CIS Azue Kubernetes Service Benchmark (AKS) V1.1.0 - CERT

License
Please see our terms of service here: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/

Overview
This spreadsheet provides the prescriptive guidance for establishing a secure configuration posture for Microsoft Wi
The information related to mappings for MITRE ATT&CK and CIS Controls Implementation Groups are only availabl
is to extend the usability of the CIS recommendations as they relate to various frameworks to support organizations
benchmarkinfo@cisecurity.org.
The intent of this spreadsheet is to provide the user with the option to parse the recommendations based on the fram
Please note, that if there is not a specific sub-control for the recommendation, we have mapped to CIS Cont
The Word and Excel versions of the CIS Benchmarks, as well as Build Kits, are available for use internally by our CI
PDF versions, are governed by the CIS Terms of Use (http://workbench.cisecurity.org/downloads/terms-of-service).
organization’s internal policies. CIS respectfully requests that once the CIS Benchmark has been altered that neithe
please contact CIS Product Technical Support at https://www.cisecurity.org/support/.
Level 1 (L1) = Level 1 (L1) - Corporate/Enterprise Environment (general use)

Items in this profile intend to:
- be the starting baseline for most organizations;
- be practical and prudent;
- provide a clear security benefit; and
- not inhibit the utility of the technology beyond acceptable means.
Level 2 (L2) = Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)
This profile extends the "Level 1 (L1)" profile. Items in this profile exhibit one or more of the following characteristics:
- are intended for environments or use cases where security is more critical than manageability and usability;
- may negatively inhibit the utility or performance of the technology; and
- limit the ability of remote management/access.
BitLocker (BL) = BitLocker (BL) for when BitLocker is deployed

This profile contains BitLocker-related recommendations, if your organization chooses to use it. It is intended be an
Net Generation (NG) = Next Generation Windows Security (NG) - for use in the newest hardware and configuration
This profile contains advanced Windows security features that have specific configuration dependencies, and may n
these features, they are highly recommended as they have tangible security benefits. This profile is intended to be a
Assessment Status - Automated and Manual Recommendations

The Assessment Status has two possibilities:
- Automated: Means the CIS Community has determined that this Benchmark Recommendation should be fully eval
- Manual: Means the CIS Community has determined that this Benchmark Recommendation CANNOT be fully evalu
- It is possible that tooling can "Assist" a user with a Manual Recommendation by, for example, reading and providin
CIS Controls Implementation Groups (IGs)

Each IG identifies a subset of the CIS Controls that the community has broadly assessed to be applicable for an ent
- IG1 is defined as “Basic Cyber Hygiene”, the foundational set of cyberdefense safeguards that every enterprise sh
- Each IG then builds upon the previous one, IG2 includes all of IG1, and IG3 includes all the CIS Safeguards in IG1
- More information on the IGs can be obtained here: https://www.cisecurity.org/white-papers/cis-controls-v-7-1-
- The "MITRE & Controls Mappings" tab will show the CIS Controls Safeguards a given Benchmark Recommendatio
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge)

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world
- This version of the spreadsheet is mapped to v8 of MITRE ATT&CK
- More information on MITRE ATT&CK can be obtained here: https://attack.mitre.org/
- The "MITRE & Controls Mappings" tab will show the MITRE ATT&CK Tactics, Techniques and Mitigations a given
- The "MITRE ATT&CK Filtering" tab will allow the user to find the applicable Benchmark Recommendations based o
Recommendation Assessment
Section # Title
# Status
1 Master (Control Plane) Components

2 Master (Control Plane) Configuration
2.1 Logging
2.1 2.1.1 Enable audit Logs Manual
3 Worker Nodes
3.1 Worker Node Configuration Files
3.1 3.1.1 Ensure that the kubeconfig file permissions are set to 644 or more restManual
3.1 3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root Manual
3.1 3.1.3 Ensure that the kubelet configuration file has permissions set to 644 orManual
3.1 3.1.4 Ensure that the kubelet configuration file ownership is set to root:root Manual
3.2 Kubelet
3.2 3.2.1 Ensure that the --anonymous-auth argument is set to false Manual
3.2 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAl Manual
3.2 3.2.3 Ensure that the --client-ca-file argument is set as appropriate Manual
3.2 3.2.4 Ensure that the --read-only-port is secured Manual
3.2 3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not seManual
3.2 3.2.6 Ensure that the --protect-kernel-defaults argument is set to true Manual
3.2 3.2.7 Ensure that the --make-iptables-util-chains argument is set to true Manual
3.2 3.2.8 Ensure that the --hostname-override argument is not set Manual
3.2 3.2.11 Ensure that the RotateKubeletServerCertificate argument is set to trueManual
4 Policies
4.1 RBAC and Service Accounts
4.1 4.1.1 Ensure that the cluster-admin role is only used where required Manual
4.1 4.1.2 Minimize access to secrets Manual
4.1 4.1.3 Minimize wildcard use in Roles and ClusterRoles Manual
4.1 4.1.4 Minimize access to create pods Manual
4.1 4.1.5 Ensure that default service accounts are not actively used. Manual
4.1 4.1.6 Ensure that Service Account Tokens are only mounted where necessaManual
4.2 Pod Security Policies
4.2 4.2.1 Minimize the admission of privileged containers Automated
4.2 4.2.2 Minimize the admission of containers wishing to share the host proc Automated
4.2 4.2.3 Minimize the admission of containers wishing to share the host IPC Automated
4.2 4.2.4 Minimize the admission of containers wishing to share the host netw Automated
4.2 4.2.5 Minimize the admission of containers with allowPrivilegeEscalation Automated
4.2 4.2.7 Minimize the admission of containers with the NET_RAW capability Automated
4.2 4.2.8 Minimize the admission of containers with added capabilities Automated
4.3 Azure Policy / OPA
4.4 CNI Plugin
4.4 4.4.1 Ensure latest CNI version is used Manual
4.5 Secrets Management
4.6 Extensible Admission Control
4.6 4.6.1 Verify that admission controllers are working as expected Manual
4.7 General Policies
4.7 4.7.1 Create administrative boundaries between resources using namespacManual
5 Managed services
5.1 Image Registry and Image Scanning
5.1 5.1.1 Ensure Image Vulnerability Scanning using Azure Defender image scann
Manual
5.1 5.1.2 Minimize user access to Azure Container Registry (ACR) Manual
5.1 5.1.3 Minimize cluster access to read-only for Azure Container Registry (A Manual
5.2 Access and identity options for Azure Kubernetes Service (AKS)
5.2 5.2.1 Prefer using dedicated AKS Service Accounts Manual
5.3 Key Management Service (KMS)
5.3 5.3.1 Ensure Kubernetes Secrets are encrypted Manual
5.4 Cluster Networking
5.4 5.4.1 Restrict Access to the Control Plane Endpoint Manual
5.4 5.4.3 Ensure clusters are created with Private Nodes Manual
5.4 5.4.4 Ensure Network Policy is Enabled and set as appropriate Manual
5.5 Authentication and Authorization
5.6 Other Cluster Configurations
5.6 5.6.1 Restrict untrusted workloads Manual
Actual state on a Non- Assessment result on a Assessment result on a
hardened system (Pass Non-hardened system Remediated (Hardened)
or Fail) (Fail) system (Pass or Fail)
cpuCapacityNanoCores
cpuAllocatableNanoCores
memoryRssBytes
memoryWorkingSetBytes
memoryCapacityBytes
memoryAllocatableBytes
restartTimeEpoch
Exceptions - Reason why the recommendation failed on a used (disk)
remediated system. Should include manual mitigation Intentionally Rational freeImpact(disk)
Description
Security is a shared responsibility between Microsoft and the
steps if possible. Can be provided in a separate left Blank Statement used_percent
Statement (disk)
document with the certification submission. io_time (diskio)
Master security
writes (diskio)
In AKS, the Kubernetes master components are part of the m
reads (diskio)
write_bytes (diskio)
With
By default,
Azure theKubernetes
Kubernetes
Service
API server
(AKS),uses
the master
a publiccomponent
IP addres
Node security write_time (diskio)
AKS nodes are Azure virtualiops_in_progress
machines that you manage and m
(diskio)
You can
With Azurecontrol
Kubernetes
access Service
to the API (AKS),
server
theusing
control
Kubernetes
plane comp ro
read_bytes (diskio)
Exporting logs
The Azure platform automatically read_time
applies
(diskio)
OS security patches
To help collect and review data from multiple sources, Azure M
This section consists of security err_in
recommendations
(net) for the com
For Windows Server nodes,err_out Windows (net)
Update does not autom
The `kubelet` bytes_recv
kubeconfig file
(net) controls various pa
If `kubelet`
Nodes are deployed
is into a private
None. virtual(net)
bytes_sent network subnet, with
This section contains recommendations
It is possible forwith
kubelet
toKubelet_docker_operations
run `kubelet` configurat
the kubeconfig
(kube
If `kubelet` is The kubeconfig None
To provide storage, the nodes Container
use Azuremetrics
Managed Disks. For
Ensure that
Kubelet settings
if The may
kubelet
be configured
reaNone.
The using list
following arguments on the
is the eight metrru
Kubernetes environments, in AKS or elsewhere, currently are
Ensure that if The kubelet rea None
To find the Kubelet config file, run the following command:
cpuUsageNanoCores
cpuRequestNanoCores
``` cpuLimitNanoCores
Disable anonyWhen enabled, Anonymous req
ps -ef | grep kubelet | grep config memoryRssBytes
Do not allow alKubelets, by dUnauthorized
``` r
memoryWorkingSetBytes
memoryRequestBytes
Enable Kubelet The connection You require TL
If the `--config` argument is present, this gives the location of
memoryLimitBytes
Disable the reThe Kubelet prrestartTimeEpoch
Removal of the
Setting idle timeouts ensures that you are prote
Cluster inventory
Do not disable Long-lived con
The following list is the cluster inv
**Note:** By default, `--streaming-connection-idl
Protect tuned Kernel paramet You would hav
KubePodInventory – 1 per minute
Allow Kubelet Kubelets can aKubelet would
KubeNodeInventory – 1 per node
Do not overri Overriding hosKubeServices
Some cloud pro – 1 per service per
`RotateKubeletServerCertificate` causes the kub
ContainerInventory – 1 per contai
Enable kubelet None
Note: This recommendation only applies if you l
This section contains recommendations for various Kubernete
The RBAC role

Kubernetes pro
Care should be
The Kubernetes Inappropriate Care should be
Kubernetes Roles and ClusterRoles provide access to resourc
The principle of least privi
The ability to create pods in a namespace can provide a numb
Use of wildcards
Kubernetes
is not optimal
provides
fromaa`default`
security service
perspective
account
as
The ability to Care should be
As such, access to create new pods should be restricted to th
The `default` Where accessAll to workloads
the Kubernetes API from a pod
Mounting service account tokens inside pods ca
Service accoun Pods mounted w
The feature described in this
The default document,
service accountpod security
should policy (p
be configure
Privileged containers
Avoiding mounting havetokens
these access to all Linux
removes K
this a
A container
After pod security running in
policy (preview) is the host's PID
deprecated, namespac
you must dis
Do not generall There should be Pods
at least
defined
onewPodSecurityPolicy
A container running in the host's IPC namespac
Do not generalThere should be Pods
at least
defined
If you need to run privileged containers, this sho
A container running in the host's network names
at least
defined
A more modern alternative
If you need totorunthecontainers
PSP is thewhich
Openrequire
Policy host
Age
A container running with the àllowPrivilegeEsca
Do not generalContainers
There should runbe
Pods
with
at least
defined
a default
set of capabilities
If you have a requirement to containers which re
Finally, third party agents such Aqua, Twistlock (Prisma), and
at least
defined
If you have
Ideally, all containers
need to run should
containers
drop this
which
capability
require
Containers run with a default set of capabilities
Do notPolicy
Azure generalextends Gatekeeper Pods with
v3, an
cont
admission controller
If you have need to run containers which use se
There should be at least one PodSecurityPolicy
at least
with cont
one PodSecurityPolicy
- Checks with Azure Policy service for policy assignments to t
- Deploys policyIf you
definitions
need tointo
run the
containers
cluster as
with
constraint
this capability
templ
If you need to run containers with additional cap
- Reports auditing and compliance details back to Azure Polic
There are
Azure Policy
a var
for
Kubernetes
Kubernetes
net
None.
supports the following cluster env
- Azure Kubernetes Service (AKS)

- Azure Arc enabled Kubernetes
- AKS Engine
An admission controller is a piece of code that intercepts requ
Admission controllers limit requests to create, delete, modify o

If there are problems in the admission control
The admission control process proceeds in two phases. In the
These policies relate to general cluster management topics, li
Use
If anynamespace
of the controllers
Limiting the
in either
s You phase
need toreject
s the request, the
This section
Scan imagesconsists
being deployed
of security
to Azure
recommendations
(AKS) for vulnerabilities
for the Azu
This section contains recommendations relating to container i
Vulnerability scanning for images stored in Azure Container R
Vulnerabilitie When using an Azure container re
When you push an image to Container Registry, Security Cen
Restrict user Weak access Careco should be
Configure
When the scan
the The
completes
Cluster Se
(after
A separate
about 10
dedicated
minutes),
service
Security
accoC
This section contains recommendations relating to access and
Kubernetes woManual approaches for authe
When implementing Endpoint Priv

Encryption at Rest is a common security requirement. In Azur
Authorized networks are a way of specifying a r
This section contains recommendations
Limitations relating to network se
Restricting access
IP authorized
to an authorized
ranges can't
network
be app
can
Enable Endpoin Network Policy requires the Netwo
To enable Private
Availability Nodes,
Zones are the clus
currently su
All pods in an AKS cluster can send and receive
Disable publicDisabling publAzure
- Better protection from
Private
outsider
Link attacks:
service limitatio
Author
Enabling/Disabling Network Policy
Private
- Better protection
No support
fromNodes
for do
insider not DevOps
Azure have
attacks: outbou
Authoriz
Mic
When you runNetwork
m Policy is a Kubernetes specification tha
For customers that need to enable
Restricting unstrusted workloads
If Network
can be
Policy
achieved
is used,
by using
a cluste
AC
This section contains recommendations relating to authentica
These network policy rules are defined as YAML
This section
What is ACI?contains recommendations
Enabling Network
relating
Policy
to any
enforcem
remain
ACI lets you quickly deploy container instances without additio
It is Best Practice to restrict or fence untrusted w
Your application requires no modification to use virtual nodes.
Virtual nodes are deployed to an additional subnet in the sam

Remediation Audit Additional CIS Safeguards CIS Safeguards CIS Safeguards
ibility between Microsoft and the Azure (AKS) customer. CIS Controls
Procedure Procedure Information 1 (v8) 2 (v8) 3 (v8)
**Remediation Method
SSH to1:**
the worker nodes
ter components **Remediation
are part of the Method
**Audit
managed 1:**
Method service 1:**provided by Microsoft. Each AKS cluster has its own single-tenanted, dedicated Kubernetes master to pro
If modifying the Kubelet To check
SSH to config
thetoworkerseefile,if edit
the
nodes the kubelet-config.json
Kubelet Service is running: file `/etc/kubernetes/kubelet/kubelet-config.json` and set the below parameter t
**Remediation
Azure audit logsMethod **Audit
are enabled 1:**
Method and1:** managed in the Azure portal. To enable log collection for the Kubernetes master components in your AKS c
```
ice
PI server theIfmaster
(AKS),uses modifying IPthe
a publiccomponents Kubelet
If using
**Audit
address such
and config
Method
a aKubelet
asfullyfile,
the 1:** configuration
edit thedomain
qualified
kube-apiserver kubelet-config.json
file,
and
name check thatfile there
`/etc/kubernetes/kubelet/kubelet-config.json`
kube-controller-manager
(FQDN). You iscanan limit
entryaccess
for provided
are àuthentication:
to the as APIa serveranonymous:
managed endpoint and
service. enabled`
set
Youthe
using set
below
toand
authorized
create `false`.
parameter
ranges.t
IPmanage
``` sudo
To
First,check
systemctl
SSHtotosee thestatus
ifrelevant
the Kubelet
kubeletworker Service
node:is running:
If
1.modifying
Select thethe Kubelet
If using
resource config
groupa Kubelet forfile,
your configuration
edit AKS thecluster,
kubelet-config.json
file,
such check thatfile there
as myResourceGroup.`/etc/kubernetes/kubelet/kubelet-config.json`
is an entryDon't for `"authentication":
select the resource "webhook":
group that and"enabled"`
set the below
contains set
yourtoparameter
`true`. At
individual
machines that **Remediation
"authentication":
you manage and Method
``` 1:** Linux
{ "anonymous":
maintain. { "enabled":
nodes runfalse an optimized Ubuntu distribution using the Moby container runtime. Windows Server nodes run
``Òn Kubernetes
e API server using
2. the left-hand If using
First,
side,SSH
role-based a
chooseKubelet
toaccess configuration
theDiagnostic
relevant
controlnode:
worker
settings.file,
(Kubernetesnode:check that there
RBAC) and is Azurean entry
RBAC. for For`"x509":more{"clientCAFile:"`
information, seeset to the
Azure ADlocation of the
integration client
with AKS.ce
``` Thecheck
sudo
To output
systemctl toshould
seestatusif the
return Kubelet
kubelet
Àctive: Service
activeis(running)
running: since..`
```
**Remediation
"authentication"...
