Ensure Azure Active Directory (Azure AD) has been enabled in Azure Kubernetes Cluster

MEDIUM

Description

Azure Active Directory (Azure AD) integration is disabled on the Azure Kubernetes Service (AKS) cluster; this may make the infrastructure non-compliant.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Kubernetes Services.
  2. Choose the cluster you wish to edit.
  3. Under Settings, choose Cluster configuration.
  4. For Authentication and Authorization, select one of the Azure AD options and configure as needed.

In Terraform -

For current Azure Provider versions:

  1. In the azurerm_kubernetes_cluster resource, create an azure_active_directory_role_based_access_control block.
  2. Set azure_rbac_enabled to true and configure as needed.

For Azure Provider versions prior to 2.90.x:

  1. In the azurerm_kubernetes_cluster resource, create a role_based_access_control block.
  2. Set enabled to true.
  3. Create a nested azure_active_directory block and configure as needed.
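The two Terraform remediations above, written out as an added example (not from the original page or the Terraform provider docs). The resource, group, and variable names (`example-aks`, `azurerm_resource_group.example`, `var.aks_admin_group_object_id`) are assumed placeholders; `local_account_disabled` is an additional hardening setting of the same resource and is not required by this rule.

```hcl
# Added example: AKS cluster with Azure AD authentication enabled.
# Current azurerm provider (>= 2.90): use the
# azure_active_directory_role_based_access_control block.
resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks"                          # assumed name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  # Compliant setting for rule AC_AZURE_0159: Azure AD integration on,
  # Kubernetes authorization delegated to Azure RBAC.
  azure_active_directory_role_based_access_control {
    managed            = true   # required by 3.x; the attribute was dropped in 4.x
    azure_rbac_enabled = true
    # Azure AD group granted cluster-admin; object ID supplied by the caller.
    admin_group_object_ids = [var.aks_admin_group_object_id]
  }

  # Optional hardening (not part of the rule): turn off the static
  # admin kubeconfig so Azure AD is the only way in.
  local_account_disabled = true
}

variable "aks_admin_group_object_id" {
  description = "Object ID of the Azure AD group that administers the cluster (assumed)"
  type        = string
}

# For azurerm provider versions prior to 2.90.x, replace the
# azure_active_directory_role_based_access_control block above with the
# legacy nested form:
#
#   role_based_access_control {
#     enabled = true
#     azure_active_directory {
#       managed                = true
#       admin_group_object_ids = [var.aks_admin_group_object_id]
#     }
#   }
```

The non-compliant form is simply the same resource with neither block present, which leaves the cluster on locally issued credentials; adding either block (matched to the provider version in use) is what flips the check to passing.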

References:
https://learn.microsoft.com/en-us/azure/aks/managed-aad
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#azure_active_directory_role_based_access_control
https://registry.terraform.io/providers/hashicorp/azurerm/2.89.0/docs/resources/kubernetes_cluster#role_based_access_control

Policy Details

Rule Reference ID: AC_AZURE_0159
CSP: Azure
Remediation Available: Yes
Resource Category: Compute

Frameworks