Unused IAM Role Can be Assumed by External Identity
Orca has found that the role {AwsIamRole}, which can be assumed by an AWS identity which is not part of...
Service Account Admin Role allows the user/identity to create, delete, and manage service accounts. Service Account User Role allows the...
Granting the 'iam.serviceAccountUser' or 'iam.serviceAccountTokenCreator' roles to a user for a project gives the user access to all service accounts...
Removing orphaned and unused IAM groups eliminates the risk that a forgotten group will be used accidentally to allow unauthorized...
IAM group '{AwsIamGroup}' is using inline policies. Ensure that your IAM groups are using managed policies instead of inline policies...
This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to...
The user {GcpUser} was granted access to BigQuery as an Admin, Data Owner, or Data Editor. This can...
The internet-facing asset {AwsEc2Instance} ({AwsEc2Instance.InstanceId}) was found to have full access to your EC2 resources. Instance Profiles with the AmazonEC2FullAccess...
RBAC is not enabled in {AzureAksCluster}. By enabling and configuring RBAC in your Kubernetes cluster you can grant users, groups,...