3. Select your AKS Method
**Audit
First, 1:**
cluster, Method to the1:**
"webhook":{"enabled":true
SSH such as relevant
myAKSCluster,node:
TITLE:Establish
then choose andto Maintain
Add diagnostica8.1 setting. 8.2
If modifying
cally applies OS the Kubelet
security patches ``` to Linux config file, edit
nodes on athe kubelet-config.json
nightly basis. If a Linux fileOS`/etc/kubernetes/kubelet/kubelet-config.json`
security update requires a host reboot, thatand rebootset is
thenotbelow parameterpet
automatically
"authentication":
4. Enter a name,First,
``` {such
To
Run"x509":SSH
check
the {"clientCAFile:"
totosee
as following theifrelevant
myAKSClusterLogs, command
the Kubelet tonode:
the
on location
Service
each
then isofrunning:
node
select the
the client
to option
find theCA file. to Log
toappropriate
Send Kubelet
Analytics. config file:
**Remediation
rity recommendations for theMethod **Audit
Run output
The
sudo
componentsthe Method
systemctl
2:** following
should 1:**
thatstatus command
run return
onkubeletÀctive:
Azure onAKS each
active node
worker (running)
to find since..`
nodes. the appropriate kubeconfig file:
```
If
5.modifying
Select an the Kubelet
If
``ùsing
Run
existing theconfig
afollowing
workspace Kubelet file, configuration
edit theakubelet-config.json
or command
create newon file,
one.check
each youthat
Ifnode to file
find
create there
the isappropriate
an entry for
a workspace, `streamingConnectionIdleTimeout`
Kubelet
provide config file: name, a resource
a workspace and set is the not
below
group, setandtoparameter
`0`.
a locationt
Windows Update ```
Run does
the below command
```
not automatically (based
run and on apply
the filethe location on your system)
latest updates. On a regular on theschedule
each worker around the Windows Update release cycle and your own
6. In the list of available Run
**Audit
sudothe
``` 1:**
Method
systemctl
2:** following
logs, 1:**
status
select command
thekubelet
logs you on eachwish node to findFor
to enable. thethis appropriate
example, Kubelet enable the config file:
kube-audit and kube-audit-admin logs. Commo
"streamingConnectionIdleTimeout":
If usingFor
node. executable
example, If
``ùsing
The
Run theafollowing
arguments,
output Kubelet
should configuration
editcommand
return
the kubelet Àctive: file,
onservice check
active
each file
node that
(running) theretheisappropriate
an entry forkubeconfig`protectKernelDefaults`
`/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf`
to find since..` file: is set to `true`. on each worker node
```
Run
**Remediation
7. Whenthe below
ready,command First,
ps -efSSH
Method
```
select |2:**
Savegrep to
(based the
tokubelet on
enable relevant
the filenode:
collectionlocationof the onselected
your system) logs. on the each worker node. For example,
```
**Remediation
rivate virtual network subnet,Method
"protectKernelDefaults":
If modifying
using executable
with
ps -ef
the Kubelet
If
The
ps
```
no|1:**
using
public
grep kubelet
config
arguments,
-efoutput a Kubelet
| grep
IP addresses assigned.
file,
shouldeditconfiguration
kubelet edit
the the
return kubelet
TITLE:Configure
kubelet-config.json
Àctive: file,
service
active
For troubleshooting
checkfile
Data Accessand
thatfile
(running) there 3.3management
Co
is an entry
purposes, SSH is enabled by default. This SSH a
for `makeIPTablesUtilChains` set
since..` andtoset `true`.
the
on below
each workerparameter nodet
mendations for Run
```kubelet
chmod the644following First,
configuration.
Run
```command
<kubeconfig SSH
the to(using
following
file> the relevant
command
the config node:on
fileeach
location node identied
to find in thethe appropriate
Audit step)Kubelet config file:
```
If using executable Run
The
```
ps the
arguments,
-efoutput
| grep following
ofkubelet
the command
editabove the kubelet commandonservice
each node
should
TITLE:Configure to Data
findsomething
the appropriatesimilarKubelet
file `/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf`
return Access Co
3.3 to `--config config file:
/etc/kubernetes/kubelet/kubelet-config.json`
on each worker node w
If
```modifying theMethod
--anonymous-auth=false
**Remediation
s use Azure Managed Disks. Kubelet
For
The-ef
ps most
outputconfig
|2:**
grep VM file,above
ofkubelet
node
the edit
sizes, the kubelet-config.json
command
these are should
Premium return file something
disks `/etc/kubernetes/kubelet/kubelet-config.json`
backed by similar
high-performance
to `--kubeconfig SSDs. and set the
/var/lib/kubelet/kubeconfig`
The data stored onbelow
managed parameter
which disks
is theislot
```
Run
If modifying
chown theroot:root
following First,
**Audit
the Kubelet
Run
The
```
command
<proxy SSH
output
the Method
config
kubeconfig to
following
of the
(using
the1:**
file, relevant
above
command
edit
the config
file> the node:
command
kubelet-config.json
on
fileeach
location
should
node identified
return
to find
file something
the
in theappropriate
Auditsimilar
step) Kubelet
to `--config config /etc/kubernetes/kubelet/kubelet-config.json`
file: and set the below parameterwt
arguments on theRun
figured using ```
"makeIPTablesUtilChains":
--authorization-mode=Webhook
```
theafollowing
```running
If using
Openoutput
The
``` the
Kubelet
2:**Kubelettrue
of the above
command
kubelet executable,
configuration
config command
file:
onorfile,
each
TITLE:Configure
theychecknode
may that to Data
be find
taken
therethe
Access
from 3.3
isappropriate
anaentry
Co
Kubelet forKubelet config
àuthentication:
config file. file:anonymous:
If both
should return something similar to `--config /etc/kubernetes/kubelet/kubelet-config.json` w
are specified, enabled`
the executable
set to `0`.argument
```
If usingcurrently
AKS or elsewhere,
chmod a Kubelet
644 config
this file,
completely
| grep edit
command
of thethe
/etc/kubernetes/kubelet/kubelet-config.json
aren't
Run
The
ps -efoutput kubelet safe
above
tofileobtain
fortocommand
setthe
hostile `streamingConnectionIdleTimeout`
multi-tenant
kubeconfig
should return file
usage. permissions:
something
Additional similar toto
security a value otherlike
`--kubeconfig
features than 0. Security Policies, or more
/var/lib/kubelet/kubeconfig`
Pod which fine-grain
is the lo
``` Run
If
``ùsing
-efthe
--client-ca-file=<path/to/client-ca-file>
Open
ps the afollowing
| grep Kubelet
kubelet command
configuration on file,
eachcheck
config file:TITLE:Configure node that to Data
findtherethe isappropriate
Access an entry
3.3 forKubelet
Co `RotateKubeletServerCertificate`
config file: is set to `true`.
"RotateKubeletServerCertificate":true
e, run the following
**Remediation
``` command: ```
Method
First, SSH 3:** to the relevant node:
chown
```
readOnlyPort
If usingroot:root
a Kubelet to /etc/kubernetes/kubelet/kubelet-config.json
0```
psconfig
sudo
Open -efmore
the
| grep
file, Kubelet
edit
kubeletthe config
file tofile:
set `protectKernelDefaults` to `true`.
```
If using executable ps
``` arguments,
Run
The -ef | grep
output
this ofkubelet
command editabove
the the kubelet
to obtain command theservice
kubeconfig
shouldfile `/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf`
return
file ownership:
something similar to `--config /etc/kubernetes/kubelet/kubelet-config.json` on each worker node w
**Remediation
``` Method
```
First,
sudooutput
The SSH
2:**
1:**
3:** to
more of the
the relevant node:
above command should return something similar to `--config /etc/kubernetes/kubelet/kubelet-config.json` w
If using the api configz Run
```
stat -c theendpoint
%a following consider
command
/var/lib/kubelet/kubeconfig searching
on each fornode
the status
to findof the`"authentication.*anonymous":{"enabled":false}"`
appropriate Kubelet config file: by extracting the live co
**Remediation
If using executable ps
Method
```
sudo
The -ef |3:**
outputgrep/etc/kubernetes/kubelet/kubelet-config.json
arguments,
more ofkubelet
editabove
the the kubelet TITLE:Access
command service shouldfile `/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf`
Controlsomething
return Manageme 6similar to `--config /etc/kubernetes/kubelet/kubelet-config.json` on each worker node w
onfig **Remediation
``` Method
**Audit
The
``` output
Run the 2:**
Method of the
following 1:** above
command: command should return something similar to `--config /etc/kubernetes/kubelet/kubelet-config.json` w
If modifying
using executable
the api Run
theconfigz
Kubelet
Verify
Open
``` the
arguments,
the following
endpoint
that
config Kubelet
the file, command
`"authentication":
edit
consider
config
edit
the the kubelet onservice
searching
file: each fornode
kubelet-config.json
{ "anonymous":
{"webhook": file to {find the appropriate to Kubelet
the `/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf`
status file
"enabled":
{of
"enabled":
`"authentication.*webhook":{"enabled":true"`
is set
false true`.
}` argument configis file:
set to `false`. and by set
extracting
the
on below
each theworker
parameter
live configu
nodet
--streaming-connection-idle-timeout=4h0m0s
**See detailed step-by-step ```
The -c
stat output
%U:%G configmap
of the TITLE:Access
/var/lib/kubelet/kubeconfig
above procedures
command ingives Control
[Reconfigure
you the kubeconfigNode's6Kubelet
aManageme file's permissions.
in a Live Cluster](https://kubernetes.io/docs/tasks/admini
If using the api configz
``` ```
The
Run output
theendpoint of the
following consider
above
command: command
searching should for the status
return something
of `"authentication.*x509":("clientCAFile":"/etc/kubernetes/pki/ca.crt"`
similar to `--config /etc/kubernetes/kubelet/kubelet-config.json` by extw
``ùsing a KubeletIf
If ps
Open
```config
using
-ef the
| grep
a
file, Kubelet
edit
kubeletthe configuration
config
file tofile:
set `RotateKubeletServerCertificate
file, check that there is an entrytofor true`.
`--hostname-override` is not set or does not exist.
```
**See detailed step-by-step ```
----protect-kernel-defaults=true
Verify
cat /etc/kubernetes/kubelet/kubelet-config.json
**Audit
If the that the
`"authentication":
Method `"x509":
configmap
2:** procedures {"clientCAFile:"`
{"mode": TITLE:Access
{` in
argument argument
Control
[Reconfigure is presentexists
aManagemen
Node's and6Kubelet
check isthat
set ittoin isthe
a
not location
Live of the client certificate
If it is notauthority
setCluster](https://kubernetes.io/docs/tasks/admini
to ÀlwaysAllow`. present file.check that
present, this gives
kubectltheproxy
location ```
--port=8001
Verify
stat
of the-c that
Kubelet
%a&/etc/kubernetes/kubelet/kubelet-config.json
if a file
config is specified
file. Thisand configit exists,
file couldthe permissions
be in JSON or areYAML`644`format or more depending
restrictive. on your distribution.
**See detailed step-by-step
--read-only-port=0
```
"hostname-override" ps
``` -ef the
--make-iptables-util-chains:true
Open | grep kubelet
Kubelet
configmap config procedures
file: in [Reconfigure a Node's Kubelet in a Live Cluster](https://kubernetes.io/docs/tasks/admini
**Remediation
If using executable Method
The
cat
First,
``` arguments,
output
SSH
3:** to of the
the
edit relevant
above
the kubelet command
node:
TITLE:Establish
service should
gives fileyou a4.1
return
and
the Maintain
something
kubeconfig similar to `--configVerify
file's ownership. /etc/kubernetes/kubelet/kubelet-config.json`
that the ownership isonset each worker node
to `root:root`. w
```
kubectl proxy --port=8001 If
```
statthe
**Audit-c`"x509":
using %U:%G
Method
the & api{"clientCAFile:"`
configz argument
considerissearching
2:** endpoint not present, for thecheck thatofthere
status is a Kubelet config
àuthentication... file specified by `--config`, by
"anonymous":{"enabled":false}` andextr
th
```
export HOSTNAME_PORT=localhost:8001
The output of the above command (example is host
the Kubelet
and portconfig number) file's permissions. Verify that the permissions are `644` or more restr
kubectl proxy --port=8001
Verify
cat
The
``` /etc/kubernetes/kubelet/kubelet-config.json
output
that
3:**&the of the`streamingConnectionIdleTimeout`
above command TITLE:Establish
should return and Maintain
something
argument a4.1
similar
is not set to `--config
to `0`. /etc/kubernetes/kubelet/kubelet-config.json` w
If
``ùsingNODE_NAME=ip-192.168.31.226.aks.internal
export the api configz Openthe
Run the
endpoint
following
Kubelet consider
command
config searching
file: on each for(example
node
the status
to find nodeof
the`"streamingConnectionIdleTimeout":`
appropriate
name from "kubectlKubeletget config
nodes")file: by extracting the live configuration f
For
**Remediation
all three
export remediations:
Method
**Audit
```
HOSTNAME_PORT=localhost:8001
The
Set
If using
the 3:**
2:**
outputMethod
local
the of api
proxy
the2:**
configzabove
portendpoint
and
command
(example
the following
consider
is host
the Kubelet
variables
searching
and portconfig number)
and
for theprovide
file's
status
ownership.
proxyof àuthentication...
portVerify
number thatandthe"webhook":{"enabled":true}`
node
ownershipname;is set to `root:root` by extracti
--rotate-kubelet-server-certificate=true
```
Verify that the `--protect-kernel-defaults=true`. TITLE:Establish and Maintain a4.1
If usingHOSTNAME_PORT=localhost:8001
export
Based theyourapi system,
configz
If
Openthe argument
the
endpoint Kubelet
NODE_NAME=ip-192.168.31.226.aks.internal
on consider
is `kubelet`
not
config
`HOSTNAME_PORT="localhost-and-port-number"`
restart the present,
searching
file: and and
(example
service there
for(example
the
host isand
checkstatus
a Kubelet
status
port
nodeofnumber)
`"protectKernelDefaults":`
configfrom
name file specified
"kubectl get by `--config`,
by extracting
nodes") check the that
liveit configuration
does not set `streamingC
from the nod
**See
```
curl -sSLdetailed step-by-step
cat /etc/kubernetes/kubelet/kubelet-config.json
``` configmap procedures in [Reconfigure a Node's Kubelet in a Live Cluster](https://kubernetes.io/docs/tasks/admini
"http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
If usingNODE_NAME=ip-192.168.31.226.aks.internal
export the api configz
executable Verify
``` arguments,
theendpoint
thattheifapi the edit
consider
`makeIPTablesUtilChains`
the
portkubeletsearching
`NODE_NAME="The-Name-Of-Node-To-Extract-Configuration"
Set
If using local proxy
configz endpoint
and TITLE:Establish
theservice for(example
following
consider file
thevariables
status
argument
and
searching nodeMaintain
of and
`"makeIPTablesUtilChains":
forexists
name the a4.1
providethenproxy
from
status itofisàuthentication..
"kubectl
from set
portto
the get`true`.
output
number true`
nodes")
of bynode
"kubectl
and extracting the live
on configuration
each worker node
x509":("clientCAFile":"/etc/kubernetes/p
getname;
nodes"` from
``` If
ps
```the
-ef`--protect-kernel-defaults`
| grep kubelet argument is not present, check that there is a Kubelet config file specified by `--config`, and t
**See
curl -sSL
``` detailed step-by-step
**Audit
cat
``` /etc/kubernetes/kubelet/kubelet-config.json
Method configmap
2:** procedures in [Reconfigure a Node's Kubelet in a Live Cluster](https://kubernetes.io/docs/tasks/admini
**Remediation
kubectl proxy --port=8001Method
``` 3:**& TITLE:Establish and Maintain a4.1
**See
```
curl -sSL
systemctldetailed step-by-step
If
``` thethe`--make-iptables-util-chains`
configmap portprocedures
daemon-reload
kubectl
Set local
proxy proxy
--port=8001 and & the followingargument
in [Reconfigure does not
variables aandNode's
exist,
provideKubelet
andproxythere
from inthe
is
aa
port Live
Kubelet
outputCluster](https://kubernetes.io/docs/tasks/admini
number of config
"kubectl
and node filegetspecified
nodes"`by `--config`, verify tha
name;
**Audit
The
**For all three remediations:**
Verify outputMethod
that of the
the 2:** above command
`--read-only-port` should return
argument exists and somethingis set tosimilar
`0`. to `--config /etc/kubernetes/kubelet/kubelet-config.json` w
```
--hostname-override
systemctl
kubectl proxy
restart--port=8001
```
If
kubelet.service
using the & api configz endpoint TITLE:Encrypt
consider searching Sensitivefor Data thei 3.10
status of `"streamingConnectionIdleTimeout":"4h0m0s"` by extrac
If usingHOSTNAME_PORT=localhost:8001
Based
export ontheyourapi system,
configz endpoint
restart the consider
`kubelet` searching
(example
service and forhost
the
checkstatus
and status
port ofnumber)
`"RotateKubeletServerCertificate":` by extracting the live configuration fro
kubectl
```
**For allproxy
systemctl three
status --port=8001
**Audit
Verify
export that
remediations:**
kubelet
kubectl Method
-l &`RotateKubeletServerCertificate`
2:**
proxy --port=8001 & argument host
(example exists andand port is set
from number)
the tooutput
`true`. of "kubectl get nodes"`
mendations for Identify
various
export allKubernetes
clusterrolebindings
If using
Openthe policies
the theKubelet
NODE_NAME=ip-192.168.31.226.aks.internal api
`--read-only-port`which
toconfigz
theconfigare
cluster-admin
endpoint
important
file:
argument consider
to
role.
is the
not Check
security
(examplesearching
present, ifnode
they
of Azure
check for
arethat
name theused
AKS
status
from
thereand
customer
isofifa`"protectKernelDefaults"`
"kubectl they environment.
