Azure security baseline for Azure Kubernetes Service on Azure Stack HCI
This security baseline applies guidance from the Microsoft cloud security benchmark version 1.0 to Azure Kubernetes Service on Azure Stack HCI. The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Microsoft cloud security benchmark and the related guidance applicable to Azure Kubernetes Service on Azure Stack HCI.
You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance section of the Microsoft Defender for Cloud portal page.
When a feature has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance with the Microsoft cloud security benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.
Note
Features not applicable to Azure Kubernetes Service on Azure Stack HCI have been excluded. To see how Azure Kubernetes Service on Azure Stack HCI completely maps to the Microsoft cloud security benchmark, see the full Azure Kubernetes Service on Azure Stack HCI security baseline mapping file.
Security profile
The security profile summarizes high-impact behaviors of Azure Kubernetes Service on Azure Stack HCI, which may result in increased security considerations.
Service Behavior Attribute | Value |
---|---|
Product Category | Hybrid/Multi-Cloud |
Customer can access HOST / OS | Full Access |
Service can be deployed into customer's virtual network | False |
Stores customer content at rest | False |
Identity management
For more information, see the Microsoft cloud security benchmark: Identity management.
IM-1: Use centralized identity and authentication system
Features
Local Authentication Methods for Data Plane Access
Description: Local authentications methods supported for data plane access, such as a local username and password. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | True | Microsoft |
Feature notes: You can create a secure connection to Kubernetes API server using Active Directory (AD) single sign-on (SSO) credentials. Without Active Directory authentication, users must rely on a certificate-based kubeconfig file when connecting to the API server via the kubectl command. The kubeconfig file contains secrets such as private keys and certificates that need to be carefully distributed, which can be a significant security risk.
Additionally, if AKS on Stack HCI is configured with Azure Arc, access to the control plane of the Kubernetes cluster can be controlled using Azure AD. Avoid the usage of local authentication methods or accounts, these should be disabled wherever possible. Instead use Azure AD to authenticate where possible.
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
IM-3: Manage application identities securely and automatically
Features
Service Principals
Description: Data plane supports authentication using service principals. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Feature notes: If AKS on Stack HCI is configured with Azure Arc, you may register your AKS host to Azure for billing using a service principal.
For more information, please visit: /en-us/azure-stack/aks-hci/kubernetes-walkthrough-powershell
Configuration Guidance: This feature is not supported to secure this service.
Privileged access
For more information, see the Microsoft cloud security benchmark: Privileged access.
PA-1: Separate and limit highly privileged/administrative users
Features
Local Admin Accounts
Description: Service has the concept of a local administrative account. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | True | Microsoft |
Feature notes: Avoid the usage of local authentication methods or accounts, these should be disabled wherever possible. Instead use Azure AD to authenticate where possible.
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Reference: Set up multiple administrators
Data protection
For more information, see the Microsoft cloud security benchmark: Data protection.
DP-3: Encrypt sensitive data in transit
Features
Data in Transit Encryption
Description: Service supports data in-transit encryption for data plane. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | True | Microsoft |
Feature notes: Certificates are used to build secure communication between in-cluster components. Azure Kubernetes Service (AKS) on Azure Stack HCI and Windows Server provides zero-touch, out-of-the-box provisioning, and management of certificates for built-in Kubernetes components.
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Reference: Secure communication with certificates
DP-4: Enable data at rest encryption by default
Features
Data at Rest Encryption Using Platform Keys
Description: Data at-rest encryption using platform keys is supported, any customer content at rest is encrypted with these Microsoft managed keys. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | True | Microsoft |
Feature notes: In the Kubernetes API server, secrets are stored in etcd, which is a highly available key values store used as the Kubernetes backing store for all cluster data. Azure Kubernetes Service (AKS) on Azure Stack HCI and Windows Server comes with encryption of etcd secrets and automates the management and rotation of encryption keys.
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Reference: Encrypt etcd secrets in Azure Kubernetes Service on Azure Stack HCI and Windows Server clusters
DP-5: Use customer-managed key option in data at rest encryption when required
Features
Data at Rest Encryption Using CMK
Description: Data at-rest encryption using customer-managed keys is supported for customer content stored by the service. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Feature notes: Though this feature is not supported for AKS on Stack HCI, the customer may enable Bitlocker on the physical host. Additionally, AKS on Azure Stack HCI and Windows Server comes with encryption of etcd secrets and automates the management and rotation of encryption keys.
Configuration Guidance: This feature is not supported to secure this service.
Posture and vulnerability management
For more information, see the Microsoft cloud security benchmark: Posture and vulnerability management.
PV-3: Define and establish secure configurations for compute resources
Features
Custom Containers Images
Description: Service supports using user-supplied container images or pre-built images from the marketplace with certain baseline configurations pre-applied. Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
True | True | Microsoft |
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Backup and recovery
For more information, see the Microsoft cloud security benchmark: Backup and recovery.
BR-1: Ensure regular automated backups
Features
Service Native Backup Capability
Description: Service supports its own native backup capability (if not using Azure Backup). Learn more.
Supported | Enabled By Default | Configuration Responsibility |
---|---|---|
False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Next steps
- See the Microsoft cloud security benchmark overview
- Learn more about Azure security baselines
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for