module/ConfigurationProvider/ControlConfigurations/Services/KubernetesService.json

{
  "FeatureName": "KubernetesService",
  "Reference": "aka.ms/azsktcp/KubernetesService",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_KubernetesService_Deploy_Enable_Cluster_RBAC",
      "Description": "Cluster RBAC must be enabled in Kubernetes Service",
      "Id": "KubernetesService110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckClusterRBAC",
      "DisplayName": "Cluster RBAC must be enabled in Kubernetes Service",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Category": "Least privilege access to subscription and resources",
      "Rationale": "Enabling RBAC in a cluster lets you finely control access to various operations at the cluster/node/pod/namespace scopes for different stakeholders. Without RBAC enabled, every user has full access to the cluster which is a violation of the principle of least privilege. Note that Azure Kubernetes Service does not currently support other mechanisms to define authorization in Kubernetes (such as Attribute-based Access Control authorization or Node authorization).",
      "Recommendation": "RBAC flag must be enabled while creating the Kubernetes Service. Existing non-RBAC enabled Kubernetes Service clusters cannot currently be updated for RBAC use. Refer: https://docs.microsoft.com/en-us/azure/aks/concepts-identity#kubernetes-role-based-access-control-rbac.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Deploy",
        "RBAC",
        "KubernetesService",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": false,
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "IsRBACEnabled"
        ]
      },
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "TenantBaseline",
        "Prod",
        "CSEOPilot",
        "Wave8",
        "SN:Kubernetes_RBAC"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_AuthN_Enabled_Microsoft_Entra_ID",
      "Description": "Microsoft Entra ID (formerly AAD) should be enabled in Kubernetes Service",
      "Id": "KubernetesService120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAADEnabled",
      "DisplayName": "Microsoft Entra ID (formerly AAD) should be enabled in Kubernetes Service",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Category": "Authentication must be enabled on all user accounts and services",
      "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control. All Enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise subscriptions.",
      "Recommendation": "Using Azure Portal: Go to Azure Portal --> Kubernetes Services --> Select Kubernetes Cluster --> Settings --> Cluster configuration --> AKS-managed Microsoft Entra ID --> Enabled. Refer https://docs.microsoft.com/en-us/azure/aks/managed-aad to configure AKS-managed Microsoft Entra ID in Kubernetes clusters.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthN",
        "KubernetesService",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "TenantBaseline",
        "Prod",
        "CSEOPilot",
        "Wave8",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:Kubernetes_EntraIDAuth"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_Deploy_Use_Latest_Version",
      "Description": "The latest version of Kubernetes should be used",
      "Id": "KubernetesService150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckKubernetesVersion",
      "AssessmentName": "49de0b07-d877-204b-2100-fdb4d2517115",
      "ControlScanSource": "MDCorReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "49de0b07-d877-204b-2100-fdb4d2517115"
        ]
      },
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
      "DisplayName": "[Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Category": "Vulnerabilities must be remediated",
      "Rationale": "Older Kubernetes versions no longer receive security patches from the project or from AKS. Running the control plane or node pools on an unsupported or known-vulnerable version leaves publicly disclosed vulnerabilities in the API server, kubelet and related components unremediated and exposes the cluster and its workloads to exploitation.",
      "Recommendation": "Upgrade the cluster (control plane and all node pools) to a currently supported Kubernetes version that is not affected by known vulnerabilities. Refer: https://docs.microsoft.com/en-us/azure/aks/upgrade-cluster.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Deploy",
        "KubernetesService",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "ControlSettings": {
        "kubernetesVersion": "1.14.8,1.15.10,1.16.7"
      },
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_Audit_Enable_Monitoring",
      "Description": "Monitoring must be enabled for Azure Kubernetes Service",
      "Id": "KubernetesService220",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckMonitoringConfiguration",
      "DisplayName": "Monitoring must be enabled for Azure Kubernetes Service",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Auditing enables log collection of important system events pertinent to security. Regular monitoring of audit logs can help to detect any suspicious and malicious activity early and respond in a timely manner.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-overview.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "KubernetesService",
        "Baseline",
        "Weekly",
        "ExcludedControl"
      ],
      "Enabled": true,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_NetSec_Dont_Open_Management_Ports",
      "Description": "Do not leave management ports open on Kubernetes nodes unless required",
      "Id": "KubernetesService230",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRestrictedPorts",
      "DisplayName": "Do not leave management ports open on Kubernetes nodes",
      "ControlRequirements": "Restrict network traffic flows",
      "Category": "Management interfaces and ports must not be open",
      "Rationale": "Open remote management ports expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