Kubeletneed
get this role
nodes")
config file or if they
specified by extracting
could use a
by `--config`.therole
livewith
Check configura
fewer
that if t
BasedallHOSTNAME_PORT=localhost:8001
**For
```
export onthree
yourremediations:**
system,
export
```
Set therestart
local proxy the `kubelet`
port and(example
service
the followingand host check
variables
and status
port number)
and (example
provide proxy node name port number
from "kubectl
and node get name;
nodes")
**See
``` Retrieve
detailed step-by-step
```
Obtain a the roles
the defined
listconfigmap
of principals across
procedures who each have namespaces
in [Reconfigure
access to the in
a Node's the cluster
`cluster-admin`
Kubelet and areview
inrole Live for wildcards
by reviewing
Cluster](https://kubernetes.io/docs/tasks/admini
the `clusterrolebinding` output for eac
export
**For
BasedallHOSTNAME_PORT=localhost:8001
onremediations:** If
**Audit
usingrestart
Method
the apithe
your system,export
kubectl configz
2:**
proxy --port=8001
`kubelet` endpoint
&(example
service consider
and host
(examplesearching
and
check port
nodenumber)
(example
status for
name the and
host status
from port ofnumber)
"kubectl àuthentication...
get nodes") "makeIPTablesUtilChains":true` by extr
```
Where
systemctl
curl -sSL possible, cat
first/etc/kubernetes/kubelet/kubelet-config.json
bindlocal users to aport lower
daemon-reload
Set the proxy and privileged
the following role and then remove
variables and provide the clusterrolebinding
proxy port number to and
the cluster-admin
node name; role :
export
Based
``` NODE_NAME=ip-192.168.31.226.aks.internal
on your system, curl -sSL
export restart the `kubelet` service and
NODE_NAME=ip-192.168.31.226.aks.internal (example
check status
"http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz" node name (examplefrom node "kubectl
from the name get nodes")
output
from of"kubectl
"kubectlget getnodes")
nodes"`
kubectl
```
systemctl proxy
restart--port=8001
kubectl
``` get & clusterrolebindings
kubelet.service TITLE:Establish and Maintain a4.1
-o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].nam
systemctl
```
curl Get
If theHOSTNAME_PORT=localhost:8001
using set of
the api PSPs
configz with
-sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
daemon-reload
export
```
Set the local proxy port andthethe
endpoint following
consider
following command:
searching
variables
(example forhost
and the status
provide
and port
proxyofnumber)
`"RotateKubeletServerCertificate":true`
port number and node name; by extracting the
Create
```
systemctl explicit
statusservice
kubectl
kubelet accounts
-l roleswherever
get --all-namespaces
`NODE_NAME="The-Name-Of-Node-To-Extract-Configuration"a Kubernetes -o yaml workload requires specific from access to the of
the output Kubernetes
"kubectl get API server.
nodes"`
Where
systemctl
curl
``` -sSL possible, R
rkubelet.service
eview the users who have
restart `HOSTNAME_PORT="localhost-and-port-number"`
daemon-reload
curl
export
kubectl-sSL NODE_NAME=ip-192.168.31.226.aks.internal
proxy &TITLE:Establish
`g
--port=8001 and Maintain a4.1 node name from "kubectl get nodes")
(example
kubectl
**For
export
``` delete clusterrolebinding
Review
```
allHOSTNAME_PORT=localhost:8001
three remediations:**
Verify that each principal
[name]listed(example
`--hostname-override` and ensure hostthat
argument and `cluster-admin`
does port not exist. privilege is required for it.
number)
```
systemctl restart ```
Set
daemon-reload the local proxy port and the following variables and provide proxy
kubelet.service
status kubelet -l from the portoutput
number and nodeget
of "kubectl name;
nodes"`
Modify
Based
export
**For
systemctl
```
the
on
all three
configuration
your
status
restart
re
system,
kubectlrestart
kubectl
remediations:**
kubelet
curl
export
```
of each
Where NODE_NAME=ip-192.168.31.226.aks.internal
``` possible proxy
get
kubelet.service
-sSL psp
the default
--port=8001
`kubelet`
service
&service account
TITLE:Establish
and to include
(example
check
-l "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
andstatus
node thisname
Maintain
(example host and
value 4.1 port
afrom "kubectl get nodes")
number)
Retrieve
**Note** This the cluster
settingroles is notdefined
configurablein the cluster
via the and Kubeletreview for wildcards
config file.
Whereallon
```
Based
**For
systemctl possible,
three
status ```
R
r eviewrestart
yourremediations:**
system,
kubelet
export
kubectl -lthe users who have
proxy the
--port=8001
`kubelet` TITLE:Establish
c
&service and checkand statusMaintain a4.1 node
(example from the name output
fromof"kubectl
"kubectlget getnodes")
nodes"`
``` For each namespace in the cluster, review the
curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
export HOSTNAME_PORT=localhost:8001 rights assigned
(example host and to port thenumber)
default service account and ensure that it has no roles o
Based on your system,
``` Review
``` pod and
restart theservice
`kubelet` account
serviceobjects and check in thestatus cluster and ensure that the option below is set, unless the resource explicitly r
systemctl daemon-reload
```
```
Get
automountServiceAccountToken:
```
export
as
curlan
export
kubectl
theNODE_NAME=ip-192.168.31.226.aks.internal
-sSL
set of PSPs
alternative
false with theTITLE:Manage
AZ CLI can
proxy
following command:
& be used:
--port=8001
Default Accounts
(example host and
(example 4.7 portnode name from "kubectl get nodes")
number)
```
systemctl restart Additionally
kubectl get clusterroles
kubelet.service ensure that -o theyamlàutomountServiceAccountToken: false` setting is in place for each default service account.
systemctl
``` defini Get
Modify thedaemon-reload ```
export theNODE_NAME=ip-192.168.31.226.aks.internal
set of PSPs with theTITLE:Establish following command: and Maintain a4.1 node name from "kubectl get nodes")
(example
document, pod security
systemctl
**For all three policy
status ```
(preview),
remediations:**
kubelet
curl will begin deprecation with Kubernetes version 1.21, with its removal in version 1.25. As Kubernetes Upstream ap
-sSL-l "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
restart ```
systemctl daemon-reload automountServiceAccountToken:
export
kubelet.service
HOSTNAME_PORT=localhost:8001 false (example host and port number)
Automatic
Based
``` on yourremediationkubectl
Get
``` thefor
system, get
set
restart the psp
ofdefault
PSPs
the with
account:
`kubelet` theservice
following andcommand:
check status
systemctl restart az
```
status kubelet
curl aks
export list
kubelet.service
-sSL --output yaml
-l "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz" (example node name from "kubectl get nodes")
view) is deprecated, you must``` disable the feature on any existing clusters using the deprecated feature to perform future cluster upgrades and stay within A
Create a PSP
```
systemctl status askubelet
```
kubectl
Get
d the get -lset psp of PSPs with theTITLE:Establish following command: and Maintain a4.1
`kubectl
``` ```
patch serviceaccount default -p $'automountServiceAccountToken: false'`
```
Create a PSP
systemctl asGet
For
kubectl
daemon-reloadd eachthe get set PSP,psp
of PSPs
checkwith whether
theTITLE:Establish
following
privileged command: and Maintain a4.1
is enabled:
```
For each PSP, check whether privileged is enabled:
systemctl restart ``` kubelet.service
Create a PSP askubectl For
d each get PSP,psp check whether TITLE:Establish
privileged is enabled: and Maintain a4.1
o the PSP is the Open Policy
systemctl statusAgent ``` (OPA)
kubelet -l and OPA Gatekeeper. OPA is an admission controller which is integrated with the OPA Constraint Framework to
```
Create a PSP askubectl
``` For
d each get PSP,psp check<name> whether TITLE:Establish
privileged is enabled:
-o=jsonpath='{.spec.hostPID}' and Maintain a4.1
kubectl get psp -o json
```
ch Aqua, Twistlock (Prisma), and ``` Sysdig can offer similar capabilities or manage PSP's themselves.
Create a PSP asGet For
d each
```
kubectlthe get set PSP, of PSPs
psp check
<name> withwhether
theTITLE:Establish
following
privileged command:
-o=jsonpath='{.spec.hostIPC}' is enabled:
and Maintain a4.1
```
```
eeper v3, an admission
Create a PSP controller
asFor
Verifywebhook
kubectl
```
eachthatget PSP, forcheck
there
psp Open
<name>
is at least whether
Policy TITLE:Establish
Agent
NET_RAW
PSP(OPA), which is
-o=jsonpath='{.spec.hostNetwork}'
one
Verify that there is at least one PSP which does not return `true`.
toand
disabled:
does apply Maintain
not at-scale
return atrue.4.1
enforcements and safeguards on your clusters in a centralized, c
```
Ensure that àllo kubectl Verify that getthere psp <name> is at least -o=jsonpath='{.spec.allowPrivilegeEscalation}'
TITLE:Establish
one PSP which does andnot Maintain
return a4.1 true.
ervice for policy assignments to ```the cluster.
```
`kubectl get psp <name> -o=jsonpath='{.spec.privileged}'`
nto the cluster as constraint template kubectl
Verify that andgetthere constraint
psp <name> is at leastcustom-o=jsonpath='{.spec.requiredDropCapabilities}'
oneresources.
PSP which does not return true.
iance details back to Azure Policy ``` service.
Verify that there are is atno leastPSPs onepresent
PSP which which have
does notàllowedCapabilities`
return true. set to anything other than an empty array.
supports the following
As with RBAC
cluster
poli
environments:
Reviewthat
Verify thethere
doc
One example
is at TITLE:Use
he PSP which
least one Up-to-Date 16.5
and Trusted
returns NET_RAW orThird-Party
ALL. Software Components CONTROL:v8 16.5 DESC
(AKS)
etes
# Check AKS Policy pods are running.
```
kubectl get po -n gatekeeper-system
```
# Sample Output
blems in the admission controlRun the below command and TITLE:Manage
review the namespaces
Access Control
created
13.5
f in the cluster.
...
ral cluster management topics,NAME
like namespace
READY STATUSbest practices
RESTARTSand policies
AGE applied to pod objects in the cluster.
```
gatekeeper-audit-65844778cb-rkflg 1/1 Running 0 163m
Follow the documkubectl get namespaces TITLE:Securely Manage Enterpr 4.6
gatekeeper-controller-78797d4687-4pf6w 1/1 Running 0 163m
```
rity recommendations for the Azure
gatekeeper-controller-78797d4687-splzh
AKS. These recommendations are applicable
1/1 Runningfor0configurations
163m that Azure AKS customers own and manage.
...
mendations relating to container
Ensure
imagethat
registries
these namespaces
and securingare
images
the ones
in those
you registries,
need and aresuchadequately
as the Azure
administered
Container as
Registry.
per your requirements.
When using anAzure
Azure
Container
containerRegistry
registry, you might occasionTITLE:Perform Automated Vulner 7.6
If you use Azure Container Registry (ACR) as your container image store, you need to grant permissions to the service principal for your AKS
TITLE:Configure Data Access Con3.3
Azure Active Directory integration
A separate dedicated
To avoidservice
needing
account
an Owner
mayorbeAzure
required
account
for TITLE:Configure
administrator role,
Datayou
Access 3.3 Directory
can configure
Co
The security of AKS clusters can be enhanced with the integration of Azure Active
a service principal manually or use an existing service prin
(AD). Built on decades of enterprise identity man
mendations relating to access and identity options for Azure (AKS).
Azure Active Directory integration with AKS clusters
For each namespace in the TITLE:Account
clu Management CONTR5
With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes resources within a namespace or across the clu
When implementing Endpoint Private Access, be careful to ensure all desired networks are on the allowlist (whitelist) to prevent inadvertently blocking exter
mon security requirement. In Azure, organizations can encry TITLE:Encrypt Sensitive Data at3.11
Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 p
Limitations
mendations relating to network security configurations in Azure (AKS).
P authorized ranges can't be applied to the private api server endpoint, they only apply to the public API server
Network Policy requires the Network Policy add-on. This add-on
To enable Private
Availability Nodes,
Zones are the cluster
currently has to
supported foralso
TITLE:Configure
be configured
certain
is included Data
automatically 3.3
Access Con
when a cluster with Network Policy is created, but for an existing c
regions. with a private master IP range and IP Aliasing enabled.
TITLE:Implement and Manage 4.4
Azure Private Link service limitations apply to private clusters. a
Enabling/Disabling Network Policy causes a rolling update of all cluster nodes, similar to performing a cluster upgrade. This operation is long-running and w
Private Nodes
No support for do not DevOps
Azure have outbound access to the
Microsoft-hosted public
Agents internet.
with privateIfclusters.
you want to provide
Consider outbound
to use Internet
Self-hosted access for your private nodes, you can use Clou
Agents.
For customers that need to enable Azure Container Registry to work with private AKS, the4.4
TITLE:Implement and Manage a F
Container Registry virtual network must be peered with the agen
f Network Policy is used, a cluster must have at least 2 nodes of type `n1-standard-1` or higher. The recommended minimum size cluster to run Network Po
mendations relating to authentication and authorization in Azure (AKS).
Enabling
mendations
Network
relating
Policy
to any
enforcement
remaining security-related
consumes additional
cluster
resources
configurations
in nodes.
in Azure
Specifically,
(AKS). it increases the memory footprint of the `kube-system` process
ice to restrict or fence untrusted workloads when running TITLE:Segment Data Processing
3.12
v8 v8 v8 CIS Safeguards CIS Safeguards CIS Safeguards v7 v7 v7
IG1 IG2 IG3 1 (v7) 2 (v7) 3 (v7) IG1 IG2 IG3
ed Kubernetes master to provide the API Server, Scheduler, etc. This master is managed and maintained by Microsoft.
ce.
using
Youauthorized
create andIPmanage
ranges.the
Younodes
can also
that create
run theakubelet
fully private
and container
cluster to runtime,
limit APIand
server
deploy
access
yourtoapplications
your virtual through
network.the managed Kubernetes API serve
Windows Server nodes run an optimized Windows Server 2019 release and also use the Moby container runtime. When an AKS cluster is created or scal
ure AD integration with AKS.
X X X 6
eboot is not automatically performed. You can manually reboot the Linux nodes, or a common approach is to use Kured, an open-source reboot daemon fo
release cycle and your own validation process, you should perform an upgrade on the Windows Server node pool(s) in your AKS cluster. This upgrade pro
nabled by default.
X ThisX SSH 5.2 is only available using the internal IP address.
X access X X
X X X 5.2 X X
stored on managed disks is automatically encrypted at rest within the Azure platform. To improve redundancy, these disks are also securely replicated wit
d, the executable
X argument
X 5.2 precedence.
X takes X X
y Policies, or more fine-grained Kubernetes role-based access control (Kubernetes RBAC) for nodes, make exploits more difficult. However, for true securi
X X X 5.2 X X
14
14
14.4 X X
istribution.
X X X 9.2 X X
X X X 9
X X X 5.2 X X
X X X 9
X X X 5
X X 14.4 X X
X X X 5.1 X X X
X X X 5.2 X X
X X X 5.1 X X X
X X X 5.2 X X
X X X 4.3 5.2 X X X
X X X 5.2 X X
As Kubernetes Upstream approaches that milestone, the Kubernetes community will be working to document viable alternatives. The previous deprecation
er upgrades and stay within Azure support.

X X X 5.2 X X
X X X 5.2 X X
X X X 5.2 X X
OPA Constraint Framework to enforce Custom Resource Definition (CRD) based policies and allow declaratively configured policies to be reliably shareable
X X X 5.2 X X
X X X 5.2 X X
ur clusters in Xa centralized,
X 5.2
X consistent manner. Azure Policy makes it possible to manage
X and
X report on the compliance state of your Kubernetes clusters f
X X X 5.2 X X
X X 18.4 X X
X X 12
X X X 14
s own and manage.
X X 3 3.1 3.2 X X
X X X 14.6 X X X
X X X 3.2 X X
4.3 X X X
X X 14.8 X
X X X 14.6 X X X
X X X 12
X X X 9.2 9.4 X X X
X X 18
references
aged and maintained by Microsoft.
nd
erver
deploy
access
yourtoapplications
your virtual through
network.the managed Kubernetes API server. To help troubleshoot your application and services, you may need to view the log
se the Moby container runtime. When an AKS cluster is created or scaled up, the nodes are automatically deployed with the latest OS security updates and
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://docs.microsoft.com/en-us/azure/aks/view-master-logs:https://docs.mic
a common approach is to use Kured, an open-source reboot daemon for Kubernetes. Kured runs as a DaemonSet and monitors each node for the presenc
he Windows Server node pool(s) in your AKS cluster. This upgrade process creates nodes that run the latest Windows Server image and patches, then rem
https://kubernetes.io/docs/admin/kube-proxy/:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-posture-vulnerability-m
m. To improve redundancy, these disks are also securely replicated within the Azure datacenter.
https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/:https://docs.microsoft.com/security/benchmark/azure/security-controls-v
RBAC) for nodes, make exploits more difficult. However, for true security when running hostile multi-tenant workloads, a hypervisor is the only level of secu
https://kubernetes.io/docs/admin/kubelet/:https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication:https:
https://kubernetes.io/docs/admin/kubelet/:https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication:https:
https://kubernetes.io/docs/admin/kubelet/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authoriza
https://kubernetes.io/docs/admin/kubelet/:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-posture-vulnerability-man
https://kubernetes.io/docs/admin/kubelet/:https://github.com/kubernetes/kubernetes/pull/18552:https://docs.microsoft.com/security/benchmark
https://kubernetes.io/docs/admin/kubelet/:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-posture-vulnerability-man
https://kubernetes.io/docs/admin/kubelet/:https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/:https://docs.microsoft.com/s
https://kubernetes.io/docs/admin/kubelet/:https://github.com/kubernetes/kubernetes/issues/22063:https://kubernetes.io/docs/tasks/administer-
https://github.com/kubernetes/kubernetes/pull/45059:https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration
https://kubernetes.io/docs/admin/authorization/rbac/#user-facing-roles:https://docs.microsoft.com/security/benchmark/azure/security-controls-
https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-identity-management#im-7-eliminate-unintended-credential-exposu
https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-priv
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/:https://docs.microsoft.com/security/benchmark/azure/sec
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/:https://docs.microsoft.com/security/benchmark/azure/sec
ll be working to document viable alternatives. The previous deprecation announcement was made at the time as there was not a viable option for custome
https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy
https://kubernetes.io/docs/concepts/policy/pod-security-policy:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-data-
cies and allow declaratively configured policies to be reliably shareable. The Kubernetes projects is shifting focus from PSPs to OPAs.
