Ensure Azure Kubernetes Service (AKS) local admin account is disabled

Error: Azure Kubernetes Service (AKS) local admin account is enabled

Bridgecrew Policy ID: BC_AZR_IAM_3
Checkov Check ID: CKV_AZURE_141
Bridgecrew Severity: LOW

Description

Disabling the local admin account for your Azure Kubernetes Service (AKS) cluster can help improve the security of your cluster. The local admin account has full access to all resources within the cluster, and can make any changes to the cluster and its contents.

Fix - Runtime

CLI Command

Fix - Buildtime

Terraform

  • Resource: azurerm_kubernetes_cluster
  • Argument: local_account_disabled

resource "azurerm_kubernetes_cluster" "ckv_unittest_pass" {
  name                   = "example-aks1"
  location               = azurerm_resource_group.example.location
  resource_group_name    = azurerm_resource_group.example.name
  # Disables the cluster's local admin account; the provider default is false,
  # so omitting this argument leaves the account enabled (CKV_AZURE_141 fails).
  local_account_disabled = true

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "Production"
  }
}
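As an added illustration of what this check looks for (not Checkov's own implementation, which uses its Terraform parser), the function below scans Terraform text with a simplified regex-based block extractor and marks each azurerm_kubernetes_cluster as passed only when local_account_disabled is explicitly true; the sample HCL is constructed for the example.

```python
import re

# Constructed sample Terraform: one compliant cluster, one that explicitly keeps
# the local admin account enabled, one that omits the argument (defaults to false),
# plus an unrelated resource that the check must ignore.
SAMPLE_TF = """
resource "azurerm_kubernetes_cluster" "pass" {
  name                   = "example-aks1"
  local_account_disabled = true

  default_node_pool {
    name       = "default"
    node_count = 1
  }
}

resource "azurerm_kubernetes_cluster" "fail_explicit" {
  name                   = "example-aks2"
  local_account_disabled = false
}

resource "azurerm_kubernetes_cluster" "fail_missing" {
  name = "example-aks3"
}

resource "azurerm_resource_group" "example" {
  name = "example-rg"
}
"""

# Top-level resource block: the closing brace at column 0 ends the block, so
# indented nested blocks (default_node_pool, identity, ...) stay inside the body.
BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.S | re.M,
)
ARG_RE = re.compile(r'^\s*local_account_disabled\s*=\s*(true|false)\b', re.M)


def check_local_accounts(hcl: str) -> dict:
    """Return {resource_name: 'PASSED' | 'FAILED'} for every AKS cluster in the HCL text."""
    results = {}
    for block in BLOCK_RE.finditer(hcl):
        if block.group("type") != "azurerm_kubernetes_cluster":
            continue
        arg = ARG_RE.search(block.group("body"))
        # Missing argument falls back to the provider default (false), which is a finding.
        compliant = arg is not None and arg.group(1) == "true"
        results[block.group("name")] = "PASSED" if compliant else "FAILED"
    return results
```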