New Azure Kubernetes Service (AKS) Security Workbook

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Visibility to the activities in your Kubernetes clusters is a crucial part of keeping the clusters secured. With Azure Defender for AKS, you can monitor your AKS clusters and be alerted when suspicious and malicious activities in the clusters occur.

Now you can get even more insights about the security of your AKS clusters with the new workbook for Azure Kubernetes Service (AKS) security in Sentinel. The workbook helps you to get a better visibility to your cluster from security perspective. The workbook leverages Diagnostic Logs and Azure Defender security alerts for giving you insights about operations in the cluster that have security impact. This includes visibility to:

  • Creation of privileged containers.
  • operations on secrets in the cluster.
  • Cluster-admin bindings.
  • Images with multiple security alerts.

overview.png

 

To get full benefit of the new workbook, enable kube-audit in the diagnostic settings of the AKS clusters and make sure that Azure Defender for Kubernetes is enabled and ingested to Azure Sentinel.

To enable Azure Defender for Kubernetes go to Azure Security Center --> Pricing & Settings --> Select the relevant subscription and make sure that Kubernetes plan is enabled:

 

asc-opt-in-2.png

To ingest the security alerts to Sentinel, go to Sentinel --> Data connectors --> Azure Security Center

asc sentinel connector.png

 

To enable Diagnostic logs for AKS go to your AKS cluster --> Diagnostic settings --> Add diagnostic setting --> select kube-audit logs and “Send to Log Analytics”:

diagnostic.png

 

The workbook was developed with the assistance of:

Hesham Saad - Senior Global Cybersecurity Technical Specialist, Global Black Belt
Yaniv Shasha - Senior Program Manager, C+AI Security
Hosam Kamel - Senior Azure Specialist

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.