Protect Azure Kubernetes Service (AKS) With Azure Security Center

Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two mains value proposition:

1. Cloud Security Posture Management (CSPM) – Help you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
2. Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises or in different clouds such as Amazon AWS or Google GCP, in additional to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts.

Azure Defender for Containers is one of many features that is included in Azure Security Center that falls under the Cloud Workload Protection Platform (CWPP) which is something you must consider for your containers running on Microsoft Azure.

Azure Security Center (ASC) is expanding its support in the container space to one of the fastest-growing services in Azure – Azure Kubernetes Service (AKS). In November 2019, Microsoft announced the public preview for threat protection for Azure Kubernetes Service (AKS) support in Security Center. The good news is, on March 25th, 2020 the Azure Kubernetes Services integration with Security Center became Generally Available (GA).

Kubernetes is quickly becoming the new standard for deploying and managing software in the cloud. Few people have extensive experience with Kubernetes and many only focus on general engineering and administration and overlook the security aspect. Kubernetes environment needs to be configured carefully to be secure, making sure no container focused attack surface doors are not left open is exposed for attackers.

In this article, I will walk you through how to protect and hardening your Azure Kubernetes Service (AKS) cluster with Azure Security Center, and then simulate an AKS alert.

Prerequisites

To follow this article, you need to have the following:

1. Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
2. Azure Security Center | Azure Defender enabled. Please note that Azure Defender is required to leverage advanced protection for Kubernetes Service. The Kubernetes service’s cores are billed hourly, and the price is calculated by the number of cores.
3. Log Analytics Workspace – To create a new workspace, follow the instructions on how to create a Log Analytics workspace.
4. Last, you need to have an AKS cluster deployed and running on Azure – To create a new AKS cluster, follow the steps documented below.

Deploy AKS Cluster

If you don’t have an Azure Kubernetes Service (AKS) cluster deployed on Azure, you can follow the steps below to create a new one.

In this example, I will use the Azure CLI and the Azure Cloud Shell to deploy a new AKS cluster since “kubectl” is already installed as part of the Cloud Shell. Launch the Cloud Shell and then run the following commands (you can also follow the short video below which illustrates the entire process):

az account set --subscription "SUBSCRIPTION-NAME"
az group create --name rg-aks-cluster --location "West Europe" --output none
az aks create --resource-group rg-aks-cluster --name myAKSCluster --node-count 1 --enable-addons monitoring --generate-ssh-keys
az aks get-credentials --resource-group rg-aks-cluster --name myAKSCluster
kubectl get nodes

Here is the short video:

Enable Security Center for AKS

To enable threat protection for Azure Kubernetes Services in Security Center, this should be done at the subscription level:

1. Open Azure Portal and sign in with a user who has Security Admin privileges.
2. On the left navigation pane, click Security Center.
3. From Security Center’s sidebar, open the Pricing & settings page.
4. Select the desired subscription for which you want to enable threat protection for Kubernetes Services.
5. Toggle the option for Kubernetes Services to enabled as shown in the screenshot below and then click Save on the left-hand side.

Now threat protection for AKS will be enabled on all Kubernetes clusters connected to the selected subscription. As noted in the Pricing tier page, the first 30 days are free.​​ This is a great opportunity to evaluate and try the threat protection for Azure Kubernetes Service for free.

Protect AKS with Security Center

Once the Kubernetes Services protection is enabled, Security Center will be ready to start securing your infrastructure and constantly monitor for potential threats. Typically within an hour, Azure Security Center will update the security resource health, recommendations, and secure score. Security Center will find a new recommendation for the AKS cluster under “Compute & apps” → “Containers” tab → Filter on “Resource type: Kubernetes service” as shown in the screenshot below. In my example, I waited nearly 30 minutes for the recommendations list to show up.

Let’s now drill into the recommendations list offered by Security Center to strengthen the security posture for AKS. In this example, I have two recommendations that I want to address which they are classified as High:

• Pod Security Policies should be defined on Kubernetes Services.
• Authorized IP ranges should be defined on Kubernetes Services.

