cis kube! (#16753)

Author: DukeBWard

config/_default/menus.yml

@@ -348,22 +348,26 @@ reference:
     parent: reference-pre-built-policy-packs
     identifier: reference-pre-built-policy-packs-cis
     weight: 1
+  - name: CIS Kubernetes
+    parent: reference-pre-built-policy-packs
+    identifier: reference-pre-built-policy-packs-cis-kubernetes
+    weight: 2
   - name: HITRUST
     parent: reference-pre-built-policy-packs
     identifier: reference-pre-built-policy-packs-hitrust
-    weight: 2
+    weight: 3
   - name: NIST
     parent: reference-pre-built-policy-packs
     identifier: reference-pre-built-policy-packs-nist
-    weight: 3
+    weight: 4
   - name: PCI DSS
     parent: reference-pre-built-policy-packs
     identifier: reference-pre-built-policy-packs-pci-dss
-    weight: 4
+    weight: 5
   - name: Pulumi Best Practices
     parent: reference-pre-built-policy-packs
     identifier: reference-pre-built-policy-packs-pulumi-best-practices
-    weight: 5
+    weight: 6
 
 # -------------------------------------
 # Insights Policy Menu Section Headers

content/docs/insights/policy/policy-packs/pre-built-packs.md

@@ -31,6 +31,7 @@ The following pre-built policy packs are available out of the box in Pulumi Clou
 | Framework | Supported Cloud Providers | Description |
 | ----- | ----- | ----- |
 | **CIS 8.1** | [AWS](/docs/reference/pre-built-policy-packs/cis/aws/), [Azure](/docs/reference/pre-built-policy-packs/cis/azure/), [Google Cloud](/docs/reference/pre-built-policy-packs/cis/google-cloud/) | Enforces CIS 8.1 controls to help organizations implement industry-recognized security best practices and benchmarks across multiple cloud providers. |
+| **CIS Kubernetes** | [AWS (EKS)](/docs/reference/pre-built-policy-packs/cis-kubernetes/aws/), [Azure (AKS)](/docs/reference/pre-built-policy-packs/cis-kubernetes/azure/), [Google Cloud (GKE)](/docs/reference/pre-built-policy-packs/cis-kubernetes/google-cloud/) | Enforces CIS Kubernetes Benchmark controls for managed Kubernetes services, helping organizations secure their container orchestration platforms with industry-recognized best practices. |
 | **HITRUST CSF 11.5** | [AWS](/docs/reference/pre-built-policy-packs/hitrust/aws/), [Azure](/docs/reference/pre-built-policy-packs/hitrust/azure/), [Google Cloud](/docs/reference/pre-built-policy-packs/hitrust/google-cloud/) | Provides predefined controls that align cloud resources with HITRUST CSF requirements, helping organizations enforce security and compliance baselines across multiple providers. |
 | **NIST SP 800-53** | [AWS](/docs/reference/pre-built-policy-packs/nist/aws/) | Enforces NIST SP 800-53 rev. 5 security and privacy controls for AWS resources, helping federal agencies and organizations meet rigorous compliance requirements. |
 | **PCI DSS v4.0.1** | [AWS](/docs/reference/pre-built-policy-packs/pci-dss/aws/) | Enforces PCI DSS v4.0.1 compliance controls for AWS resources, ensuring payment card data security and helping organizations meet payment card industry standards. |

