The required feature described as a wish
Description: CloudStack does not provide a built-in mechanism to restrict per-account or per-user access to a defined set of source IP addresses or CIDR ranges. Any IP address that can reach the management plane can attempt to authenticate as any account.
Affected Components: Management UI / API
Impact: Without source IP allowlisting, a stolen API key or compromised credential set can be used from any network location globally. There is no network-level control to limit the blast radius of a credential compromise. High-privilege service accounts are particularly at risk, as they can be accessed from unexpected locations without raising any flags.
Steps to Reproduce:
- This finding is not directly reproducible since it reflects the absence of a control.
Recommended Remediation: Implement a per-account or per-user source CIDR allowlist field in the data model. Requests originating from IPs outside the defined allowlist should be rejected and logged as a security event.
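One way to implement the check described under Recommended Remediation, as an added example that is not CloudStack code. It is written in Python for brevity; the account names, the `ALLOWLISTS` mapping, the function names and the rule that an empty or missing list means "unrestricted" are assumptions.

```python
import ipaddress
import logging

log = logging.getLogger("security.source_ip")

# Constructed sample data: account name -> allowed source CIDRs (hypothetical schema).
ALLOWLISTS = {
    "svc-backup": ["10.20.0.0/16", "2001:db8:42::/48"],
    "admin": ["192.0.2.10/32"],
    "dev-user": [],  # assumption: empty list means no restriction is configured
}


def parse_allowlist(cidrs):
    """Parse stored CIDRs; strict=True rejects entries with host bits set (10.0.0.1/8)."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def normalize(source_ip):
    """Parse the peer address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d), so a
    dual-stack listener cannot be used to sidestep an IPv4 rule."""
    addr = ipaddress.ip_address(source_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_request_allowed(account, source_ip, allowlists=ALLOWLISTS):
    """Return True if source_ip may authenticate as account; log every rejection."""
    try:
        addr = normalize(source_ip)
    except ValueError:
        # Fail closed: an address that cannot be parsed cannot be matched.
        log.warning("source-ip-reject account=%s ip=%r reason=unparseable",
                    account, source_ip)
        return False
    # Assumption: accounts without an entry are treated as unrestricted.
    networks = parse_allowlist(allowlists.get(account, []))
    if not networks:
        return True
    if any(addr.version == net.version and addr in net for net in networks):
        return True
    log.warning("source-ip-reject account=%s ip=%s reason=outside-allowlist",
                account, addr)
    return False
```

The `source_ip` passed in must be the TCP peer address, or a forwarded-for value accepted only from a trusted reverse proxy; a client-supplied header would let the caller choose its own source address.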