The Terraform configuration sets the access scope of a service account to cloud-platform, which allows access to most of the Google Cloud APIs. This greatly expands the attack surface accessible to any compromised Compute Engine instance and violates the least privilege principle.

Example 1: The following example shows a Terraform configuration that sets the access scope (scopes) of the service account to cloud-platform.

resource "google_compute_instance" "compute-instance-demo" {
    name         = "name-demo"
    machine_type = "e2-micro"
    ...
    service_account {
        email  = "foobar.service.account@example.com"
        scopes = ["cloud-platform"]
    }
}

An Amazon S3 bucket is created without server-side encryption. Encryption mitigates data breaches by making data unreadable to anyone without the proper credentials. Encryption at rest can help satisfy some industrial and government compliance requirements such as GDPR, HIPAA, and PCI.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

An Amazon S3 bucket is created without server-side encryption. Encryption mitigates data breaches by making data unreadable to anyone without the proper credentials. As such, encryption at rest is a measure to meet some industrial and government compliance requirements such as GDPR, HIPAA, and PCI.

The IAM-based access control reduces human errors and promotes efficiency. Enabling the OS Login permits the use of IAM roles to automate the lifecycle management of Linux accounts for accessing all Compute Engine instances in the same project or organization.

Example 1: The following example shows a Terraform configuration that disables the use of IAM roles to manage SSH access by setting enable-oslogin to false in the metadata argument.

resource "google_compute_instance" "compute-instance-demo" {
  ...
  metadata = {
    enable-oslogin = false
    ...
  }
  ...
}

By default, Attribute-Based Access Control (ABAC) is disabled on new clusters that run GKE version 1.8 and later. ABAC can statically grant a specific user or a group access to a resource in addition to those provided by Role-Based Access Control (RBAC) or Identity and Access Management (IAM). This complicates authorization administration and undermines the centralized access control.

Example 1: The following example shows a Terraform configuration that enables legacy ABAC authorization on a GKE cluster by setting enable_legacy_abac to true.

resource "google_container_cluster" "container_cluster_demo" {
...
  enable_legacy_abac = true
...
}

A wildcard configuration for lambda principals violates the least privilege principle and allows an attacker to invoke the lambda from any account.

Example 1: The following example Ansible task defines a wildcard lambda principal.

- name: Create Lambda policy statement for S3 event notification
  community.aws.lambda_policy:
    action: lambda:InvokeFunction
    function_name: functionName
    principal: *
    statement_id: lambda-s3-demobucket-access-log
    source_arn: arn:aws:s3:us-west-2:123456789012:demobucket
    source_account: 123456789012
    state: present

A publicly accessible Amazon RDS instance unnecessarily broadens an organization's attack surface. Services open to interaction with the public are subjected to almost continuous scanning and probing by attackers.

Example 1: The following Ansible task sets up an RDS instance with public access because publicly_accessible is set to true.

- name: createdb
  community.aws.rds_instance:
    db_instance_identifier: test-db
    engine: aurora
    instance_type: db.t2.small
    username: "{{ username }}"
    password: "{{ password }}"
    cluster_id: test-cluster
    publicly_accessible: true

Publicly accessible resources are susceptible to distributed denial of service (DDoS) attacks and expose data to unauthorized access and potential theft.

Publicly accessible resources are susceptible to distributed denial of service (DDoS) attacks and expose data to unauthorized access and potential theft.

Publicly accessible resources are susceptible to distributed denial of service (DDoS) attacks and expose data to unauthorized access and potential theft.