      "Recommendation": "Go to Azure Portal --> the network security group (NSG) attached to the Kubernetes node subnet/NICs (located in the cluster's node resource group) --> Inbound security rules --> Select any rule that allows inbound traffic from the Internet to management ports (e.g. RDP-3389, WINRM-5985, SSH-22, SMB-445) --> Set Action to 'Deny' (or restrict the source to trusted ranges) --> Click Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "NetSec",
        "KubernetesService",
        "Baseline",
        "Weekly",
        "ExcludedControl"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "AKSResourceGroup"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "RestrictedPorts": "445,3389,5985,22"
      },
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_Audit_Enable_Diagnostic_Settings",
      "Description": "Diagnostics logs must be enabled on Azure Kubernetes Service",
      "Id": "KubernetesService250",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "DisplayName": "Diagnostics logs must be enabled on Azure Kubernetes Service",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Diagnostic (audit) logs and metrics must be enabled because they provide the evidence needed to investigate a security breach or suspected threat, including who accessed the API server and which administrative operations were performed.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://learn.microsoft.com/en-us/azure/aks/monitor-aks#logs. When updating the diagnostic settings, enable at least the 'kube-audit-admin' and 'guard' log categories and configure a retention period of at least 90 days (or retain forever).",
      "Tags": [
        "Automated",
        "KubernetesService",
        "Baseline",
        "Audit",
        "Diagnostics"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "DiagnosticSettings"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "90",
        "DiagnosticLogs": [
          "kube-audit-admin",
          "guard"
        ]
      },
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Disable_HTTP_Application_Routing",
      "Description": "HTTP application routing should be disabled in Kubernetes Service",
      "Id": "KubernetesService260",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckHTTPAppRouting",
      "DisplayName": "HTTP application routing should be disabled in Kubernetes Service",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Enabling the HTTP application routing add-on creates publicly resolvable DNS names and a public ingress for application endpoints, exposing workloads deployed to the cluster directly to the internet over plain HTTP. This widens the cluster's attack surface and is not suitable for production workloads.",
      "Recommendation": "Go to Azure Portal --> your Kubernetes Service --> Settings --> Networking --> Network options --> 'Enable HTTP application routing' option --> Uncheck checkbox.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "KubernetesService",
        "NetSec",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_AuthN_Disable_Local_Accounts",
      "Description": "Local accounts should be disabled in Kubernetes Service",
      "Id": "KubernetesService270",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckLocalAccountsDisabled",
      "DisplayName": "Local accounts should be disabled in Kubernetes Service",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Category": "Authentication must be enabled on all user accounts and services",
      "Rationale": "When Microsoft Entra ID (AAD) authentication is enabled on the Kubernetes cluster, local accounts should be disabled. Local accounts are not tied to a directory identity, so access obtained with them bypasses Entra ID conditional access and cannot be attributed to a user in audit logs; disabling them removes this non-auditable access path and improves cluster security.",
      "Recommendation": "Using Azure Portal: Go to Azure Portal --> Kubernetes Services --> Select Kubernetes Cluster --> Settings --> Cluster configuration --> Authentication and Authorization --> Select 'Microsoft Entra ID authentication with Kubernetes RBAC' --> Under 'Cluster admin ClusterRoleBinding' click 'choose Microsoft Entra ID group', select the admin group and click Select --> Uncheck the 'Kubernetes local accounts' option --> Select Apply",
      "Tags": [
        "Automated",
        "AuthN",
        "KubernetesService",
        "Baseline"
      ],
      "Enabled": true,
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_NetSec_Use_Authorized_IP_Address_Ranges",
      "Description": "Use Authorized IP address ranges to access API server in Kubernetes Service",
      "Id": "KubernetesService280",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "UseAuthorizedIPAddressRanges",
      "DisplayName": "Use Authorized IP address ranges to access API server in Kubernetes Service",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Restricting access to the Kubernetes API server to authorized IP address ranges limits the exposure of the cluster control plane to the internet, so that only traffic from trusted networks can reach it. This reduces the attack surface for credential brute-forcing and exploitation of API server vulnerabilities.",
      "Recommendation": "Go to Azure Portal --> your Kubernetes Service --> Settings --> Networking --> Security options --> 'Set authorized IP ranges' option --> check checkbox. --> 'Specify IP ranges' option --> Specify IP ranges --> Click Apply. NOTE:This feature is not supported by kubernetes clusters which are using 'Basic' load balancer. Update your load balancer to 'Standard' for better security. For more info Refer:https://learn.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges#limitations",
      "Tags": [
        "Automated",
        "NetSec",
        "KubernetesService",
        "Baseline"
      ],
      "ControlSettings": {
        "PossibleAddressSpaceSize": "3702258432",
        "AllowedPercentageCoverage": "2",
        "ItemsInAdditionalInformation": "10"
      },
      "Enabled": true,
      "CustomTags": [ "Daily" ]
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Use_HTTPS_MCSB",
      "Description": "[MCSB] Kubernetes clusters should be accessible only over HTTPS",
      "Id": "KubernetesService290",
      "ControlSeverity": "High",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Kubernetes clusters should be accessible only over HTTPS",
      "Automated": "Yes",
