Ensure ALLOW-with-positive-matching exists for Istio Authorization Object

MEDIUM

Description

Istio best practices include using ALLOW with a positive match pattern and DENY with a negative match pattern. Using the inverse (ALLOW with negative patterns, or DENY with positive ones) can cause policy mismatches. For more information, see the Istio documentation.
References:
https://istio.io/latest/docs/ops/best-practices/security/#use-allow-with-positive-matching-and-deny-with-negative-match-patterns

Remediation

To follow this best practice, update any Istio YAML file that configures an ALLOW action so that it uses only positive matching fields such as paths or values, rather than negative fields such as notPaths or notValues. This makes the security configuration clearer and avoids a double-negative loophole in the policy logic.
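As an added example (not part of this rule page or of Istio's own tooling), the following Python check flags the pattern this rule describes in a parsed AuthorizationPolicy and places a weak policy beside two remediated forms; the policy names, paths and issuer URL are constructed for illustration.

```python
# Added example, not Istio's own tooling: flag AuthorizationPolicy rules that
# pair action ALLOW with negative match fields (notPaths, notValues, ...).

def _negative_keys(block, where):
    """Dotted names of every not* key (notPaths, notValues, ...) in one match block."""
    return [f"{where}.{key}" for key in block if key.startswith("not")]

def find_violations(policy):
    """Return locations of negative match fields used under an ALLOW action.
    An unset spec.action defaults to ALLOW in Istio, so it is checked too;
    DENY policies may use negative matching and are never flagged."""
    spec = policy.get("spec", {})
    if spec.get("action", "ALLOW") != "ALLOW":
        return []
    found = []
    for i, rule in enumerate(spec.get("rules", [])):
        for j, src in enumerate(rule.get("from", [])):
            found += _negative_keys(src.get("source", {}), f"rules[{i}].from[{j}].source")
        for j, dst in enumerate(rule.get("to", [])):
            found += _negative_keys(dst.get("operation", {}), f"rules[{i}].to[{j}].operation")
        for j, cond in enumerate(rule.get("when", [])):
            found += _negative_keys(cond, f"rules[{i}].when[{j}]")
    return found

# Constructed policies in the shape a YAML loader returns (apiVersion omitted for brevity).
# Weak: "allow everything except /admin" written as ALLOW + notPaths (the double negative).
WEAK = {
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "httpbin", "namespace": "default"},
    "spec": {"action": "ALLOW",
             "rules": [{"to": [{"operation": {"notPaths": ["/admin"]}}]}]},
}
# Remediation: ALLOW lists only what is permitted (positive matching) ...
FIXED_ALLOW = {
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "httpbin", "namespace": "default"},
    "spec": {"action": "ALLOW",
             "rules": [{"to": [{"operation": {"paths": ["/api/*", "/healthz"]}}]}]},
}
# ... and DENY carries any negative matching (here: reject untrusted token issuers).
FIXED_DENY = {
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "deny-untrusted-issuer", "namespace": "default"},
    "spec": {"action": "DENY",
             "rules": [{"when": [{"key": "request.auth.claims[iss]",
                                  "notValues": ["https://issuer.example.com"]}]}]},
}
```

Running find_violations over each policy reports the single notPaths field in WEAK and nothing for the two remediated policies.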

Policy Details

Rule Reference ID: AC_K8S_0049
Remediation Available: No
Resource Category: Virtual Network
Resource Type: Istio

Frameworks