
Rotate AKS Cluster Credentials

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Azure Kubernetes Service (AKS) cluster credentials are regularly rotated in order to meet security and compliance requirements. Rotation limits the window in which a leaked or compromised secret can be used to gain unauthorized access to the cluster and its resources. Conformity recommends rotating the service principal credentials of your AKS clusters at least every 90 days.

Security

Regularly rotating Azure Kubernetes Service (AKS) cluster credentials is essential for security. It helps prevent unauthorized access by reducing the risk associated with credential exposure. Credential rotation also aligns with security best practices and policies, mitigating potential threats from leaked or compromised credentials. Updating credentials protects both the Kubernetes cluster and the underlying Azure infrastructure.

The rotation procedure described on this page applies only to AKS clusters that authenticate to Azure with a service principal. Clusters that use a managed identity (the default for newly created clusters) have their Azure credentials issued and rotated by the platform, and the aks show command reports "msi" instead of a client ID for them.


Audit

To determine if your AKS cluster credentials are regularly rotated (i.e. every 90 days), perform the following operations:

Checking the credential information of the service principal associated with the AKS cluster using Microsoft Azure Portal (Azure Console) is not currently supported.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription:

az aks list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AKS cluster names and their resource groups:

Name                    ResourceGroup
----------------------  ------------------------------
cc-data-mining-cluster  cloud-shell-storage-westeurope
cc-project5-cluster     cloud-shell-storage-westeurope

06 Run aks show command (Windows/macOS/Linux) with the name of the AKS cluster that you want to examine (and the associated resource group) as identifier parameters, to return the application (client) ID of the service principal that the selected cluster uses to authenticate to Azure:

az aks show
  --name cc-data-mining-cluster
  --resource-group cloud-shell-storage-westeurope
  --query 'servicePrincipalProfile.clientId'

07 The command output should return the requested application (client) ID:

"abcd1234-abcd-1234-abcd-abcd1234abcd"

If the command returns "msi" instead of an ID, the selected cluster uses a managed identity rather than a service principal. Azure issues and rotates the credentials of that identity itself, so steps 8 and 9 do not apply to the cluster.

08 Run ad app credential list command (Windows/macOS/Linux) with the application (client) ID returned in the previous step as the identifier parameter and custom query filters to list the start date of each client secret registered on the application behind the service principal:

az ad app credential list
  --id "abcd1234-abcd-1234-abcd-abcd1234abcd"
  --query "[].startDateTime"

09 The command output should return the start date of each registered client secret:

[
	"2024-05-12T06:29:02Z"
]

The ad app credential list command returns one entry per client secret currently registered on the application, and startDateTime is the moment that secret became valid, not the creation date of the service principal. Take the most recent startDateTime as the last rotation. If more than 90 days have passed since that timestamp, the credentials for the selected AKS cluster are not being rotated regularly. Several entries usually mean that old secrets were never retired after a rotation; add endDateTime to the query to see when each of them expires, and consider deleting the ones that are no longer in use.

10 Repeat steps no. 6 - 9 for each AKS cluster provisioned within the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
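The eleven audit steps above, scripted end to end as an added example (this is not Conformity's tooling or an Azure CLI feature; the file name audit.sh and the RUN_LIVE_AUDIT variable are this example's own conventions): it walks every enabled subscription, skips clusters that use a managed identity, takes the newest startDateTime of each cluster's service principal secrets and flags the cluster when that date is older than 90 days. The day arithmetic is written in shell arithmetic so the check behaves the same under GNU and BSD date, and the live Azure calls run only when RUN_LIVE_AUDIT=1 is set, so the helper functions can be exercised without Azure access:

```shell
#!/bin/sh
# Added example, not Conformity's or Microsoft's tooling: walk every enabled
# subscription and AKS cluster (audit steps 01-11) and report clusters whose
# newest service principal secret is older than MAX_AGE_DAYS. Assumes Azure CLI
# (az) is logged in with read access to the clusters and to the application
# objects behind their service principals.
set -eu

MAX_AGE_DAYS=90

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (proleptic Gregorian,
# years >= 0). A leading zero is stripped so that "08" is not read as octal.
days_from_civil() {
  y=$1; m=${2#0}; d=${3#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# iso_to_days 2024-05-12T06:29:02Z -> days since the epoch (time of day ignored)
iso_to_days() {
  ts=$1
  yy=${ts%%-*}; rest=${ts#*-}; mm=${rest%%-*}; rest=${rest#*-}; dd=${rest%%T*}
  days_from_civil "$yy" "$mm" "$dd"
}

# credential_age_days START_ISO [NOW_ISO] -> whole days since the secret's
# startDateTime; NOW defaults to the current UTC date.
credential_age_days() {
  now=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  echo $(( $(iso_to_days "$now") - $(iso_to_days "$1") ))
}

# newest_start_date: reads ISO timestamps (one per line) on stdin and prints
# the latest one; UTC ISO 8601 strings sort correctly as plain text.
# Empty input prints nothing.
newest_start_date() { sort -r | head -n 1; }

# verdict NEWEST_START_ISO [NOW_ISO] -> COMPLIANT, NON_COMPLIANT or NO_SECRET
verdict() {
  if [ -z "$1" ]; then echo NO_SECRET; return 0; fi
  age=$(credential_age_days "$1" "${2:-}")
  if [ "$age" -gt "$MAX_AGE_DAYS" ]; then echo NON_COMPLIANT; else echo COMPLIANT; fi
}

# audit_all: prints one tab-separated line per cluster with the subscription,
# resource group, cluster name and verdict (steps 01-11 of the audit).
audit_all() {
  for sub in $(az account list --query "[?state=='Enabled'].id" -o tsv); do
    az account set --subscription "$sub"
    # cluster and resource group names contain no whitespace, so the default
    # IFS splits the tab-separated output correctly
    az aks list --query '[].[name, resourceGroup]' -o tsv \
    | while read -r name rg; do
        client_id=$(az aks show --name "$name" --resource-group "$rg" \
                      --query 'servicePrincipalProfile.clientId' -o tsv </dev/null)
        if [ "$client_id" = "msi" ]; then
          # managed identity: Azure rotates its credentials, nothing to audit
          printf '%s\t%s\t%s\tMANAGED_IDENTITY\n' "$sub" "$rg" "$name"
          continue
        fi
        newest=$(az ad app credential list --id "$client_id" \
                   --query '[].startDateTime' -o tsv </dev/null | newest_start_date)
        printf '%s\t%s\t%s\t%s\n' "$sub" "$rg" "$name" "$(verdict "$newest")"
      done
  done
}

# The live audit runs only when requested (RUN_LIVE_AUDIT=1 sh audit.sh), so the
# functions above can be sourced and checked without Azure access.
if [ "${RUN_LIVE_AUDIT:-0}" = "1" ]; then
  audit_all
fi
```

Run it as RUN_LIVE_AUDIT=1 sh audit.sh from a session that has already completed az login. The 90-day check counts whole days between the secret's start date and today, so a secret issued exactly 90 days ago still passes and one issued 91 days ago is reported as NON_COMPLIANT; a cluster whose application has no secret at all is reported as NO_SECRET so that it can be investigated rather than silently passed.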

Remediation / Resolution

To rotate credentials for your Azure Kubernetes Service (AKS) clusters periodically (i.e. every 90 days), perform the following operations:

Rotating credentials for the service principal associated with the AKS cluster using Microsoft Azure Portal (Azure Console) is not currently supported.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run ad app credential reset command (Windows/macOS/Linux) to issue a new client secret for the service principal associated with your AKS cluster. By default this command clears every existing password and key on the application before issuing the new secret, so any other cluster, pipeline or workload that shares the service principal stops authenticating until it is updated as well. To avoid that gap, add the --append parameter so that the current secret stays valid, update every consumer, and then retire the old credential with the ad app credential delete command (its --key-id parameter takes the keyId shown by ad app credential list). The new secret is returned exactly once and cannot be retrieved later, so capture it into a shell variable rather than copying it into logs or tickets:

az ad app credential reset
  --id "abcd1234-abcd-1234-abcd-abcd1234abcd"
  --query password

05 The command output should return the new client secret (password) for the service principal. The secret is valid for one year unless you choose a shorter validity with the --years or --end-date parameter:

"abcd1234abcd1234abcd1234abcd1234abcd1234"

06 Run aks update-credentials command (Windows/macOS/Linux) with the name of the AKS cluster that you want to configure (and the associated resource group) as identifier parameters, to install the new client secret on the selected cluster. The --service-principal parameter takes the application (client) ID returned by aks show and --client-secret takes the secret issued in step no. 4. The command waits until the control plane and the cluster nodes have been updated with the new credentials, which can take some time, and it does not produce an output. If several clusters share the same service principal, run the command for each of them before the previous secret is deleted or expires:

az aks update-credentials
  --name cc-data-mining-cluster
  --resource-group cloud-shell-storage-westeurope
  --reset-service-principal
  --service-principal "abcd1234-abcd-1234-abcd-abcd1234abcd"
  --client-secret "abcd1234abcd1234abcd1234abcd1234abcd1234"

07 Repeat steps no. 4 - 6 for each AKS cluster that you want to configure, available within the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
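The remediation steps no. 4 to 6, as an added example rather than Conformity's or Microsoft's tooling, in the order that avoids an outage for anything else using the same service principal: a new secret is appended next to the current one, every listed cluster is switched to it, and only then are the previous secrets deleted. The APP_ID default, the rotate.sh file name and the RUN_LIVE_ROTATION variable are this example's own assumptions; the application ID is the clientId that aks show returns for the cluster:

```shell
#!/bin/sh
# Added example, not Conformity's or Microsoft's tooling: rotate the client
# secret of the service principal behind one or more AKS clusters without a
# window in which no valid secret exists. Assumes Azure CLI (az) is logged in
# with rights to manage the application's credentials and the clusters.
set -eu

# application (client) ID from `az aks show --query servicePrincipalProfile.clientId`
APP_ID="${APP_ID:-abcd1234-abcd-1234-abcd-abcd1234abcd}"
SECRET_YEARS="${SECRET_YEARS:-1}"   # validity of the new secret in years
tab=$(printf '\t')

# newest_key_id: reads "keyId<TAB>startDateTime" lines on stdin and prints the
# keyId with the latest start date, i.e. the secret that was just issued.
newest_key_id() { sort -t "$tab" -k2,2r | head -n 1 | cut -f1; }

# old_key_ids NEW_KEY_ID: reads the same lines on stdin and prints every keyId
# except NEW_KEY_ID, i.e. the secrets to retire once all consumers are moved.
old_key_ids() {
  while read -r key_id _start; do
    [ "$key_id" = "$1" ] || echo "$key_id"
  done
}

# rotate CLUSTER RESOURCE_GROUP [CLUSTER RESOURCE_GROUP ...]
rotate() {
  # 1. Append a new secret. The default reset (without --append) clears every
  #    password and key on the application and breaks any other cluster,
  #    pipeline or workload sharing the service principal until it is updated.
  new_secret=$(az ad app credential reset --id "$APP_ID" --append \
                 --years "$SECRET_YEARS" --query password -o tsv)
  new_key_id=$(az ad app credential list --id "$APP_ID" \
                 --query '[].[keyId, startDateTime]' -o tsv | newest_key_id)
  if [ -z "$new_key_id" ]; then
    echo "could not determine the keyId of the new secret; nothing deleted" >&2
    return 1
  fi

  # 2. Push the new secret to every cluster that uses this service principal.
  #    Each call waits until the control plane and nodes have been updated.
  while [ $# -ge 2 ]; do
    az aks update-credentials --name "$1" --resource-group "$2" \
      --reset-service-principal --service-principal "$APP_ID" \
      --client-secret "$new_secret" </dev/null
    shift 2
  done

  # 3. Retire the previous secrets now that nothing depends on them.
  az ad app credential list --id "$APP_ID" \
      --query '[].[keyId, startDateTime]' -o tsv \
    | old_key_ids "$new_key_id" \
    | while read -r key_id; do
        az ad app credential delete --id "$APP_ID" --key-id "$key_id" </dev/null
      done
}

# The live rotation runs only when explicitly requested, e.g.
#   RUN_LIVE_ROTATION=1 APP_ID=<client id> sh rotate.sh <cluster> <resource group>
if [ "${RUN_LIVE_ROTATION:-0}" = "1" ]; then
  rotate "$@"
fi
```

Invoke it with every cluster that uses the service principal listed as cluster and resource group pairs. Until the final delete loop has run, both the old and the new secret are valid, so a failed aks update-credentials call can be retried without leaving any cluster without working credentials; if the keyId of the new secret cannot be determined, the script stops before deleting anything.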


Publication date Oct 22, 2024