      "Category": "Data must be encrypted in transit and at rest",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.",
      "Recommendation": "Ensure that all endpoints exposed by the cluster are served only over HTTPS (TLS), for example by enforcing TLS on ingress resources through the Azure Policy add-on for Kubernetes (refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks). For Azure Machine Learning Kubernetes online endpoints specifically, refer: https://learn.microsoft.com/en-us/azure/machine-learning/how-to-secure-kubernetes-online-endpoint#configure-tlsssl-in-the-azure-machine-learning-extension. NOTE: To enable an HTTPS endpoint for real-time inference, you need to provide a PEM-encoded TLS/SSL certificate and key.",
      "Tags": [
        "DP",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "c6d87087-9ebe-b31f-b452-0bf3bbbaccd2"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Use_Authorized_IP_Address_Ranges_MCSB",
      "Description": "[MCSB] Authorized IP ranges should be defined on Kubernetes Services",
      "Id": "KubernetesService300",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Authorized IP ranges should be defined on Kubernetes Services",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "ControlScanSource": "MDC",
      "Rationale": "Restricting access to the Kubernetes API server to authorized IP address ranges limits the exposure of the cluster control plane to the internet, so that only traffic from trusted networks can reach it. This reduces the attack surface for credential brute-forcing and exploitation of API server vulnerabilities.",
      "Recommendation": "Go to Azure Portal --> Kubernetes Service --> Settings --> Networking --> Security options --> 'Set authorized IP ranges' option --> Check checkbox. --> 'Specify IP ranges' option --> Specify IP ranges --> Click Apply. NOTE: This feature is not supported by kubernetes clusters which are using 'Basic' load balancer. Update your load balancer to 'Standard' for better security. For more info, refer:https://learn.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges#limitations",
      "Tags": [
        "Automated",
        "DP",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "1a2b5b4c-f80d-46e7-ac81-b51a9fb363de"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_AuthZ_Enable_Cluster_RBAC_MCSB",
      "Description": "[MCSB] Role-Based Access Control (RBAC) should be used on Kubernetes Services",
      "Id": "KubernetesService310",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Role-Based Access Control (RBAC) should be used on Kubernetes Services",
      "ControlScanSource": "MDC",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Category": "Least privilege access to subscription and resources",
      "Rationale": "Enabling RBAC in a cluster lets you finely control access to various operations at the cluster/node/pod/namespace scopes for different stakeholders. Without RBAC enabled, every user has full access to the cluster which is a violation of the principle of least privilege. Note that Azure Kubernetes Service does not currently support other mechanisms to define authorization in Kubernetes (such as Attribute-based Access Control authorization or Node authorization).",
      "Recommendation": "RBAC flag must be enabled while creating the Kubernetes Service. Existing non-RBAC enabled Kubernetes Service clusters cannot currently be updated for RBAC use. Please refer: https://docs.microsoft.com/en-us/azure/aks/concepts-identity#kubernetes-role-based-access-control-rbac.",
      "Tags": [
        "Automated",
        "AuthZ",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Restrict_Hostpath_MCSB",
      "Description": "[MCSB] Kubernetes cluster pod hostPath volumes should only use allowed host paths",
      "Id": "KubernetesService320",
      "ControlSeverity": "High",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Kubernetes cluster pod hostPath volumes should only use allowed host paths",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Restricting pod hostPath volumes to an allow-list of host paths prevents containers from mounting sensitive node directories (for example the container runtime socket, kubelet data or system configuration). Unrestricted hostPath mounts let a compromised container read or modify node state and can be used to escape the container and take over the node, so limiting them reduces the attack surface and provides defense in depth.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks.",
      "Automated": "Yes",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "f0debc84-981c-4a0d-924d-aa4bd7d55fef"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Install_Addon_Policy_MCSB",
      "Description": "[MCSB] Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters",
      "Id": "KubernetesService330",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters",
      "ControlScanSource": "MDC",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Azure Policy extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Azure Policy makes it possible to manage and report on the compliance state of your Kubernetes clusters from one place",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks.",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "08e628db-e2ed-4793-bc91-d13e684401c3"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Disable_Privilege_Escalation_MCSB",
      "Description": "[MCSB] Kubernetes clusters should not allow container privilege escalation",
      "Id": "KubernetesService340",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes clusters should not allow container privilege escalation",
      "ControlScanSource": "MDC",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Privilege escalation means an attacker who already has a foothold (for example in a compromised container) gains privileges they are not entitled to, overriding the limitations of the current account. Disallowing container privilege escalation (allowPrivilegeEscalation set to false in the container securityContext) prevents a process from gaining more privileges than its parent, e.g. via setuid binaries or file capabilities, and so limits the impact of a compromised workload.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks.",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "43dc2a2e-ce69-4d42-923e-ab7d136f2cfe"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Restrict_Ports_MCSB",
