Specify security requirements for containers and container orchestration
This unit summarizes the Azure security baseline for Azure Kubernetes Service. For areas where there are many controls, we have only included the first five that were mentioned.
Please refer to Introduction to Microsoft Cybersecurity Reference Architecture and cloud security benchmark for more background on Microsoft Cloud Security Benchmark.
In the table below, we have included controls from the full baseline where:
- Security controls were supported but not enabled by default
- There was explicit guidance which contained action to be taken on the part of the customer
| Area | Control | Guidance Summary |
|---|---|---|
| Network security | 1.1: Protect Azure resources within virtual networks | By default, a network security group and route table are automatically created with the creation of a Microsoft Azure Kubernetes Service (AKS) cluster. AKS automatically modifies network security groups for appropriate traffic flow as services are created with load balancers, port mappings, or ingress routes. |
| 1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and NICs | Use Microsoft Defender for Cloud and follow its network protection recommendations to secure the network resources being used by your Azure Kubernetes Service (AKS) clusters. | |
| 1.3: Protect critical web applications | Use an Azure Application Gateway enabled Web Application Firewall (WAF) in front of an AKS cluster to provide an additional layer of security by filtering the incoming traffic to your web applications. Azure WAF uses a set of rules, provided by The Open Web Application Security Project (OWASP), for attacks, such as, cross site scripting or cookie poisoning against this traffic. | |
| 1.4: Deny communications with known malicious IP addresses | Enable Microsoft Distributed Denial-of-service (DDoS) Standard protection on the virtual networks where Azure Kubernetes Service (AKS) components are deployed for protections against DDoS attacks. | |
| 1.5: Record network packets | Use Network Watcher packet capture as required for investigating anomalous activity. | |
| Logging and Monitoring | 2.1: Use approved time synchronization sources | Azure Kubernetes Service (AKS) nodes use ntp.ubuntu.com for time synchronization, along with UDP port 123 and Network Time Protocol (NTP). |
| 2.2: Configure central security log management | Enable audit logs from Azure Kubernetes Services (AKS) master components, kube-apiserver and kube-controller-manager, which are provided as a managed service. | |
| 2.3: Enable audit logging for Azure resources | Use Activity logs to monitor actions on Azure Kubernetes Service (AKS) resources to view all activity and their status. | |
| 2.4: Collect security logs from operating systems | Enable automatic installation of Log Analytics agents for collecting data from the AKS cluster nodes. Also, turn-on automatic provisioning of the Azure Log Analytics Monitoring Agent from Microsoft Defender for Cloud, as by default, automatic provisioning is off. | |
| 2.5: Configure security log storage retention | Onboard your Azure Kubernetes Service (AKS) instances to Azure Monitor and set the corresponding Azure Log Analytics workspace retention period according to your organization's compliance requirements. | |
| Identity and Access Control | 3.1: Maintain an inventory of administrative accounts | Azure Kubernetes Service (AKS) itself does not provide an identity management solution which stores regular user accounts and passwords. With Microsoft Entra integration, you can grant users or groups access to Kubernetes resources within a namespace or across the cluster. |
| 3.2: Change default passwords where applicable | Azure Kubernetes Service (AKS) does not have the concept of common default passwords and does not provide an identity management solution where regular user accounts and passwords can be stored. With Microsoft Entra integration, you can grant role-based access to AKS resources within a namespace or across the cluster. | |
| 3.3: Use dedicated administrative accounts | Integrate user authentication for your Azure Kubernetes Service (AKS) clusters with Microsoft Entra ID. Sign in to an AKS cluster using a Microsoft Entra authentication token. | |
| 3.4: Use single sign-on (SSO) with Microsoft Entra ID | Use single sign-on for Azure Kubernetes Service (AKS) with Microsoft Entra integrated authentication for an AKS cluster. | |
| 3.5: Use multi-factor authentication for all Microsoft Entra ID based access | Integrate Authentication for Azure Kubernetes Service (AKS) with Microsoft Entra ID. | |
| Data Protection | 4.1: Maintain an inventory of sensitive Information | Guidance: Use tags on resources related to Azure Kubernetes Service (AKS) deployments to assist in tracking Azure resources that store or process sensitive information. |
| 4.2: Isolate systems storing or processing sensitive information | Logically isolate teams and workloads in the same cluster with Azure Kubernetes Service (AKS) to provide the least number of privileges, scoped to the resources required by each team. | |
| 4.3: Monitor and block unauthorized transfer of sensitive information | Use a third-party solution from Azure Marketplace on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals. | |
| 4.4: Encrypt all sensitive information in transit | Create an HTTPS ingress controller and use your own TLS certificates (or optionally, Let's Encrypt) for your Azure Kubernetes Service (AKS) deployments. | |
| 4.5: Use an active discovery tool to identify sensitive data | Data identification, classification, and loss prevention features are not yet available for Azure Storage or compute resources. Implement third-party solution if required for compliance purposes. Microsoft manages the underlying platform and treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. | |
| Vulnerability Management | 5.1: Run automated vulnerability scanning tools | Use Microsoft Defender for Cloud to monitor your Azure Container Registry including Azure Kubernetes Service (AKS) instances for vulnerabilities. Enable the Container Registries bundle in Microsoft Defender for Cloud to ensure that Microsoft Defender for Cloud is ready to scan images that get pushed to the registry. |
| 5.2: Deploy automated operating system patch management solution | Security updates are automatically applied to Linux nodes to protect customer's Azure Kubernetes Service (AKS) clusters. These updates include OS security fixes or kernel updates. Note that the process to keep Windows Server nodes up to date differs from nodes running Linux as windows server nodes don't receive daily updates. | |
