Ensure user IDs are all system managed for Azure Container Group

LOW

Description

Azure Container Group identities can be managed by Azure (managed identities) so that activity performed by the container group remains attributable and accountable. To learn more about managed identities, see the Azure documentation.
References:
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Remediation

Microsoft provides detailed guidance on creating and using managed identities with Azure Active Directory when launching Container Instances. See the Azure documentation below for how to create the required prerequisites and then launch the services you require. Once the identity prerequisites are configured, you can also declare the identity in Terraform.

In Terraform -

  1. In the azurerm_container_group resource, create an identity block.
  2. Set the type to SystemAssigned and add a list of identity_ids as needed.
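The following is an added Terraform example illustrating the two steps above; it is not code from the original page or from the azurerm provider documentation. The resource group, names, region and container image are placeholder assumptions. In the azurerm provider, identity_ids is only accepted when the identity type includes UserAssigned, so the first resource (SystemAssigned only) sets no identity_ids, and a second resource shows the combined "SystemAssigned, UserAssigned" form where identity_ids is required.

```hcl
# Added example, not part of the original policy page. All names, the region and
# the container image are assumed placeholder values.
resource "azurerm_resource_group" "example" {
  name     = "rg-aci-example" # assumed name
  location = "westeurope"     # assumed region
}

# Compliant: the container group gets a system-assigned managed identity that Azure
# creates, rotates and removes together with the resource.
resource "azurerm_container_group" "system_assigned" {
  name                = "aci-system-assigned" # assumed name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  os_type             = "Linux"

  identity {
    type = "SystemAssigned"
    # No identity_ids here: the provider rejects identity_ids unless the
    # type includes "UserAssigned".
  }

  container {
    name   = "app"
    image  = "mcr.microsoft.com/azuredocs/aci-helloworld:latest" # assumed image
    cpu    = "0.5"
    memory = "1.0"

    ports {
      port     = 80
      protocol = "TCP"
    }
  }
}

# A user-assigned identity that can be attached alongside the system-assigned one
# when a shared, pre-authorised identity is also needed.
resource "azurerm_user_assigned_identity" "example" {
  name                = "uai-aci-example" # assumed name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Also compliant: system-assigned identity kept, with a user-assigned identity
# added via identity_ids (step 2 of the remediation).
resource "azurerm_container_group" "both" {
  name                = "aci-both-identities" # assumed name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  os_type             = "Linux"

  identity {
    type         = "SystemAssigned, UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.example.id]
  }

  container {
    name   = "app"
    image  = "mcr.microsoft.com/azuredocs/aci-helloworld:latest" # assumed image
    cpu    = "0.5"
    memory = "1.0"
  }
}

# Principal ID of the system-assigned identity, needed when granting it RBAC roles
# on other resources (for example a key vault or storage account).
output "system_assigned_principal_id" {
  value = azurerm_container_group.system_assigned.identity[0].principal_id
}
```

Run terraform plan after adding the identity block; a container group that has no identity block at all, or only a UserAssigned type, is what this rule flags. The principal_id output is only known after apply, since Azure creates the service principal when the resource is created.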

References:
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-managed-identity
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_group#identity

Policy Details

Rule Reference ID: AC_AZURE_0187
CSP: Azure
Remediation Available: Yes
Resource Category: Compute

Frameworks