      "Description": "[MCSB] Kubernetes cluster services should listen only on allowed ports",
      "Id": "KubernetesService350",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes cluster services should listen only on allowed ports",
      "ControlScanSource": "MDC",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Restricting Kubernetes Services to an allow-list of ports limits the network exposure of workloads to only the ports they are expected to serve on. This reduces the attack surface and helps prevent unexpected or unauthorized services from being exposed inside or outside the cluster.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks.",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "add45209-73f6-4fa5-a5a5-74a451b07fbe"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Disable_Auto_Mounting_MCSB",
      "Description": "[MCSB] Kubernetes clusters should disable automounting API credentials",
      "Id": "KubernetesService360",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes clusters should disable automounting API credentials",
      "ControlScanSource": "MDC",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Disabling automounting of service account API credentials (automountServiceAccountToken set to false) ensures that pods which do not need to talk to the Kubernetes API are not issued a token. This prevents a compromised pod from using an automatically mounted credential to run API commands against the cluster.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks.",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "32060ac3-f17f-4848-db8e-e7cf2c9a53eb"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Restrict_Host_Info_MCSB",
      "Description": "[MCSB] Kubernetes cluster containers should not share host process ID or host IPC namespace",
      "Id": "KubernetesService370",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes cluster containers should not share host process ID or host IPC namespace",
      "ControlScanSource": "MDC",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Sharing the host process ID or host IPC namespace (hostPID/hostIPC) lets a container see and interact with processes and shared memory belonging to the node and to other pods. This weakens container isolation and can enable information disclosure or interference with host processes, making workloads deployed to the cluster vulnerable to a range of attacks.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks.",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "802c0637-5a8c-4c98-abd7-7c96d89d6010"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Restrict_AppArmor_Profiles_MCSB",
      "Description": "[MCSB] Kubernetes cluster containers should only use allowed AppArmor profiles",
      "Id": "KubernetesService380",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes cluster containers should only use allowed AppArmor profiles",
      "ControlScanSource": "MDC",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Restricting containers to an allow-list of AppArmor profiles ensures that workloads run under approved mandatory access control policies. This limits what a compromised container can do on the node (file access, capabilities, network operations), reducing the attack surface and providing defense in depth.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks.",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "86f91051-9d6a-47c3-a07f-bd14cb214b45"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Use_Approved_Network_MCSB",
      "Description": "[MCSB] Kubernetes cluster pods should only use approved host network and port range",
      "Id": "KubernetesService390",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes cluster pods should only use approved host network and port range",
      "ControlScanSource": "MDC",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Use only authorized host networks and port ranges to improve cluster security and minimize exposure to attacks.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks.",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "ebc68898-5c0f-4353-a426-4a5f1e737b12"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Dont_Allow_Privileged_Containers_MCSB",
      "Description": "[MCSB] Kubernetes cluster should not allow privileged containers",
      "Id": "KubernetesService400",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes cluster should not allow privileged containers",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "MDC",
      "Rationale": "Limit access to actions that containers can perform. Provide the least number of permissions, and avoid the use of root access or privileged escalation.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "5d90913f-a1c5-4429-ad54-2c6c17fb3c73"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Dont_Use_Default_Namespace_MCSB",
      "Description": "[MCSB] Kubernetes clusters should not use the default namespace",
      "Id": "KubernetesService410",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes clusters should not use the default namespace",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "MDC",
      "Rationale": "Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "ff87e0b4-17df-d338-5b19-80e71e0dcc9d"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Use_Allowed_Capabilities_MCSB",
      "Description": "[MCSB] Kubernetes cluster containers should only use allowed capabilities",
      "Id": "KubernetesService420",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes cluster containers should only use allowed capabilities",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "MDC",
      "Rationale": "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "11c95609-3553-430d-b788-fd41cde8b2db"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_AuthZ_Restrict_Admin_Capabilities_MCSB",
      "Description": "[MCSB] Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities",
      "Id": "KubernetesService430",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "ControlScanSource": "MDC",
