>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

V-274884Kubernetes must limit Secret access on a need-to-know basis.

CAT II - Medium
CNTR-K8-001163

>Control Description

Kubernetes secrets may store sensitive information such as passwords, tokens, and keys. Access to these secrets should be limited to a need-to-know basis via Kubernetes RBAC.

>Check Content

Review the Kubernetes accounts and their corresponding roles. If any accounts have read (list, watch, get) access to Secrets without a documented organizational requirement, this is a finding. Run the below command to list the workload resources for applications deployed to Kubernetes: kubectl get all -A -o yaml If Secrets are attached to applications without a documented requirement, this is a finding.

>Remediation

For Kubernetes accounts that have read access to Secrets without a documented requirement, modify the corresponding Role or ClusterRole to remove list, watch, and get privileges for Secrets.

>CCI References

CCI-002476

Control Correlation Identifiers (CCIs) map STIG findings to NIST 800-53 controls.

>Cross-Framework Mappings

NIST SP 800-53 r5

via DISA CCI List
SC-28(1)
Compare

Ask AI

Configure your API key to use AI features.