content/docs/reference/pre-built-policy-packs/cis-kubernetes/aws.md

@@ -0,0 +1,43 @@
+---
+title: "AWS (EKS)"
+meta_desc: Complete list of CIS Kubernetes Benchmark compliance policies for AWS EKS.
+h1: "CIS Kubernetes - AWS (EKS)"
+menu:
+  reference:
+    identifier: reference-pre-built-policy-packs-cis-kubernetes-aws
+    parent: reference-pre-built-policy-packs-cis-kubernetes
+    weight: 1
+---
+
+This page lists all 27 policies in the **CIS Kubernetes** pack for **AWS (EKS)**.
+
+| Policy Name | Description | Framework Reference | Framework Specification |
+| ----- | ----- | ----- | ----- |
+| eks-cluster-audit-logging-enabled | Ensure EKS clusters have audit logging enabled to track all API server requests. | 2.1 | Enable audit logs for EKS clusters to track all API server requests and administrative actions. |
+| eks-cluster-cloudwatch-logs-enabled | Ensure EKS clusters have CloudWatch Logs enabled for centralized log management. | 2.1 | Enable audit logs for EKS clusters to track all API server requests and administrative actions. |
+| eks-node-group-launch-template-required | Ensure EKS node groups use launch templates for consistent configuration. | 3.1-3.2 | Ensure kubelet configuration follows security best practices including proper authentication, authorization, and file permissions. |
+| eks-launch-template-kubelet-config | Ensure EKS launch templates have secure kubelet configuration. | 3.1-3.2 | Ensure kubelet configuration follows security best practices including proper authentication, authorization, and file permissions. |
+| eks-cluster-access-manager-enabled | Ensure EKS clusters have access manager enabled for centralized access control. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| eks-iam-authenticator-enabled | Ensure EKS clusters use IAM authenticator for secure authentication. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-cluster-admin-role-binding-minimized | Minimize the use of cluster-admin role bindings in Kubernetes. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-rbac-secret-access-minimized | Minimize access to secrets in Kubernetes RBAC policies. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-rbac-wildcard-use-minimized | Minimize the use of wildcards in Kubernetes RBAC policies. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-rbac-create-pods-minimized | Minimize the ability to create pods in Kubernetes RBAC policies. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-rbac-bind-impersonate-escalate-minimized | Minimize bind, impersonate, and escalate permissions in Kubernetes RBAC policies. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-default-service-accounts-not-used | Ensure default service accounts are not actively used in Kubernetes. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-service-account-token-mounted-minimized | Minimize automatic mounting of service account tokens in Kubernetes. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-pod-security-privileged-containers-minimized | Minimize the admission of privileged containers in Kubernetes. | 4.2 | Implement and manage a firewall on servers. Minimize the admission of privileged containers and containers with dangerous capabilities. |
+| k8s-pod-security-host-pid-minimized | Minimize the admission of containers with hostPID in Kubernetes. | 4.2 | Implement and manage a firewall on servers. Minimize the admission of privileged containers and containers with dangerous capabilities. |
+| k8s-pod-security-host-ipc-minimized | Minimize the admission of containers with hostIPC in Kubernetes. | 4.2 | Implement and manage a firewall on servers. Minimize the admission of privileged containers and containers with dangerous capabilities. |
+| k8s-pod-security-host-network-minimized | Minimize the admission of containers with hostNetwork in Kubernetes. | 4.2 | Implement and manage a firewall on servers. Minimize the admission of privileged containers and containers with dangerous capabilities. |
+| k8s-pod-security-allow-privilege-escalation-minimized | Minimize the admission of containers with allowPrivilegeEscalation in Kubernetes. | 4.2 | Implement and manage a firewall on servers. Minimize the admission of privileged containers and containers with dangerous capabilities. |
+| k8s-secrets-as-files-not-env-vars | Prefer using secrets as files over secrets as environment variables in Kubernetes. | 4.4-4.5 | Prefer using secrets as files over secrets as environment variables. Ensure default namespace is not used for workloads. |
+| k8s-default-namespace-not-used | Ensure the default namespace is not used for workloads in Kubernetes. | 4.4-4.5 | Prefer using secrets as files over secrets as environment variables. Ensure default namespace is not used for workloads. |
+| eks-ecr-image-scanning-enabled | Ensure Amazon ECR image scanning is enabled for vulnerability detection. | 5.1 | Ensure Image Vulnerability Scanning using Amazon ECR image scanning. Minimize user access to Amazon ECR. |
+| eks-ecr-private-repository | Ensure ECR repositories are private to minimize unauthorized access. | 5.1 | Ensure Image Vulnerability Scanning using Amazon ECR image scanning. Minimize user access to Amazon ECR. |
+| eks-service-accounts-iam-role-binding | Prefer using dedicated EKS Service Accounts with IAM role bindings. | 5.2-5.3 | Prefer using dedicated EKS Service Accounts. Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS. |
+| eks-secrets-encryption-kms-enabled | Ensure Kubernetes Secrets are encrypted using KMS Customer Master Keys. | 5.2-5.3 | Prefer using dedicated EKS Service Accounts. Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS. |
+| eks-node-group-iam-role-minimal-policy | Ensure EKS node group IAM roles follow the principle of least privilege. | 5.2-5.3 | Prefer using dedicated EKS Service Accounts. Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS. |
+| eks-cluster-endpoint-restrict-public-access | Restrict access to the EKS control plane endpoint. | 5.4 | Restrict Access to the Control Plane Endpoint. Ensure Network Policy is Enabled and set as appropriate. Encrypt traffic to HTTPS load balancers with TLS certificates. |
+| eks-network-policy-enabled | Ensure Network Policy is enabled and configured appropriately in EKS. | 5.4 | Restrict Access to the Control Plane Endpoint. Ensure Network Policy is Enabled and set as appropriate. Encrypt traffic to HTTPS load balancers with TLS certificates. |
+| eks-load-balancer-tls-encryption | Encrypt traffic to HTTPS load balancers with TLS certificates. | 5.4 | Restrict Access to the Control Plane Endpoint. Ensure Network Policy is Enabled and set as appropriate. Encrypt traffic to HTTPS load balancers with TLS certificates. |

