Ensure DENY-with-negative-matching exists for Istio Authorization Object

MEDIUM

Description

Istio best practices include using ALLOW with positive matching patterns (for example `paths`, `values`) and DENY with negative matching patterns (for example `notPaths`, `notValues`). Using the inverse, such as DENY with a positive pattern, could cause policy mismatches: the deny only takes effect on requests the pattern anticipates, and anything else is allowed through. For more information, see the Istio documentation.

References:
https://istio.io/latest/docs/ops/best-practices/security/#use-allow-with-positive-matching-and-deny-with-negative-match-patterns

Remediation

To follow this security practice, update any Istio AuthorizationPolicy YAML that has a DENY action so that its rules use only negative matching fields such as notPaths or notValues rather than positive matching fields such as paths or values. This makes the security configuration clearer and avoids a double-negative loophole in the policy logic, where a DENY that lists specific values fails open for every value it did not list.
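The following is an added example, not taken from the page or from the Istio project, that shows the flagged pattern beside the remediated form. The namespace, workload selector label and path values are constructed for illustration; the field names (`action`, `rules`, `to`, `operation`, `paths`, `notPaths`) are the standard AuthorizationPolicy schema.

```yaml
# Flagged by AC_K8S_0122: DENY with positive matching.
# Only requests whose path matches "/admin" exactly are denied; any
# variant the list did not anticipate (e.g. a differently normalized
# path or a new admin route) falls through and is allowed.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: deny-admin-weak          # constructed name
  namespace: shop                 # constructed namespace
spec:
  selector:
    matchLabels:
      app: storefront             # constructed workload label
  action: DENY
  rules:
  - to:
    - operation:
        paths: ["/admin"]         # positive field in a DENY: fails open
---
# Remediated: DENY with negative matching.
# Everything that is NOT one of the listed public paths is denied, so an
# unanticipated request fails closed instead of slipping past the policy.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: deny-non-public
  namespace: shop
spec:
  selector:
    matchLabels:
      app: storefront
  action: DENY
  rules:
  - to:
    - operation:
        notPaths: ["/public/*", "/healthz"]   # negative field in a DENY
---
# Companion ALLOW with positive matching for the intended traffic.
# ALLOW policies default-deny anything they do not list, so a positive
# pattern is the correct shape here.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-public
  namespace: shop
spec:
  selector:
    matchLabels:
      app: storefront
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/public/*", "/healthz"]      # positive field in an ALLOW
```

To find policies that trip this rule before a scanner does, list every AuthorizationPolicy with `action: DENY` and inspect its `rules` for the positive fields (`paths`, `methods`, `hosts`, `ports`, `principals`, `namespaces`, `ipBlocks`, `values`); each of those has a `not`-prefixed counterpart that expresses the same intent in the fail-closed direction.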

Policy Details

Rule Reference ID: AC_K8S_0122
Remediation Available: No
Resource Category: Virtual Network
Resource Type: Istio

Frameworks