Detections
Analytics

Enable role-based access control (RBAC) within Azure Kubernetes Services

MEDIUM

Description

Description:

Ensure that RBAC is enabled on all Azure Kubernetes Services Instances

Rationale:

Azure Kubernetes Services has the capability to integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. This should be utilized to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls not just of the overarching AKS instance but also the individual resources managed within Kubernetes.

If RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished presenting more permissions than needed to users requiring access to Kubernetes resources in AKS.

Remediation

WARNING: This setting cannot be changed after AKS deployment, cluster will require recreation.

Policy Details

Rule Reference ID: AC_AZURE_0156
CSP: Azure
Remediation Available: Yes
Domain: Identity and Access Management
Resource: azurerm_kubernetes_cluster
Resource Category: Compute
Resource Type: Azure Kubernetes Service (AKS)

Frameworks