nuclei-templates/cloud/azure/aks/azure-aks-managed-identity-...

id: azure-aks-managed-identity-unassigned
info:
  name: Use System-Assigned Managed Identities for AKS Clusters
  author: princechaddha
  severity: medium
  description: |
    Ensure that your Azure Kubernetes Service (AKS) clusters are using system-assigned managed identities to allow secure application access to other Azure cloud resources such as load balancers, managed disks, and key vaults.
  impact: |
    Not using system-assigned managed identities for AKS clusters can lead to inadequate security control, making it difficult to manage permissions and access securely.
  remediation: |
    Ensure that all AKS clusters are configured to use system-assigned managed identities. This can be set during the AKS cluster creation or can be updated on existing clusters.
  reference:
    - https://docs.microsoft.com/en-us/azure/aks/use-managed-identity
  tags: cloud,devops,azure,microsoft,aks,azure-cloud-config

flow: |
  code(1);
  for (let AKSData of iterate(template.clusterList)) {
    AKSData = JSON.parse(AKSData);
    set("name", AKSData.name);
    set("resourceGroup", AKSData.resourceGroup);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az aks list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'

    extractors:
      - type: json
        name: clusterList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az aks show --name "$name" --resource-group "$resourceGroup" --query 'identity.type'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "UserAssigned"

    extractors:
      - type: dsl
        dsl:
          - '"AKS cluster named " + name + " in resource group " + resourceGroup + " is not using a system-assigned managed identity"'
# digest: 4a0a00473045022100ac01b4b4b7f8e4b1c218908a6744d82bf60aa4192344b0e05003817e67edb7e002201ccb5124089725f1e735d4dcafeb5ab85d4911de2d81f4c48962b6bb5619cd75:922c64590222798bb761d5b6d8e72950
accesscontrol + activedirectory + aiservices + aks + apimanagement templates 2024-08-29 13:42:10 +00:00			`id: azure-aks-managed-identity-unassigned`
			`info:`
			`name: Use System-Assigned Managed Identities for AKS Clusters`
			`author: princechaddha`
			`severity: medium`
			`description: \|`
			`Ensure that your Azure Kubernetes Service (AKS) clusters are using system-assigned managed identities to allow secure application access to other Azure cloud resources such as load balancers, managed disks, and key vaults.`
			`impact: \|`
			`Not using system-assigned managed identities for AKS clusters can lead to inadequate security control, making it difficult to manage permissions and access securely.`
			`remediation: \|`
			`Ensure that all AKS clusters are configured to use system-assigned managed identities. This can be set during the AKS cluster creation or can be updated on existing clusters.`
			`reference:`
			`- https://docs.microsoft.com/en-us/azure/aks/use-managed-identity`
			`tags: cloud,devops,azure,microsoft,aks,azure-cloud-config`

			`flow: \|`
			`code(1);`
			`for (let AKSData of iterate(template.clusterList)) {`
			`AKSData = JSON.parse(AKSData);`
			`set("name", AKSData.name);`
			`set("resourceGroup", AKSData.resourceGroup);`
			`code(2);`
			`}`

			`self-contained: true`
			`code:`
			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`az aks list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'`

			`extractors:`
			`- type: json`
			`name: clusterList`
			`internal: true`
			`json:`
			`- '.[]'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`az aks show --name "$name" --resource-group "$resourceGroup" --query 'identity.type'`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "UserAssigned"`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- '"AKS cluster named " + name + " in resource group " + resourceGroup + " is not using a system-assigned managed identity"'`
chore: sign templates 🤖 2024-09-12 05:59:14 +00:00			`# digest: 4a0a00473045022100ac01b4b4b7f8e4b1c218908a6744d82bf60aa4192344b0e05003817e67edb7e002201ccb5124089725f1e735d4dcafeb5ab85d4911de2d81f4c48962b6bb5619cd75:922c64590222798bb761d5b6d8e72950`