https://kubernetes.io/docs/concepts/policy/pod-security-policy:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-privile
anage and report
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies:https://www.nccgroup.trust/uk/our-research/abu
on the compliance state of your Kubernetes clusters from one place. The add-on enacts the following functions:
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies:https://www.nccgroup.trust/uk/our-research/abu
https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/:https://docs.microsoft.com/security/benchmark/
https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/:http://blog.kubernetes.io/2016/08/security-best-practices-kub
https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-usage:https://docs.microsoft.com/en-us/azure/contain
https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-data-protection#dp-2-protect-sensitive-data
https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-identity-management#im-2-manage-application-identities-securely-a
https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest
https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic
https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-network-security#ns-2-connect-private-networks-together:https://do
https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-isolation:https://azure.microsoft.com/en-us/blog/azure-container-in
ices, you may need to view the logs generated by these master components. This section shows you how to use Azure Monitor logs to enable and query th
the latest OS security updates and configurations.
s/view-master-logs:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resourc
monitors each node for the presence of a file indicating that a reboot is required. Reboots are managed across the cluster using the same cordon and drain
Server image and patches, then removes the older nodes. For more information on this process, see Upgrade a node pool in AKS.
y-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources
enchmark/azure/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources
hypervisor is the only level of security that you should trust. The security domain for Kubernetes becomes the entire cluster, not an individual node. For the
ation/#kubelet-authentication:https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/:https://docs.microsoft.com/security/benchmark/azure/s
ation/#kubelet-authentication:https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/:https://docs.microsoft.com/security/benchmark/azure/s
ce/kubelet-authentication-authorization/:https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/:https://docs.microsoft.com/security/benchm
ntrols-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources
.microsoft.com/security/benchmark/azure/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resour
ubelet/:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic
ubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-posture-vulnerabi
pping/#kubelet-configuration
benchmark/azure/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle
nate-unintended-credential-exposure
st-enough-administration-least-privilege-principle
com/security/benchmark/azure/security-controls-v2-identity-management#im-2-manage-application-identities-securely-and-automatically
com/security/benchmark/azure/security-controls-v2-identity-management#im-2-manage-application-identities-securely-and-automatically
was not a viable option for customers. Now that the Kubernetes community is working on an alternative, there no longer is a pressing need to deprecate ahe
e-enterprise-segmentation-strategy
rk/azure/security-controls-v2-data-protection#dp-2-protect-sensitive-data
PSPs to OPAs.
rk/azure/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle
nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/:https://docs.microsoft.com/security/benchmark/azure/security-controls
unctions:
nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/:https://docs.microsoft.com/security/benchmark/azure/security-controls
microsoft.com/security/benchmark/azure/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic
2016/08/security-best-practices-kubernetes-deployment.html:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-governance-strategy
.microsoft.com/en-us/azure/container-registry/container-registry-check-health:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-pos
age-application-identities-securely-and-automatically
nsitive-data-at-rest
t-security-for-internal-traffic
rivate-networks-together:https://docs.microsoft.com/en-us/azure/aks/use-network-policies
.com/en-us/blog/azure-container-instances-now-generally-available/:https://azure.microsoft.com/en-us/resources/videos/ignite-2018-run-a-serverless-kube
logs to enable and query the logs from the Kubernetes master (control plane) components.
e-logging-for-azure-resources
he same cordon and drain process as a cluster upgrade.
S.
an individual node. For these types of hostile multi-tenant workloads, you should use physically isolated clusters. For more information on ways to isolate w
security/benchmark/azure/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
security/benchmark/azure/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
osoft.com/security/benchmark/azure/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit
rations-for-compute-resources
sing need to deprecate ahead of Kubernetes.
mark/azure/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle
mark/azure/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle
ols-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy:https://docs.microsoft.com/en-us/azure/aks/concepts-clusters-wo
ure/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments
018-run-a-serverless-kubernetes-cluster-by-bridging-aks-and-aci-through-the-virtual-kubelet/
mation on ways to isolate workloads, see Best practices for cluster isolation in AKS.
e/aks/concepts-clusters-workloads#:~:text=Kubernetes%20resources%2C%20such%20as%20pods,or%20manage%20access%20to%20resources.&text=
%20to%20resources.&text=When%20you%20interact%20with%20the,used%20when%20none%20is%20specified.
Recommendation Assessment
Section # Title
# Status
1 Master (Control Plane) Components

2 Master (Control Plane) Configuration
2.1 Logging
3 Worker Nodes
3.1 Worker Node Configuration Files
3.2 Kubelet
3.2 3.2.9 Ensure that the --eventRecordQPS argument is set to 0 or a level whi Manual
3.2 3.2.10 Ensure that the --rotate-certificates argument is not set to false Manual
4 Policies
4.1 RBAC and Service Accounts
4.2 Pod Security Policies
4.2 4.2.6 Minimize the admission of root containers Automated
4.2 4.2.9 Minimize the admission of containers with capabilities assigned Manual
4.3 Azure Policy / OPA
4.4 CNI Plugin
4.4 4.4.2 Ensure that all Namespaces have Network Policies defined Manual
4.5 Secrets Management
4.5 4.5.1 Prefer using secrets as files over secrets as environment variables Manual
4.5 4.5.2 Consider external secret storage Manual
4.6 Extensible Admission Control
4.7 General Policies
4.7 4.7.2 Apply Security Context to Your Pods and Containers Manual
4.7 4.7.3 The default namespace should not be used Manual
5 Managed services
5.1 Image Registry and Image Scanning
5.1 5.1.4 Minimize Container Registries to only those approved Manual
5.2 Access and identity options for Azure Kubernetes Service (AKS)
5.3 Key Management Service (KMS)
5.4 Cluster Networking
5.4 5.4.2 Ensure clusters are created with Private Endpoint Enabled and Publi Manual
5.4 5.4.5 Encrypt traffic to HTTPS load balancers with TLS certificates Manual
5.5 Authentication and Authorization
5.5 5.5.1 Manage Kubernetes RBAC users with Azure AD Manual
5.5 5.5.2 Use Azure RBAC for Kubernetes Authorization Manual
5.6 Other Cluster Configurations
5.6 5.6.2 Hostile multi-tenant workloads Manual
Actual state on a Non- Assessment result on a Assessment result on a
hardened system (Pass Non-hardened system Remediated (Hardened)
or Fail) (Fail) system (Pass or Fail)
Exceptions - Reason why the recommendation failed on a
remediated system. Should include manual mitigation Intentionally Rational Impact
Description
Security is a shared responsibility between Microsoft and the
steps if possible. Can be provided in a separate left Blank Statement Statement
document with the certification submission.
Master security
In AKS, the Kubernetes master components are part of the m
Node security
With
By
AKS default,
Azure
nodestheKubernetes
areKubernetes
Azure virtual
Service
API
machines
server
(AKS),uses
the
thatmaster
you
a public
manage
component
IP addres
and m
This section contains recommendations for kubelet configurat
You Azure
The can control
platformaccess
automatically
to the APIapplies
server using
OS security
Kubernetes
patchesro
Kubelet settings
This section may of
consists besecurity
configured using arguments
recommendations foron
thethe
comru
For Windows Server nodes, Windows Update does not autom
To find the Kubelet config file, run the following command:
Nodes are deployed into a private virtual network subnet, with
``` The `--rotate-certificates` setting causes the kub
Security relev It is importan Setting this p
To -ef
ps provide
| grepstorage,
kubelet the| grep
nodes
config
use Azure Managed Disks. For
Enable kubelet**Note:** This None
``` recommendation only applies if y
Kubernetes environments, in AKS or elsewhere, currently are
This section contains recommendations for various Kubernete
A more
If the modern
`--config` alternative
**Note:**
argument is to
This the PSP
present,
feature is gives
also
this the Open
requirethe
thePolicy
location Age
`RotateKu
of
Containers may run as any Linux user. Containe
The feature described in this document, pod security policy (p
Finally, third party agents such Aqua, Twistlock (Prisma), and
Ideally, all containers should run as a defined no
After pod security policy (preview) is deprecated, you must dis
Do notPolicy
Azure generalextends Gatekeeper Pods with
v3, ancont
admission controller
Containers run with a default set of capabilities
There should be at least one PodSecurityPolicy
Do not general Pods with cont
- Checks with Azure Policy service for policy assignments to t
In many cases applications running in container
- Deploys policy definitions
If you need tointorun the
rootcluster as constraint
containers, templ
this should be
- Reports auditing and compliance details back to Azure Polic
Running different applications on the same Kub
Use network
Azure Policy for
pol KubernetesOnce supports
network
the following
p cluster env
Network Policies are namespace scoped. When
- Azure Kubernetes Service (AKS)
-Kubernetes sup
It is reasonab
Azure Arc enabled KubernetesApplication co
- AKS Engine
Consider the uKubernetes sup None
These policies relate to general cluster management topics, li

Apply Securit A security conIf you incorre
Kubernetes pro
Resources in a
None
This section consists of security recommendations for the Azu
This section contains recommendations relating to container i
Use approvedAllowing
c unresAll container images to be deploye
This section contains recommendations relating to access and
This section contains recommendations relating to network se

In a private cluster, the master node has two en
Disable access
Although Kubernetes API requires an authorized
Encrypt traffi Encrypting traffic between users and your Kube
This section contains recommendations relating to authentica
The ability to manage RBAC for Kubernetes resources from A
Azure Kubernet Kubernetes RBAC and AKS help you secure yo
Azure role-based
Today
access
you can
control
already
(RBAC)
leverage
is an authorization
integrated auth
s
This section contains recommendations relating to any remain
With AzureKubernetes
Currently, RBAC, youenvironments
create a role definition
aren't safethat
for outlines
hostile mu
the
For these types of hostile multi-tenant workloads, you should

**Remediation Method 1:**
**Audit Method 1:**
If modifying the Kubelet config file, edit the kubelet-config.json file `/etc/kubernetes/kubelet/kubelet-config.json` and set the below parameter t
If using a Kubelet configuration file, check that there is an entry for èventRecordQPS` set to `5` or a value equal to or greate
```
First, SSH to the relevant node:
"eventRecordQPS": 5
Remediation
ibility between```Microsoft and theAudit
AzureProcedure
(AKS) customer. Additional Information
Procedure Run the following command on each node to find the appropriate Kubelet config file:
**Remediation Method 2:**
```
ter components are part of the managed service provided by Microsoft. Each AKS cluster has its own single-tenanted, dedicated Kubernetes master to pro
ps -ef | grep kubelet
If using executable **Audit
arguments,
Methodedit 1:**the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf` on each worker node
```
ice
PI
machines
server
(AKS),uses
the
thatmaster
you
a public
manage
components
IP address
and maintain.
such
and aas fully
Linux
thequalified
kube-apiserver
nodes domain
run an optimized
and
name kube-controller-manager
(FQDN).
Ubuntu Youdistribution
can limit using
access
are provided
the
to Moby
the as
API
container
a server
managedendpoint
runtime.
service.
using
Windows
Youauthorized
create
Server
andIP
nodes
manage
ranges.
runt
The output of the above command should return something similar to `--config /etc/kubernetes/kubelet/kubelet-config.json` w
mendations for ```kubelet configuration.
If using a Kubelet configuration file, check that there is an entry for `--rotate-certificates` set to `false`.
e
cally
APIapplies --eventRecordQPS=5
**Remediation
server using
OS security
Kubernetes Method
patches role-based1:** nodes
to Linux accesson control
a nightly
(Kubernetes
basis. If aRBAC)Linux OS andsecurity
Azure RBAC.
updateForrequires
more a information,
host reboot,see
that
Azure
rebootADisintegration
not automatically
with AKS.
pe
As a best practice we recommend
Open the Kubelet thatconfigyoufile:
scope the binding for privileged pods to service accounts within a particular namespace, e.g. kube
figured using ```
arguments
rity recommendations foron
thetheFirst,
running
componentsSSHkubelet
tothat
the run
relevant
executable,
on Azurenode:
or
AKSthey may be
worker taken from a Kubelet config file. If both are specified, the executable argument
nodes.
```
Windows Update If modifying
does notthe Kubelet config
automatically run file,
andedit
applythethe kubelet-config.json
latest updates. On filea `/etc/kubernetes/kubelet/kubelet-config.json`
regular schedule around the Windows Update and set the
release below
cycle parameter
and your ownt
``` cat /etc/kubernetes/kubelet/kubelet-config.json
e, run the following
**Remediation
command: Run the
Method following command on each node to find the appropriate Kubelet config file:
3:**
apiVersion: policy/v1beta1
```
```
rivate virtual network subnet, with no public IP addresses assigned. For troubleshooting and management purposes, SSH is enabled by default. This SSH a
kind: PodSecurityPolicy
"RotateCertificate":true
```
If using the api configz endpoint consider searching for the status of `"eventRecordQPS"` by extracting the live configuration from the nodes r
metadata: Review the value set for the `--eventRecordQPS` argument and determine whether this has been set to an appropriate level
onfig ```
s use Azure Managed ps -ef
Disks. For most | grep
VMkubelet
node sizes, these are Premium disks backed by high-performance SSDs. The data stored on managed disks is
name: restricted
Get
``` the set configmap
**See detailed step-by-step of PSPs with the following
procedures command: a Node's Kubelet in a Live Cluster](https://kubernetes.io/docs/tasks/admini
in [Reconfigure
annotations: If the `--eventRecordQPS` argument does not exist, check that there is a Kubelet config file specified by `--config` and review
AKS or elsewhere,
```
**Remediation
currentlyMethod
aren't
The outputcompletely
2:** of the safe
aboveforcommand
hostile multi-tenant
should return usage. something
Additionalsimilar
security
to `--config
features/etc/kubernetes/kubelet/kubelet-config.json`
like Pod Security Policies, or more fine-grain w
mendations forseccomp.security.alpha.kubernetes.io/allowedProfileNames:
various Kubernetes policies which are important to the security 'docker/default,runtime/default'
of Azure AKS customer environment.
o the PSP
present, is gives
this the Open
kubectl Policy
theproxy
location Agent
```
of the(OPA)
--port=8001 & and
Kubelet OPAfile.
config Gatekeeper.
This config OPAfile is an admission
could be in JSON controller
or YAMLwhich
formatis depending
integrated with the OPA
on your Constraint Framework to
distribution.
apparmor.security.beta.kubernetes.io/allowedProfileNames:
Get
**Auditthe Method
set of PSPs2:** with the following command: 'runtime/default'
If using executable kubectl
Open getKubelet
arguments,
the pspeditconfig
the kubelet
file: service file `/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf` on each worker node
document, pod seccomp.security.alpha.kubernetes.io/defaultProfileName:
security policy (preview), will begin deprecation with Kubernetes 'runtime/default'
version 1.21, with its removal in version 1.25. As Kubernetes Upstream ap
ch Aqua, Twistlockexport(Prisma), and
``` Sysdig can offer similar (example
HOSTNAME_PORT=localhost:8001 capabilitieshost or manage
and port PSP's number) themselves.
apparmor.security.beta.kubernetes.io/defaultProfileName:
```
If using the api configz endpoint consider searching 'runtime/default'
for the status of èventRecordQPS` by extracting the live configuration fr
export NODE_NAME=ip-192.168.31.226.aks.internal
``` cat /etc/kubernetes/kubelet/kubelet-config.json (example node name from "kubectl get nodes")
spec: you mustkubectl
view) is deprecated, disableget thepsp
feature on any existing clusters using the deprecated feature to perform future cluster upgrades and stay within A
eeper v3, an admission
Create a PSP controller
asFor
``` webhook
--RotateCertificate=true each PSP, forcheck
Open whether
Policy Agent
running (OPA),
containers
to apply asat-scale
root is enabled:
enforcements and safeguards on your clusters in a centralized, c
privileged: false ``` Set the local proxy port and the following variables and provide proxy port number and node name;
```
# Required
Review to prevent
the use of escalations to root.
ervice for policy``` assignments to ``` the cluster.
Verify that the `RotateCertificate` argument is not present, or is set to `true`.
allowPrivilegeEscalation:
For each falsePSP, check whether capabilities have been forbidden: from the output of "kubectl get nodes"`
nto the cluster as constraint template Run
kubectl theandbelow
get constraint
pspcommand
<name> customand resources.
review the `NetworkPolicy` objects created in the cluster.
-o=jsonpath='{.spec.runAsUser.rule}'
# This is redundant ``` with non-root + disallow privilege escalation,
iance details **For
back toall Azure Policy
If theservice.
three remediations:**
``` `--rotate-certificates` argument is not present, verify that if there is a Kubelet config file specified by `--config`, that file d
# but we can provide ```
kubectl it for defense
proxy in depth.
--port=8001 &
Based on your system, ``` restart the `kubelet` service and check status
requiredDropCapabilities:
kubectl get psp <name> -o=jsonpath='{.spec.requiredDropCapabilities}'
supports the following
Follow thecluster
documenvironments:
kubectl
Verify that getthere
networkpolicy
is at least--all-namespaces
one PSP which returns `MustRunAsNonRoot` or `MustRunAs` with the range of UIDs not includin
- ALL export HOSTNAME_PORT=localhost:8001 (example host and port number)
```
``` ``` the following command to find references to objects which use environment variables defined from secrets.
Run
# Allow core volume export types.
NODE_NAME=ip-192.168.31.226.aks.internal (example node name from "kubectl get nodes")
(AKS) systemctl daemon-reload
volumes:
etes If possible,restart
systemctl rewr ```
Ensure that each namespace
kubelet.service Mounting defined
secrets in as
thevolumes
cluster has has attheleast
additional
one Network
benefi Policy.
- 'configMap' curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
kubectl get
systemctl status kubelet -l all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
Refer
- 'emptyDir'
to the sec ``` Review your secrets management implementation.
``` ```
- 'projected'
- 'secret'
ral cluster management
- 'downwardAPI'topics,Runlikethis
namespace
commandbest to list
practices
objects and
in default
policies namespace
applied to pod objects in the cluster.
