AKS Monitoring Logging Disabled
- Query id: d5e83b32-56dd-4247-8c2e-074f43b38a5e
- Query name: AKS Monitoring Logging Disabled
- Platform: Ansible
- Severity: Medium
- Category: Observability
- CWE: 778
- URL: Github
Description¶
Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
- name: Create an AKS instance v0
azure_rm_aks:
name: myAKS
resource_group: myResourceGroup
location: eastus
dns_prefix: akstest
kubernetes_version: 1.14.6
linux_profile:
admin_username: azureuser
ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
service_principal:
client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948"
client_secret: "Password1234!"
agent_pool_profiles:
- name: default
count: 1
vm_size: Standard_DS1_v2
type: VirtualMachineScaleSets
max_count: 3
min_count: 1
enable_rbac: yes
- name: Create an AKS instance
azure_rm_aks:
name: myAKS
resource_group: myResourceGroup
location: eastus
dns_prefix: akstest
kubernetes_version: 1.14.6
linux_profile:
admin_username: azureuser
ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
service_principal:
client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948"
client_secret: "Password1234!"
agent_pool_profiles:
- name: default
count: 1
vm_size: Standard_DS1_v2
type: VirtualMachineScaleSets
max_count: 3
min_count: 1
enable_rbac: yes
addon:
http_application_routing:
enabled: yes
- name: Create an AKS instance v3
azure_rm_aks:
name: myAKS
resource_group: myResourceGroup
location: eastus
dns_prefix: akstest
kubernetes_version: 1.14.6
linux_profile:
admin_username: azureuser
ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
service_principal:
client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948"
client_secret: "Password1234!"
agent_pool_profiles:
- name: default
count: 1
vm_size: Standard_DS1_v2
type: VirtualMachineScaleSets
max_count: 3
min_count: 1
enable_rbac: yes
addon:
monitoring:
log_analytics_workspace_resource_id: "qwqeqe"
- name: Create an AKS instance v9
azure_rm_aks:
name: myAKS
resource_group: myResourceGroup
location: eastus
dns_prefix: akstest
kubernetes_version: 1.14.6
linux_profile:
admin_username: azureuser
ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
service_principal:
client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948"
client_secret: "Password1234!"
agent_pool_profiles:
- name: default
count: 1
vm_size: Standard_DS1_v2
type: VirtualMachineScaleSets
max_count: 3
min_count: 1
enable_rbac: yes
addon:
monitoring:
log_analytics_workspace_resource_id: "qwqeqe"
enabled: no
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: Create an AKS instance v4
azure_rm_aks:
name: myAKS
resource_group: myResourceGroup
location: eastus
dns_prefix: akstest
kubernetes_version: 1.14.6
linux_profile:
admin_username: azureuser
ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
service_principal:
client_id: cf72ca99-f6b9-4004-b0e0-bee10c521948
client_secret: Password1234!
agent_pool_profiles:
- name: default
count: 1
vm_size: Standard_DS1_v2
type: VirtualMachineScaleSets
max_count: 3
min_count: 1
enable_rbac: yes
addon:
monitoring:
log_analytics_workspace_resource_id: qwqeqe
enabled: yes