id: azure-aks-network-contrib-unassigned info: name: Azure AKS Network Contributor Role Unassigned author: princechaddha severity: medium description: | Ensure that Azure Kubernetes Service (AKS) clusters are using the Network Contributor role for managing networking resources and accessing other Azure services within an Azure Virtual Network (VNet). The Network Contributor role enables seamless network management, facilitates service integration, and enhances overall security. impact: | If AKS clusters are not using the Network Contributor role, this may restrict their capabilities in managing network resources effectively, potentially leading to suboptimal service integration and security posture. remediation: | Ensure that the Network Contributor role is assigned to your AKS clusters within Azure to enable proper management of networking resources. This can be configured in the IAM settings of the Azure portal. reference: - https://docs.microsoft.com/en-us/azure/aks/manage-azure-rbac tags: cloud,devops,azure,microsoft,aks,azure-cloud-config flow: | code(1); for (let ClusterData of iterate(template.clusterList)) { ClusterData = JSON.parse(ClusterData); set("name", ClusterData.name); set("resourceGroup", ClusterData.resourceGroup); code(2); for(let subscriptionNames of iterate(template.subscription)){ set("subscription", subscriptionNames) code(3); } } self-contained: true code: - engine: - sh - bash source: | az aks list --output json --query '[*].{name:name, resourceGroup:resourceGroup}' extractors: - type: json name: clusterList internal: true json: - '.[]' - engine: - sh - bash source: | az aks show --name "$name" --resource-group "$resourceGroup" --query 'id' extractors: - type: json name: subscription internal: true json: - '.' - engine: - sh - bash source: | az role assignment list --scope "$subscription" --output json --query '[*].roleDefinitionName' matchers-condition: and matchers: - type: word words: - "Network Contributor" negative: true - type: word words: - "[]" extractors: - type: dsl dsl: - 'name + " in resource group " + resourceGroup + " does not have Network Contributor role assigned"' # digest: 4a0a00473045022012f89ba52a416adb0ddac27adf630c9f1ca7c0782dcb0a2d7a0a23dc41a96b21022100d6702536b637286fadab13c91e37e897594a889b9561335d31fa2e29bd71f51b:922c64590222798bb761d5b6d8e72950