Leaving public access open exposes your service to the internet
- GG_ID: GG_IAC_0024
- Severity: HIGH
- Complexity: LOW
- Categories: NETWORK
- Providers: AWS
- Potential data exposure: False
- Visible in logs: True
- User interaction required: False
- Privileges required: False
Description#
The API server of an AKS cluster is used to communicate and interact with the cluster (such as when using kubectl).
Leaving the API server exposed to the whole internet can allow an attacker to perform distributed denial of service (DDoS) attacks on the service. In case other vulnerabilities are also present in the service, this would facilitate their exploitation.
Impact#
- Denial of service.
- Could enable to exploit vulnerabilities in the cluster.
Remediation guidelines#
Restrict access to a limited IP range.