Use User-Assigned Managed Identities for AKS Clusters

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Azure Kubernetes Service (AKS) clusters are using user-assigned managed identities for fine-grained control over access permissions.

Security, Operational excellence

AKS clusters should use user-assigned managed identities to provide granular control over access permissions, enable integration with existing identity systems, facilitate multi-tenant scenarios, and support specific application requirements. User-assigned managed identities offer flexibility in managing identities and access control for AKS clusters, allowing for fine-grained customization based on individual needs.


Audit

To determine if your AKS clusters are configured to use user-assigned managed identities, perform the following operations:

Checking Azure Kubernetes Service (AKS) clusters for user-assigned managed identities using Azure Console (Azure Portal) is not currently supported.

Using Azure CLI

01 Run aks list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the current subscription:

az aks list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested AKS cluster names:

Name                     ResourceGroup
----------------------   ------------------------------
cc-project5-aks-cluster  cloud-shell-storage-westeurope
cc-data-mining-cluster   cloud-shell-storage-westeurope

03 Run aks show command (Windows/macOS/Linux) using the name of the Azure Kubernetes Service (AKS) cluster that you want to examine and its associated resource group as the identifier parameters to describe the identity configured for the selected AKS cluster:

az aks show \
  --name cc-project5-aks-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --query 'identity'

04 The command output should return the identity configuration used by the selected cluster:

{
	"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
	"type": "SystemAssigned",
	"userAssignedIdentities": null
}

If the aks show command output returns "SystemAssigned" for "type" and null for "userAssignedIdentities", as shown in the output example above, the selected Azure Kubernetes Service (AKS) cluster is not using a user-assigned managed identity.

05 Repeat steps no. 3 and 4 for each AKS cluster available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
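The audit steps above, scripted as an added example that is not part of the Conformity page: evaluate_identity() applies the same pass/fail rule to the "identity" block returned by aks show (treating a null identity, as returned by legacy service-principal clusters, as non-compliant), and audit_subscription() runs steps 1 to 5 against the current subscription through the az CLI. The sample identity block is constructed from the output shown above.

```python
"""Audit the control-plane identity of every AKS cluster in the current subscription."""
import json
import subprocess
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: the `az aks show --query identity` output from the audit above.
SAMPLE_SYSTEM_ASSIGNED = {
    "principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
    "tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
    "type": "SystemAssigned",
    "userAssignedIdentities": None,
}


def evaluate_identity(identity: Optional[Dict[str, Any]]) -> Tuple[bool, str]:
    """Return (compliant, reason) for an AKS "identity" block.

    Compliant means "type" is "UserAssigned" and at least one identity
    resource ID is listed under "userAssignedIdentities". A null block
    means the cluster still authenticates with a service principal.
    """
    if not identity:
        return False, "no managed identity (service principal cluster)"
    kind = identity.get("type")
    ids = identity.get("userAssignedIdentities") or {}
    if kind != "UserAssigned":
        return False, f"identity type is {kind!r}"
    if not ids:
        return False, "UserAssigned type but no identity resource IDs listed"
    return True, "user-assigned: " + ", ".join(sorted(ids))


def az(*args: str) -> Any:
    """Run an az CLI command and parse its JSON output (`null` becomes None)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_subscription() -> List[Tuple[str, str, bool, str]]:
    """Steps 1 to 5: list clusters, then inspect each cluster's identity block."""
    results = []
    for c in az("aks", "list", "--query", "[*].{name:name, resourceGroup:resourceGroup}"):
        identity = az("aks", "show", "--name", c["name"],
                      "--resource-group", c["resourceGroup"], "--query", "identity")
        ok, why = evaluate_identity(identity)
        results.append((c["resourceGroup"], c["name"], ok, why))
    return results


if __name__ == "__main__":
    for rg, name, ok, why in audit_subscription():
        print(f"{'PASS' if ok else 'FAIL'} {rg}/{name}: {why}")
```

Run it once per subscription after `az account set --subscription <id>` to cover step 6.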

Remediation / Resolution

To ensure that your Azure Kubernetes Service (AKS) clusters are using user-assigned managed identities, perform the following operations:

Configuring Azure Kubernetes Service (AKS) clusters to use user-assigned managed identities using Azure Console (Azure Portal) is not currently supported.

Using Azure CLI

01 Run aks update command (Windows/macOS/Linux) using the name of the AKS cluster that you want to update as the identifier parameter to switch the selected cluster to a user-assigned managed identity in the control plane. Specify the resource ID of your user-assigned identity as the value for the --assign-identity command parameter:

az aks update \
  --name cc-project5-aks-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --enable-managed-identity \
  --assign-identity /subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/MC_cloud-shell-storage-westeurope_cc-project5-aks-cluster_westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-aks-cluster-manager

02 The aks update command should ask for your confirmation. Press y to confirm:

Your cluster is already using systemassigned managed identity, and you are going to update the cluster to use userassigned managed identity.
Are you sure you want to perform this operation? (y/N): y

03 Once the update process is completed, the command output should return the information available for the modified AKS cluster:

{
	"aadProfile": null,
	"addonProfiles": {
		"azureKeyvaultSecretsProvider": {
			"config": null,
			"enabled": false,
			"identity": null
		},
		"azurepolicy": {
			"config": null,
			"enabled": false,
			"identity": null
		}
	},
	"apiServerAccessProfile": null,
	"autoUpgradeProfile": {
		"upgradeChannel": "none"
	},
	"identity": {
		"principalId": null,
		"tenantId": null,
		"type": "UserAssigned",
		"userAssignedIdentities": {
			"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/MC_cloud-shell-storage-westeurope_cc-project5-aks-cluster_westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-aks-cluster-manager": {
				"clientId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
				"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234"
			}
		}
	},
	"azureMonitorProfile": null,
	"currentKubernetesVersion": "1.26.3",
	"disableLocalAccounts": false,
	"diskEncryptionSetId": null,
	"dnsPrefix": "cc-project5-aks-cluster-dns",
	"enablePodSecurityPolicy": null,
	"enableRbac": true,
	"extendedLocation": null,
	"fqdn": "cc-project5-aks-cluster-dns-abcd1234.hcp.westeurope.azmk8s.io",
	"fqdnSubdomain": null,
	"httpProxyConfig": null,
	"kubernetesVersion": "1.26.3",
	"linuxProfile": null,
	"location": "westeurope",
	"maxAgentPools": 100,
	"name": "cc-project5-aks-cluster",
	"nodeResourceGroup": "MC_cloud-shell-storage-westeurope_cc-project5-aks-cluster_westeurope",
	"oidcIssuerProfile": {
		"enabled": false,
		"issuerUrl": null
	},
	"podIdentityProfile": null,
	"powerState": {
		"code": "Running"
	},
	"privateFqdn": null,
	"privateLinkResources": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccess": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"securityProfile": {
		"azureKeyVaultKms": null,
		"defender": null,
		"imageCleaner": null,
		"workloadIdentity": null
	},
	"servicePrincipalProfile": {
		"clientId": "msi",
		"secret": null
	},
	"sku": {
		"name": "Base",
		"tier": "Free"
	},
	"storageProfile": {
		"blobCsiDriver": null,
		"diskCsiDriver": {
			"enabled": true
		},
		"fileCsiDriver": {
			"enabled": true
		},
		"snapshotController": {
			"enabled": true
		}
	},
	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"tags": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"windowsProfile": null,
	"workloadAutoScalerProfile": {
		"keda": null
	}
}

04 Repeat steps no. 1 – 3 for each Azure Kubernetes Service cluster that you want to update, available within the current subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.

Publication date Aug 8, 2023