Enable Defender for Cloud for AKS Clusters

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Microsoft Defender for Cloud is enabled for Azure Kubernetes Service (AKS) clusters. Defender for Cloud for AKS clusters enables threat detection for containers, providing threat intelligence, anomaly detection, and behavior analytics.

Security, Operational excellence

The Microsoft Defender for Cloud service is designed to actively monitor the configuration of your AKS clusters, ensuring the detection of any possible security vulnerabilities. By diligently identifying such risks, it provides valuable recommendations on appropriate actions to take in order to mitigate them effectively.

Audit

To determine if Microsoft Defender for Cloud is enabled for your AKS clusters, perform the following actions:

Checking Azure Kubernetes Service (AKS) clusters for Microsoft Defender for Cloud support using Azure Console (Azure Portal) is not currently supported.

Using Azure CLI

01 Run account get-access-token command (Windows/macOS/Linux) with custom query filters to describe the pricing tier of the Defender for Cloud plan configured for the Azure containers available within the current subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings?api-version=2018-06-01"' | jq '.value[] | select(.name=="Containers") | .properties.pricingTier'

02 The command output should return the name of the configured pricing tier:

"Free"

If the account get-access-token command output does not return "Standard" for the name of the pricing tier, Microsoft Defender for Cloud is not enabled for the Azure containers deployed within the current subscription, therefore the Audit process ends here. If the account get-access-token command output returns "Standard", continue the Audit process with the next step.

03 Run aks list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the current subscription:

az aks list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return the requested AKS cluster names:

Name                     ResourceGroup
----------------------   ------------------------------
cc-project5-aks-cluster  cloud-shell-storage-westeurope
cc-data-mining-cluster   cloud-shell-storage-westeurope

05 Run aks show command (Windows/macOS/Linux) using the name of the AKS cluster that you want to examine and its associated resource group as the identifier parameters to describe the Microsoft Defender for Cloud monitoring status available for the selected cluster:

az aks show \
  --name cc-project5-aks-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --query 'securityProfile.defender.securityMonitoring.enabled'

06 The command output should return the Defender for Cloud monitoring status (true for enabled, false for disabled):

false

If the aks show command does not produce an output or the output returned is false, as shown in the example above, Microsoft Defender for Cloud is not enabled for the selected Azure Kubernetes Service (AKS) cluster.

07 Repeat steps no. 5 and 6 for each AKS cluster available within the current Azure subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.
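The whole Audit procedure above (steps 1 through 8), as an added example written for this page rather than Conformity's or Microsoft's own code. It reads the same two signals the steps describe: the pricing tier of the Containers plan at subscription level, and securityProfile.defender.securityMonitoring.enabled on each cluster. It assumes the Azure CLI is installed and signed in, and it calls the Security pricings REST endpoint through az rest (which attaches the bearer token itself) instead of the get-access-token + curl pipeline shown in step 1. The sample data at the top is constructed to match the shape of the page's command output so the decision logic can be exercised offline.

```python
"""Audit Microsoft Defender for Cloud coverage of AKS clusters (added example).

A cluster is compliant only when the subscription's Containers plan is on the
Standard tier AND the cluster's Defender profile reports securityMonitoring
enabled; a missing securityProfile/defender block counts as disabled, exactly
like the "no output or false" case in step 6.
"""
import json
import subprocess
from typing import Any

PRICINGS_URL = ("https://management.azure.com/subscriptions/{sub}"
                "/providers/Microsoft.Security/pricings?api-version=2018-06-01")

# Constructed sample data shaped like the page's command output (not real output).
SAMPLE_PRICINGS_FREE = {"value": [{"name": "Containers", "type": "Microsoft.Security/pricings",
                                   "properties": {"pricingTier": "Free"}}]}
SAMPLE_PRICINGS_STANDARD = {"value": [{"name": "Containers", "type": "Microsoft.Security/pricings",
                                       "properties": {"pricingTier": "Standard"}}]}
SAMPLE_CLUSTERS = [
    {"name": "cc-project5-aks-cluster", "resourceGroup": "cloud-shell-storage-westeurope",
     "securityProfile": {"defender": {"securityMonitoring": {"enabled": True}}}},
    {"name": "cc-data-mining-cluster", "resourceGroup": "cloud-shell-storage-westeurope",
     "securityProfile": {"defender": None}},   # profile never enabled
]


def az(*args: str) -> Any:
    """Run an Azure CLI command and parse its JSON output (empty output -> None)."""
    out = subprocess.run(["az", *args, "--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def containers_plan_is_standard(pricings: dict) -> bool:
    """Steps 1-2: the plan named 'Containers' must be on the Standard tier."""
    for plan in pricings.get("value", []):
        if plan.get("name") == "Containers":
            return plan.get("properties", {}).get("pricingTier") == "Standard"
    return False  # no Containers plan listed at all


def cluster_defender_enabled(cluster: dict) -> bool:
    """Steps 5-6: walk securityProfile.defender.securityMonitoring.enabled, treating
    any missing or null level as disabled."""
    profile = cluster.get("securityProfile") or {}
    defender = profile.get("defender") or {}
    monitoring = defender.get("securityMonitoring") or {}
    return monitoring.get("enabled") is True


def audit_subscription(pricings: dict, clusters: list[dict]) -> list[str]:
    """Return one finding per non-compliant item; an empty list means compliant."""
    findings = []
    if not containers_plan_is_standard(pricings):
        findings.append("subscription: Defender for Containers plan is not Standard")
    for c in clusters:
        if not cluster_defender_enabled(c):
            findings.append(f"{c.get('resourceGroup')}/{c.get('name')}: Defender profile disabled")
    return findings


def audit_all() -> dict[str, list[str]]:
    """Steps 7-8: repeat the check for every cluster in every visible subscription."""
    report = {}
    for sub in az("account", "list"):
        sub_id = sub["id"]
        pricings = az("rest", "--method", "get", "--url", PRICINGS_URL.format(sub=sub_id))
        clusters = az("aks", "list", "--subscription", sub_id) or []
        report[sub_id] = audit_subscription(pricings, clusters)
    return report


if __name__ == "__main__":
    for sub_id, findings in audit_all().items():
        print(sub_id, "COMPLIANT" if not findings else "\n  ".join(["", *findings]))
```

The subscription-level plan is checked first because a cluster can report securityMonitoring enabled while the plan has been downgraded to Free, in which case the agent keeps running but no threat detection is billed or delivered; the script flags both layers independently so the report shows which one to fix.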

Remediation / Resolution

To enable Microsoft Defender for Cloud for your Azure Kubernetes Service (AKS) clusters, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected subscription.

06 On the Defender plans configuration page, under Cloud Workload Protection (CWP), choose On for the Containers pricing plan listed in the Status column, to enable Microsoft Defender for Cloud for Azure containers. Choose Save from the top menu to apply the changes.

07 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

08 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

09 From the Type filter box, select Kubernetes service and choose Apply to list the Azure Kubernetes Service (AKS) clusters available in the selected subscription.

10 Click on the name (link) of the AKS cluster that you want to configure.

11 In the resource navigation panel, select Microsoft Defender for Cloud to access the Defender for Cloud service dashboard provided for the selected AKS cluster.

12 Under Recommendations, select the Azure Kubernetes Service clusters should have Defender profile enabled recommendation, and choose Fix. Select the name of your AKS cluster and choose Fix 1 resource.

13 Repeat steps no. 10 – 12 for each AKS cluster provisioned in the selected Azure subscription.

14 Repeat steps no. 8 – 13 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Define the configuration parameters for the account get-access-token command, where the "pricingTier" parameter value is set to "Standard" to turn on the Defender for Cloud pricing plan for Azure containers. Save the configuration document to a JSON file named enable-defender-for-containers.json and replace the placeholder, i.e. [azure-subscription-id], with your own Azure account subscription ID:

{
	"id": "/subscriptions/[azure-subscription-id]/providers/Microsoft.Security/pricings/Containers",
	"name": "Containers",
	"type": "Microsoft.Security/pricings",
	"properties": {
		"pricingTier": "Standard"
	}
}

02 Run account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. enable-defender-for-containers.json file), to enable Microsoft Defender for Cloud for all the Azure containers deployed in the selected subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings/Containers?api-version=2018-06-01" -d @enable-defender-for-containers.json'

03 The command output should return the information available for the enabled pricing tier:

{
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/providers/Microsoft.Security/pricings/Containers",
	"name": "Containers",
	"type": "Microsoft.Security/pricings",
	"properties": {
		"pricingTier": "Standard",
		"freeTrialRemainingTime": "PT0S"
	}
}

04 Run aks update command (Windows/macOS/Linux) using the name of the AKS cluster that you want to configure and its associated resource group as the identifier parameters, to enable the Defender for Cloud profile and install the Defender extension for the selected cluster:

az aks update \
  --name cc-project5-aks-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --enable-defender

05 Once the update process is completed, the command output should return the information available for the modified AKS cluster:

{
	"aadProfile": {
		"adminGroupObjectIds": [
			"abcd1234-abcd-1234-abcd-1234abcd1234"
		],
		"clientAppId": null,
		"managed": true,
		"serverAppId": null,
		"serverAppSecret": null,
		"tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd"
	},
	"autoUpgradeProfile": {
		"upgradeChannel": "none"
	},
	"identity": {
		"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
		"type": "SystemAssigned",
		"userAssignedIdentities": null
	},
	"azureMonitorProfile": null,
	"currentKubernetesVersion": "1.26.3",
	"disableLocalAccounts": false,
	"diskEncryptionSetId": null,
	"dnsPrefix": "cc-project5-aks-cluster-dns",
	"enablePodSecurityPolicy": null,
	"enableRbac": true,
	"extendedLocation": null,
	"fqdn": "cc-project5-aks-cluster-dns-abcd1234.hcp.westeurope.azmk8s.io",
	"fqdnSubdomain": null,
	"httpProxyConfig": null,
	"kubernetesVersion": "1.26.3",
	"linuxProfile": null,
	"location": "westeurope",
	"maxAgentPools": 100,
	"name": "cc-project5-aks-cluster",
	"nodeResourceGroup": "MC_cloud-shell-storage-westeurope_cc-project5-aks-cluster_westeurope",
	"oidcIssuerProfile": {
		"enabled": false,
		"issuerUrl": null
	},
	"apiServerAccessProfile": {
		"authorizedIpRanges": [
			"10.0.15.0/24"
		],
		"disableRunCommand": null,
		"enablePrivateCluster": null,
		"enablePrivateClusterPublicFqdn": null,
		"privateDnsZone": null
	},
	"podIdentityProfile": null,
	"powerState": {
		"code": "Running"
	},
	"privateFqdn": null,
	"privateLinkResources": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccess": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"securityProfile": {
		"azureKeyVaultKms": null,
		"defender": {
			"logAnalyticsWorkspaceResourceId": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/DefaultResourceGroup-WEU/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-abcd1234-abcd-1234-abcd-1234abcd1234-WEU",
			"securityMonitoring": {
				"enabled": true
			}
		},
		"imageCleaner": null,
		"workloadIdentity": null
	},
	"servicePrincipalProfile": {
		"clientId": "msi",
		"secret": null
	},
	"sku": {
		"name": "Base",
		"tier": "Free"
	},
	"storageProfile": {
		"blobCsiDriver": null,
		"diskCsiDriver": {
			"enabled": true
		},
		"fileCsiDriver": {
			"enabled": true
		},
		"snapshotController": {
			"enabled": true
		}
	},
	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"tags": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"windowsProfile": null,
	"workloadAutoScalerProfile": {
		"keda": null
	}
}

06 Repeat steps no. 4 and 5 for each Azure Kubernetes Service cluster that you want to configure, available within the current subscription.

07 Repeat steps no. 1 – 6 for each subscription created in your Microsoft Azure cloud account.
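The Azure CLI remediation (steps 1 through 7 above) as one idempotent script, added here as an example and not part of Conformity's or Microsoft's tooling. It sends the same PUT body as enable-defender-for-containers.json through az rest (an assumption in place of the get-access-token + curl pipeline), then runs az aks update --enable-defender only for clusters whose Defender profile is not already on. Commands are issued through an injectable runner, so the script can be dry-run or unit-tested without Azure access; the sample clusters are constructed to match the page's output shape.

```python
"""Enable Microsoft Defender for Cloud on AKS clusters (added example).

Order matters: the subscription-level Containers plan must be Standard before
the per-cluster Defender profile delivers any threat detection, so the plan is
switched on first and the clusters are updated afterwards.
"""
import json
import subprocess
from typing import Callable

PRICING_URL = ("https://management.azure.com/subscriptions/{sub}"
               "/providers/Microsoft.Security/pricings/Containers?api-version=2018-06-01")

# Constructed sample input (not real cluster data); shaped like `az aks list` output.
SAMPLE_CLUSTERS = [
    {"name": "cc-project5-aks-cluster", "resourceGroup": "cloud-shell-storage-westeurope",
     "securityProfile": {"defender": {"securityMonitoring": {"enabled": True}}}},
    {"name": "cc-data-mining-cluster", "resourceGroup": "cloud-shell-storage-westeurope",
     "securityProfile": None},
]


def pricing_body(subscription_id: str) -> dict:
    """Body of the PUT that sets the Containers plan to Standard (mirrors step 1)."""
    return {
        "id": f"/subscriptions/{subscription_id}/providers/Microsoft.Security/pricings/Containers",
        "name": "Containers",
        "type": "Microsoft.Security/pricings",
        "properties": {"pricingTier": "Standard"},
    }


def enable_plan_command(subscription_id: str) -> list[str]:
    """argv for step 2, using az rest so no bearer token is handled by hand."""
    return ["az", "rest", "--method", "put",
            "--url", PRICING_URL.format(sub=subscription_id),
            "--body", json.dumps(pricing_body(subscription_id))]


def enable_cluster_command(name: str, resource_group: str, subscription_id: str) -> list[str]:
    """argv for step 4: turn on the Defender profile for one cluster."""
    return ["az", "aks", "update", "--name", name, "--resource-group", resource_group,
            "--subscription", subscription_id, "--enable-defender"]


def defender_already_on(cluster: dict) -> bool:
    """True only when securityProfile.defender.securityMonitoring.enabled is true."""
    profile = cluster.get("securityProfile") or {}
    monitoring = (profile.get("defender") or {}).get("securityMonitoring") or {}
    return monitoring.get("enabled") is True


def run_az(argv: list[str]) -> str:
    """Default runner: execute the command and return its stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def remediate(subscription_id: str, clusters: list[dict],
              runner: Callable[[list[str]], str] = run_az) -> list[list[str]]:
    """Steps 1-6 for one subscription; returns the commands issued, in order."""
    issued = [enable_plan_command(subscription_id)]
    for c in clusters:
        if defender_already_on(c):
            continue  # already compliant: no cluster update needed
        issued.append(enable_cluster_command(c["name"], c["resourceGroup"], subscription_id))
    for argv in issued:
        runner(argv)
    return issued


if __name__ == "__main__":
    # Step 7: repeat for every subscription visible to the signed-in identity.
    for sub in json.loads(run_az(["az", "account", "list", "--output", "json"])):
        clusters = json.loads(run_az(["az", "aks", "list", "--subscription", sub["id"],
                                      "--output", "json"]) or "[]")
        for argv in remediate(sub["id"], clusters):
            print("ran:", " ".join(argv))
```

Passing `runner=lambda argv: ""` turns the script into a dry run that only returns the commands it would issue, which is a convenient way to review the change set before touching production subscriptions.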

Publication date Aug 9, 2023
