
Use System-Assigned Managed Identities for AKS Clusters

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Azure Kubernetes Service (AKS) clusters are using system-assigned managed identities in order to allow secure application access to other Azure cloud resources such as load balancers, managed disks, and key vaults.

Security

A system-assigned managed identity lets an Azure Kubernetes Service (AKS) cluster authenticate to other Azure services without storing credentials in code. Because Microsoft Azure creates, secures, and rotates the identity's credentials automatically, you no longer have to secure, manage, and rotate access credentials yourself.


Audit

To determine if your AKS clusters are configured to use system-assigned managed identities, perform the following actions:

Checking Azure Kubernetes Service (AKS) clusters for system-assigned managed identities using Azure Console (Azure Portal) is not currently supported.

Using Azure CLI

01 Run the aks list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group of each Azure Kubernetes Service (AKS) cluster available in the current subscription:

az aks list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the names and resource groups of the requested AKS clusters:

Name                     ResourceGroup
----------------------   ------------------------------
cc-project5-aks-cluster  cloud-shell-storage-westeurope
cc-data-mining-cluster   cloud-shell-storage-westeurope

03 Run the aks show command (Windows/macOS/Linux) with the name of the Azure Kubernetes Service (AKS) cluster that you want to examine and its associated resource group as the identifier parameters to determine the identity type configured for the selected AKS cluster:

az aks show \
  --name cc-project5-aks-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --query 'identity.type'

04 The command output should return the identity type used (system-assigned or user-assigned):

"UserAssigned"

If the aks show command output returns "UserAssigned", as shown in the output example above, the selected Azure Kubernetes Service (AKS) cluster is not using a system-assigned managed identity.

05 Repeat steps no. 3 and 4 for each AKS cluster available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Azure Kubernetes Service (AKS) clusters are using system-assigned managed identities, perform the following actions:

Configuring Azure Kubernetes Service (AKS) clusters to use system-assigned managed identities using Azure Console (Azure Portal) is not currently supported.

Using Azure CLI

01 Run the aks update command (Windows/macOS/Linux) with the name of the AKS cluster that you want to update and its associated resource group as the identifier parameters to switch the selected cluster's control plane to a system-assigned managed identity:

az aks update \
  --name cc-project5-aks-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --enable-managed-identity

02 The aks update command should ask for confirmation. Type y and press Enter to confirm:

Your cluster is already using userassigned managed identity, and you are going to update the cluster to use systemassigned managed identity.
Are you sure you want to perform this operation? (y/N): y

03 Once the update process is completed, the command output should return the configuration of the modified AKS cluster, with the "identity" type now set to "SystemAssigned":

{
	"aadProfile": null,
	"addonProfiles": {
		"azureKeyvaultSecretsProvider": {
			"config": null,
			"enabled": false,
			"identity": null
		},
		"azurepolicy": {
			"config": null,
			"enabled": false,
			"identity": null
		}
	},
	"apiServerAccessProfile": null,
	"autoUpgradeProfile": {
		"upgradeChannel": "none"
	},
	"identity": {
		"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
		"type": "SystemAssigned",
		"userAssignedIdentities": null
	},
	"azureMonitorProfile": null,
	"currentKubernetesVersion": "1.26.3",
	"disableLocalAccounts": false,
	"diskEncryptionSetId": null,
	"dnsPrefix": "cc-project5-aks-cluster-dns",
	"enablePodSecurityPolicy": null,
	"enableRbac": true,
	"extendedLocation": null,
	"fqdn": "cc-project5-aks-cluster-dns-abcd1234.hcp.westeurope.azmk8s.io",
	"fqdnSubdomain": null,
	"httpProxyConfig": null,
	"kubernetesVersion": "1.26.3",
	"linuxProfile": null,
	"location": "westeurope",
	"maxAgentPools": 100,
	"name": "cc-project5-aks-cluster",
	"nodeResourceGroup": "MC_cloud-shell-storage-westeurope_cc-project5-aks-cluster_westeurope",
	"oidcIssuerProfile": {
		"enabled": false,
		"issuerUrl": null
	},
	"podIdentityProfile": null,
	"powerState": {
		"code": "Running"
	},
	"privateFqdn": null,
	"privateLinkResources": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccess": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"securityProfile": {
		"azureKeyVaultKms": null,
		"defender": null,
		"imageCleaner": null,
		"workloadIdentity": null
	},
	"servicePrincipalProfile": {
		"clientId": "msi",
		"secret": null
	},
	"sku": {
		"name": "Base",
		"tier": "Free"
	},
	"storageProfile": {
		"blobCsiDriver": null,
		"diskCsiDriver": {
			"enabled": true
		},
		"fileCsiDriver": {
			"enabled": true
		},
		"snapshotController": {
			"enabled": true
		}
	},
	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"tags": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"windowsProfile": null,
	"workloadAutoScalerProfile": {
		"keda": null
	}
}

04 Repeat steps no. 1 – 3 for each Azure Kubernetes Service cluster that you want to update, available within the current subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.
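The audit steps (list clusters, query identity.type, repeat per subscription) and this remediation can be combined into one script. The script below is an added example, not part of the Conformity page or of the Azure CLI itself: it walks every subscription, classifies each cluster's identity type (treating a cluster with no managed identity at all, i.e. a legacy service-principal cluster, as a failure too), and with --fix runs aks update --enable-managed-identity on failing clusters. It assumes an installed, logged-in az CLI with read access (write access for --fix); the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Conformity page or the Azure CLI): audit every AKS
# cluster in every subscription for its identity type and, with --fix, switch
# failing clusters to a system-assigned identity. Assumes a logged-in `az` CLI.
set -eu
tab=$(printf '\t')

# Map the value of `az aks show --query identity.type -o tsv` to a verdict. An
# empty value means no managed identity at all (legacy service-principal cluster).
classify_identity() {
  case "${1:-}" in
    SystemAssigned) echo "PASS" ;;
    UserAssigned)   echo "FAIL user-assigned managed identity" ;;
    "")             echo "FAIL no managed identity (service principal)" ;;
    *)              echo "FAIL unexpected identity type: $1" ;;
  esac
}

# One tab-separated line per cluster: subscription, resource group, name, verdict.
audit_clusters() {
  az account list --query '[].id' -o tsv | while read -r sub; do
    az aks list --subscription "$sub" --query '[].[name,resourceGroup]' -o tsv |
      while IFS="$tab" read -r name rg; do
        t=$(az aks show --subscription "$sub" -n "$name" -g "$rg" \
              --query identity.type -o tsv)
        printf '%s\t%s\t%s\t%s\n' "$sub" "$rg" "$name" "$(classify_identity "$t")"
      done
  done
}

# Non-interactive form of remediation step 1. The new system-assigned identity has
# a fresh principalId, so custom role assignments granted to the old identity
# (e.g. on a VNet or registry outside the node resource group) must be re-granted.
fix_cluster() {
  az aks update --subscription "$1" -g "$2" -n "$3" --enable-managed-identity --yes
}

main() {
  audit_clusters | while IFS="$tab" read -r sub rg name verdict; do
    echo "$sub/$rg/$name: $verdict"
    if [ "${1:-}" = "--fix" ] && [ "${verdict%% *}" = "FAIL" ]; then
      fix_cluster "$sub" "$rg" "$name"
    fi
  done
}

# Run only when invoked with --audit or --fix, so the file can also be sourced.
case "${1:-}" in --audit|--fix) main "$1" ;; esac
```

Run it as `sh audit-aks-identity.sh --audit` to report only, or with `--fix` to remediate every cluster that fails the check.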

Publication date Aug 9, 2023