Mitigations

Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.

| ID | Name |
|---|---|
| MS-M9001 | Multi-factor authentication |
| MS-M9002 | Restrict access to the API server using IP firewall |
| MS-M9003 | Adhere to least-privilege principle |
| MS-M9004 | Secure CI/CD environment |
| MS-M9005 | Image assurance policy |
| MS-M9006 | Enable Just In Time access to API server |
| MS-M9007 | Network intrusion prevention |
| MS-M9008 | Limit access to services over network |
| MS-M9009 | Require strong authentication to services |
| MS-M9010 | Restrict exec commands on pods |
| MS-M9011 | Restrict container runtime using LSM |
| MS-M9012 | Remove tools from container images |
| MS-M9013 | Restrict over permissive containers |
| MS-M9014 | Network segmentation |
| MS-M9015 | Avoid running management interface on containers |
| MS-M9016 | Restrict file and directory permissions |
| MS-M9017 | Ensure that pods meet defined Pod Security Standards |
| MS-M9018 | Restricting cloud metadata API access |
| MS-M9019 | Allocate specific identities to pods |
| MS-M9020 | Collect logs to remote data storage |
| MS-M9021 | Restrict the usage of unauthenticated APIs in the Cluster |
| MS-M9022 | Use managed secret store |
| MS-M9023 | Remove unused secrets from the cluster |
| MS-M9024 | Restrict access to etcd |
| MS-M9025 | Disable service account auto mount |
| MS-M9026 | Avoid using plain text credentials |
| MS-M9027 | Use NodeRestriction admission controller |
| MS-M9028 | Use CNIs that are not prone to ARP poisoning |
| MS-M9029 | Set requests and limits for containers |
| MS-M9030 | Use cloud storage provider |
| MS-M9031 | Implement data backup strategy |
| MS-M9032 | Avoid using web-hosted manifest for Kubelet |