AKS Security Audit Toolbox


In this article, I would like to share with you a list of security tools to audit the security of your AKS clusters.

Kubestriker performs numerous in-depth checks on Kubernetes infrastructure to identify the security misconfigurations and challenges that DevOps engineers and developers are likely to encounter when using Kubernetes, especially in production and at scale. https://github.com/vchinnipilli/kubestriker

Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. https://github.com/aquasecurity/kube-hunter

Kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as: run as non-root ; use a read-only root filesystem ; don’t run privileged ; and more! https://github.com/Shopify/kubeaudit

Kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. https://github.com/aquasecurity/kube-bench

Kubiscan is a tool for scanning a Kubernetes cluster for risky permissions in Kubernetes’s Role-based access control (RBAC) authorization model. https://github.com/cyberark/KubiScan

Kube-Scan gives a risk score, from 0 (no risk) to 10 (high risk) for each workload. The risk is based on the runtime configuration of each workload (currently 20+ settings). The exact rules and scoring formula are part of the open-source framework KCCSS, the Kubernetes Common Configuration Scoring System. https://github.com/octarinesec/kube-scan

Rback – A simple "RBAC in Kubernetes" visualizer. No matter how complex the setup, rback queries all RBAC-related information of a Kubernetes cluster in constant time and generates a graph representation of service accounts, (cluster) roles, and the respective access rules in dot format. https://github.com/mhausenblas/rback

ExtensiveRoleCheck is a Python tool that scans the Kubernetes RBAC for risky roles. https://github.com/cyberark/kubernetes-rbac-audit

Peirates, a Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service accounts, obtain further code execution, and gain control of the cluster. https://github.com/inguardians/peirates

Kubetap is a kubectl plugin that enables an operator to easily deploy intercepting proxies for Kubernetes Services. https://github.com/soluble-ai/kubetap

kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc.). https://github.com/sysdiglabs/kube-psp-advisor

Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes applications. https://github.com/kinvolk/inspektor-gadget

Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition. https://github.com/appvia/krane

KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security. https://github.com/stackrox/kube-linter

Kubeletctl is a command line tool that implements the kubelet’s API. https://github.com/cyberark/kubeletctl

MKIT is a Managed Kubernetes Inspection Tool that leverages FOSS tools to query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster. https://github.com/darkbitio/mkit

Conmachi is a tool written in Golang intended to be used to collect information about a container environment and list potential security issues. It can be statically compiled so that it can be dropped into a container environment and run without any dependencies. https://github.com/nccgroup/ConMachi

Ktunnel is a CLI tool that establishes a reverse tunnel between a Kubernetes cluster and your local machine. It lets you expose your machine as a service in the cluster or expose it to a specific deployment. You can also use the client and server without the orchestration part. Although ktunnel is identified with Kubernetes, it can also be used as a reverse tunnel on any other remote system. https://github.com/omrikiei/ktunnel

Dostainer – Kubernetes Resource Exhaustion PoC Container https://github.com/uchi-mata/dostainer

Kubei is a vulnerability scanning and CIS Docker Benchmark tool that allows users to get an accurate and immediate risk assessment of their Kubernetes clusters. Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods. It doesn’t scan entire image registries and doesn’t require preliminary integration with CI/CD pipelines. https://github.com/Portshift/Kubei

Kubernetes Cluster dumps: full cluster export into JSON files using both native and specialized exports. https://github.com/alexivkin/kubepwn/blob/master/Tools/kubernetes-cluster-dump.sh


Encrypted customer managed keys policy for AKS


Azure Kubernetes Service (AKS) now supports a new Azure policy to ensure OS and data disks are encrypted via customer managed keys. This feature enhances security by supporting the creation of a policy to audit the usage of customer managed keys on OS and data disks, or denying the creation of resources not using customer managed keys on OS and data disks.

AKS CMK Deny Policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CMK_Deny.json


Identify Public Storage Account


By default, a storage account allows public access to be configured for containers in the account, but does not enable public access to your data. Public access to blob data is never permitted unless you take the additional step to explicitly configure the public access setting for a container.

Microsoft introduced a new protection feature to help prevent public access to storage accounts. The feature introduces a new property named allowBlobPublicAccess.

Microsoft recommends that you disallow public access to a storage account unless your scenario requires it. Disallowing public access helps to prevent data breaches caused by undesired anonymous access.

In this article, I will show you how you can identify these storage accounts with an Azure Resource Graph query:

// Azure Resource Graph (KQL): list every storage account with its allowBlobPublicAccess setting
resources
| where type =~ 'Microsoft.Storage/storageAccounts'
| extend allowBlobPublicAccess = parse_json(properties).allowBlobPublicAccess
| project name, resourceGroup, allowBlobPublicAccess
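As an added example (not part of the original article), here is a small Python post-processor that applies the same check to rows in the shape the query returns, for instance the data array produced by az graph query. The sample rows are constructed, and the script assumes that an account with allowBlobPublicAccess unset keeps the historical default that allows public access, so it flags those accounts as well as the ones explicitly set to true.

```python
import json

# Constructed sample rows shaped like Azure Resource Graph results
# (type, name, resourceGroup, properties); these are not real accounts.
SAMPLE_ROWS = [
    {"type": "microsoft.storage/storageaccounts", "name": "stlocked",
     "resourceGroup": "rg-prod", "properties": {"allowBlobPublicAccess": False}},
    {"type": "microsoft.storage/storageaccounts", "name": "stopen",
     "resourceGroup": "rg-prod", "properties": {"allowBlobPublicAccess": True}},
    # Older account: the property was never set, so it is absent from properties
    {"type": "microsoft.storage/storageaccounts", "name": "stlegacy",
     "resourceGroup": "rg-legacy", "properties": json.dumps({"minimumTlsVersion": "TLS1_2"})},
    # Not a storage account: must be ignored even though it carries the key
    {"type": "microsoft.keyvault/vaults", "name": "kv-prod",
     "resourceGroup": "rg-prod", "properties": {"allowBlobPublicAccess": True}},
]

STORAGE_TYPE = "microsoft.storage/storageaccounts"


def _properties(row):
    """properties may arrive as a JSON string or an object; parse like parse_json()."""
    props = row.get("properties")
    if isinstance(props, str):
        props = json.loads(props)
    return props or {}


def public_access_state(row):
    """Return the stored True/False value, or None when the property is unset."""
    return _properties(row).get("allowBlobPublicAccess")


def find_public_storage_accounts(rows):
    """Return storage accounts that do not explicitly disable blob public access.
    Assumption (not from the article): an unset property keeps the historical
    default, which allows public access, so None is reported like True."""
    findings = []
    for row in rows:
        if row.get("type", "").lower() != STORAGE_TYPE:  # mirrors `type =~` in KQL
            continue
        state = public_access_state(row)
        if state is False:
            continue  # explicitly disallowed: nothing to report
        reason = "explicitly enabled" if state is True else "property unset (default allows)"
        findings.append({"name": row["name"], "resourceGroup": row["resourceGroup"],
                         "allowBlobPublicAccess": state, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_public_storage_accounts(SAMPLE_ROWS):
        print(f"{f['resourceGroup']}/{f['name']}: {f['reason']}")
```

With the sample rows it reports stopen and stlegacy and leaves stlocked and the key vault alone; feed it real rows by loading the JSON output of az graph query and passing its data array.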

A few months ago, I wrote an article showing how you can identify these storage accounts with an audit Azure Policy: https://zigmax.net/identifier-les-comptes-de-stockage-publiques/ (this article is written in French).