      "Rationale": "Linux security capabilities are distinct units of privilege that can be used to control privilege escalation in the OS. CAP_SYS_ADMIN is one of the most powerful of them: it allows a process to perform a wide range of system administration operations.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks",
      "Tags": [
        "Automated",
        "AuthZ",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "aba14f78-27c5-af84-848e-9105d18dfd92"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Restrict_Root_File_System_MCSB",
      "Description": "[MCSB] Kubernetes cluster containers should run with a read only root file system",
      "Id": "KubernetesService440",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes cluster containers should run with a read only root file system",
      "Category": "Data must be encrypted in transit and at rest",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "ControlScanSource": "MDC",
      "Rationale": "Run containers with a read-only root file system to protect against run-time changes, such as malicious binaries being added to PATH, in a Kubernetes cluster.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks",
      "Tags": [
        "Automated",
        "DP",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "27d6f0e9-b4d5-468b-ae7e-03d5473fd864"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Limit_Resources_MCSB",
      "Description": "[MCSB] Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits",
      "Id": "KubernetesService450",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "MDC",
      "Rationale": "Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "405c9ae6-49f9-46c4-8873-a86690f27818"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_AuthZ_Use_Approved_Ids_MCSB",
      "Description": "[MCSB] Kubernetes cluster pods and containers should only run with approved user and group IDs",
      "Id": "KubernetesService460",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes cluster pods and containers should only run with approved user and group IDs",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "ControlScanSource": "MDC",
      "Rationale": "Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks",
      "Tags": [
        "Automated",
        "AuthZ",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "9b795646-9130-41a4-90b7-df9eae2437c8"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Use_Allowed_Images_MCSB",
      "Description": "[MCSB] Kubernetes cluster containers should only use allowed images",
      "Id": "KubernetesService470",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes cluster containers should only use allowed images",
      "Category": "Data must be encrypted in transit and at rest",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "ControlScanSource": "MDC",
      "Rationale": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks",
      "Tags": [
        "Automated",
        "DP",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "8d244d29-fa00-4332-b935-c3a51d525417"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Use_Allowed_Images_MCSB",
      "Description": "[MCSB] Kubernetes clusters should gate deployment of vulnerable images",
      "Id": "KubernetesService480",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes clusters should gate deployment of vulnerable images",
      "Category": "Data must be encrypted in transit and at rest",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "ControlScanSource": "MDC",
      "Rationale": "Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/aks/tutorial-kubernetes-prepare-app#create-container-images",
      "Tags": [
        "Automated",
        "DP",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "8d244d29-fa00-4332-b935-c3a51d525417"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_Audit_Resource_Logs_MCSB",
      "Description": "[MCSB] Resource logs in Azure Kubernetes Service should be enabled",
      "Id": "KubernetesService490",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Resource logs in Azure Kubernetes Service should be enabled",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "ControlScanSource": "MDC",
      "Rationale": "Azure Kubernetes Service resource logs can help recreate activity trails when investigating security incidents. Enable them to make sure the logs exist when they are needed.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/aks/monitor-aks#configure-monitoring",
      "Tags": [
        "Automated",
        "Audit",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "bb318338-de6a-42ff-8428-8274c897d564"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Upgrade_Version_MCSB",
      "Description": "[MCSB] Kubernetes Services must be upgraded to a non-vulnerable Kubernetes version",
      "Id": "KubernetesService500",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Kubernetes Services must be upgraded to a non-vulnerable Kubernetes version",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "MDC",
      "Rationale": "Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version.",
      "Recommendation": "To upgrade Kubernetes version with the help of Azure Portal please refer: https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-portal",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "49de0b07-d877-204b-2100-fdb4d2517115"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Enable_Defender_Profile_MCSB",
      "Description": "[MCSB] Azure Kubernetes Service clusters must have Azure Defender profile enabled",
      "Id": "KubernetesService510",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Azure Kubernetes Service clusters must have Azure Defender profile enabled",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "MDC",
      "Rationale": "Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data.",
      "Recommendation": "To enable defender for Azure Kubernetes Service please refer: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-aks&tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api#enable-the-plan",
      "Tags": [
        "Automated",
        "SI",
        "KubernetesService",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "56a83a6e-c417-42ec-b567-1e6fcb3d09a9"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    }
  ]
}