# Improper Access Control (CWE-284)

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

**Stack:** Kubernetes

- Prevalence: Hoch Häufig ausgenutzt
- Impact: Hoch 3 Regeln mit hohem Schweregrad
- Prevention: Dokumentiert 4 Fix-Beispiele

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

Access control involves determining which subjects can access which objects. When access control is implemented incorrectly, it can lead to unauthorized access to sensitive data or functionality.

## Prevention

Präventionsstrategien für Improper Access Control basierend auf 1 Shoulder-Erkennungsregeln.

### Kubernetes

Define NetworkPolicy resources to restrict pod-to-pod traffic and enforce network segmentation

## Warning Signs

- [MEDIUM] Workload has no NetworkPolicy for network segmentation
- [MEDIUM] Kubernetes deployments without associated NetworkPolicy resources

## Consequences

- Anwendungsdaten lesen
- Anwendungsdaten ändern
- Nicht autorisierten Code ausführen
- Privilegien erlangen

## Mitigations

- Auf allen Ressourcen ordnungsgemäße Zugriffskontrollen implementieren
- Das Prinzip der geringsten Rechte anwenden
- Zugriffskontrollen serverseitig erzwingen, nicht nur in der UI

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, kubernetes, yaml, python

## Rules by Language

### Kubernetes (1 rules)

- **Missing Network Policy** [MEDIUM]: Detects Kubernetes deployments without associated NetworkPolicy resources.
  - Remediation: Define a NetworkPolicy to control pod network access.

```yaml
kind: NetworkPolicy
spec:
  podSelector: {}
  policyTypes: [Ingress]
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-284/missing-network-policy

### Yaml (1 rules)

- **Missing Network Policy** [MEDIUM]: Detects Kubernetes deployments without associated NetworkPolicy resources.
  - Remediation: Define a NetworkPolicy to control pod network access.

```yaml
kind: NetworkPolicy
spec:
  podSelector: {}
  policyTypes: [Ingress]
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-284/missing-network-policy