Using cloud credentials

Info

ID: MS-TA9001
Tactic: Initial Access
MITRE technique: T1078.004

When a Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credentials can lead to cluster takeover: the cloud account is what authorizes retrieval of cluster credentials. Attackers who hold the cloud account credentials can therefore reach the cluster's management layer (the Kubernetes API server) without first compromising any workload.

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| MS-M9001 | Multi-factor Authentication | Use multi-factor authentication for cloud accounts which can be elevated to access Kubernetes clusters in that cloud. |
| MS-M9002 | Restrict access to the API server using IP firewall | Restrict access of cloud accounts to the API server from trusted IP addresses only. |
| MS-M9003 | Adhere to least-privilege principle | Limit RBAC privileges in the cloud account to retrieve access credentials to managed Kubernetes clusters. |
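The following is an added example written for this page; it is not code from the threat matrix or from any cloud provider. It audits mitigation MS-M9002 by reading the JSON that each provider's CLI returns for a managed cluster (`az aks show -o json`, `gcloud container clusters describe --format=json`, `aws eks describe-cluster`) and reporting whether the API server endpoint is reachable from arbitrary internet addresses. The field names follow the real CLI output shapes; the cluster documents embedded below are constructed samples, and the `203.0.113.0/24` range is a documentation prefix standing in for a real trusted network.

```python
"""Check whether a managed Kubernetes API server is IP-restricted (MS-M9002)."""
import ipaddress


def _unrestricted(cidrs):
    """True when the list is empty (provider default: allow every source)
    or contains a catch-all range such as 0.0.0.0/0 or ::/0."""
    if not cidrs:
        return True
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def _verdict(cloud, private, ranges, private_reason, open_reason):
    """Shared decision: a private-only endpoint is fine; otherwise the
    allow-list must exist and must not be a catch-all."""
    if private:
        return {"cloud": cloud, "restricted": True, "reason": private_reason}
    if _unrestricted(ranges):
        return {"cloud": cloud, "restricted": False, "reason": open_reason}
    return {"cloud": cloud, "restricted": True,
            "reason": f"public endpoint limited to {len(ranges)} range(s): {ranges}"}


def audit_aks(cluster):
    """cluster: parsed `az aks show -o json` output."""
    profile = cluster.get("apiServerAccessProfile") or {}
    return _verdict("aks",
                    profile.get("enablePrivateCluster", False),
                    profile.get("authorizedIpRanges") or [],
                    "private cluster, API server has no public endpoint",
                    "no authorizedIpRanges set; API server reachable from any address")


def audit_gke(cluster):
    """cluster: parsed `gcloud container clusters describe --format=json` output."""
    private = (cluster.get("privateClusterConfig") or {}).get("enablePrivateEndpoint", False)
    man = cluster.get("masterAuthorizedNetworksConfig") or {}
    # When master authorized networks is disabled the cidrBlocks list is irrelevant.
    ranges = [b.get("cidrBlock") for b in man.get("cidrBlocks") or []] if man.get("enabled") else []
    return _verdict("gke", private, ranges,
                    "private endpoint only, no public control plane address",
                    "master authorized networks disabled or empty; control plane open")


def audit_eks(describe_output):
    """describe_output: parsed `aws eks describe-cluster` output."""
    vpc = (describe_output.get("cluster") or {}).get("resourcesVpcConfig") or {}
    return _verdict("eks",
                    not vpc.get("endpointPublicAccess", True),
                    vpc.get("publicAccessCidrs") or [],
                    "public endpoint access disabled",
                    "publicAccessCidrs allows all sources; API server open to the internet")


AUDITORS = {"aks": audit_aks, "gke": audit_gke, "eks": audit_eks}


def audit(cloud, document):
    """Dispatch on provider name; raises KeyError for an unknown provider."""
    return AUDITORS[cloud](document)


# Constructed sample documents (not real cluster output).
SAMPLE_AKS_OPEN = {"name": "example-aks",
                   "apiServerAccessProfile": {"authorizedIpRanges": [], "enablePrivateCluster": False}}
SAMPLE_AKS_RESTRICTED = {"name": "example-aks",
                         "apiServerAccessProfile": {"authorizedIpRanges": ["203.0.113.0/24"],
                                                    "enablePrivateCluster": False}}
SAMPLE_GKE_OPEN = {"name": "example-gke", "masterAuthorizedNetworksConfig": {"enabled": False}}
SAMPLE_EKS_OPEN = {"cluster": {"name": "example-eks",
                               "resourcesVpcConfig": {"endpointPublicAccess": True,
                                                      "endpointPrivateAccess": False,
                                                      "publicAccessCidrs": ["0.0.0.0/0"]}}}

if __name__ == "__main__":
    for cloud, doc in [("aks", SAMPLE_AKS_OPEN), ("aks", SAMPLE_AKS_RESTRICTED),
                       ("gke", SAMPLE_GKE_OPEN), ("eks", SAMPLE_EKS_OPEN)]:
        r = audit(cloud, doc)
        print(f"{r['cloud']}: {'OK' if r['restricted'] else 'FINDING'} - {r['reason']}")
```

Running the script against real output would look like `python audit.py < <(az aks show -g RG -n NAME -o json)` after adding a small loader; the point of the check is that an empty allow-list is treated as a finding, because on every provider the absence of ranges means "allow all", so a compromised cloud credential can reach the API server from anywhere. A private endpoint removes the public path entirely, which is why it is accepted without an allow-list.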