55 lines
1.9 KiB
YAML
55 lines
1.9 KiB
YAML
id: azure-aks-use-private-kv
|
|
info:
|
|
name: Azure AKS Encryption at Rest Not Using Private Key Vault
|
|
author: princechaddha
|
|
severity: high
|
|
description: |
|
|
Ensure that your Azure Kubernetes Service (AKS) clusters are configured with encryption at rest for Kubernetes secrets in etcd using a private Azure Key Vault.
|
|
impact: |
|
|
If AKS clusters use a public key vault for secret data encryption, it may expose sensitive data to unauthorized access, leading to potential security risks.
|
|
remediation: |
|
|
Configure your AKS clusters to use private Azure Key Vaults for encryption at rest by setting the 'azureKeyVaultKms.keyVaultNetworkAccess' to 'Private'.
|
|
reference:
|
|
- https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-resource-management
|
|
tags: cloud,devops,azure,microsoft,aks,azure-cloud-config
|
|
|
|
flow: |
|
|
code(1);
|
|
for (let ClusterData of iterate(template.clusterList)) {
|
|
ClusterData = JSON.parse(ClusterData);
|
|
set("name", ClusterData.name);
|
|
set("resourceGroup", ClusterData.resourceGroup);
|
|
code(2);
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az aks list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'
|
|
|
|
extractors:
|
|
- type: json
|
|
name: clusterList
|
|
internal: true
|
|
json:
|
|
- '.[]'
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az aks show --name "$name" --resource-group "$resourceGroup" --query 'securityProfile.azureKeyVaultKms.keyVaultNetworkAccess'
|
|
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "Public"
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- 'name + " in " + resourceGroup + " does not use a private Key Vault for encryption at rest"'
|
|
# digest: 4a0a00473045022067e8d5622611de55743abd6b74c9e148e07cb58178799d6c65fdf28e9ce2858a02210087a564a96607e4caf3efba42327a1423105a475f5411de04c80b206298381bc7:922c64590222798bb761d5b6d8e72950 |