kube-bench/cfg/aks-1.0/managedservices.yaml

---
controls:
version: "aks-1.0"
id: 5
text: "Managed Services"
type: "managedservices"
groups:
  - id: 5.1
    text: "Image Registry and Image Scanning"
    checks:
      - id: 5.1.1
        text: "Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.1.2
        text: "Minimize user access to Azure Container Registry (ACR) (Manual)"
        type: "manual"
        remediation: |
          Azure Container Registry
          If you use Azure Container Registry (ACR) as your container image store, you need to grant
          permissions to the service principal for your AKS cluster to read and pull images. Currently,
          the recommended configuration is to use the az aks create or az aks update command to
          integrate with a registry and assign the appropriate role for the service principal. For
          detailed steps, see Authenticate with Azure Container Registry from Azure Kubernetes
          Service.
          To avoid needing an Owner or Azure account administrator role, you can configure a
          service principal manually or use an existing service principal to authenticate ACR from
          AKS. For more information, see ACR authentication with service principals or Authenticate
          from Kubernetes with a pull secret.
        scored: false

      - id: 5.1.3
        text: "Minimize cluster access to read-only for Azure Container Registry (ACR) (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.1.4
        text: "Minimize Container Registries to only those approved (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.2
    text: "Access and identity options for Azure Kubernetes Service (AKS)"
    checks:
      - id: 5.2.1
        text: "Prefer using dedicated AKS Service Accounts (Manual)"
        type: "manual"
        remediation: |
          Azure Active Directory integration
          The security of AKS clusters can be enhanced with the integration of Azure Active Directory
          (AD). Built on decades of enterprise identity management, Azure AD is a multi-tenant,
          cloud-based directory, and identity management service that combines core directory
          services, application access management, and identity protection. With Azure AD, you can
          integrate on-premises identities into AKS clusters to provide a single source for account
          management and security.
          Azure Active Directory integration with AKS clusters
          With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes
          resources within a namespace or across the cluster. To obtain a kubectl configuration
          context, a user can run the az aks get-credentials command. When a user then interacts
          with the AKS cluster with kubectl, they're prompted to sign in with their Azure AD
          credentials. This approach provides a single source for user account management and
          password credentials. The user can only access the resources as defined by the cluster
          administrator.
          Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect
          is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID
          Connect, see the Open ID connect documentation. From inside of the Kubernetes cluster,
          Webhook Token Authentication is used to verify authentication tokens. Webhook token
          authentication is configured and managed as part of the AKS cluster.
        scored: false

  - id: 5.3
    text: "Key Management Service (KMS)"
    checks:
      - id: 5.3.1
        text: "Ensure Kubernetes Secrets are encrypted (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.4
    text: "Cluster Networking"
    checks:
      - id: 5.4.1
        text: "Restrict Access to the Control Plane Endpoint (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.2
        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.3
        text: "Ensure clusters are created with Private Nodes (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.4
        text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.5
        text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false


  - id: 5.5
    text: "Authentication and Authorization"
    checks:
      - id: 5.5.1
        text: "Manage Kubernetes RBAC users with Azure AD (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false
      - id: 5.5.2
        text: "Use Azure RBAC for Kubernetes Authorization (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.6
    text: "Other Cluster Configurations"
    checks:
      - id: 5.6.1
        text: "Restrict untrusted workloads (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false
      - id: 5.6.2
        text: "Hostile multi-tenant workloads (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false