Assign CIS Kubernetes Benchmark

Implementation Effort: Medium – Requires enabling Defender for Containers and reviewing benchmark compliance across Kubernetes clusters.

User Impact: Low – Benchmark assignment and enforcement are handled by platform and security teams; end users are not directly affected.

Overview

Assigning the CIS Kubernetes Benchmark in Microsoft Defender for Containers helps organizations align their Kubernetes security posture with industry best practices. The Center for Internet Security (CIS) provides a set of security recommendations for Kubernetes environments, categorized into Level 1 (L1) for basic security and Level 2 (L2) for high-security environments.

In Azure Kubernetes Service (AKS), Microsoft Defender for Containers automatically assesses clusters against the CIS Kubernetes Benchmark v1.27 (as of May 2025), providing visibility into compliance status. Each recommendation is marked as either:

• Automated – Can be programmatically assessed and scored.
• Manual – Requires manual validation and does not affect the benchmark score.

Assessment results include:

• Pass – Recommendation is applied.
• Fail – Recommendation is not applied.
• N/A – Not applicable to AKS due to architectural differences.
• Equivalent Control – Implemented differently but achieves the same outcome 1.

To assign and monitor CIS benchmark compliance:

1. Enable Defender for Containers in Microsoft Defender for Cloud.
2. Navigate to Regulatory Compliance > CIS Kubernetes Benchmark.
3. Review the compliance dashboard and drill into failed or manual controls.
4. Use the guidance provided to remediate or document exceptions.

This capability supports the "Verify Explicitly" and "Assume Breach" principles of Zero Trust by ensuring Kubernetes clusters are hardened against known risks and continuously monitored for compliance.

Reference

• Center for Internet Security (CIS) Kubernetes benchmark – AKS
• Configure Microsoft Defender for Containers components
• Overview of Microsoft Defender for Containers