☸️ CIS Kubernetes 5.1.5 | Rule: K8S-SA-001 | Severity: high

Default ServiceAccount tokens not auto-mounted

Description

The default ServiceAccount in every namespace must not auto-mount its API token. The watcher reads each ServiceAccount object's automountServiceAccountToken field and flags any ServiceAccount named default where the field is unset (the Kubernetes default is true) or explicitly set to true.

⚠️ Risk Impact

Auto-mounted default SA tokens give every Pod that does not name its own ServiceAccount (including a misconfigured one that was never meant to talk to the API) a credential for the API server, mounted into the container filesystem. Compromise the Pod, get a cluster credential.

🔍 How EchelonGraph Detects This

K8S-SA-001 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

kubectl patch serviceaccount default -n <ns> -p '{"automountServiceAccountToken": false}'
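The check described above and the remediation it leads to, as an added example that is not EchelonGraph's own scanner code: it applies the K8S-SA-001 logic to a constructed ServiceAccount list in the shape of `kubectl get serviceaccounts -A -o json` and emits one patch command per finding.

```python
import json

# Constructed sample in the shape of `kubectl get serviceaccounts -A -o json`
# (not real cluster output): four ServiceAccounts across four namespaces.
SAMPLE_SA_LIST = json.loads("""
{"kind": "ServiceAccountList", "items": [
  {"metadata": {"name": "default", "namespace": "default"}},
  {"metadata": {"name": "default", "namespace": "kube-system"},
   "automountServiceAccountToken": true},
  {"metadata": {"name": "default", "namespace": "payments"},
   "automountServiceAccountToken": false},
  {"metadata": {"name": "builder", "namespace": "ci"}}
]}
""")

SEVERITY = "high"

def find_default_sa_automount(sa_list):
    """Apply the K8S-SA-001 logic: flag every ServiceAccount named 'default'
    whose automountServiceAccountToken is unset (Kubernetes default: true)
    or explicitly true. Returns a list of finding dicts."""
    findings = []
    for sa in sa_list.get("items", []):
        meta = sa.get("metadata", {})
        if meta.get("name") != "default":
            continue  # the rule targets the default SA only
        value = sa.get("automountServiceAccountToken")
        if value is False:
            continue  # compliant: token will not be mounted
        findings.append({
            "rule": "K8S-SA-001",
            "severity": SEVERITY,
            "namespace": meta.get("namespace", ""),
            "reason": "unset (defaults to true)" if value is None else "explicitly true",
        })
    return findings

def remediation_commands(findings):
    """One kubectl patch per finding, matching the remediation shown above."""
    patch = '{"automountServiceAccountToken": false}'
    return [
        f"kubectl patch serviceaccount default -n {f['namespace']} -p '{patch}'"
        for f in findings
    ]

if __name__ == "__main__":
    found = find_default_sa_automount(SAMPLE_SA_LIST)
    for f in found:
        print(f"[{f['severity']}] {f['rule']} ns={f['namespace']}: {f['reason']}")
    print("\n".join(remediation_commands(found)))
```

Against a live cluster, load the output of `kubectl get serviceaccounts -A -o json` in place of the constructed sample. A Pod spec can still set automountServiceAccountToken: true and override the ServiceAccount setting, so Pod specs deserve the same check.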

🔗 Cross-Framework References

NIST-AC-6, PCI-7.1

Automate CIS Kubernetes 5.1.5 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