| 5.3: Deploy an automated patch management solution for third-party software titles | Implement a manual process to ensure Azure Kubernetes Service (AKS) cluster node's third-party applications remain patched for the duration of the cluster lifetime. This may require enabling automatic updates, monitoring the nodes, or performing periodic reboots. | |
| 5.4: Compare back-to-back vulnerability scans | Export Microsoft Defender for Cloud scan results at consistent intervals and compare the results to verify that vulnerabilities have been remediated. | |
| 5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | Use the severity rating provided by Microsoft Defender for Cloud to prioritize the remediation of vulnerabilities. | |
| Inventory and Asset Management | 6.1: Use automated asset discovery solution | Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, and so on) within your subscriptions. Ensure that you have appropriate (read) permissions in your tenant and are able to enumerate all Azure subscriptions as well as resources within your subscriptions. |
| 6.2: Maintain asset metadata | Apply tags to Azure resources with metadata to logically organize them into a taxonomy. | |
| 6.3: Delete unauthorized Azure resources | Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track assets. | |
| 6.4: Define and maintain an inventory of approved Azure resources | Define a list of approved Azure resources and approved software for compute resources based on organizational business needs. | |
| 6.5: Monitor for unapproved Azure resources | Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions: Not allowed resource types, Allowed resource types | |
| Secure Configuration | 7.1: Establish secure configurations for all Azure resources | Use Azure Policy aliases in the "Microsoft.ContainerService" namespace to create custom policies to audit or enforce the configuration of your Azure Kubernetes Service (AKS) instances. Use built-in Azure Policy definitions. |
| 7.2: Establish secure operating system configurations | Azure Kubernetes Clusters (AKS) clusters are deployed on host virtual machines with a security optimized OS. The host OS has additional security hardening steps incorporated into it to reduce the surface area of attack and allows the deployment of containers in a secure fashion. | |
| 7.3: Maintain secure Azure resource configurations | Secure your Azure Kubernetes Service (AKS) cluster using pod security policies. Limit what pods can be scheduled to improve the security of your cluster. | |
| 7.4: Maintain secure operating system configurations | Azure Kubernetes Service (AKS) clusters are deployed on host virtual machines with a security optimized OS. The host OS has additional security hardening steps incorporated into it to reduce the surface area of attack and allows the deployment of containers in a secure fashion. | |
| 7.5: Securely store configuration of Azure resources | Use Azure Repos to securely store and manage your configurations if using custom Azure Policy definitions. Export a template of your Azure Kubernetes Service (AKS) configuration in JavaScript Object Notation (JSON) with Azure Resource Manager. | |
| Malware Defense | 8.1: Use centrally managed antimalware software | AKS manages the lifecycle and operations of agent nodes on your behalf - modifying the IaaS resources associated with the agent nodes is not supported. However, for Linux nodes you may use daemon sets to install custom software like an anti-malware solution. |
| 8.2: Pre-scan files to be uploaded to non-compute Azure resources | Pre-scan any files being uploaded to your AKS resources. Use Microsoft Defender for Cloud's threat detection for data services to detect malware uploaded to storage accounts if using an Azure Storage Account as a data store or to track Terraform state for your AKS cluster. | |
| 8.3: Ensure antimalware software and signatures are updated | AKS manages the lifecycle and operations of agent nodes on your behalf - modifying the IaaS resources associated with the agent nodes is not supported. However, for Linux nodes you may use daemon sets to install custom software like an anti-malware solution. | |
| Data Recovery | 9.1: Ensure regular automated back ups | Back up your data using an appropriate tool for your storage type such as Velero, which can back up persistent volumes along with additional cluster resources and configurations. Periodically, verify the integrity, and security, of those backups. |
| 9.2: Perform complete system backups and backup any customer-managed keys | Back up your data using an appropriate tool for your storage type such as Velero, which can back up persistent volumes along with additional cluster resources and configurations. | |
| 9.3: Validate all backups including customer-managed keys | Periodically perform data restoration of content within Velero Backup. If necessary, test restoring to an isolated virtual network. | |
| 9.4: Ensure protection of backups and customer-managed keys | Back up your data using an appropriate tool for your storage type such as Velero, which can back up persistent volumes along with additional cluster resources and configurations. | |
| Incident Response | 10.1: Create an incident response guide | Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as phases of incident handling/management from detection to post-incident review. |
| 10.2: Create an incident scoring and prioritization procedure | Prioritize which alerts must be investigated first with Microsoft Defender for Cloud assigned severity to alerts. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert as well as the confidence level that there was malicious intent behind the activity that led to the alert. | |
| 10.3: Test security response procedures | Conduct exercises to test your systems’ incident response capabilities at a regular cadence. Identify weak points and gaps and revise incident response plans as needed. | |
| 10.4: Provide security incident contact details and configure alert notifications for security incidents | Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. | |
| 10.5: Incorporate security alerts into your incident response system | Export Microsoft Defender for Cloud alerts and recommendations using its Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. | |
| Penetration Tests and Red Team Exercises | 11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings | Follow the Microsoft Rules of Engagement to ensure your Penetration Tests are not in violation of Microsoft policies. |