# Assume that persistentVolumes set up by the cluster admin are safe to use.
Review the pod definitions in your cluster and verify that you have security
- 'persistentVolumeClaim'
```
Ensure
hostNetwork:
that namefalse
kubectl get all -n default
hostIPC: false ```
rity recommendations for the Azure AKS. These recommendations are applicable for configurations that Azure AKS customers own and manage.
hostPID: false
mendations relatingrunAsUser:
to container The image
only registries
entries thereandshould
securing be images
system in managed
those registries,
resources such
suchasas
thethe
Azure
`kubernetes`
Containerservice
Registry.
# Require the container to run without root privileges.
All container images to be deployed to the cluster must be hosted within an approved container image regis
rule: 'MustRunAsNonRoot'
mendations relatingseLinux:to access and identity options for Azure (AKS).
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
mendations relating to network security configurations in Azure (AKS).
supplementalGroups:
ster, the master node has two endpoints, a private and public endpoint. The private endpoint is the internal IP address of the master, behind an internal loa
rule: 'MustRunAs'
ranges:
rnetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes publically with unrestricted ac
fic between users and your
# Forbid addingKubernetes
the root group. workload is fundamental to protecting data sent over the web.
- min: 1
mendations relating to authentication and authorization in Azure (AKS).
max: 65535
BAC and AKS fsGroup:
help you secure your cluster access and provide only the minimum required permissions to
rule: 'MustRunAs'
already leverage integrated authentication between Azure Active Directory (Azure AD) and AKS. When ena
ranges:
mendations relating# Forbidto any remaining
adding the rootsecurity-related
group. cluster configurations in Azure (AKS).
nments aren't safe for hostile multi-tenant usage. Extra security features, like Pod Security Policies or Kubernetes RBAC for nodes, efficiently block exploit
- min: 1
max: 65535
ulti-tenant workloads, you should use physically isolated clusters. For more information on ways to isolate workloads, see Best practices for cluster isolation
readOnlyRootFilesystem: false
```
This policy prevents pods from running as privileged or escalating privileges. It also restricts the types of volumes that can be mounted and th
Another, albeit similar, approach is to start with policy that locks everything down and incrementally add exceptions for applications that need
CIS Safeguards CIS Safeguards CIS Safeguards v8 v8 v8
CIS Controls
1 (v8) 2 (v8) 3 (v8) IG1 IG2 IG3
using
are provided
the Moby
ascontainer
a managedruntime.
service.
Windows
You create
Server
andnodes
manage
runthe
an nodes
optimized
thatWindows
run the kubelet
Serverand
2019
container
release runtime,
and also and
use deploy
the Moby
your
container
applications
runtime.
through
Whenth
pdate requires a host reboot, that reboot is not automatically performed. You can manually reboot the Linux nodes, or a common approach is to use Kured,
belet config file. If both are specified, the executable argument takes precedence.
dule around the Windows Update release cycle and your own validation process, you should perform an upgrade on the Windows Server node pool(s) in y
management purposes, SSH is enabled by default. This SSH access is only available using the internal IP address.
TITLE:Collect Audit Logs CONTROL:v8 8.2 DESCRIPTION:Collect
high-performance SSDs. The data stored on managed disks is automatically 8.2encrypted at rest
8.5within the Azure platform. To improve
X X X
redundancy, these dis
TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DES 3.10 X X
security features like Pod Security Policies, or more fine-grained Kubernetes role-based access control (Kubernetes RBAC) for nodes, make exploits more
customer environment.
oller which
YAML is depending
format integrated with the OPA
on your Constraint Framework to enforce Custom Resource Definition (CRD) based policies and allow declaratively configure
distribution.
1, with its removal in version 1.25. As Kubernetes Upstream approaches that milestone, the Kubernetes community will be working to document viable alte
selves.
ted feature to perform future cluster upgrades and stay within Azure support.
nforcements andTITLE:Establish
safeguards on and
your
Maintain
clusters
a in
Secure
a centralized,
Configuration
consistent
Process
manner.
4.1 Azure Policy makes it possible to manage and
X report
X on X the compliance s
TITLE:Establish and Maintain a Secure Configuration Process4.1 X X X
TITLE:Perform Traffic Filtering Between Network Segments CO

13.4 X X
TITLE:Access Control Management CONTROL:v8 6 DESCRIPTION:Us

6
6
TITLE:Access Control Management CONTROL:v8 6 DESCRIPTION:Us
bjects in the cluster.

TITLE:Securely Manage Enterprise Assets and Software CONTR
4.6 X X X
4.6
TITLE:Securely Manage Enterprise Assets and Software CONTR X X X
urations that Azure AKS customers own and manage.
ch as the Azure Container Registry.
TITLE:Allowlist Authorized Software CONTROL:v8 2.5 DESCRIPTION:Use
2.5 technical controls, such as application allowlisting,
X X to ensure that
TITLE:Implement and Manage a Firewall on Servers CONTROL:

4.4 X X X
3.10
TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DES X X
6.8
TITLE:Define and Maintain Role-Based Access Control CONTROL: X
TITLE:Define and Maintain Role-Based Access Control CONTROL:
6.8 X
TITLE:Segment Data Processing and Storage Based on Sensitiv

3.12 X X
CIS Safeguards CIS Safeguards CIS Safeguards v7 v7 v7
references
1 (v7) 2 (v7) 3 (v7) IG1 IG2 IG3
your
container
applications
runtime.
through
Whentheanmanaged
AKS cluster
Kubernetes
is created
API
or server.
scaled To
up,help
the nodes
troubleshoot
are automatically
your application
deployed
and with
services,
the latest
you may
OS security
need to updates
view theand
logsconfigurat
generate
approach is to use Kured, an open-source reboot daemon for Kubernetes. Kured runs as a DaemonSet and monitors each node for the presence of a file in
s Server node pool(s) in your AKS cluster. This upgrade process creates nodes that run the latest Windows Server image and patches, then removes the o
6 these disks are also securely replicated within the Azure datacenter.
ove redundancy,
https://kubernetes.io/docs/admin/kubelet/:https://github.com/kubernetes/ku
14.4 X X https://github.com/kubernetes/kubernetes/pull/41912:https://kubernetes.io/
nodes, make exploits more difficult. However, for true security when running hostile multi-tenant workloads, a hypervisor is the only level of security that you
low declaratively configured policies to be reliably shareable. The Kubernetes projects is shifting focus from PSPs to OPAs.
ng to document viable alternatives. The previous deprecation announcement was made at the time as there was not a viable option for customers. Now tha
report on the 5.2

compliance state of your Kubernetes clusters from one place.
X XThe add-on
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-po
enacts the following functions:
5.2 X X https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-po
14.1 14.2 X X https://kubernetes.io/docs/concepts/services-networking/networkpolicies/:h
14.4 14.8 X X https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets:htt

14.8 X https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-i
5 https://kubernetes.io/docs/concepts/policy/security-context/:https://learn.cis
5.1 X X X https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-p
5.2 5.3 X X https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-a
12 https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-n
14.4 X X https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-d
16.2 X X https://docs.microsoft.com/en-us/azure/aks/azure-ad-rbac:https://docs.mic
5.1 X X X https://docs.microsoft.com/en-us/azure/aks/manage-azure-rbac
14.1 X X https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-cluster
security
need to updates
view the and
logsconfigurations.
generated by these master components. This section shows you how to use Azure Monitor logs to enable and query the logs from th
node for the presence of a file indicating that a reboot is required. Reboots are managed across the cluster using the same cordon and drain process as a
and patches, then removes the older nodes. For more information on this process, see Upgrade a node pool in AKS.
https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/apis/kubeletconfig/v1beta1/types.go:https://kubernetes.io/docs/tasks/administer-cluster/r
pull/41912:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration:https://kubernetes.io/docs/im
the only level of security that you should trust. The security domain for Kubernetes becomes the entire cluster, not an individual node. For these types of ho
e option for customers. Now that the Kubernetes community is working on an alternative, there no longer is a pressing need to deprecate ahead of Kubern
pod-security-policy/#enabling-pod-security-policies:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-privileged-access#pa-7-follow
pod-security-policy/#enabling-pod-security-policies:https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/:https:
es-networking/networkpolicies/:https://octetz.com/posts/k8s-network-policy-apis:https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-p
uration/secret/#using-secrets:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-identity-management#im-7-eliminate-unintended-cr
mark/azure/security-controls-v2-identity-management#im-7-eliminate-unintended-credential-exposure
security-context/:https://learn.cisecurity.org/benchmarks:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-posture-vulnerability-ma
mark/azure/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources
mark/azure/security-controls-v2-asset-management#am-6-use-only-approved-applications-in-compute-resources
mark/azure/security-controls-v2-network-security#ns-2-connect-private-networks-together
mark/azure/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit
s/azure-ad-rbac:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-p
s/manage-azure-rbac
s/operator-best-practices-cluster-isolation
e and query the logs from the Kubernetes master (control plane) components.
on and drain process as a cluster upgrade.
s/tasks/administer-cluster/reconfigure-kubelet/:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-logging-threat-detection
tps://kubernetes.io/docs/imported/release/notes/:https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/:https://kubernetes.io/do
node. For these types of hostile multi-tenant workloads, you should use physically isolated clusters. For more information on ways to isolate workloads, see
eprecate ahead of Kubernetes.
vileged-access#pa-7-follow-just-enough-administration-least-privilege-principle
ged-linux-containers/:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-le
ontainer/declare-network-policy/:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-network-security#ns-1-implement-security-for-in
-7-eliminate-unintended-credential-exposure
v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources
ough-administration-least-privilege-principle
threat-detection
es/:https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/:https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-data-p
ys to isolate workloads, see Best practices for cluster isolation in AKS.
1-implement-security-for-internal-traffic
security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit
Section # Recommendation # Profile
1 L1
2 L1
2.1 L1
2.1 2.1.1 L1
3 L1
3.1 L1
3.1 3.1.1 L1
3.1 3.1.2 L1
3.1 3.1.3 L1
3.1 3.1.4 L1
3.2 L1
3.2 3.2.1 L1
3.2 3.2.2 L1
3.2 3.2.3 L1
3.2 3.2.4 L1
3.2 3.2.5 L1
3.2 3.2.6 L1
3.2 3.2.7 L1
3.2 3.2.8 L1
3.2 3.2.9 L2
3.2 3.2.10 L2
3.2 3.2.11 L1
4 L1
4.1 L1
4.1 4.1.1 L1
4.1 4.1.2 L1
4.1 4.1.3 L1
4.1 4.1.4 L1
4.1 4.1.5 L1
4.1 4.1.6 L1
4.2 L1
4.2 4.2.1 L1
4.2 4.2.2 L1
4.2 4.2.3 L1
4.2 4.2.4 L1
4.2 4.2.5 L1
4.2 4.2.6 L2
4.2 4.2.7 L1
4.2 4.2.8 L1
4.2 4.2.9 L2
4.3 L1
4.4 L1
4.4 4.4.1 L1
4.4 4.4.2 L2
4.5 L1
4.5 4.5.1 L2
4.5 4.5.2 L2
4.6 L1
4.6 4.6.1 L1
4.7 L1
4.7 4.7.1 L1
4.7 4.7.2 L2
4.7 4.7.3 L2
5 L1
5.1 L1
5.1 5.1.1 L1
5.1 5.1.2 L1
5.1 5.1.3 L1
5.1 5.1.4 L2
5.2 L1
5.2 5.2.1 L1
5.3 L1
5.3 5.3.1 L1
5.4 L1
5.4 5.4.1 L1
5.4 5.4.2 L2
5.4 5.4.3 L1
5.4 5.4.4 L1
5.4 5.4.5 L2
5.5 L1
5.5 5.5.1 L2
5.5 5.5.2 L2
5.6 L1
5.6 5.6.1 L1
5.6 5.6.2 L2
MITRE MITRE
Title of Recommendation ATT&CK ATT&CK
Tactic 1 Tactic 2
Master (Control Plane) Components

Master (Control Plane) Configuration
Logging
Enable audit Logs TA0003 TA0004
Worker Nodes TA0001
Worker Node Configuration Files
Ensure that the kubeconfig file permissions are set to 644 or more restrictive TA0005 TA0007
Ensure that the kubelet kubeconfig file ownership is set to root:root TA0005 TA0007
Ensure that the kubelet configuration file has permissions set to 644 or more restrictTA0005 TA0007
Ensure that the kubelet configuration file ownership is set to root:root TA0005 TA0007
Kubelet
Ensure that the --anonymous-auth argument is set to false TA0001 TA0008
Ensure that the --authorization-mode argument is not set to AlwaysAllow TA0001
Ensure that the --client-ca-file argument is set as appropriate TA0006
Ensure that the --read-only-port is secured TA0001 TA0003
Ensure that the --streaming-connection-idle-timeout argument is not set to 0 TA0040
Ensure that the --protect-kernel-defaults argument is set to true TA0004
Ensure that the --make-iptables-util-chains argument is set to true TA0001
Ensure that the --hostname-override argument is not set TA0005
Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appTA0003 TA0004
Ensure that the --rotate-certificates argument is not set to false TA0006
Ensure that the RotateKubeletServerCertificate argument is set to true TA0006
Policies
RBAC and Service Accounts
Ensure that the cluster-admin role is only used where required TA0001 TA0004
Minimize access to secrets TA0006
Minimize wildcard use in Roles and ClusterRoles TA0001 TA0004
Minimize access to create pods TA0001 TA0004
Ensure that default service accounts are not actively used. TA0006
Ensure that Service Account Tokens are only mounted where necessary TA0006
Pod Security Policies
Minimize the admission of privileged containers TA0004
Minimize the admission of containers wishing to share the host process ID namespaTA0001 TA0004
Minimize the admission of containers wishing to share the host IPC namespace TA0003
Minimize the admission of containers wishing to share the host network namespace TA0003
Minimize the admission of containers with allowPrivilegeEscalation TA0004
Minimize the admission of root containers TA0003
Minimize the admission of containers with the NET_RAW capability TA0004
Minimize the admission of containers with added capabilities TA0002 TA0003
Minimize the admission of containers with capabilities assigned TA0002 TA0003
Azure Policy / OPA
CNI Plugin
Ensure latest CNI version is used TA0007
Ensure that all Namespaces have Network Policies defined TA0007
Secrets Management
Prefer using secrets as files over secrets as environment variables TA0006
Consider external secret storage TA0006
Extensible Admission Control
Verify that admission controllers are working as expected TA0001 TA0003
General Policies
Create administrative boundaries between resources using namespaces TA0008 TA0002
Apply Security Context to Your Pods and Containers TA0004 TA0006
The default namespace should not be used TA0005
Managed services
Image Registry and Image Scanning
Ensure Image Vulnerability Scanning using Azure Defender image scanning or a thirTA0011
Minimize user access to Azure Container Registry (ACR) TA0006
Minimize cluster access to read-only for Azure Container Registry (ACR) TA0011
Minimize Container Registries to only those approved TA0002 TA0011
Access and identity options for Azure Kubernetes Service (AKS)
Prefer using dedicated AKS Service Accounts TA0001 TA0007
Key Management Service (KMS)
Ensure Kubernetes Secrets are encrypted TA0006
Cluster Networking
Restrict Access to the Control Plane Endpoint
Ensure clusters are created with Private Endpoint Enabled and Public Access DisabTA0001
Ensure clusters are created with Private Nodes TA0001
Ensure Network Policy is Enabled and set as appropriate TA0001
Encrypt traffic to HTTPS load balancers with TLS certificates TA0006
Authentication and Authorization
Manage Kubernetes RBAC users with Azure AD TA0001 TA0004
Use Azure RBAC for Kubernetes Authorization TA0001 TA0004
Other Cluster Configurations
Restrict untrusted workloads TA0002 TA0011
Hostile multi-tenant workloads TA0002 TA0011
MITRE MITRE MITRE
MITRE CIS CIS CIS
ATT&CK ATT&CK ATT&CK CIS Controls 2
ATT&CK Controls 1 Controls 3 IG (7.1) Controls 1
Technique Technique Mitigation (7.1)
Mitigation 1 (7.1) (7.1) (8)
1 2 2
T1543 M1027 6 6
T1078 M1027
T1222 T1083 M1022 M1018 5.2 2 4.1

T1222 T1083 M1026 M1018 5.2 2 4.1
T1222 T1083 M1022 5.2 2 4.1
T1222 T1083 M1026 5.2 2 3.10
T1190 T1210 M1025 14

T1133 M1026 14 4.1
T1552 M1022 14.4 2 4.1
T1133 M1035 9.2 2 4.1
T1490 M1028 9 4.1
T1611 M1048 5.2 2 4.7
T1190 M1030 9 4.1
T1140 T1484 M1026 5 4.1
T1543 M1047 6 4.1
T1552 M1022 14.4 2 4.1
T1552 M1022 14.4 2 4.1
T1078 T1078.002 M1026 5.1 1 4.1

T1552 M1026 5.2 2 4.1
T1078 T1078.002 M1026 5.1 1 4.1
T1078 T1078.002 M1026 5.2 2 4.1
T1552 M1028 4.3 5.2 1 16.5
T1555 T1528 M1026 5.2 2 4.1
T1611 M1048 M1038 5.2 2 13.5

T1078 T1078.002 M1026 5.2 2 4.1
T1098 M1030 5.2 2 4.6
T1098 M1030 5.2 2 4.1
T1611 M1048 M1038 5.2 2 4.1
T1098 M1026 5.2 2 7.6
T1068 M1050 5.2 2 3.3
T1204 M1047 M1045 5.2 2 3.3
T1204 M1047 M1045 5.2 2 4.1
T1046 M1030 M1042 18.4 2 3.11

T1046 M1030 M1042 14.1 14.2 2 13.4
T1552 M1026 14.4 14.8 2 4.4
T1552 M1026 14.8 3 4.4
T1133 T1195 M1042 M1016 12 13.5
T1609 T1106 M1038 14 8.2

T1611 T1556 M1048 5 3.10
T1578 M1018 5.1 1 4.1
T1071 M1016 M1031 3 3.1 3.2 2 6

T1552 M1026 14.6 1 6
T1568 M1031 M1021 3.2 2 4.6
T1195 T1612 M1031 M1021 5.2 5.3 2 4.6
2.5
T1190 M1026 4.3 1 4.4
T1552 M1041 14.8 3 6.8
T1190 T1133 M1030 12 4.4

T1190 T1133 M1030 12 4.4
T1190 T1133 M1030 9.2 9.4 1 4.4
T1555 T1110 M1027 14.4 2 3.10
T1078 T1078.002 M1026 16.2 2 5.6

T1078 T1078.002 M1026 5.1 1 4.1
T1203 M1048 18 3.12

T1203 M1048 14.1 2 3.12
CIS
CIS Controls
Controls 2 IG (8)
3 (8)
(8)
1
1
1
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
2
1
2
1
1
1
1
2
1
1
1
2
2
1
1
8.5 1
2
1
1
1
1
1
2
1
1
1
4.4 1
2
2
1
2
2
MITRE Tactics (1 per cell):
MITRE Techniques (1 per cell):
MITRE Mitigations (1 per cell):
All Applicable Rec# Rec # Rec #2 Rec #3 Rec #4 Rec #5 Rec #6 Rec #7
0
0
0
0
0
0
0
0
Err:508 Err:508 Err:508 Err:508 Err:508 Err:508 Err:508 Err:508

0
0


0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Rec #8 Rec #9 Rec #10
Err:508 Err:508 Err:508
Err:508 Err:508 Err:508
Err:508 Err:508 Err:508
Err:508 Err:508 Err:508
Err:508 Err:508 Err:508
Err:508 Err:508 Err:508
Err:508 Err:508 Err:508

Err:508 Err:508 Err:508
Err:508 Err:508 Err:508
Err:508 Err:508 Err:508

Err:508 Err:508 Err:508
Err:508 Err:508 Err:508
Err:508 Err:508 Err:508

Err:508 Err:508 Err:508
Err:508 Err:508 Err:508

Err:508 Err:508 Err:508
Err:508 Err:508 Err:508

Err:508 Err:508 Err:508
Err:508 Err:508 Err:508
Err:508 Err:508 Err:508

Err:508 Err:508 Err:508
Err:508 Err:508 Err:508
Err:508 Err:508 Err:508
To filter by Tactic, add the Tactic ID to any cell from B1 through K1. Then use the drop down filter (row 5) to clear the blanks.
