turbot/steampipe-mod-alicloud-compliance

Control: 7.3 Ensure role-based access control (RBAC) authorization is Enabled on Kubernetes Engine Clusters

Description

In Kubernetes, authorizers are combined so that a permission is granted if any single authorizer grants it. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to specific cluster resources within their own namespace, and is now stable in Kubernetes.

Remediation

Using the management console:

  1. Log on to the ACK console.
  2. Select the target RAM sub-account and configure the RBAC roles on specific clusters or namespaces.

Default Value:

By default, RBAC authorization is enabled on ACK clusters and the legacy ABAC authorization is disabled. In addition, RAM sub-users have no permissions to access any resources in ACK clusters by default.
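As an added example (not part of this mod or the ACK documentation), the following shell script shows one way to confirm the two conditions described above from the cluster side: the RBAC API group is served, and the legacy ABAC authorizer is not listed in the API server's authorization modes. The sample listings below are constructed, and the authorization-mode check only applies where the kube-apiserver flags are readable (self-managed clusters); on managed ACK the console and RAM configuration remain the source of truth. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: verify RBAC is served and legacy ABAC is not enabled.
# Inputs are plain strings so the functions can be tested offline.

# Returns 0 when rbac.authorization.k8s.io/v1 appears in a `kubectl api-versions` listing.
rbac_api_served() {
    printf '%s\n' "$1" | grep -q '^rbac\.authorization\.k8s\.io/v1$'
}

# Returns 0 when a --authorization-mode value (e.g. "Node,RBAC,ABAC") still lists ABAC.
legacy_abac_listed() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx 'ABAC'
}

# Constructed sample inputs (not real cluster output).
SAMPLE_RBAC_ON='admissionregistration.k8s.io/v1
apps/v1
rbac.authorization.k8s.io/v1
v1'
SAMPLE_RBAC_OFF='apps/v1
v1'

# $1: api-versions listing, $2: authorization-mode value.
# Passes only when RBAC is served AND ABAC is absent (serving RBAC alone is not enough,
# because any authorizer that grants a permission wins).
check_cluster() {
    if rbac_api_served "$1" && ! legacy_abac_listed "$2"; then
        echo "pass: RBAC served and legacy ABAC not enabled"
        return 0
    fi
    echo "fail: RBAC missing or legacy ABAC still enabled"
    return 1
}

# Live use would be: check_cluster "$(kubectl api-versions)" "Node,RBAC"
check_cluster "$SAMPLE_RBAC_ON" "Node,RBAC"
check_cluster "$SAMPLE_RBAC_OFF" "Node,RBAC" || true
```

The second condition matters because of the union semantics in the description: an RBAC Role that is tightly scoped does nothing if a legacy authorizer still grants the same action.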

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_7_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_7_3 --share

SQL

This control uses a named query:

select
  'arn:acs:::' || account_id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  account_id as account_id
from
  alicloud_account;

Tags