Using cloud credentials
Info
ID: MS-TA9001
Tactic: Initial Access
MITRE technique: T1078.004
In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credentials can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster's management layer.
Mitigations
ID | Mitigation | Description |
---|---|---|
MS-M9001 | Multi-factor Authentication | Use multi-factor authentication for cloud accounts which can be elevated to access Kubernetes clusters in that cloud. |
MS-M9002 | Restrict access to the API server using IP firewall | Restrict access of cloud accounts to API server from trusted IP addresses only. |
MS-M9003 | Adhere to least-privilege principle | Limit RBAC privileges in the cloud account to retrieve access credentials to managed Kubernetes clusters. |
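As an added example (not part of the original matrix), the following Python audit checks the two configuration-level mitigations above, MS-M9002 and MS-M9003, for AKS: whether a cloud role effectively grants the actions that hand out cluster kubeconfig credentials, and whether a cluster's API server is reachable from any address. The input documents are constructed samples shaped like `az role definition list` and `az aks show` output; the field names and the sample values are assumptions, not taken from any real subscription.

```python
"""Audit Azure role definitions and AKS API-server exposure against the
least-privilege (MS-M9003) and IP-restriction (MS-M9002) mitigations.
Field names follow az CLI JSON output and are an assumption of this example."""
import ipaddress
import re

# Control-plane actions that return a kubeconfig for a managed cluster.
CREDENTIAL_ACTIONS = (
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
)

def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def granted_credential_actions(role: dict) -> list[str]:
    """Return the credential-retrieval actions a role effectively grants.
    An action covered by notActions is subtracted, as Azure evaluates it."""
    granted = []
    for perm in role.get("permissions", []):
        for action in CREDENTIAL_ACTIONS:
            allowed = any(action_matches(p, action) for p in perm.get("actions", []))
            denied = any(action_matches(p, action) for p in perm.get("notActions", []))
            if allowed and not denied and action not in granted:
                granted.append(action)
    return granted

def api_server_exposure(cluster: dict) -> str:
    """Classify API-server reachability from the cluster's access profile."""
    profile = cluster.get("apiServerAccessProfile") or {}
    if profile.get("enablePrivateCluster"):
        return "private"
    ranges = profile.get("authorizedIpRanges") or []
    if not ranges:
        return "public-unrestricted"  # no allow-list: every source IP may reach the API server
    # A zero-length prefix (0.0.0.0/0 or ::/0) is an allow-list in name only.
    if any(ipaddress.ip_network(r, strict=False).prefixlen == 0 for r in ranges):
        return "public-unrestricted"
    return "public-restricted"

# Constructed samples (hypothetical role and clusters, not real resources).
CUSTOM_ROLE = {"roleName": "Team Cluster Operator",
               "permissions": [{"actions": ["Microsoft.ContainerService/*"],
                                "notActions": [CREDENTIAL_ACTIONS[1]]}]}
OPEN_CLUSTER = {"name": "aks-dev", "apiServerAccessProfile": {"authorizedIpRanges": []}}
LOCKED_CLUSTER = {"name": "aks-prod", "apiServerAccessProfile": {"authorizedIpRanges": ["203.0.113.0/24"]}}

if __name__ == "__main__":
    print(CUSTOM_ROLE["roleName"], "grants:", granted_credential_actions(CUSTOM_ROLE))
    for c in (OPEN_CLUSTER, LOCKED_CLUSTER):
        print(c["name"], api_server_exposure(c))
```

The sample role shows why wildcards matter for MS-M9003: `Microsoft.ContainerService/*` still grants `listClusterUserCredential` even though the admin variant is explicitly excluded.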