To filter by Technique, add the Technique ID to any cell from B2 through K2. Then use the drop down filter (row 5) to clear the blank
To filter by Mitigation, add the Mitigation ID to any cell from B3 through K3. Then use the drop down filter (row 5) to clear the blanks
Title
Logging
Enable audit Logs
Worker Nodes
Ensure that the kubeconfig file permissions are set to 644 or more restrictive
Ensure that the kubelet kubeconfig file ownership is set to root:root
Ensure that the kubelet configuration file has permissions set to 644 or more restrictive
Ensure that the kubelet configuration file ownership is set to root:root
Kubelet
Ensure that the --anonymous-auth argument is set to false
Ensure that the --authorization-mode argument is not set to AlwaysAllow
Ensure that the --client-ca-file argument is set as appropriate
Ensure that the --read-only-port is secured
Ensure that the --streaming-connection-idle-timeout argument is not set to 0
Ensure that the --protect-kernel-defaults argument is set to true
Ensure that the --make-iptables-util-chains argument is set to true
Ensure that the --hostname-override argument is not set
Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture
Ensure that the --rotate-certificates argument is not set to false
Ensure that the RotateKubeletServerCertificate argument is set to true
Policies
Ensure that the cluster-admin role is only used where required
Minimize access to secrets
Minimize wildcard use in Roles and ClusterRoles
Minimize access to create pods
Ensure that default service accounts are not actively used.
Ensure that Service Account Tokens are only mounted where necessary
Minimize the admission of privileged containers
Minimize the admission of containers wishing to share the host process ID namespace
Minimize the admission of containers wishing to share the host IPC namespace
Minimize the admission of containers wishing to share the host network namespace
Minimize the admission of containers with allowPrivilegeEscalation
Minimize the admission of root containers
Minimize the admission of containers with the NET_RAW capability
Minimize the admission of containers with added capabilities
Minimize the admission of containers with capabilities assigned
Azure Policy / OPA
CNI Plugin
Ensure latest CNI version is used
Ensure that all Namespaces have Network Policies defined
Secrets Management
Prefer using secrets as files over secrets as environment variables
Consider external secret storage
Verify that admission controllers are working as expected
General Policies
Create administrative boundaries between resources using namespaces

Apply Security Context to Your Pods and Containers
The default namespace should not be used

Managed services
Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider
Minimize user access to Azure Container Registry (ACR)
Minimize cluster access to read-only for Azure Container Registry (ACR)

Minimize Container Registries to only those approved
Prefer using dedicated AKS Service Accounts

Ensure Kubernetes Secrets are encrypted
Cluster Networking

Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
Ensure clusters are created with Private Nodes
Ensure Network Policy is Enabled and set as appropriate
Encrypt traffic to HTTPS load balancers with TLS certificates
Manage Kubernetes RBAC users with Azure AD
Use Azure RBAC for Kubernetes Authorization
Restrict untrusted workloads
Hostile multi-tenant workloads
CIS Sub-Control
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
3.1
3.2
3.3
3.4
3.5
3.6
3.7
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
5.1
5.2
5.3
5.4
5.5
6.1
6.2
6.3
6.4
6.5
6.6
6.7
6.8
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9
7.10
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
9.1
9.2
9.3
9.4
9.5
10.1
10.2
10.3
10.4
10.5
11.1
11.2
11.3
11.4
11.5
11.6
11.7
12.1
12.2
12.3
12.4
12.5
12.6
12.7
12.8
12.9
12.10
12.11
12.12
13.1
13.2
13.3
13.4
13.5
13.6
13.7
13.8
13.9
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
15.5
15.6
15.7
15.8
15.9
15.10
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
16.13
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
18.6
18.7
18.8
18.9
18.10
18.11
19.1
19.2
19.3
19.4
19.5
19.6
19.7
19.8
20.1
20.2
20.3
20.4
20.5
20.6
20.7
20.8
Title
Utilize an Active Discovery Tool
Use a Passive Asset Discovery Tool
Use DHCP Logging to Update Asset Inventory
Maintain Detailed Asset Inventory
Maintain Asset Inventory Information
Address Unauthorized Assets
Deploy Port Level Access Control
Utilize Client Certificates to Authenticate Hardware Assets
Maintain Inventory of Authorized Software
Ensure Software is Supported by Vendor
Utilize Software Inventory Tools
Track Software Inventory Information
Integrate Software and Hardware Asset Inventories
Address unapproved software
Utilize Application Whitelisting
Implement Application Whitelisting of Libraries
Implement Application Whitelisting of Scripts
Physically or Logically Segregate High Risk Applications
Run Automated Vulnerability Scanning Tools
Perform Authenticated Vulnerability Scanning
Protect Dedicated Assessment Accounts
Deploy Automated Operating System Patch Management Tools
Deploy Automated Software Patch Management Tools
Compare Back-to-Back Vulnerability Scans
Utilize a Risk-Rating Process
Maintain Inventory of Administrative Accounts
Change Default Passwords
Ensure the Use of Dedicated Administrative Accounts
Use Unique Passwords
Use Multi-Factor Authentication for All Administrative Access
Use Dedicated Workstations For All Administrative Tasks
Limit Access to Script Tools
Log and Alert on Changes to Administrative Group Membership
Log and Alert on Unsuccessful Administrative Account Login
Establish Secure Configurations
Maintain Secure Images
Securely Store Master Images
Deploy System Configuration Management Tools
Implement Automated Configuration Monitoring Systems
Utilize Three Synchronized Time Sources
Activate Audit Logging
Enable Detailed Logging
Ensure Adequate Storage for Logs
Central Log Management
Deploy SIEM or Log Analytic Tools
Regularly Review Logs
Regularly Tune SIEM
Ensure Use of Only Fully Supported Browsers and Email Clients
Disable Unnecessary or Unauthorized Browser or Email Client Plugins
Limit Use of Scripting Languages in Web Browsers and Email Clients
Maintain and Enforce Network-Based URL Filters
Subscribe to URL-Categorization Service
Log All URL requester
Use of DNS Filtering Services
Implement DMARC and Enable Receiver-Side Verification
Block Unnecessary File Types
Sandbox All Email Attachments
Utilize Centrally Managed Anti-malware Software
Ensure Anti-Malware Software and Signatures Are Updated
Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
Configure Anti-Malware Scanning of Removable Devices
Configure Devices to Not Auto-Run Content
Centralize Anti-Malware Logging
Enable DNS Query Logging
Enable Command-Line Audit Logging
Associate Active Ports, Services, and Protocols to Asset Inventory
Ensure Only Approved Ports, Protocols, and Services Are Running
Perform Regular Automated Port Scans
Apply Host-Based Firewalls or Port-Filtering
Implement Application Firewalls
Ensure Regular Automated BackUps
Perform Complete System Backups
Test Data on Backup Media
Protect Backups
Ensure All Backups Have at Least One Offline Backup Destination
Maintain Standard Security Configurations for Network Devices
Document Traffic Configuration Rules
Use Automated Tools to Verify Standard Device Configurations and Detect Changes
Install the Latest Stable Version of Any Security-Related Updates on All Network Devices
Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
Use Dedicated Machines For All Network Administrative Tasks
Manage Network Infrastructure Through a Dedicated Network
Maintain an Inventory of Network Boundaries
Scan for Unauthorized Connections Across Trusted Network Boundaries
Deny Communications With Known Malicious IP Addresses
Deny Communication Over Unauthorized Ports
Configure Monitoring Systems to Record Network Packets
Deploy Network-Based IDS Sensors
Deploy Network-Based Intrusion Prevention Systems
Deploy NetFlow Collection on Networking Boundary Devices
Deploy Application Layer Filtering Proxy Server
Decrypt Network Traffic at Proxy
Require All Remote Login to Use Multi-Factor Authentication
Manage All Devices Remotely Logging into Internal Network
Maintain an Inventory of Sensitive Information
Remove Sensitive Data or Systems Not Regularly Accessed by Organization
Monitor and Block Unauthorized Network Traffic
Only Allow Access to Authorized Cloud Storage or Email Providers
Monitor and Detect Any Unauthorized Use of Encryption
Encrypt Mobile Device Data
Manage USB Devices
Manage System's External Removable Media's Read/Write Configurations
Encrypt Data on USB Storage Devices
Segment the Network Based on Sensitivity
Enable Firewall Filtering Between VLANs
Disable Workstation to Workstation Communication
Encrypt All Sensitive Information in Transit
Utilize an Active Discovery Tool to Identify Sensitive Data
Protect Information Through Access Control Lists
Enforce Access Control to Data Through Automated Tools
Encrypt Sensitive Information at Rest
Enforce Detail Logging for Access or Changes to Sensitive Data
Maintain an Inventory of Authorized Wireless Access Points
Detect Wireless Access Points Connected to the Wired Network
Use a Wireless Intrusion Detection System
Disable Wireless Access on Devices if Not Required
Limit Wireless Access on Client Devices
Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients
Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
Use Wireless Authentication Protocols That Require Mutual, Multi-Factor Authentication
Disable Wireless Peripheral Access of Devices
Create Separate Wireless Network for Personal and Untrusted Devices
Maintain an Inventory of Authentication Systems
Configure Centralized Point of Authentication
Require Multi-Factor Authentication
Encrypt or Hash all Authentication Credentials
Encrypt Transmittal of Username and Authentication Credentials
Maintain an Inventory of Accounts
Establish Process for Revoking Access
Disable Any Unassociated Accounts
Disable Dormant Accounts
Ensure All Accounts Have An Expiration Date
Lock Workstation Sessions After Inactivity
Monitor Attempts to Access Deactivated Accounts
Alert on Account Login Behavior Deviation
Perform a Skills Gap Analysis
Deliver Training to Fill the Skills Gap
Implement a Security Awareness Program
Update Awareness Content Frequently
Train Workforce on Secure Authentication
Train Workforce on Identifying Social Engineering Attacks
Train Workforce on Sensitive Data Handling
Train Workforce on Causes of Unintentional Data Exposure
Train Workforce Members on Identifying and Reporting Incidents
Establish Secure Coding Practices
Ensure That Explicit Error Checking is Performed for All In-House Developed Software
Verify That Acquired Software is Still Supported
Only Use Up-to-Date and Trusted Third-Party Components
Use Only Standardized and Extensively Reviewed Encryption Algorithms
Ensure Software Development Personnel are Trained in Secure Coding
Apply Static and Dynamic Code Analysis Tools
Establish a Process to Accept and Address Reports of Software Vulnerabilities
Separate Production and Non-Production Systems
Deploy Web Application Firewalls
Use Standard Hardening Configuration Templates for Databases
Document Incident Response Procedures
Assign Job Titles and Duties for Incident Response
Designate Management Personnel to Support Incident Handling
Devise Organization-wide Standards for Reporting Incidents
Maintain Contact Information For Reporting Security Incidents
Publish Information Regarding Reporting Computer Anomalies and Incidents
Conduct Periodic Incident Scenario Sessions for Personnel
Create Incident Scoring and Prioritization Schema
Establish a Penetration Testing Program
Conduct Regular External and Internal Penetration Tests
Perform Periodic Red Team Exercises
Include Tests for Presence of Unprotected System Information and Artifacts
Create Test Bed for Elements Not Typically Tested in Production
Use Vulnerability Scanning and Penetration Testing Tools in Concert
Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
Control and Monitor Accounts Associated with Penetration Testing
IG
2
3
2
1
2
1
2
3
1
1
2
2
3
1
3
3
3
3
2
2
2
1
1
2
2
2
1
1
2
2
3
2
2
2
1
2
2
2
2
2
1
2
2
2
2
2
3
1
2
2
2
2
2
1
2
2
1
2
1
2
1
1
2
2
2
2
2
2
1
3
1
1
2
1
1
2
2
2
1
2
2
2
1
2
2
1
2
2
3
2
3
3
2
3
1
1
3
2
3
1
2
3
3
2
2
2
2
3
1
3
3
3
2
2
2
3
3
2
1
3
2
1
2
2
2
2
2
2
2
1
1
2
1
2
3
2
2
1
2
1
1
1
1
1
2
2
2
2
2
2
2
2
2
2
2
1
2
1
2
1
1
2
3
2
2
3
2
2
2
3
2
Rec # Control Map 1 Control Map 2 Control Map 3 What IG? (Map 1)
0 0 0
0 0 0
0 0 0 0
2.1.1 6 0 0
0 0 0 0
0 0 0 0
3.1.1 5.2 0 0 2
3.1.2 5.2 0 0 2
3.1.3 5.2 0 0 2
3.1.4 5.2 0 0 2
0 0 0 0
3.2.1 14 0 0
3.2.2 14 0 0
3.2.3 14.4 0 0 2
3.2.4 9.2 0 0 2
3.2.5 9 0 0
3.2.6 5.2 0 0 2
3.2.7 9 0 0
3.2.8 5 0 0
3.2.9 6 0 0
3.2.10 14.4 0 0 2
3.2.11 14.4 0 0 2
0 0 0 0
0 0 0 0
4.1.1 5.1 0 0 1
4.1.2 5.2 0 0 2
4.1.3 5.1 0 0 1
4.1.4 5.2 0 0 2
4.1.5 4.3 5.2 0 1
4.1.6 5.2 0 0 2
0 0 0 0
4.2.1 5.2 0 0 2
4.2.2 5.2 0 0 2
4.2.3 5.2 0 0 2
4.2.4 5.2 0 0 2
4.2.5 5.2 0 0 2
4.2.6 5.2 0 0 2
4.2.7 5.2 0 0 2
4.2.8 5.2 0 0 2
4.2.9 5.2 0 0 2
0 0 0 0
0 0 0 0
4.4.1 18.4 0 0 2
4.4.2 14.1 14.2 0 2
0 0 0 0
4.5.1 14.4 14.8 0 2
4.5.2 14.8 0 0 3
0 0 0 0
4.6.1 12 0 0
0 0 0 0
4.7.1 14 0 0
4.7.2 5 0 0
4.7.3 5.1 0 0 1
0 0 0 0
0 0 0 0
5.1.1 3 3.1 3.2
5.1.2 14.6 0 0 1
5.1.3 3.2 0 0 2
5.1.4 5.2 5.3 0 2
0 0 0 0
5.2.1 4.3 0 0 1
0 0 0 0
5.3.1 14.8 0 0 3
0 0 0 0
5.4.1 0 0
5.4.2 12 0 0
5.4.3 12 0 0
5.4.4 9.2 9.4 0 2
5.4.5 14.4 0 0 2
0 0 0 0
5.5.1 16.2 0 0 2
5.5.2 5.1 0 0 1
0 0 0 0
5.6.1 18 0 0
5.6.2 14.1 0 0 2
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
What IG? (Map 2) What IG? (Map 3) Lowest IG
2
2
2
2
2
2
2
2
1
2
1
2
2 1
2
2
2
2
2
2
2
2
2
2
2
2 2
3 2
3
2 2 2
1
2
2 2
1 1
2
2
1
2
Rec Title
Logging
Enable audit Logs
Worker Nodes
Kubelet
Policies
Azure Policy / OPA
CNI Plugin
Secrets Management
General Policies
Managed services
Cluster Networking
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
V7 Safeguard CISSafeguard Asset Type Security Function
1.1 1.3 Devices Detect
1.3 1.4 Devices Identify
1.6 1.2 Devices Respond
1.7 13.9 Devices Protect
2.1 2.1 Applications Identify
2.3 2.4 Applications Detect
2.6 2.3 Applications Respond
2.7 2.5 Applications Protect

2.10 3.12 Network Protect
3.3 5.5 Users Identify
4.2 4.7 Users Protect
4.8 8.5 Network Detect




10.1 11.2 Data Recover

10.4 11.3 Data Protect

12.1 12.4 Network Identify

13.1 3.2 Data Identify


14.9 3.14 Data Detect

16.8 5.3 Users Respond

17.2 14.9 N/A Protect

19.1 17.4 N/A Respond

19.7 17.7 N/A Recover
19.8 17.9 N/A Recover
20.1 18.1 N/A Identify
New 3.1 Data Identify
New 3.4 Data Protect

New 4.6 Network Protect
New 4.8 Devices Protect
New 4.10 Devices Respond
New 5.5 Users Identify
New 6.1 Users Protect
New 7.1 Applications Protect
New 7.2 Applications Respond
New 7.7 Applications Respond
New 8.12 Data Detect

New 10.7 Devices Detect
New 11.1 Data Recover
New 13.2 Devices Detect
New 14.7 N/A Protect
New 15.1 N/A Identify
New 15.6 Data Detect

New 17.6 N/A Respond
New 17.8 N/A Recover
4
5
10
11
12
13
14
15
16
17
18
Title
Utilize an Active Discovery Tool
Use Dynamic Host Configuration Protocol

(DHCP) Logging to Update Enterprise
Asset Inventory
Establish and Maintain Detailed Enterprise

Asset Inventory

Asset Inventory
Address Unauthorized Assets
Deploy Port-Level Access Control
Deploy Port-Level Access Control
Establish and Maintain a Software

Inventory
Ensure Authorized Software is Currently

Supported
Utilize Automated Software Inventory

Tools
Establish and Maintain a Software

Inventory
Address Unauthorized Software
Allowlist Authorized Software

Allowlist Authorized Libraries
Allowlist Authorized Scripts
Segment Data Processing and Storage

Based on Sensitivity
Perform Automated Vulnerability Scans of
Internal Enterprise Assets
Externally-Exposed Enterprise Assets
Establish and Maintain an Inventory of

Service Accounts
Perform Automated Operating System

Patch Management
Perform Automated Application Patch
Management
Establish and Maintain a Remediation
Process
Process
Establish and Maintain a Severity Rating

System and Process for Application
Vulnerabilities
Remediate Penetration Test Findings

Accounts
Manage Default Accounts on Enterprise

Assets and Software
Restrict Administrator Privileges to
Dedicated Administrator Accounts
Use Unique Passwords
Require MFA for Administrative Access
Establish and Maintain Dedicated

Computing Resources For all
Administrative Work
Collect Detailed Audit Logs

Establish and Maintain a Secure
Configuration Process

Standardize Time Synchronization
Collect Audit Logs
Ensure Adequate Audit Log Storage

Centralize Audit Logs
Centralize Security Event Alerting
Conduct Audit Log Reviews
Tune Security Event Alerting Thresholds

Ensure Use of Only Fully Supported
Browsers and Email Clients
Restrict Unnecessary or Unauthorized
Browser and Email Client Extensions
Maintain and Enforce Network-Based URL

Filters

Filters
Collect URL Request Audit Logs

Use DNS Filtering Services
Implement DMARC
Block Unnecessary File Types

Deploy and Maintain Email Server Anti-
Malware Protections
Centrally Manage Anti-Malware Software
Configure Automatic Anti-Malware
Signature Updates
Enable Anti-Exploitation Features
Configure Automatic Anti-Malware

Scanning of Removable Media
Disable Autorun and Autoplay for
Removable Media
Collect Audit Logs
Collect DNS Query Audit Logs
Collect Command-Line Audit Logs

Asset Inventory
Implement and Manage a Firewall on

Servers
Implement and Manage a Firewall on End-
User Devices
Servers
User Devices
Perform Application Layer Filtering
Perform Automated Backups
Perform Automated Backups
Test Data Recovery

Protect Recovery Data
Establish and Maintain an Isolated
Instance of Recovery Data
Configuration Process for Network
Infrastructure
Servers
User Devices
Configuration Process for Network
Infrastructure
Perform Automated Application Patch
Management
Ensure Network Infrastructure is Up-to-
Date
Securely Manage Network Infrastructure

Administrative Work
Administrative Work
Establish and Maintain Architecture
Diagram(s)
Manage Access Control for Remote

Assets
Use DNS Filtering Services

Servers
User Devices
Deploy a Network Intrusion Detection
Solution
Deploy a Network Intrusion Prevention
Solution
Collect Network Traffic Flow Logs
Require MFA for Remote Network Access
Manage Access Control for Remote

Assets
Establish and Maintain a Data Inventory
Securely Dispose of Data
Deploy a Data Loss Prevention Solution
Address Unauthorized Software

Filters
Encrypt Data on End-User Devices
Encrypt Data on Removable Media

Encrypt Data on Removable Media
Segment Data Processing and Storage
Based on Sensitivity
Perform Traffic Filtering Between Network
Segments

Encrypt Sensitive Data in Transit
Configure Data Access Control Lists
Encrypt Sensitive Data at Rest
Log Sensitive Data Access

Asset Inventory
Deploy a Network Intrusion Prevention

Solution
Uninstall or Disable Unnecessary Services
on Enterprise Assets and Software
Use of Secure Network Management and

Communication Protocols
Establish and Maintain a Secure Network
Architecture
Authentication and Authorization Systems
Centralize Account Management
Require MFA for Externally-Exposed
Applications
Encrypt Sensitive Data at Rest

Accounts
Establish an Access Revoking Process

Configure Automatic Session Locking on
Enterprise Assets
Conduct Role-Specific Security Awareness

and Skills Training
Establish and Maintain a Security

Awareness Program
Establish and Maintain a Security

Awareness Program
Train Workforce Members on

Authentication Best Practices
Train Workforce Members to Recognize
Social Engineering Attacks
Train Workforce on Data Handling Best

Practices
Train Workforce Members on Causes of

Unintentional Data Exposure
Train Workforce Members on Recognizing
and Reporting Security Incidents
Application Development Process
Apply Secure Design Principles in

Application Architectures
Establish and Manage an Inventory of

Third-Party Software Components
Use Up-to-Date and Trusted Third-Party

Software Components
Leverage Vetted Modules or Services for

Application Security Components
Train Developers in Application Security

Concepts and Secure Coding
Implement Code-Level Security Checks
Establish and Maintain a Process to

Accept and Address Software
Vulnerabilities
Separate Production and Non-Production

Systems
Use Standard Hardening Configuration

Templates for Application Infrastructure
Establish and Maintain an Incident

Response Process
Assign Key Roles and Responsibilities

Designate Personnel to Manage Incident
Handling
Establish and Maintain an Enterprise

Process for Reporting Incidents
Establish and Maintain Contact Information

for Reporting Security Incidents
Establish and Maintain an Enterprise

Process for Reporting Incidents
Conduct Routine Incident Response

Exercises
Establish and Maintain Security Incident

Thresholds
Establish and Maintain a Penetration

Testing Program
Perform Periodic External Penetration

Tests
Perform Periodic Internal Penetration

Tests

Tests
Perform Periodic Internal Penetration

Tests

Tests

Service Accounts
Establish and Maintain a Data

Management Process
Enforce Data Retention
Securely Dispose of Data

Establish and Maintain a Data
Classification Scheme
Document Data Flows
Securely Manage Enterprise Assets and

Software

Configure Trusted DNS Servers on
Enterprise Assets
Enforce Automatic Device Lockout on

Portable End-User Devices
Enforce Remote Wipe Capability on

Portable End-User Devices
Separate Enterprise Workspaces on

Mobile End-User Devices

Service Accounts
Establish an Access Granting Process
Require MFA for Externally-Exposed

Applications
Centralize Access Control
Define and Maintain Role-Based Access

Control
Establish and Maintain a Vulnerability

Management Process
Process
Remediate Detected Vulnerabilities
Establish and Maintain an Audit Log

Management Process
Retain Audit Logs
Collect Service Provider Logs
Deploy and Maintain Email Server Anti-

Malware Protections
Deploy and Maintain Anti-Malware
Software
Use Behavior-Based Anti-Malware
Software
Establish and Maintain a Data Recovery

Process
Establish and Maintain a Secure Network

Architecture
Centralize Network Authentication,
Authorization, and Auditing (AAA)
Use of Secure Network Management and
Communication Protocols
Ensure Remote Devices Utilize a VPN and
are Connecting to an Enterprise’s AAA
Infrastructure
Deploy a Host-Based Intrusion Detection
Solution
Deploy a Host-Based Intrusion Prevention
Solution
Train Workforce on How to Identify and
Report if Their Enterprise Assets are
