chosen service account, including a JWT assertion that is then exchanged for that service account's access token. Depending on the service account's permissions, the outcome ranges from no privilege escalation to full administrator access to the account.
    Identity & Access Management | IAM with Sign service account JWT permission | A GCP identity with permission to sign a JWT (JSON Web Token) as a service account. | An attacker with the iam.serviceAccounts.signJwt permission can have a JWT signed by a chosen service account and exchange it for that service account's access token. Depending on the service account's permissions, the outcome ranges from no privilege escalation to full administrator access to the account.
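Several of the IAM rows above are satisfied only by a combination of permissions (for example `iam.serviceAccounts.actAs` together with the Cloud Functions create, sourceCodeSet and call permissions), so a useful check has to union everything a principal holds across all of its roles before testing each path. The script below is an added example (not Panoptica code) that does this over a project IAM policy. The role-to-permission map is constructed and abbreviated (real role names, but only the permissions relevant here; a real audit would fill it from `gcloud iam roles describe`), the policy and principals are constructed, and the compute-instance path is keyed on `compute.instances.create`, which the catalog names only as "permissions to create a new instance".

```python
"""Added example (not Panoptica code): test every principal in a project IAM policy
for the escalation paths catalogued above. ROLE_PERMISSIONS is a constructed,
abbreviated role -> permission map; in a real audit fill it from
`gcloud iam roles describe <role>`. The policy is constructed too."""
from collections import defaultdict

# A path is open only when the principal holds ALL of the listed permissions.
ESCALATION_PATHS = {
    "create service account key": {"iam.serviceAccountKeys.create"},
    "get service account access token": {"iam.serviceAccounts.getAccessToken"},
    "sign service account blob": {"iam.serviceAccounts.signBlob"},
    "sign service account JWT": {"iam.serviceAccounts.signJwt"},
    "set IAM policy on project": {"resourcemanager.projects.setIamPolicy"},
    "set IAM policy on service accounts": {"iam.serviceAccounts.setIamPolicy"},
    "set IAM policy on compute instances": {"compute.instances.setIamPolicy"},
    "set IAM policy on storage buckets": {"storage.buckets.setIamPolicy"},
    "update IAM role": {"iam.roles.update"},
    "create Deployment Manager deployment": {"deploymentmanager.deployments.create"},
    "create API key": {"serviceusage.apiKeys.create"},
    "list and read API keys": {"serviceusage.apiKeys.list", "apikeys.keys.getKeyString"},
    "create storage HMAC key": {"storage.hmacKeys.create"},
    "create compute instance as service account": {
        "iam.serviceAccounts.actAs", "compute.instances.create"},
    "create cloud function as service account": {
        "iam.serviceAccounts.actAs", "cloudfunctions.functions.create",
        "cloudfunctions.functions.sourceCodeSet", "cloudfunctions.functions.call"},
    "update cloud function as service account": {
        "iam.serviceAccounts.actAs", "cloudfunctions.functions.update",
        "cloudfunctions.functions.sourceCodeSet"},
    "create cloud scheduler job as service account": {
        "iam.serviceAccounts.actAs", "cloudscheduler.jobs.create"},
}
BASIC_ROLES = {"roles/owner": "Owner role on project", "roles/editor": "Editor role on project"}


def effective_permissions(policy: dict, role_permissions: dict):
    """Union the permissions of every role bound to each member."""
    perms, roles = defaultdict(set), defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles[member].add(binding["role"])
            perms[member] |= set(role_permissions.get(binding["role"], ()))
    return perms, roles


def find_escalation_paths(policy: dict, role_permissions: dict) -> dict:
    """member -> list of catalog paths (and basic roles) that member can use."""
    perms, roles = effective_permissions(policy, role_permissions)
    report = {}
    for member in sorted(perms):
        hits = [BASIC_ROLES[r] for r in sorted(roles[member]) if r in BASIC_ROLES]
        hits += [name for name, needed in ESCALATION_PATHS.items() if needed <= perms[member]]
        if hits:
            report[member] = hits
    return report


# Constructed: real predefined-role names, but only the permissions relevant here.
ROLE_PERMISSIONS = {
    "roles/viewer": {"resourcemanager.projects.get"},
    "roles/iam.serviceAccountTokenCreator": {
        "iam.serviceAccounts.getAccessToken", "iam.serviceAccounts.signBlob",
        "iam.serviceAccounts.signJwt"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "projects/demo-project/roles/functionDeployer": {
        "cloudfunctions.functions.create", "cloudfunctions.functions.sourceCodeSet",
        "cloudfunctions.functions.call"},
}
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
    # The custom role alone is harmless (dave); combined with actAs it opens a path (bob).
    {"role": "projects/demo-project/roles/functionDeployer",
     "members": ["user:bob@example.com", "user:dave@example.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@example.com"]},
    {"role": "roles/viewer", "members": ["user:carol@example.com"]},
]}

if __name__ == "__main__":
    for member, paths in find_escalation_paths(SAMPLE_POLICY, ROLE_PERMISSIONS).items():
        print(member, "->", "; ".join(paths))
```

The bob/dave pair is the point of the example: the same custom role is flagged for one principal and not the other, because only bob also holds `roles/iam.serviceAccountUser`. Reviewing roles one binding at a time misses that.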
    Cloud SQL

    Category | Risk Name | Description | Attack Scenario
    --- | --- | --- | ---
    Insecure Configurations | Cloud PostgreSQL Instance Without 'point-in-time' Recovery | PostgreSQL instance without point-in-time recovery. | Point-in-time recovery lets you restore an instance to a specific moment. For example, if an error causes data loss, you can recover the database to its state before the error occurred.
    Insecure Configurations | Cloud SQL Instance Connection Logs Disabled | SQL instance without connection logging enabled. | The "log_connections" flag causes each attempted connection to the server to be logged, together with successful completion of client authentication (if required) and authorization. By default the option is "off", so an attacker can log in to the instance without leaving a trace.
    Insecure Configurations | Cloud SQL Instance Without Automatic Backup | SQL instance without an automatic backup configuration. | Backups protect your data from loss or damage.
    Insecure Configurations | Cloud SQL Instance Without SSL Encryption | SQL instance without SSL encryption configured. | Unencrypted connections are allowed to this instance.
    Insecure Configurations | GCP PostgreSQL Instance Flag 'cloudsql.allow_passwordless_local_connections' is On | Setting "cloudsql.allow_passwordless_local_connections" to 'on' enables local connections without a password. | An attacker who gains local access to the instance can connect as a database user without a password.
    Insecure Configurations | GCP PostgreSQL Instance Flag 'cloudsql.iam_authentication' is Off | With 'cloudsql.iam_authentication' off, the PostgreSQL instance relies solely on traditional database authentication, weakening its IAM integration. | An attacker who obtains database credentials can impersonate a user without the additional IAM authentication checks, leading to unauthorized data access, manipulation, or other malicious actions within the database.
    Insecure Configurations | GCP SQL Instance Flag 'check_proxy_users' is Off | With the 'check_proxy_users' flag off, proxy-user authorization is not enforced. | An attacker who obtains a proxy user's credentials can impersonate that proxy user without proper authentication checks, perform unauthorized actions, and access sensitive data.
    Insecure Configurations | GCP SQL Instance Flag 'default_password_lifetime' is set to 0 | Setting 'default_password_lifetime' to 0 disables password expiration, so unchanged passwords remain valid indefinitely. | An attacker who obtains a user's password can keep unauthorized access indefinitely, because the password never expires. This increases the likelihood of undetected and prolonged data breaches.
    Insecure Configurations | GCP SQL Instance Flag 'disconnect_on_expired_password' is Off | With 'disconnect_on_expired_password' off, users with expired passwords keep their access. | An attacker who obtains the credentials of a user with an expired password can continue to access the database, leading to unauthorized data manipulation, data theft, or other malicious actions.
    Insecure Configurations | GCP SQL Instance Flag 'local_infile' is On | With 'local_infile' on, clients can load local files into the database, increasing the risk of data exposure and unauthorized access. | An attacker with database access can use LOAD DATA LOCAL to load files from a system they control into the database.
    Insecure Configurations | GCP SQL Instance Flag 'mysql_native_password_proxy_users' is Off | This variable controls whether the mysql_native_password built-in authentication plugin supports proxy users. It has no effect unless the check_proxy_users system variable is enabled. | An attacker who gains access to a proxy user account that is not authorized can still connect to the account.
    Insecure Configurations | GCP SQL Instance Flag 'password_require_current' is Off | The "password_require_current" flag of the SQL instance is "off". | An attacker can change a user's password without knowing the current password, thereby taking over the account.
    Insecure Configurations | GCP SQL Instance Flag 'skip_show_database' is Off | With 'skip_show_database' off, database and schema names are exposed, facilitating enumeration and targeted attacks. | An attacker can use the SHOW DATABASES command to enumerate available databases and learn about the schema, which helps in crafting more targeted attacks.
    Insecure Configurations | GCP SQL is Not Using CMK | GCP SQL instance without a customer-managed key (CMK). | Without a customer-managed key, an attacker who gains unauthorized access to Google's managed encryption keys, or exploits a weakness in Google's key-management infrastructure, could decrypt and read sensitive data stored in the SQL database.
    Insecure Configurations | GCP SQL Without Password Policy | No password policy on the GCP SQL instance increases the risk of weak passwords and unauthorized access. | An attacker can brute-force or guess weak or common passwords for database users, gaining unauthorized access to the data.
    Public Exposure | Cloud SQL Instance Allows Network Connection From Any IP (0.0.0.0/0) | SQL instance with an authorized network of 0.0.0.0/0. | This prefix lets any IPv4 client pass the network firewall and make login attempts against your instance, including clients you did not intend to allow.
    Public Exposure | GCP SQL is Not Using Private IP | GCP SQL instance is not using a private IP. | Without a private IP, the instance is reached over a public IP address; an attacker can connect to it from the internet and, if SSL is not required, intercept database traffic.
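The Cloud SQL rows above are all answerable from a single instance document. The script below is an added example (not Panoptica code) that evaluates the JSON returned by `gcloud sql instances describe INSTANCE --format=json` against them: database flags per engine, the 0.0.0.0/0 authorized network, public versus private IP, SSL enforcement, backups, point-in-time recovery and the CMK. Both instance documents are constructed; the field names follow the Cloud SQL Admin API, and the check accepts either the older `requireSsl` boolean or the newer `sslMode` enum.

```python
"""Added example (not Panoptica code): run the Cloud SQL checks above against the JSON
that `gcloud sql instances describe INSTANCE --format=json` returns. Both instance
documents below are constructed; field names follow the Cloud SQL Admin API."""

# Expected flag values per engine; a flag absent from the instance reads as 'unset'.
MYSQL_FLAGS = {
    "local_infile": "off", "skip_show_database": "on", "check_proxy_users": "on",
    "mysql_native_password_proxy_users": "on", "password_require_current": "on",
    "disconnect_on_expired_password": "on",
}
POSTGRES_FLAGS = {
    "log_connections": "on", "cloudsql.iam_authentication": "on",
    "cloudsql.allow_passwordless_local_connections": "off",
}
SSL_ONLY = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def audit_instance(inst: dict) -> list:
    """Return one finding string per catalog row the instance violates."""
    version = inst.get("databaseVersion", "")
    settings = inst.get("settings", {})
    flags = {f["name"]: str(f["value"]).lower() for f in settings.get("databaseFlags", [])}
    findings = []

    if version.startswith("MYSQL"):
        expected = MYSQL_FLAGS
    elif version.startswith("POSTGRES"):
        expected = POSTGRES_FLAGS
    else:
        expected = {}
    for name, want in expected.items():
        have = flags.get(name, "unset")
        if have != want:
            findings.append(f"flag {name}={have} (expected {want})")
    if version.startswith("MYSQL") and flags.get("default_password_lifetime") == "0":
        findings.append("flag default_password_lifetime=0 (passwords never expire)")

    ip = settings.get("ipConfiguration", {})
    if any(n.get("value") == "0.0.0.0/0" for n in ip.get("authorizedNetworks", [])):
        findings.append("authorized network 0.0.0.0/0 admits any IPv4 client")
    if ip.get("ipv4Enabled", False) and not ip.get("privateNetwork"):
        findings.append("public IP without private IP")
    # Older instances expose requireSsl; newer ones expose sslMode.
    if not (ip.get("requireSsl") or ip.get("sslMode") in SSL_ONLY):
        findings.append("unencrypted connections allowed")

    backup = settings.get("backupConfiguration", {})
    if not backup.get("enabled", False):
        findings.append("automatic backups disabled")
    if version.startswith("POSTGRES") and not backup.get("pointInTimeRecoveryEnabled", False):
        findings.append("point-in-time recovery disabled")
    if not inst.get("diskEncryptionConfiguration", {}).get("kmsKeyName"):
        findings.append("no customer-managed key (CMK)")
    return findings


WEAK_MYSQL = {  # constructed
    "name": "legacy-mysql", "databaseVersion": "MYSQL_8_0",
    "settings": {
        "databaseFlags": [{"name": "local_infile", "value": "on"},
                          {"name": "skip_show_database", "value": "off"},
                          {"name": "default_password_lifetime", "value": "0"}],
        "ipConfiguration": {"ipv4Enabled": True, "requireSsl": False,
                            "authorizedNetworks": [{"name": "anywhere", "value": "0.0.0.0/0"}]},
        "backupConfiguration": {"enabled": True},
    },
}
HARDENED_POSTGRES = {  # constructed
    "name": "prod-pg", "databaseVersion": "POSTGRES_15",
    "settings": {
        "databaseFlags": [{"name": "log_connections", "value": "on"},
                          {"name": "cloudsql.iam_authentication", "value": "on"},
                          {"name": "cloudsql.allow_passwordless_local_connections", "value": "off"}],
        "ipConfiguration": {"ipv4Enabled": False, "sslMode": "ENCRYPTED_ONLY",
                            "privateNetwork": "projects/demo-project/global/networks/prod-vpc",
                            "authorizedNetworks": []},
        "backupConfiguration": {"enabled": True, "pointInTimeRecoveryEnabled": True},
    },
    "diskEncryptionConfiguration": {
        "kmsKeyName": "projects/demo-project/locations/us/keyRings/sql/cryptoKeys/pg"},
}

if __name__ == "__main__":
    for inst in (WEAK_MYSQL, HARDENED_POSTGRES):
        print(inst["name"], audit_instance(inst) or ["no findings"])
```

A flag that is simply absent is reported as `unset` rather than ignored: for most of these flags the Cloud SQL default is the insecure value, so "not configured" and "configured badly" deserve the same finding.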
    Storage Bucket

    Category | Risk Name | Description | Attack Scenario
    --- | --- | --- | ---
    Data Security | Cloud Storage Bucket Contains Potentially Public Objects | This risk identifies a Google Cloud Storage bucket that contains objects that may be publicly accessible, potentially allowing any internet user to read them. Publicly shared objects heighten the risk of unauthorized data access and data breaches. Review these objects and their access controls and, if public access is not required, promptly update their permissions. | An attacker may be able to read some objects in the bucket, leading to data exposure.
    Data Security | Storage Bucket Publicly Accessible | This risk points to a Google Cloud Storage bucket configured as publicly accessible, potentially reachable by any internet user. Publicly accessible buckets significantly increase the risk of unauthorized data access and data breaches. Verify whether public access is necessary and, if not, promptly restrict access. | An attacker can access this bucket and compromise your data.
    Data Security | Storage Bucket Without Encryption | This risk signifies a Google Cloud Storage bucket without the encryption configuration expected for sensitive data. Cloud Storage always encrypts objects at rest with Google-managed keys; what is missing here is a key you control, so you cannot rotate, audit or revoke it. Enable encryption with your own key to safeguard your data and comply with security best practices and regulations. | An attacker can access this bucket and compromise your data.
    Identity & Access Management | IAM principal with set IAM policy permission on storage buckets | A GCP identity with permission to set the IAM policy of storage buckets. | An attacker with the setIamPolicy permission on a storage bucket can modify the bucket's IAM policy and grant themselves additional privileges at the resource level. If the permission is held at the project level, the attacker can change the policy of every bucket in the project. The outcome ranges from full access to a single bucket to full storage access across the project.
    Identity & Access Management | Service Account With Editor Role | Service account with Editor permissions on the project. | An attacker with access to the service account can perform most actions in the project.
    Identity & Access Management | Service Account With Owner Role | Service account with Owner permissions on the project. | An attacker with access to the service account can perform any action in the project.
    Identity & Access Management | User With Editor Role | User with Editor permissions on the project. | An attacker with access to the user can perform most actions in the project.
    Identity & Access Management | User With Owner Role | User with Owner permissions on the project. | An attacker with access to the user can perform any action in the project.
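The two public-exposure rows above are decided by different mechanisms: a bucket becomes public through an IAM binding to `allUsers` or `allAuthenticatedUsers`, while individual objects become public through legacy object ACLs, and object ACLs stop mattering once uniform bucket-level access is on. The script below is an added example (not Panoptica code) that applies both rules and honours `publicAccessPrevention`; the bucket resource, bucket IAM policy and object ACLs are constructed, shaped like the Storage JSON API returns them.

```python
"""Added example (not Panoptica code): decide whether a Cloud Storage bucket or the
objects in it are exposed to allUsers / allAuthenticatedUsers. The bucket resource,
bucket IAM policy and object ACLs below are constructed, shaped like the Storage
JSON API returns them."""
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bucket_grants(policy: dict) -> dict:
    """Public principal -> roles granted on the bucket itself."""
    grants = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                grants.setdefault(member, []).append(binding["role"])
    return grants


def public_objects(object_acls: dict) -> list:
    """Object names whose legacy ACL grants a public principal."""
    return sorted(name for name, acl in object_acls.items()
                  if any(entry.get("entity") in PUBLIC_PRINCIPALS for entry in acl))


def audit_bucket(bucket: dict, policy: dict, object_acls: dict) -> list:
    cfg = bucket.get("iamConfiguration", {})
    if cfg.get("publicAccessPrevention") == "enforced":
        return []  # public grants are inert while prevention is enforced
    findings = []
    for member, roles in sorted(public_bucket_grants(policy).items()):
        findings.append(f"bucket publicly accessible: {member} holds {', '.join(sorted(roles))}")
    # Object ACLs are only evaluated when uniform bucket-level access is off; with it
    # on, stale public ACL entries are ignored by the service.
    if not cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        objs = public_objects(object_acls)
        if objs:
            findings.append("potentially public objects: " + ", ".join(objs))
    findings.append("publicAccessPrevention is not enforced")
    return findings


# Constructed inputs.
LEGACY_BUCKET = {"name": "legacy-assets", "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": False}, "publicAccessPrevention": "inherited"}}
LEGACY_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["group:ops@example.com"]}]}
LEGACY_ACLS = {
    "index.html": [{"entity": "allUsers", "role": "READER"}],
    "backup.sql": [{"entity": "project-owners-123456", "role": "OWNER"}]}
LOCKED_BUCKET = {"name": "customer-data", "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": True}, "publicAccessPrevention": "enforced"}}
UBLA_BUCKET = {"name": "migrated", "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": True}, "publicAccessPrevention": "inherited"}}

if __name__ == "__main__":
    for bucket, policy in ((LEGACY_BUCKET, LEGACY_POLICY), (LOCKED_BUCKET, LEGACY_POLICY),
                           (UBLA_BUCKET, {"bindings": []})):
        print(bucket["name"], audit_bucket(bucket, policy, LEGACY_ACLS) or ["no findings"])
```

The `migrated` bucket keeps the same stale `allUsers` ACL on `index.html` but is not reported as having public objects, because uniform bucket-level access makes the service ignore object ACLs; only the missing `publicAccessPrevention` hardening is noted.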
Oracle Cloud Infrastructure (OCI)

Click on a service name below to view a table of the risks Panoptica detects in OCI, along with brief descriptions and attack scenarios.

    DB System

    Category | Risk Name | Description | Attack Scenario
    --- | --- | --- | ---
    Data Security | Oracle Autonomous Databases Publicly Accessible | Autonomous database whose access control list contains 0.0.0.0/0. | An attacker can reach the database from any IP address and attempt to log in.
    Data Security | Oracle Database Auto Backup Disabled | Database without an automatic backup configuration. | It is a best practice to enable continuous backups for your databases.
    Data Security | Oracle Database Without Encryption | Unencrypted database. | An attacker who reaches the storage can read the data in your database.
    Insecure Configurations | Autonomous Oracle Database Without mTLS | mTLS is not required for connections to the database. | mTLS ensures that traffic is encrypted and that both client and server are authenticated to each other.
    Policy

    Category | Risk Name | Description | Attack Scenario
    --- | --- | --- | ---
    Identity & Access Management | Administrator permissions over tenancy | Administrator access over the tenancy. | An attacker with administrator permissions can perform any action on any resource in the environment.
    Identity & Access Management | Manage cluster-family permission in compartment | Permission to manage cluster-family in a compartment. | An attacker with manage cluster-family access has full access to Container Engine for Kubernetes resources in the compartment.
    Identity & Access Management | Manage cluster-family permission in tenancy | Permission to manage cluster-family in the tenancy. | An attacker with manage cluster-family access has full access to Container Engine for Kubernetes resources across the tenancy.
    Identity & Access Management | Manage database-family permission in compartment | Permission to manage database-family in a compartment. | An attacker with manage database-family access has full access to database resources in the compartment.
    Identity & Access Management | Manage database-family permission in tenancy | Permission to manage database-family in the tenancy. | An attacker with manage database-family access has full access to database resources across the tenancy.
    Identity & Access Management | Manage DNS permission in compartment | Permission to manage DNS in a compartment. | An attacker with manage DNS access has full access to DNS resources in the compartment.
    Identity & Access Management | Manage DNS permission in tenancy | Permission to manage DNS in the tenancy. | An attacker with manage DNS access has full access to DNS resources across the tenancy.
    Identity & Access Management | Manage instance-family permission in compartment | Permission to manage instance-family in a compartment. | An attacker with manage instance-family access has full access to instance resources in the compartment.
    Identity & Access Management | Manage instance-family permission in tenancy | Permission to manage instance-family in the tenancy. | An attacker with manage instance-family access has full access to instance resources across the tenancy.
    Identity & Access Management | Manage object-family permission in compartment | Permission to manage object-family in a compartment. | An attacker with manage object-family access has full access to bucket and object resources in the compartment.
    Identity & Access Management | Manage object-family permission in tenancy | Permission to manage object-family in the tenancy. | An attacker with manage object-family access has full access to bucket and object resources across the tenancy.
    Identity & Access Management | Manage policies permission in tenancy | Permission to manage policies in the tenancy. | An attacker with 'manage' permission over policies in the tenancy can escalate privileges by creating a policy that grants higher permissions to a group they belong to.
    Identity & Access Management | Manage users permission in tenancy | Permission to manage users in the tenancy. | An attacker with 'manage' permission over users can perform any action on users in the environment, such as resetting passwords, leading to privilege escalation.
    Identity & Access Management | Use all resources permission in tenancy | Permission to use all resources in the tenancy. | An attacker with 'use' permission over all resources in the tenancy can exploit this broad grant to escalate privileges.
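OCI expresses every grant above as a policy statement of the form `Allow group <name> to <verb> <resource-type> in tenancy|compartment <name> [where <condition>]`, so the rows can be checked by parsing statements rather than inspecting resources. The script below is an added example (not Panoptica code) with a small parser for that grammar and a classifier that maps each statement onto the catalog rows; the statements are constructed, and the finding strings are this example's own.

```python
"""Added example (not Panoptica code): parse OCI IAM policy statements and flag the
grants catalogued above. The statements at the bottom are constructed."""
import re

STATEMENT = re.compile(
    r"^allow\s+(?P<stype>group|dynamic-group|service|any-user)"
    r"(?:\s+(?P<sname>.+?))?\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<res>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE)

SENSITIVE_FAMILIES = {"cluster-family", "database-family", "dns", "instance-family", "object-family"}
IDENTITY_RESOURCES = {"policies", "users", "groups"}


def parse_statement(text: str) -> dict:
    """Split one statement into subject type/name, verb, resource, scope, condition."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised statement: {text!r}")
    d = m.groupdict()
    d["verb"], d["res"], d["scope"] = d["verb"].lower(), d["res"].lower(), d["scope"].lower()
    return d


def classify(st: dict):
    """Return the catalog-style finding for a parsed statement, or None."""
    subject = st["stype"] + (f" {st['sname']}" if st["sname"] else "")
    verb, res, scope = st["verb"], st["res"], st["scope"]
    in_tenancy = scope == "tenancy"
    if verb == "manage" and res == "all-resources" and in_tenancy:
        finding = "administrator permissions over tenancy"
    elif verb == "manage" and res in IDENTITY_RESOURCES and in_tenancy:
        finding = f"manage {res} permission in tenancy (privilege escalation)"
    elif verb == "manage" and res in SENSITIVE_FAMILIES:
        finding = f"manage {res} permission in {'tenancy' if in_tenancy else 'compartment'}"
    elif verb == "use" and res == "all-resources" and in_tenancy:
        finding = "use all resources permission in tenancy"
    else:
        return None
    if st["cond"]:
        # A where-clause narrows the grant; report it so the reviewer can judge it.
        finding += f" (narrowed by: {st['cond']})"
    return f"{subject}: {finding}"


def audit_policy(statements) -> list:
    return [f for f in (classify(parse_statement(s)) for s in statements) if f]


SAMPLE_STATEMENTS = [  # constructed
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group DBAs to manage database-family in compartment Prod",
    "Allow group IAMOps to manage policies in tenancy",
    "Allow dynamic-group build-hosts to use all-resources in tenancy",
    "Allow group Auditors to read all-resources in tenancy",
    "Allow group NetOps to manage virtual-network-family in compartment Prod",
    "Allow group Devs to manage instance-family in compartment Dev where request.region = 'us-ashburn-1'",
]

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_STATEMENTS):
        print(finding)
```

The `Auditors` and `NetOps` statements produce nothing: `read` on all-resources and `manage` on a family outside the catalog are not among the rows above. Extending `SENSITIVE_FAMILIES` is the only change needed to cover additional families.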
    Storage Bucket

    Category | Risk Name | Description | Attack Scenario
    --- | --- | --- | ---
    Data Security | Object Storage Bucket Publicly Accessible | This risk identifies an OCI Object Storage bucket configured to be publicly accessible, potentially reachable by any internet user. Publicly accessible buckets significantly raise the risk of unauthorized data access and data breaches. Confirm whether public access is required and, if not, promptly restrict access. | An attacker can access the bucket and its objects, leading to data exposure.
    Data Security | Object Storage Bucket Without Encryption | This risk indicates an OCI Object Storage bucket not configured for encryption, a vital measure to safeguard sensitive data from unauthorized access. Unencrypted buckets increase the risk of data exposure or misuse. Enable encryption to secure your data and adhere to security best practices and compliance regulations. | An attacker can access this bucket and compromise the stored data.
    User

    Category | Risk Name | Description | Attack Scenario
    Identity & Access Management | User Without MFA | This risk highlights an Oracle Cloud user who does not have Multi-Factor Authentication (MFA) enabled. MFA offers an added layer of security by requiring more than just a password for user authentication. The absence of MFA exposes the user's account to a heightened risk of unauthorized access. Enable MFA for all users to strengthen account security within Oracle Cloud. | An attacker can bypass authentication with a password only.
Kubernetes

Click on a service name below to view a table of the risks Panoptica detects in Kubernetes clusters, along with brief descriptions and attack scenarios.

    Cluster Role

    Category | Risk Name | Description | Attack Scenario
    Identity & Access Management | Cluster Role With Attach Pods Permissions | OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Create CronJobs Permissions | A cluster role that allows creating cronjobs in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Create DaemonSets Permissions | A cluster role that allows creating daemonsets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Create Deployments Permissions | A cluster role that allows creating deployments in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Create Jobs Permissions | A cluster role that allows creating jobs in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Create Mutating Webhook Configuration Permissions | A cluster role that allows creating mutating webhook configuration resources in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations | An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access Management | Cluster Role with Create or Wildcard Permissions to the LocalSubjectAccessReview Resource | A cluster role with create or wildcard permissions to the LocalSubjectAccessReview resource. | An attacker with access to this cluster role can map users and their associated permissions within a namespace in the cluster.
    Identity & Access Management | Cluster Role with Create or Wildcard Permissions to the SubjectAccessReview Resource | A cluster role with create or wildcard permissions to the SubjectAccessReview resource. | An attacker with access to this cluster role can map users and their associated permissions within the cluster.
    Identity & Access Management | Cluster Role with Create or Wildcard Permissions to the TokenRequest Resource | A cluster role with create or wildcard permissions to the TokenRequest resource. | An attacker with access to this cluster role can request tokens for any service account in the cluster. Service account tokens are used to authenticate requests to the Kubernetes API server, and an attacker who holds those tokens can use them to impersonate service accounts and gain access to privileged resources and actions. This could give the attacker the ability to modify or delete any resource in the cluster, potentially leading to a full compromise of the cluster.
    Identity & Access Management | Cluster Role With Create ReplicaSets Permissions | A cluster role that allows creating replicasets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Create Replication Controllers Permissions | A cluster role that allows creating replicationcontrollers in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Create RoleBinding Permissions | A cluster role that allows creating a role binding to any role in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations | An attacker can leverage this permission to create a binding between their identity and a strong role in the cluster.
    Identity & Access Management | Cluster Role With Create RoleBinding/ClusterRoleBinding Permissions | A cluster role in Kubernetes with permission to create a cluster role binding. OWASP K03:2022 Overly Permissive RBAC Configurations | An attacker with access to that cluster role can escalate their privileges by binding the service account or user to the cluster-admin cluster role or to a different cluster role with higher permissions.
    Identity & Access Management | Cluster Role With Create StatefulSets Permissions | A cluster role that allows creating statefulsets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Create Validating Webhook Configuration Permissions | A cluster role that allows creating validating webhook configuration resources in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations | An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access Management | Cluster Role With Delete Deployments Permissions | A cluster role that allows deleting deployments in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Delete Mutating Webhook Configuration Permissions | A cluster role that allows deleting mutating webhook configuration resources in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations | An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access Management | Cluster Role With Delete Namespaces Permissions | A cluster role with permission to delete namespaces in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations | An attacker with delete namespace permission can delete any namespace in the cluster, including the pods running in that namespace.
    Identity & Access Management | Cluster Role With Delete Validating Webhook Configuration Permissions | A cluster role that allows deleting validating webhook configuration resources in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations | An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access Management | Cluster Role With Delete/DeleteCollection Secrets Permissions | A cluster role that allows delete or deletecollection on secrets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Exec Pods Permissions | OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role with Full Permissions to any Resources on Non-K8s Core or Wildcard API Groups | A cluster role with full permissions for any resource on API groups other than the wildcard or the K8s core API group. | An attacker with access to this cluster role can perform any action against the API groups defined in this cluster role, possibly escalating their privileges and moving laterally within the cluster.
    Identity & Access Management | Cluster Role with Get and Create Permissions to the Nodes/Proxy Resource | A cluster role with get and create permissions to the nodes/proxy resource. | An attacker with access to a principal holding get and create permissions on the nodes/proxy resource can communicate with the node's Kubelet API directly and possibly escalate their privileges to cluster admin.
    Identity & Access Management | Cluster Role With Patch Mutating Webhook Configuration Permissions | A cluster role with patch permission on mutating webhook configurations in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations | An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access Management | Cluster Role With Patch Validating Webhook Configuration Permissions | A cluster role with patch permission on validating webhook configurations in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations | An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access Management | Cluster Role with Permissions to Change Configmaps | A cluster role that allows updating or patching configmaps in the cluster. | An attacker with access to this cluster role can alter configmaps in the cluster.
    Identity & Access Management | Cluster Role with Permissions to Change Service Accounts | A cluster role with permissions to change service accounts. | An attacker with access to this cluster role can alter service accounts in the cluster.
    Identity & Access Management | Cluster Role with Permissions to Create Configmaps | A cluster role that allows creating configmaps in the cluster. | An attacker with access to this cluster role can create configmaps in the cluster.
    Identity & Access Management | Cluster Role with Permissions to Create Nodes | A cluster role with permissions to create nodes. | An attacker with access to this cluster role can create nodes in the cluster.
    Identity & Access Management | Cluster Role with Permissions to Create Service Accounts | A cluster role with permissions to create service accounts. | An attacker with access to this cluster role can create service accounts in the cluster.
    Identity & Access Management | Cluster Role with Permissions to Delete Configmaps | A cluster role that allows deleting configmaps in the cluster. | An attacker with access to this cluster role can delete configmaps in the cluster.
    Identity & Access Management | Cluster Role with Permissions to Delete Nodes | A cluster role with permissions to delete nodes. | An attacker with access to this cluster role can delete nodes in the cluster.
    Identity & Access Management | Cluster Role with Permissions to Delete Service Accounts | A cluster role with permissions to delete service accounts. | An attacker with access to this cluster role can delete service accounts in the cluster.
    Identity & Access Management | Cluster Role with Permissions to Read Configmaps | A cluster role with permissions to get or list configmaps. | An attacker with access to this cluster role can read or list configmaps in the cluster.
    Identity & Access Management | Cluster Role with Permissions to Read Service Accounts | A cluster role with permissions to read service accounts. | An attacker with access to this cluster role can read service accounts in the cluster.
    Identity & Access Management | Cluster Role with Permissions to Update Nodes | A cluster role with permissions to update nodes. | An attacker with access to this cluster role can update nodes in the cluster.
    Identity & Access Management | Cluster Role With Update CronJobs Permissions | A cluster role that allows updating cronjobs in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Update DaemonSets Permissions | A cluster role that allows updating daemonsets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Update Deployments Permissions | A cluster role that allows updating deployments in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Update Jobs Permissions | A cluster role that allows updating jobs in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Update ReplicaSets Permissions | A cluster role that allows updating replicasets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Update Replication Controllers Permissions | A cluster role that allows updating replicationcontrollers in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Update StatefulSets Permissions | A cluster role that allows updating statefulsets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Update/Patch Secrets Permissions | A cluster role that allows updating or patching secrets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With View Secrets Permissions | A cluster role that allows listing and viewing all secrets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations | Once there is a single account in the cluster with the cluster-admin role binding, an attacker with access to that cluster role can steal the admin's token and escalate their privileges to the highest cluster privileges.
    Identity & Access Management | Cluster Role With View Secrets Permissions | A cluster role that allows getting any secret in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations | An attacker can leverage this permission to obtain a secret value and move laterally inside the cluster.
    Identity & Access Management | Cluster Role With Wildcard Create Permissions | A cluster role that allows creating any resource in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard CronJobs Permission | A cluster role that allows performing any action on cronjobs in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard DaemonSets Permissions | A cluster role that allows performing any action on daemonsets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard Delete Collection Permissions | A cluster role that allows deletecollection on any resource in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard Delete Permissions | A cluster role that allows deleting any resource in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard Deployments Permissions | A cluster role that allows performing any action on deployments in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard Impersonate Permissions | A cluster role that allows impersonating any resource in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard Jobs Permission | A cluster role that allows performing any action on jobs in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard List Permissions | A cluster role that allows listing any resource in the Kubernetes cluster, including secrets. OWASP K03:2022 Overly Permissive RBAC Configurations | An attacker with access to this cluster role can escalate privileges by listing powerful secrets and using their values. It is possible to obtain a secret token belonging to a service account with cluster-admin privileges.
    Identity & Access Management | Cluster Role With Wildcard Mutating Webhook Configurations Permissions | A cluster role that allows any action on mutating webhook configuration resources in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations | An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
    Identity & Access Management | Cluster Role with Wildcard Permissions to any Resources on Non-K8s Core or Wildcard API Groups | A cluster role with wildcard permissions for any resource on API groups other than the wildcard or the K8s core API group. | An attacker with access to this cluster role can perform any action against the API groups defined in this cluster role, possibly escalating their privileges and moving laterally within the cluster.
    Identity & Access Management | Cluster Role With Wildcard Pods Permissions | A cluster role that allows performing any action on pods in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard ReplicaSets Permission | A cluster role that allows performing any action on replicasets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard Replication Controllers Permission | A cluster role that allows performing any action on replicationcontrollers in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard Secrets Permissions | A cluster role with a wildcard in the verbs section on the secrets resource. OWASP K03:2022 Overly Permissive RBAC Configurations | An attacker with access to that cluster role can view or edit all secrets in the cluster and escalate their privileges using different methods to take over control of the cluster by obtaining an admin secret.
    Identity & Access Management | Cluster Role With Wildcard StatefulSets Permissions | A cluster role that allows performing any action on statefulsets in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard Validating Webhook Configurations Permissions | A cluster role that allows any action on validating webhook configuration resources in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | Cluster Role With Wildcard Verbs Permissions | A cluster role with a wildcard in the verbs section. OWASP K03:2022 Overly Permissive RBAC Configurations | An attacker with access to that cluster role can execute any action against the resources defined in that cluster role and escalate their privileges using different methods to take over control of the cluster.
    Identity & Access Management | Cluster Role With Wildcard View Permissions | A cluster role that allows getting any resource in the cluster. OWASP K03:2022 Overly Permissive RBAC Configurations |
    Identity & Access Management | User With Impersonate Group Permissions | A user with permission to impersonate a group. OWASP K03:2022 Overly Permissive RBAC Configurations | An attacker with access to a service account with permissions to impersonate a privileged group may escalate their privileges to gain higher access permissions in the cluster.

    Cluster Role Binding

    Category | Risk Name | Description | Attack Scenario
    Identity & Access Management | Cluster Role Binding Allows Unauthenticated Access | A ClusterRoleBinding that includes the 'system:unauthenticated' group allows users in that group to perform the actions in the bound role. OWASP K03:2022 Overly Permissive RBAC Configurations | An attacker can perform actions in the cluster without authenticating.
    Identity & Access Management | Cluster role binding of service account to wildcard cluster role | OWASP K03:2022 Overly Permissive RBAC Configurations |

    Deployment

    Category | Risk Name | Description | Attack Scenario
    Insecure Configurations | Kubernetes Dashboard With 'enable-skip-login' Enabled | Kubernetes-dashboard was found with the "enable-skip-login" parameter enabled. While this parameter is enabled, users can access the Kubernetes-dashboard without providing authentication details. OWASP K09:2022 Misconfigured Cluster Components | An attacker with network access to the Kubernetes-dashboard can take advantage of this configuration and get information about the cluster and its workloads.

    Pod

    Category | Risk Name | Description | Attack Scenario
    Credentials Exposure | Container With Mounted Secret | A K8s secret is mounted inside a container path. OWASP K01:2022 Insecure Workload Configurations | An attacker might use the secret value to move laterally inside the K8s cluster.
    Insecure Configurations | Container Running As Root Group | Container running as root group. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to the container can use different methods to escape the container and gain root privileges on the host.
    Insecure Configurations | Container Running As Root User | Container running as root user. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to the container can use different methods to escape the container and gain root privileges on the host.
    Insecure Configurations | Container With '/etc' Path Mounted | A container with a risky hostPath mount to the /etc folder in the host filesystem. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to that container can access the host's sensitive information and secret configuration in the host filesystem.
    Insecure Configurations | Container With '/root' Path Mounted | A container with a risky hostPath mount to the host /root folder. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to that container can access the host's sensitive information and other containers running on the same host.
    Insecure Configurations | Container With '/var' Path Mounted | A container with a risky hostPath mount to the host /var folder. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to that container can access the host's sensitive information and other containers running on the same host.
    Insecure Configurations | Container With '/var/lib/kubelet/pods' Path Mounted | A container with a risky hostPath mount to the host /var/lib folder. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to that container can access the host's sensitive information and other containers running on the same host.
    Insecure Configurations | Container With AllowPrivilegeEscalation | Container running with the AllowPrivilegeEscalation flag set to true. OWASP K01:2022 Insecure Workload Configurations | The allowPrivilegeEscalation setting is part of the Pod Security Policy parameters. It gates whether or not a user is allowed to set the security context to allowPrivilegeEscalation=true in a container. This defaults to allowed so as not to break setuid binaries. An attacker with access to the container can gain more privileges than the container's parent process.
    Insecure Configurations | Container With Full File System Mounted | A container with the host root directory mounted. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to that container can access the host and escape the container to gain higher privileges.
    Insecure Configurations | Container With Privileged Mode | Container running in privileged mode. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to the container can access all devices on the host.
    Insecure Configurations | Container With Risky Path Mounted | A container with a risky hostPath mount to the azure.json file. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to that container can read the host configuration file and use its service principal credentials to escalate their Azure subscription privileges.
    Insecure Configurations | Container With CAP_SYS_ADMIN+K60 | Container with the CAP_SYS_ADMIN capability. OWASP K01:2022 Insecure Workload Configurations | CAP_SYS_ADMIN is a capability that allows sensitive actions such as mount; without any security application enabled, an attacker can gain access to the host.
    Insecure Configurations | Container Without Protection Against Root Privileged | Pod configuration without limitation of user permissions: no runAsUser and runAsNonRoot values are defined in securityContext. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to the cluster can execute commands inside the container with root permissions and can also leverage those permissions for container escapes.
    Insecure Configurations | Container Without Read Only Filesystem | Container without a read-only file system. Read-only filesystems are a key component in preventing container breakout. OWASP K01:2022 Insecure Workload Configurations | A malicious process or application can write back to the host system.
    Insecure Configurations | Container Without Resource Limits | A container without resource limits. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to a container without resource limits may cause a denial of service on the host it is running on.
    Insecure Configurations | Pod With Apparmor Disabled | OWASP K01:2022 Insecure Workload Configurations |
    Insecure Configurations | Pod With 'docker.sock' Mounted | Container with docker.sock mounted. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to a container that has docker.sock mounted can run any container on the node and perform container escape, privilege escalation or lateral movement.
    Insecure Configurations | Pod With Full Capabilities | Pod gets all capabilities. OWASP K01:2022 Insecure Workload Configurations | An attacker with access to a pod with all capabilities can leverage them for container escape.
    Insecure Configurations | Pod With Log4j Vulnerable Hotpatch | AWS Hotpatch for the Log4j vulnerability. This Hotpatch could be leveraged for container escape and privilege escalation. OWASP K10:2022 Outdated and Vulnerable Kubernetes Components | An attacker can perform container escape and get access to the underlying host from every container in your cluster. Also, unprivileged processes can exploit the Hotpatch to escalate privileges and gain root code execution.

    Role

    Category | Risk Name | Description | Attack Scenario
    Identity & Access Management | Cluster Role With View Secrets Permissions In Namespace | A role that allows getting secrets in the namespace. OWASP K03:2022 Overly Permissive RBAC Configurations | An attacker can leverage this permission to obtain a secret value and move laterally inside the cluster.
    Identity & Access Management | Role With Admin Permissions | A role with a wildcard in the verbs section. OWASP K03:2022 Overly Permissive RBAC Configurations | An attacker with access to that role can execute any action against the resources defined in that role and escalate their privileges using different methods in the namespace.

    Role Binding

    Category | Risk Name | Description | Attack Scenario
    Identity & Access Management | Role Binding Allows Anonymous Access | A RoleBinding that includes the 'system:anonymous' user allows unauthenticated users to perform the actions in the role. | An attacker can perform actions in the specific namespace without authenticating.
    Identity & Access Management | Role Binding Allows Unauthenticated Access | A RoleBinding that includes the 'system:unauthenticated' group allows users in that group to perform the actions in the bound role. OWASP K03:2022 Overly Permissive RBAC Configurations | An attacker can perform actions in the specific namespace without authenticating.
    Identity & Access Management | Role Binding To Default Service Account | OWASP K03:2022 Overly Permissive RBAC Configurations |