Enable Federal Information Process Standard (FIPS) for AKS Cluster Node Pools

Risk Level: Medium (should be achieved)

Ensure that Federal Information Process Standard (FIPS) is enabled for your Azure Kubernetes Service (AKS) cluster node pools. The Federal Information Processing Standard (FIPS) 140-2 is a US government standard that sets the minimum security requirements for cryptographic modules in information technology products and systems. Azure Kubernetes Service (AKS) enables you to create Linux and Windows node pools with FIPS 140-2 enabled. Deployments that run on FIPS-enabled node pools can use these cryptographic modules to enhance security and assist in meeting security controls as part of FedRAMP compliance.

Security

Federal Information Process Standard (FIPS) should be enabled for AKS cluster node pools to ensure compliance with government regulations and security standards. FIPS provides a strong cryptographic foundation, protecting sensitive data and enhancing the overall security posture of the ASK cluster.

Audit

To determine if your AKS clusters are configured with FIPS-enabled node pools, perform the following operations:

The list of supported OS versions is available here.
Checking for FIPS-enabled AKS cluster node pools using Microsoft Azure Portal (Azure Console) is not currently supported.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription:

az aks list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AKS cluster names:

Name                    ResourceGroup
----------------------  ------------------------------
cc-data-mining-cluster  cloud-shell-storage-westeurope
cc-project5-cluster     cloud-shell-storage-westeurope

06 Run aks show command (Windows/macOS/Linux) with the name of the AKS cluster that you want to examine (and the associated resource group) as identifier parameters, to determine if the selected AKS cluster has FIPS-enabled node pools:

az aks show
  --name cc-data-mining-cluster
  --resource-group cloud-shell-storage-westeurope
  --output table
  --query='agentPoolProfiles[].{Name:name,enableFips:enableFips}'

07 The command output should return the FIPS feature status (True for enabled, False for disabled) for each node pool provisioned for the selected cluster:

Name           EnableFips
------------   ------------
miningpool01   False
miningpool02   False
miningpool03   False

If the aks show command output returns False for one or more node pools, as shown in the example above, Federal Information Process Standard (FIPS) is not enabled for the node pools provisioned within the selected AKS cluster.

08 Repeat steps no. 6 and 7 for each AKS cluster provisioned within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that Federal Information Process Standard (FIPS) is enabled for your Azure Kubernetes Service (AKS) cluster node pools, perform the following operations:

Enabling FIPS for AKS cluster node pools using Microsoft Azure Portal (Azure Console) is not currently supported.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks nodepool update command (OSX/Linux/UNIX) with the name of the cluster that you want to configure as the identifier parameter, to enable Federal Information Process Standard (FIPS) for the selected AKS cluster node pool. When you update an existing node pool, the current node image will be replaced with the recommended FIPS-compliant image for the same OS SKU. The command provided below launches an immediate reimage of the node pool, allowing for the deployment of the FIPS-compliant OS. This reimage takes place during the node pool update, and no further actions are required:

az aks nodepool update
  --name miningpool01
  --cluster-name cc-data-mining-cluster
  --resource-group cloud-shell-storage-westeurope
  --enable-fips-image

05 The command output should return the configuration information available for the modified AKS cluster node pool:

{
	"artifactStreamingProfile": null,
	"availabilityZones": null,
	"capacityReservationGroupId": null,
	"count": 1,
	"creationData": null,
	"currentOrchestratorVersion": "1.29.8",
	"eTag": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"enableAutoScaling": false,
	"enableCustomCaTrust": null,
	"enableEncryptionAtHost": null,
	"enableFips": true,
	"enableNodePublicIp": false,
	"enableUltraSsd": null,
	"gatewayProfile": null,
	"gpuInstanceProfile": null,
	"gpuProfile": null,
	"hostGroupId": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-data-mining-cluster/agentPools/miningpool01",
	"kubeletConfig": null,
	"kubeletDiskType": "OS",
	"linuxOsConfig": null,
	"maxCount": null,
	"maxPods": 30,
	"messageOfTheDay": null,
	"minCount": null,
	"mode": "System",
	"name": "miningpool01",
	"networkProfile": null,
	"nodeImageVersion": "AKSUbuntu-2004gen2fipscontainerd-202409.23.0",
	"nodeInitializationTaints": null,
	"nodeLabels": null,
	"nodePublicIpPrefixId": null,
	"nodeTaints": null,
	"orchestratorVersion": "1.29.8",
	"osDiskSizeGb": 128,
	"osDiskType": "Managed",
	"osSku": "Ubuntu",
	"osType": "Linux",
	"podIpAllocationMode": null,
	"podSubnetId": null,
	"powerState": {
		"code": "Running"
	},
	"provisioningState": "Succeeded",
	"proximityPlacementGroupId": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"scaleDownMode": null,
	"scaleSetEvictionPolicy": null,
	"scaleSetPriority": null,
	"securityProfile": {
		"enableSecureBoot": false,
		"enableVtpm": false,
		"sshAccess": "LocalUser"
	},
	"spotMaxPrice": null,
	"tags": null,
	"type": "Microsoft.ContainerService/managedClusters/agentPools",
	"typePropertiesType": "VirtualMachineScaleSets",
	"upgradeSettings": {
		"drainTimeoutInMinutes": null,
		"maxSurge": "10%",
		"nodeSoakDurationInMinutes": null,
		"undrainableNodeBehavior": null
	},
	"virtualMachineNodesStatus": null,
	"virtualMachinesProfile": null,
	"vmSize": "Standard_D2as_v4",
	"vnetSubnetId": null,
	"windowsProfile": null,
	"workloadRuntime": null
}

06 Repeat steps no. 4 and 5 for each node pool provisioned within the selected AKS cluster.

07 Repeat steps no. 4 - 6 for each AKS cluster that you want to configure, available within the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

References

Azure Official Documentation
Federal Information Processing Standard (FIPS) 140
Enable Federal Information Process Standard (FIPS) for Azure Kubernetes Service (AKS)

Publication date Oct 22, 2024

Audit

Using Azure CLI

Remediation / Resolution

Using Azure CLI

References

Related AKS rules