Missing Security Updates
Train Workforce on the Dangers of
Connecting to and Transmitting Enterprise
Data Over Insecure Networks

Service Providers
Establish and Maintain a Service Provider

Management Policy
Classify Service Providers
Ensure Service Provider Contracts Include

Security Requirements
Assess Service Providers
Monitor Service Providers
Securely Decommission Service Providers

Perform Root Cause Analysis on Security
Vulnerabilities
Establish and Manage an Inventory of

Third-Party Software Components
Establish and Maintain a Severity Rating

System and Process for Application
Vulnerabilities
Apply Secure Design Principles in

Application Architectures
Leverage Vetted Modules or Services for

Application Security Components
Implement Code-Level Security Checks
Conduct Application Penetration Testing
Conduct Threat Modeling
Define Mechanisms for Communicating

During Incident Response
Conduct Post-Incident Reviews
Remediate Penetration Test Findings
Validate Security Measures
Inventory and Control of Enterprise Assets
Inventory and Control of Software

Assets
Data Protection
Secure Configuration of Enterprise
Assets and Software
Account Management
Access Control Management
Continuous Vulnerability Management
Audit Log Management
Email and Web Browser Protections
Malware Defenses
Data Recovery
Network Infrastructure Management
Network Monitoring and Defense
Security Awareness and Skills Training
Service Provider Management
Application Software Security
Incident Response Management
Penetration Testing
Description
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to
execute daily, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the
enterprise’s asset inventory at least weekly, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset
inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or proc
data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers.
Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department f
each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools
support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, rem
and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network
infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-
annually, or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asse
from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as
certificates, and may incorporate user and/or device authentication.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as
certificates, and may incorporate user and/or device authentication.
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must
document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Unifor
Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the
software inventory bi-annually, or more frequently.
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If soft
is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls
residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Revie
the software list to verify software support at least monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of insta
software.
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must
document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Unifor
Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the
software inventory bi-annually, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Revie
monthly, or more frequently.
Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed.
Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to
into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequen
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as
specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more
frequently.
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets
intended for lower sensitivity data.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both
authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning t
Perform scans on a monthly, or more frequent, basis.
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review
and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a
minimum quarterly, or more frequently.
Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent
basis.
Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent
reviews.
reviews.
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in
which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing c
or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ens
the most severe bugs are fixed first. Review and update the system and process annually.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and
administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequentl
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor acco
Example implementations can include: disabling default accounts or making them unusable.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities
such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password
accounts using MFA and a 14-character password for accounts not using MFA.
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or thr
a third-party provider.
Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or ta
requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not
allowed internet access.
frequently.
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestam
source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; n
computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.
Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise
assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation require
use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant
correlation alerts also satisfies this Safeguard.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on
weekly, or more frequent, basis.
Tune security event alerting thresholds monthly, or more frequently.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of
browsers and email clients provided through the vendor.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, a
add-on applications.
frequently.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapprove
websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists
Enforce filters for all enterprise assets.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.
Centrally manage anti-malware software.
Configure automatic updates for anti-malware signature files on all enterprise assets.
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Preven
(DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Configure anti-malware software to automatically scan removable media.
Disable autorun and autoplay auto-execute functionality for removable media.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise
assets.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remo
administrative terminals.
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating sy
firewall, or a third-party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all tra
except those services and ports that are explicitly allowed.
Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of
data.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of
data.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirem
Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup
destinations through offline, cloud, or off-site systems or services.
Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or whe
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or whe
Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software
and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently,
verify software support.
Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the u
secure network protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation
Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise reso
based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration proce
and ensuring the operating system and applications are up-to-date.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the us
a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intru
Prevention System (NIPS) or equivalent CSP service.
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
Require MFA for remote network access.
Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise reso
based on: up-to-date anti-malware software installed; configuration compliance with the enterprise’s secure configuration proce
and ensuring the operating system and applications are up-to-date.
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a
minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method ar
commensurate with the data sensitivity.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, proce
or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterpri
sensitive data inventory.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Revie
monthly, or more frequently.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker ®, Apple
FileVault®, Linux® dm-crypt.
Encrypt data on removable media.
Encrypt data on removable media.
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets
intended for lower sensitivity data.
Perform traffic filtering between network segments, where appropriate.
Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell
(OpenSSH).
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access
permissions, to local and remote file systems, databases, and applications.
Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also
known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may includ
application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit
access to the plain-text data.
Log sensitive data access, including modification and disposal.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the
enterprise’s asset inventory at least weekly, or more frequently.
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intru
Prevention System (NIPS) or equivalent CSP service.
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web
application module, or service function.
(OpenSSH).
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or
greater).
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privileg
and availability, at a minimum.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site
a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.
Centralize account management through a directory or identity service.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a
directory service or SSO provider is a satisfactory implementation of this Safeguard.
Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also
known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may includ
application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit
access to the plain-text data.
(OpenSSH).
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and
administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequentl
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts
immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, ma
necessary to preserve audit trails.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating sys
the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
Conduct role-specific security awareness and skills training. Example implementations include secure system administration co
for IT professionals, (OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and
advanced social engineering awareness training for high-profile roles.
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterpri
workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum,
annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterpri
workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum,
annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential
management.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes
training workforce members on clear screen and desk best practices, such as locking their screen when they step away from th
enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensiti
data, losing a portable end-user device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an incident.
Establish and maintain a secure application development process. In the process, address such items as: secure application de
standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application
security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that cou
impact this Safeguard.
Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and
enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Example
include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and accept
ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off
unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts.
Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of mate
as well as components slated for future use. This inventory is to include any risks that each third-party component could
pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the compone
still supported.
Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and
libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabil
before use.
Leverage vetted modules or services for application security components, such as identity management, encryption, and auditi
and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood o
design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and
authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensivel
reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.
Ensure that all software development personnel receive training in writing secure code for their specific development environme
and responsibilities. Training can include general security principles and application security standard practices. Conduct trainin
least annually and design in a way to promote security within the development team, and build a culture of security among the
developers.
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for exte
entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process,
responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing.
part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for
identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant ente
changes occur that could impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside
stakeholders.
Maintain separate environments for production and non-production systems.
Use standard, industry-recommended hardening configuration templates for application infrastructure components. This include
underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, an
SaaS components. Do not allow in-house developed software to weaken configuration hardening.
Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a
communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public
relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise
changes occur that could impact this Safeguard.
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management
personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least
person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occu
could impact this Safeguard.
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting
timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is
publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include inter
staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and
Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting
timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is
publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response proces
prepare for responding to real-world incidents. Exercises need to test communication channels, decision making, and workflow
Conduct testing on an annual basis, at a minimum.
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event.
Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetr
testing program characteristics include scope, such as network, web application, Application Programming Interface (API), host
services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of
contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing
include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized
and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear bo
opaque box.
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear bo
opaque box.
Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, dat
retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum
timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method ar
commensurate with the data sensitivity.
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,
“Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annu
or when significant enterprise changes occur that could impact this Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s da
management process. Review and update documentation annually, or when significant enterprise changes occur that could imp
this Safeguard.
Securely manage enterprise assets and software. Example implementations include managing configuration through version-
controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell
(SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype
Network) and HTTP, unless operationally essential.
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-
controlled DNS servers and/or reputable externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-us
devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, n
more than 10 failed authentication attempts. Example implementations include Microsoft ® InTune Device Lock and Apple®
Configuration Profile maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stol
devices, or when an individual no longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations incl
using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal
applications and data.
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or ro
change of a user.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a
directory service or SSO provider is a satisfactory implementation of this Safeguard.
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
Define and maintain role-based access control, through determining and documenting the access rights necessary for each role
within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validat
that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentat
reviews.
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on t
remediation process.
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, ad
the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when
Retain audit logs across enterprise assets for a minimum of 90 days.
Collect service provider logs, where supported. Example implementations include collecting authentication and authorization ev
data creation and disposal events, and user management events.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.
Deploy and maintain anti-malware software on all enterprise assets.
Use behavior-based anti-malware software.
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritiz
and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur tha
could impact this Safeguard.
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privileg
and availability, at a minimum.
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or
greater).
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources
end-user devices.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example
implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and
tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activitie
the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home netwo
infrastructure.
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classificatio
and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory,
assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significan
enterprise changes occur that could impact this Safeguard.
Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data
volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications
Ensure service provider contracts include security requirements. Example requirements may include minimum security program
requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal
commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Revie
service provider contracts annually to ensure contracts are not missing security requirements.
Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary ba
on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous
processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.
Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic
reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service account deactivation, termination o
data flows, and secure disposal of enterprise data within service provider systems.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evalua
underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual
vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of mate
as well as components slated for future use. This inventory is to include any risks that each third-party component could
pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the compone
still supported.
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in
which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing c
or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ens
the most severe bugs are fixed first. Review and update the system and process annually.
Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and
enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Example
include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and accept
ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off
unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as identity management, encryption, and auditi
and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood o
design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and
authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensivel
reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed
Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding bus
logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to
manually manipulate an application as an authenticated and unauthenticated user.
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a
design, before code is created. It is conducted through specially trained individuals who evaluate the application design and ga
security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a
structured way to understand its weaknesses.
Determine which primary and secondary mechanisms will be used to communicate and report during a security incident.
Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected
during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and
follow-up action.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the
techniques used during testing.