Let’s address the first recommendation: Pod Security Policies should be defined on Kubernetes Services.

When you click on the recommendation, Security Center will give you the full details about this recommendation, as well as how to remediate it. For this particular recommendation, there is no quick fix or logic app to trigger for remediation. You can follow the manual remediation steps as described below, or develop an automation workflow as described here. You can click Take action and configure the Pod security policies in AKS accordingly.

I will run the following Azure CLI commands from the Cloud Shell to enable pod security policy features. Please note that in production, you don’t enable the pod security policy until you have defined your own custom policies first. In my example, I enabled pod security policy as the first step to see how the default policies limit pod deployments and reduce attack vector as recommended by the Security Center.

# Install the aks-preview extension
az extension add --name aks-preview

#! Register pod security policy feature provider
az feature register --name PodSecurityPolicyPreview --namespace Microsoft.ContainerService
az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/PodSecurityPolicyPreview')].{Name:name,State:properties.state}"
az provider register --namespace Microsoft.ContainerService

#! Enable pod security policy on an AKS cluster
az aks update --resource-group rg-aks-cluster --name myAKSCluster --enable-pod-security-policy

Now I will address the second recommendation: Authorized IP ranges should be defined on Kubernetes Services.

To update and restrict access to the Kubernetes Service Management API, I will run the following Azure CLI command from the Cloud Shell to grant API access only to the outbound public IP of the Standard SKU of the load balancer. In other words, you can only access the API server from the nodes within AKS cluster. You can also add IP addresses in specific ranges, or you can also authorize a single public IP by adding /32 Prefix.

#! Update an AKS cluster's API server authorized IP ranges
az aks update --resource-group myResourceGroup --name myAKSCluster --api-server-authorized-ip-ranges 0.0.0.0/32

After a short period of time, Security Center through continuous analysis of your AKS cluster will update the recommendations list and marked all assessments as passed now.

Simulate AKS alert on Security Center

To simulate an AKS alert on a cluster that is protected by Azure Security Center, you can follow this example. I will use the Azure CLI and the Azure Cloud Shell to simulate an AKS alert since “kubectl” is already installed as part of the Cloud Shell.

Launch the Cloud Shell and then run the following command:

kubectl get pods --namespace=asc-alerttest-662jfi039n

You may see an output similar to the one below:

After nearly 30 minutes, Azure Security Center will fire an alert under Security Center | Security alerts dashboard as shown in the image below with High severity. This alert is for demo purposes and not an actual threat.

If you’ve already integrated Azure Security Center with Azure Monitor, then you will receive a notification based on the action group that you specified. In my example, I am using email notification. You can find more details on how to integrate Azure Security Center with Azure Monitor here.

And if you’ve connected Azure Security Center to Azure Sentinel which I highly recommend as described in this article, then you can investigate this alert further by running the following Query from Azure Sentinel | Logs:

SecurityAlert
| where AlertName contains "AKS" 

If you click and open any of the results and then expand the ExtendedProperties, you will see the full details where you can investigate further and understand the behavior of this suspicious command line. The results should be similar to the image below:

That’s it there you have it!

Summary

In this article, I showed you how to protect AKS Cluster running on Azure by leveraging Azure Security Center threat protection capability, and then we looked at the security recommendations list provided by Security Center to strengthen the cloud security posture management (CSPM) for your AKS cluster.

Threat protection for Azure Kubernetes Service in Security Center supports the following capabilities:

1. Discovery and Visibility: Continuous discovery of managed AKS instances within the Security Center’s registered subscriptions.
2. Secure Score recommendations: Actionable items to help you comply with security best practices in AKS as part of the customer’s Secure Score, such as:
   • Role-Based Access Control (RBAC) should be used to restrict access to a Kubernetes Service Cluster.
   • Pod Security Policies should be defined on Kubernetes Services.
   • Authorized IP ranges should be defined on Kubernetes Services.
   • Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version.
3. Threat Protection: Through continuous analysis of your AKS deployment, Security Center alerts you to threats and malicious activity detected at the host and AKS cluster levels, such as “A privileged container detected.”