Ensure Azure Kubernetes Service (AKS) local admin account is disabled
Error: Azure Kubernetes Service (AKS) local admin account is enabled
Bridgecrew Policy ID: BC_AZR_IAM_3
Checkov Check ID: CKV_AZURE_141
Bridgecrew Severity: LOW
Description
The AKS local admin account is a static, certificate-based cluster credential: the kubeconfig returned by `az aks get-credentials --admin`. It is not tied to any Azure AD identity, is mapped to the Kubernetes `system:masters` group, and therefore has full access to every resource in the cluster regardless of Azure RBAC or Kubernetes RBAC bindings. Because it is shared and not attributable to a user, it cannot be revoked or audited per person; anyone who obtains it owns the cluster. Disabling local accounts forces all cluster access through Azure AD authentication and RBAC. Note that Azure only allows local accounts to be disabled on clusters with AKS-managed Azure AD integration enabled, so that must be configured first.
Fix - Runtime
CLI Command
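The runtime check and remediation for this finding, written here as an added example rather than text from the original page. It assumes the Azure CLI commands `az aks show`, `az aks update --enable-aad` and `az aks update --disable-local-accounts`, and a principal with write access to the cluster. The JSON samples are constructed to mimic only the relevant fields of `az aks show` output; the live functions are defined but not invoked, so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the original page): audit an AKS cluster for an
# enabled local admin account and remediate it with the Azure CLI.
# Assumptions: Azure CLI is installed and logged in; the JSON below is
# constructed, not captured from a real cluster.

# Returns 0 (compliant) when the cluster JSON reports local accounts disabled.
# A missing key means the Azure default, i.e. local accounts ENABLED.
local_accounts_disabled() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -q '"disableLocalAccounts":true'
}

# Returns 0 when AKS-managed Azure AD integration is on. The API refuses
# --disable-local-accounts unless this is the case.
aad_managed() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -q '"aadProfile":{[^}]*"managed":true'
}

# Live audit of one cluster; prints a PASS/FAIL line and returns 1 on FAIL.
audit_cluster() {
  rg=$1; name=$2
  json=$(az aks show --resource-group "$rg" --name "$name" --output json)
  if local_accounts_disabled "$json"; then
    echo "PASS $name: local accounts disabled"
  else
    echo "FAIL $name: local admin account enabled (CKV_AZURE_141)"
    return 1
  fi
}

# Live remediation: enable managed Azure AD first if needed, then disable
# local accounts, then read the flag back (should print "true").
remediate_cluster() {
  rg=$1; name=$2
  json=$(az aks show --resource-group "$rg" --name "$name" --output json)
  aad_managed "$json" || az aks update --resource-group "$rg" --name "$name" --enable-aad
  az aks update --resource-group "$rg" --name "$name" --disable-local-accounts
  az aks show --resource-group "$rg" --name "$name" --query disableLocalAccounts --output tsv
}

# Offline demonstration on constructed samples (trimmed az aks show output).
SAMPLE_ENABLED='{"name":"example-aks1","disableLocalAccounts":false,"aadProfile":null}'
SAMPLE_DISABLED='{"name":"example-aks1","disableLocalAccounts":true,"aadProfile":{"enableAzureRbac":true,"managed":true}}'

# Prints PASS or FAIL for a JSON document without calling az.
demo_result() {
  if local_accounts_disabled "$1"; then echo PASS; else echo FAIL; fi
}

demo_result "$SAMPLE_ENABLED"
demo_result "$SAMPLE_DISABLED"
```

Once local accounts are disabled, `az aks get-credentials --admin` is refused and only Azure AD principals with the right RBAC assignments can reach the API server, so make sure an Azure AD admin group is assigned before running the remediation against a cluster you depend on.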
Fix - Buildtime
Terraform
- Resource: azurerm_kubernetes_cluster
- Argument: local_account_disabled
resource "azurerm_kubernetes_cluster" "ckv_unittest_pass" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # Disables the static cluster-admin credential (az aks get-credentials --admin).
  local_account_disabled = true

  # Required when local accounts are disabled: Kubernetes RBAC plus
  # AKS-managed Azure AD integration, so every user authenticates via Azure AD.
  role_based_access_control_enabled = true
  azure_active_directory_role_based_access_control {
    managed            = true # azurerm 3.x; omit in 4.x, where managed integration is the only mode
    azure_rbac_enabled = true
  }

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "Production"
  }
}