Allocate specific identities to pods
Info
ID: MS-M9019
MITRE mitigation: -
When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node’s cloud identity. This prevents other pods from accessing cloud identities that are not necessary for their operation. The features that implement this separation are: Azure AD Pod Identity (AKS), Azure AD Workload identity (AKS), IRSA (EKS) and GCP Workload Identity (GCP).
Techniques Addressed by Mitigation
| ID | Name | Use |
|---|---|---|
| MS-TA9020 | Access cloud resources | Use dedicated allocated identities to pods |
| MS-TA9028 | Access Managed Identity credentials | Allocate specific identities to pods. |