🔵 CIS Azure 6.1 · Rule: AZ-AKS-001 · Severity: high

Ensure AKS clusters have RBAC enabled

Description

Azure Kubernetes Service clusters must have RBAC enabled for access control.

⚠️ Risk Impact

Without RBAC, any authenticated user can perform any action on the cluster including deploying workloads and accessing secrets.

🔍 How EchelonGraph Detects This

AZ-AKS-001 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Azure accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Enable RBAC during cluster creation or update existing clusters.

💀 Real-World Attack Scenario

An AKS cluster without RBAC allowed any developer with cluster credentials to access all namespaces. A junior developer accidentally ran kubectl get secrets --all-namespaces and discovered production database credentials, API keys, and TLS certificates. The credentials were copied to a personal device that was later compromised.

💰 Cost of Non-Compliance

AKS clusters without RBAC expose all secrets to all users. Average Kubernetes secret exposure incident cost: $2.4M. 67% of K8s breaches involve overprivileged access.

📋 Audit Questions

  1. Is RBAC enabled on all AKS clusters?
  2. Is Azure AD integration configured for AKS authentication?
  3. What RBAC roles are defined and who has ClusterAdmin access?
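As an added illustration of the checks behind audit questions 1 and 2 and the remediation above (this is example code written for this page, not EchelonGraph's scanner), the following Python evaluates the JSON that `az aks list -o json` returns and emits AZ-AKS-001 findings. The cluster records below are constructed sample data; the `enableRbac` and `aadProfile` property names follow the Azure CLI output, the `az aks create` flags in the remediation string are real CLI flags, and the admin group object id is a placeholder.

```python
import json
from typing import Dict, List

RULE_ID = "AZ-AKS-001"

# Constructed sample modelled on `az aks list -o json` output. Only the
# properties this check reads are included; real output has many more.
SAMPLE_AZ_AKS_LIST = json.dumps([
    {   # compliant: Kubernetes RBAC on, Azure AD managed integration on
        "name": "prod-aks", "resourceGroup": "rg-prod",
        "enableRbac": True,
        "aadProfile": {"managed": True, "enableAzureRbac": True},
    },
    {   # non-compliant: RBAC disabled and no Azure AD integration
        "name": "legacy-aks", "resourceGroup": "rg-legacy",
        "enableRbac": False,
        "aadProfile": None,
    },
    {   # RBAC on, but local Kubernetes accounts only (audit question 2)
        "name": "dev-aks", "resourceGroup": "rg-dev",
        "enableRbac": True,
        "aadProfile": None,
    },
])


def remediation_command(name: str, resource_group: str,
                        admin_group_id: str = "<AAD_ADMIN_GROUP_OBJECT_ID>") -> str:
    """Build the `az aks create` invocation for a compliant replacement cluster.

    Kubernetes RBAC is enabled by default unless --disable-rbac is passed;
    --enable-aad and --enable-azure-rbac add the Azure AD integration.
    The admin group id is a placeholder the operator must fill in.
    """
    return (f"az aks create --resource-group {resource_group} --name {name} "
            f"--enable-aad --enable-azure-rbac "
            f"--aad-admin-group-object-ids {admin_group_id}")


def evaluate_cluster(cluster: Dict) -> List[Dict]:
    """Return the findings for a single cluster record (empty if compliant)."""
    findings = []
    name = cluster.get("name", "<unknown>")
    rg = cluster.get("resourceGroup", "<unknown>")

    # Audit question 1: is Kubernetes RBAC enabled? This is the rule itself,
    # so it carries the rule's high severity.
    if not cluster.get("enableRbac", False):
        findings.append({
            "rule": RULE_ID, "severity": "high",
            "cluster": name, "resourceGroup": rg,
            "issue": "Kubernetes RBAC is disabled",
            # RBAC cannot be switched on in place; the cluster must be recreated.
            "remediation": "recreate the cluster: " + remediation_command(name, rg),
        })

    # Audit question 2: is Azure AD integration configured? A missing or
    # unmanaged aadProfile means only local Kubernetes accounts are used.
    aad = cluster.get("aadProfile") or {}
    if not aad.get("managed"):
        findings.append({
            "rule": RULE_ID, "severity": "advisory",
            "cluster": name, "resourceGroup": rg,
            "issue": "No managed Azure AD integration for authentication",
            "remediation": "az aks update --resource-group %s --name %s "
                           "--enable-aad --enable-azure-rbac" % (rg, name),
        })
    return findings


def evaluate_clusters(az_aks_list_json: str) -> List[Dict]:
    """Run the check over the JSON document produced by `az aks list -o json`."""
    findings: List[Dict] = []
    for cluster in json.loads(az_aks_list_json):
        findings.extend(evaluate_cluster(cluster))
    return findings


if __name__ == "__main__":
    for finding in evaluate_clusters(SAMPLE_AZ_AKS_LIST):
        print(json.dumps(finding, indent=2))
```

On a real subscription, feed the script with `az aks list -o json > clusters.json` and pass the file contents to `evaluate_clusters`; the RBAC finding is the only one that needs a new cluster, which is why the script pairs it with an `az aks create` rather than an `az aks update`.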

🎯 MITRE ATT&CK Mapping

T1078 — Valid Accounts
T1552.007 — Container API

⚡ Common Pitfalls

  • RBAC cannot be enabled on existing clusters without recreation (AKS-specific)
  • Granting cluster-admin to all developers for convenience
  • Not integrating AKS RBAC with Azure AD for centralized identity management

📈 Business Value

AKS RBAC with Azure AD integration provides centralized, auditable access control for Kubernetes. It enables namespace-level isolation and prevents unauthorized secret access.

⏱️ Effort Estimate

Manual

4-8 hours to enable RBAC and define role bindings (may require cluster recreation)

With EchelonGraph

EchelonGraph verifies RBAC configuration across all AKS clusters

🔗 Cross-Framework References

SOC2-CC6.3, ISO27001-A.9.2.3

Automate CIS Azure 6.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