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network
devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remo
and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within th
enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so th
only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and
prevented from installation or execution.
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile
network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator
accounts, as well as service accounts, to enterprise assets and software.
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administra
and service accounts for enterprise assets and software.
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private
industry sources for new threat and vulnerability information.
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to
manipulate human behavior through direct engagement.
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise asse
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and
trusted state.
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from
exploiting vulnerable network services and access points.
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against sec
threats across the enterprise’s network infrastructure and user base.
Establish and maintain a security awareness program to influence behavior among the workforce to be security consc
and properly skilled to reduce cybersecurity risks to the enterprise.
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical
platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate
security weaknesses before they can impact the enterprise.
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined
roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls
(people, processes, and technology), and simulating the objectives and actions of an attacker.
IG1 IG2 IG3
x x
x x
x x x
x x x
x x x
x x x
x x x
x x
x x x
x x x
x x
x x
x x
x x
x x
x x
x x
x x x
x x x
x x x
x x x
x x
x x
x x x
x x x
x x x
x x x
x x x
x x
x x
x x x
x x x
x x
x x x
x x
x x x
x x
x x
x x
x x x
x x
x x
x x
x x
x x x
x x
x x
x x
x x x
x x
x x
x x x
x x x
x x
x x
x x x
x x x
x x x
x x
x x
x x x
x x x
x x x
x x x
x x
x x x
x x x
x x x
x x x
x x x
x x x
x x x
x x x
x x
x x
x x
x x
x x
x x x
x x x
x x x
x x
x x
x
x x x
x x
x x x
x x x
x x x
x x
x x x
x x
x x
x x
x x
x x x
x x
x x x
x x
x x x
x x
x x
x x
x x
x x
x x
x x
x x
x x x
x x
x x
x x x
x x x
x x x
x x x
x x x
x x x
x x
x x
x x x
x x x
x x x
x x x
x x x
x x x
x x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x x
x x x
x x x
x x x
x x
x x
x x
x x
x x
x x
x x x
x x x
x x x
x x
x x
x x x
x x
x x
x x
x x
x x
x x x
x x x
x x
x x x
x x x
x x
x x x
x x
x
x x x
x x
x x x
x x
x x
x x
x x
x x
x x x
x x x
x x x
x x
x x
x x
x
x x
x x
x x
x x
x x
x x
x x
x x
x
Final Draft V8 Sub-
title
Control # IG
1.1 Establish and Maintain Detailed Enterprise Asset Inventory 1
1.2 Address Unauthorized Assets 1
1.3 Utilize an Active Discovery Tool 2
Use Dynamic Host Configuration Protocol (DHCP) Logging to
1.4
Update Enterprise Asset Inventory 2
1.5 Use a Passive Asset Discovery Tool 3
2.1 Establish and Maintain a Software Inventory 1
2.2 Ensure Authorized Software is Currently Supported 1
2.3 Address Unauthorized Software 1
2.4 Utilize Automated Software Inventory Tools 2
2.5 Allowlist Authorized Software 2
2.6 Allowlist Authorized Libraries 2
2.7 Allowlist Authorized Scripts 3
3.1 Establish and Maintain a Data Management Process 1
3.2 Establish and Maintain a Data Inventory 1
3.3 Configure Data Access Control Lists 1
3.4 Enforce Data Retention 1
3.5 Securely Dispose of Data 1
3.6 Encrypt Data on End-User Devices 1
3.7 Establish and Maintain a Data Classification Scheme 2
3.8 Document Data Flows 2
3.9 Encrypt Data on Removable Media 2
3.10 Encrypt Sensitive Data in Transit 2
3.11 Encrypt Sensitive Data At Rest 2
3.12 Segment Data Processing and Storage Based on Sensitivity 2
3.13 Deploy a Data Loss Prevention Solution 3
3.14 Log Sensitive Data Access 3
4.1 Establish and Maintain a Secure Configuration Process 1
Establish and Maintain a Secure Configuration Process for
4.2
Network Infrastructure 1
4.3 Configure Automatic Session Locking on Enterprise Assets 1
4.4 Implement and Manage a Firewall on Servers 1
4.5 Implement and Manage a Firewall on End-User Devices 1
4.6 Securely Manage Enterprise Assets and Software 1
4.7 Manage Default Accounts on Enterprise Assets and Software 1
Uninstall or Disable Unnecessary Services on Enterprise Assets
4.8
and Applications 2
4.9 Configure Trusted DNS Servers on Enterprise Assets 2
Enforce Automatic Device Lockout on Portable End-User
4.10
Devices 2
4.11 Enforce Remote Wipe Capability on Portable End-User Devices 2
4.12 Separate Enterprise Workspaces on Mobile End-User Devices 3
5.1 Establish and Maintain an Inventory of Accounts 1
5.2 Use Unique Passwords 1
5.3 Disable Dormant Accounts 1
Restrict Administrator Privileges to Dedicated Administrator
5.4
Accounts 1
5.5 Establish and Maintain an Inventory of Service Accounts 2
5.6 Centralize Account Management 2
6.1 Establish an Access Granting Process 1
6.2 Establish an Access Revoking Process 1
6.3 Require MFA for Externally-Exposed Applications 1
6.4 Require MFA for Remote Network Access 1
6.5 Require MFA for Administrative Access 1
Establish and Maintain an Inventory of Authentication and
6.6
Authorization Systems 2
6.7 Centralize Access Control 2
6.8 Define and Maintain Role-Based Access Control 3
7.1 Establish and Maintain a Vulnerability Management Process 1
7.2 Establish and Maintain a Remediation Process 1
7.3 Perform Automated Operating System Patch Management 1
7.4 Perform Automated Application Patch Management 1
Perform Automated Vulnerability Scans of Internal Enterprise
7.5
Assets 2
Perform Automated Vulnerability Scans of Externally-Exposed
7.6
Enterprise Assets 2
7.7 Remediate Detected Vulnerabilities 2
8.1 Establish and Maintain an Audit Log Management Process 1
8.2 Collect Audit Logs 1
8.3 Ensure Adequate Audit Log Storage 1
8.4 Standardize Time Synchronization 2
8.5 Collect Detailed Audit Logs 2
8.6 Collect DNS Query Audit Logs 2
8.7 Collect URL Request Audit Logs 2
8.8 Collect Command-Line Audit Logs 2
8.9 Centralize Audit Logs 2
8.1 Retain Audit Logs 2
8.11 Conduct Audit Log Reviews 2
8.12 Collect Service Provider Logs 3
9.1 Ensure Use of Only Fully Supported Browsers and Email Clients 1
9.2 Use DNS Filtering Services 1
9.3 Maintain and Enforce Network-Based URL Filters 2
Restrict Unnecessary or Unauthorized Browser and Email Client
9.4
Extensions 2
9.5 Implement DMARC 2
9.6 Block Unnecessary File Types 2
9.7 Deploy and Maintain Email Server Anti-Malware Protections 3
10.1 Deploy and Maintain Anti-Malware Software 1
10.2 Configure Automatic Anti-Malware Signature Updates 1
10.3 Disable Autorun and Autoplay for Removable Media 1
Configure Automatic Anti-Malware Scanning of Removable
10.4
Media 2
10.5 Enable Anti-Exploitation Features 2
10.6 Centrally Manage Anti-Malware Software 2
10.7 Use Behavior-Based Anti-Malware Software 2
11.1 Establish and Maintain a Data Recovery Process 1
11.2 Perform Automated Backups 1
11.3 Protect Recovery Data 1
11.4 Establish and Maintain an Isolated Instance of Recovery Data 1
11.5 Test Data Recovery 2
12.1 Ensure Network Infrastructure is Up-to-Date 1
12.2 Establish and Maintain a Secure Network Architecture 2
12.3 Securely Manage Network Infrastructure 2
12.4 Establish and Maintain Architecture Diagram(s) 2
Centralize Network Authentication, Authorization, and Auditing
12.5
(AAA) 2
Use of Secure Network Management and Communication
12.6
Protocols 2
Ensure Remote Devices Utilize a VPN and are Connecting to an
12.7
Enterprise’s AAA Infrastructure 2
Establish and Maintain Dedicated Computing Resources For All
12.8
Administrative Work 3
13.1 Centralize Security Event Alerting 2
13.2 Deploy a Host-Based Intrusion Detection Solution 2
13.3 Deploy a Network Intrusion Detection Solution 2
13.4 Perform Traffic Filtering Between Network Segments 2
13.5 Manage Access Control for Remote Assets 2
13.6 Collect Network Traffic Flow Logs 2
13.7 Deploy a Host-Based Intrusion Prevention Solution 3
13.8 Deploy a Network Intrusion Prevention Solution 3
13.9 Deploy Port-Level Access Control 3
13.10 Perform Application Layer Filtering 3
13.11 Tune Security Event Alerting Thresholds 3
14.1 Establish and Maintain a Security Awareness Program 1
Train Workforce Members to Recognize Social Engineering
14.2
Attacks 1
14.3 Train Workforce Members on Authentication Best Practices 1
14.4 Train Workforce on Data Handling Best Practices 1
Train Workforce Members on Causes of Unintentional Data
14.5
Exposure 1
Train Workforce Members on Recognizing and Reporting
14.6
Security Incidents 1
Train Workforce on How to Identify and Report if their Enterprise
14.7
Assets are Missing Security Updates 1
Train Workforce on the Dangers of Connecting to and
14.8
Transmitting Enterprise Data Over Insecure Networks 1
14.9 Conduct Role-Specific Security Awareness and Skills Training 2
15.1 Establish and Maintain an Inventory of Service Providers 1
15.2 Establish and Maintain a Service Provider Management Policy 2
15.3 Classify Service Providers 2
Ensure Service Provider Contracts Include Security
15.4
Requirements 2
15.5 Assess Service Providers 2
15.6 Monitor Service Providers 3
15.7 Securely Decommission Service Providers 3
Establish and Maintain a Secure Application
16.1
Development Process 2
Establish and Maintain a Process to Accept and Address
16.2
Software Vulnerabilities 2
16.3 Perform Root Cause Analysis on Security Vulnerabilities 2
Establish and Manage an Inventory of Third-Party Software
16.4
Components 2
16.5 Use Up-to-Date and Trusted Third-Party Software Components 2
Establish and Maintain a Severity Rating System and Process
16.6
for Application Vulnerabilities 2
Use Standard Hardening Configuration Templates for
16.7
Application Infrastructure 2
16.8 Separate Production and Non-Production Systems 2
Train Developers in Application Security Concepts and Secure
16.9
Coding 2
16.10 Apply Secure Design Principles in Application Architectures 2
Leverage Vetted Modules or Services for Application Security
16.11
Components 2
16.12 Implement Code-Level Security Checks 3
16.13 Conduct Application Penetration Testing 3
16.14 Conduct Threat Modeling 3
17.1 Designate Personnel to Manage Incident Handling 1
Establish and Maintain Contact Information for Reporting
17.2
Security Incidents 1
Establish and Maintain an Enterprise Process for Reporting
17.3
Incidents 1
17.4 Establish and Maintain an Incident Response Process 2
17.5 Assign Key Roles and Responsibilities 2
Define Mechanisms for Communicating During Incident
17.5
Response 2
17.6 Conduct Routine Incident Response Exercises 2
17.7 Conduct Post-Incident Reviews 2
17.8 Establish and Maintain Security Incident Thresholds 2
17.9 Establish and Maintain Security Incident Thresholds 3
18.1 Establish and Maintain a Penetration Testing Program 2
18.2 Perform Periodic External Penetration Tests 2
18.3 Remediate Penetration Test Findings 2
18.4 Validate Security Measures 3
18.5 Perform Periodic Internal Penetration Tests 3
Rec # Control Map 1 Control Map 2 Control Map 3 What IG? (Map 1)
0 0 0
0 0
0 0 0
2.1.1 6 0 0
0 0 0
0 0 0
3.1.1 4.1 0 0 1
3.1.2 4.1 0 0 1
3.1.3 4.1 0 0 1
3.1.4 3.10 0 0 2
0 0 0 0
3.2.1 0 0 0
3.2.2 4.1 0 0 1
3.2.3 4.1 0 0 1
3.2.4 4.1 0 0 1
3.2.5 4.1 0 0 1
3.2.6 4.7 0 0 1
3.2.7 4.1 0 0 1
3.2.8 4.1 0 0 1
3.2.9 4.1 0 0 1
3.2.10 4.1 0 0 1
3.2.11 4.1 0 0 1
0 0 0
0 0 0
4.1.1 4.1 0 0 1
4.1.2 4.1 0 0 1
4.1.3 4.1 0 0 1
4.1.4 4.1 0 0 1
4.1.5 16.5 0 0 2
4.1.6 4.1 0 0 1
0 0 0 0
4.2.1 13.5 0 0 2
4.2.2 4.1 0 0 1
4.2.3 4.6 0 0 1
4.2.4 4.1 0 0 1
4.2.5 4.1 0 0 1
4.2.6 7.6 0 0 2
4.2.7 3.3 0 0 1
4.2.8 3.3 0 0 1
4.2.9 4.1 0 0 1
0 0 0
0 0 0 0
4.4.1 3.11 0 0 2
4.4.2 13.4 0 0 2
0 0 0
4.5.1 4.4 0 0 1
4.5.2 4.4 0 0 1
0 0 0 0
4.6.1 13.5 0 0 2
0 0 0
4.7.1 8.2 8.5 0 1
4.7.2 3.10 0 0 2
4.7.3 4.1 0 0 1
0 0 0
0 0 0
5.1.1 6 0 0 1
5.1.2 6 0 0 1
5.1.3 4.6 0 0 1
5.1.4 4.6 0 0 1
0 2.5 0 0 2
5.2.1 4.4 0 0 1
0 0 0
5.3.1 6.8 0 0 3
0 0 0
5.4.1 0 0
5.4.2 4.4 1
5.4.3 4.4 1
5.4.4 4.4 4.4 1
5.4.5 3.10 2
0
5.5.1 5.6 2
5.5.2 4.1 1
0
5.6.1 3.12 2
5.6.2 3.12 2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
Err:509 Err:509 Err:509 Err:509
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
What IG? (Map 2) What IG? (Map 3) Lowest IG
1
1
1
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
2
1
2
1
1
1
1
2
1
1
1
2
2
1
1
2 1
2
1
1
1
1
1
2
1
1
1
1 1
2
2
1
2
2
Rec Title
Logging
Enable audit Logs
Worker Nodes
Kubelet
Policies
Azure Policy / OPA
CNI Plugin
Secrets Management
General Policies
Managed services
Cluster Networking
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
Err:509
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0

CIS Azue Kubernetes Service Benchmark (AKS) V1.1.0 - CERT

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CIS Azue Kubernetes Service Benchmark (AKS) V1.1.0 - CERT

Uploaded by

Copyright:

Available Formats

License

Please see our terms of service here: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/

Level 1 (L1) = Level 1 (L1) - Corporate/Enterprise Environment (general use)

BitLocker (BL) = BitLocker (BL) for when BitLocker is deployed

Assessment Status - Automated and Manual Recommendations

CIS Controls Implementation Groups (IGs)

MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge)

1 Master (Control Plane) Components

The RBAC role

- Azure Kubernetes Service (AKS)

Admission controllers limit requests to create, delete, modify o

When implementing Endpoint Priv

Virtual nodes are deployed to an additional subnet in the sam

er upgrades and stay within Azure support.

aged and maintained by Microsoft.

sing need to deprecate ahead of Kubernetes.

1 Master (Control Plane) Components

These policies relate to general cluster management topics, li

This section contains recommendations relating to network se

For these types of hostile multi-tenant workloads, you should

TITLE:Perform Traffic Filtering Between Network Segments CO

TITLE:Access Control Management CONTROL:v8 6 DESCRIPTION:Us

bjects in the cluster.

TITLE:Implement and Manage a Firewall on Servers CONTROL:

TITLE:Segment Data Processing and Storage Based on Sensitiv

report on the 5.2

14.1 14.2 X X https://kubernetes.io/docs/concepts/services-networking/networkpolicies/:h

14.4 14.8 X X https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets:htt

5.2 5.3 X X https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-a

on and drain process as a cluster upgrade.

eprecate ahead of Kubernetes.

Master (Control Plane) Components

T1222 T1083 M1022 M1018 5.2 2 4.1

T1190 T1210 M1025 14

T1078 T1078.002 M1026 5.1 1 4.1

T1611 M1048 M1038 5.2 2 13.5

T1046 M1030 M1042 18.4 2 3.11

T1133 T1195 M1042 M1016 12 13.5

T1609 T1106 M1038 14 8.2

T1071 M1016 M1031 3 3.1 3.2 2 6

T1552 M1041 14.8 3 6.8

T1190 T1133 M1030 12 4.4

T1078 T1078.002 M1026 16.2 2 5.6

T1203 M1048 18 3.12

Err:508 Err:508 Err:508 Err:508 Err:508 Err:508 Err:508 Err:508

Err:508 Err:508 Err:508 Err:508 Err:508 Err:508 Err:508 Err:508

Err:508 Err:508 Err:508 Err:508 Err:508 Err:508 Err:508 Err:508

Err:508 Err:508 Err:508

Err:508 Err:508 Err:508

Err:508 Err:508 Err:508

Err:508 Err:508 Err:508

Err:508 Err:508 Err:508

Err:508 Err:508 Err:508

Err:508 Err:508 Err:508

Create administrative boundaries between resources using namespaces

The default namespace should not be used

Image Registry and Image Scanning

Minimize cluster access to read-only for Azure Container Registry (ACR)

Access and identity options for Azure Kubernetes Service (AKS)

Prefer using dedicated AKS Service Accounts

Restrict Access to the Control Plane Endpoint

1.1 1.3 Devices Detect

1.2 1.5 Devices Detect

1.3 1.4 Devices Identify