
AKS clusters should collect security-based audit logs

Security · Azure Kubernetes Service · Rule · 2021_09 · Important

AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.

Description

Azure Kubernetes Service (AKS) supports collecting security-based audit logs from clusters. The following log categories are available:

  • kube-audit - Audit log data for every audit event including get, list, create, update, delete, patch, and post.
  • kube-audit-admin - A subset of the kube-audit log category that excludes get and list audit events.
  • guard - Contains logs for Entra ID and Azure RBAC events.

In other words, both kube-audit and kube-audit-admin contain the same data except kube-audit-admin does not contain get and list events.

For most configurations, consider enabling logging for kube-audit-admin and guard. This configuration provides good coverage and significantly reduces the number of logs and overall cost for collecting and storing AKS audit events. Enable kube-audit only when required.
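The following script is an added example (it is not PSRule for Azure's own implementation of this rule) that evaluates a cluster's diagnostic settings against the categories described above. It assumes the input is the parsed output of `az monitor diagnostic-settings list --resource <aks-resource-id>`: a list of settings, each with a `logs` array of `{category, enabled}` entries (older CLI versions wrap the list in `{"value": [...]}`). The pass criterion is also an assumption about the rule: at least one setting must enable `guard` together with `kube-audit-admin` or `kube-audit`; enabling both audit categories is flagged as a finding because kube-audit already contains every kube-audit-admin event. The sample settings embedded in the script are constructed, not real cluster output.

```python
"""Evaluate AKS diagnostic settings for the security audit-log categories.

Added example; not PSRule for Azure's own check. See the lead-in for the
assumed input shape and pass criterion.
"""
import json
import sys

GUARD = "guard"
AUDIT_CATEGORIES = ("kube-audit-admin", "kube-audit")


def enabled_categories(setting):
    """Set of log categories switched on in one diagnostic setting."""
    return {
        log.get("category")
        for log in setting.get("logs") or []
        if log.get("enabled") is True and log.get("category")
    }


def evaluate_cluster(settings):
    """Return {"pass": bool, "compliant_settings": [...], "findings": [...]}.

    A cluster passes when at least one diagnostic setting enables `guard`
    together with `kube-audit-admin` or `kube-audit` (assumed criterion).
    """
    if isinstance(settings, dict):  # tolerate the older {"value": [...]} wrapper
        settings = settings.get("value") or []
    compliant, findings = [], []
    for setting in settings:
        name = setting.get("name", "<unnamed>")
        cats = enabled_categories(setting)
        missing = []
        if GUARD not in cats:
            missing.append(GUARD)
        if not cats.intersection(AUDIT_CATEGORIES):
            missing.append("kube-audit-admin or kube-audit")
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
            continue
        if cats.issuperset(AUDIT_CATEGORIES):
            # kube-audit already contains every kube-audit-admin event, so
            # enabling both doubles ingestion cost without adding coverage.
            findings.append(f"{name}: kube-audit and kube-audit-admin both enabled")
        compliant.append(name)
    if not settings:
        findings.append("no diagnostic settings configured on the cluster")
    return {"pass": bool(compliant), "compliant_settings": compliant, "findings": findings}


# Constructed samples (not real cluster output) in the assumed CLI output shape.
SAMPLE_PASS = [{
    "name": "audit",
    "logs": [
        {"category": "kube-audit-admin", "enabled": True},
        {"category": "guard", "enabled": True},
        {"category": "kube-audit", "enabled": False},
    ],
}]
SAMPLE_FAIL = [{
    "name": "audit-partial",
    "logs": [
        {"category": "kube-audit-admin", "enabled": True},
        {"category": "guard", "enabled": False},
    ],
}]


def evaluate_json(text):
    """Evaluate raw JSON text as emitted by the CLI."""
    return evaluate_cluster(json.loads(text))


if __name__ == "__main__":
    # Usage: az monitor diagnostic-settings list --resource <id> | python check_aks_audit.py
    # With no stdin input, the constructed passing sample is evaluated instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    result = evaluate_json(data) if data.strip() else evaluate_cluster(SAMPLE_PASS)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["pass"] else 1)
```

The script exits non-zero when the cluster fails, so it can gate a pipeline step after the diagnostic settings in the examples below this section have been deployed.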

Recommendation

Consider configuring diagnostic settings to capture security-based audit logs from AKS clusters.

Examples

Configure with Azure template

To deploy AKS clusters that pass this rule:

  • Deploy a diagnostic settings sub-resource.
  • Enable logging for kube-audit-admin (or kube-audit) and guard log categories.

For example:

Azure Template snippet
{
  "type": "Microsoft.Insights/diagnosticSettings",
  "apiVersion": "2021-05-01-preview",
  "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]",
  "name": "audit",
  "properties": {
    "logs": [
      {
        "category": "kube-audit-admin",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      },
      {
        "category": "guard",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ],
    "workspaceId": "[parameters('workspaceId')]",
    "logAnalyticsDestinationType": "Dedicated"
  },
  "dependsOn": [
    "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]"
  ]
}

Configure with Bicep

To deploy AKS clusters that pass this rule:

  • Deploy a diagnostic settings sub-resource.
  • Enable logging for kube-audit-admin (or kube-audit) and guard log categories.

For example:

Azure Bicep snippet
resource auditLogs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'audit'
  scope: cluster
  properties: {
    logs: [
      {
        category: 'kube-audit-admin'
        enabled: true
        retentionPolicy: {
          days: 0
          enabled: false
        }
      }
      {
        category: 'guard'
        enabled: true
        retentionPolicy: {
          days: 0
          enabled: false
        }
      }
    ]
    workspaceId: workspaceId
    logAnalyticsDestinationType: 'Dedicated'
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, use the following syntax:

br/public:avm/res/container-service/managed-cluster:<version>

To use the latest version:

br/public:avm/res/container-service/managed-cluster:0.5.1
