lacework-global-332
This rule also encompasses lacework-global-662. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.
4.1.2 Minimize access to secrets in ClusterRoleBindings (Automated)
This rule has been changed to automated, see Automated Policies for CIS Amazon EKS 1.1.0 for details.
Profile Applicability
• Level 1
Description
The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Restrict access to these secrets to the smallest possible group of users to reduce the risk of privilege escalation.
Rationale
Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets.
Impact
Care should be taken not to remove access to secrets to system components which require this for their operation
Audit
Review the users who have get, list or watch access to secrets objects in the Kubernetes API.
Remediation
Where possible, remove get, list and watch access to secret objects in the cluster.
References
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#clusterrolebinding-example