content/docs/reference/pre-built-policy-packs/cis-kubernetes/azure.md

@@ -0,0 +1,45 @@
+---
+title: "Azure (AKS)"
+meta_desc: Complete list of CIS Kubernetes Benchmark compliance policies for Azure AKS.
+h1: "CIS Kubernetes - Azure (AKS)"
+menu:
+  reference:
+    identifier: reference-pre-built-policy-packs-cis-kubernetes-azure
+    parent: reference-pre-built-policy-packs-cis-kubernetes
+    weight: 2
+---
+
+This page lists all 30 policies in the **CIS Kubernetes** pack for **Azure (AKS)**.
+
+| Policy Name | Description | Framework Reference | Framework Specification |
+| ----- | ----- | ----- | ----- |
+| aks-cluster-audit-logging-enabled | Ensure AKS clusters have audit logging enabled to track all API server requests. | 2.1 | Enable audit logs for AKS clusters to track all API server requests and administrative actions. |
+| k8s-cluster-admin-role-binding-minimized | Minimize the use of cluster-admin role bindings in Kubernetes. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-rbac-secret-access-minimized | Minimize access to secrets in Kubernetes RBAC policies. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-rbac-wildcard-use-minimized | Minimize the use of wildcards in Kubernetes RBAC policies. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-rbac-create-pods-minimized | Minimize the ability to create pods in Kubernetes RBAC policies. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-default-service-accounts-not-used | Ensure default service accounts are not actively used in Kubernetes. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-service-account-token-mounted-minimized | Minimize automatic mounting of service account tokens in Kubernetes. | 4.1 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Implement proper RBAC controls. |
+| k8s-pod-security-privileged-containers-minimized | Minimize the admission of privileged containers in Kubernetes. | 4.2 | Minimize the admission of privileged containers and containers with dangerous capabilities. |
+| k8s-pod-security-host-pid-minimized | Minimize the admission of containers with hostPID in Kubernetes. | 4.2 | Minimize the admission of privileged containers and containers with dangerous capabilities. |
+| k8s-pod-security-host-ipc-minimized | Minimize the admission of containers with hostIPC in Kubernetes. | 4.2 | Minimize the admission of privileged containers and containers with dangerous capabilities. |
+| k8s-pod-security-host-network-minimized | Minimize the admission of containers with hostNetwork in Kubernetes. | 4.2 | Minimize the admission of privileged containers and containers with dangerous capabilities. |
+| k8s-pod-security-allow-privilege-escalation-minimized | Minimize the admission of containers with allowPrivilegeEscalation in Kubernetes. | 4.2 | Minimize the admission of privileged containers and containers with dangerous capabilities. |
+| k8s-namespaces-network-policies-defined | Ensure that all Namespaces have Network Policies defined. | 4.4 | Ensure that all Namespaces have Network Policies defined. |
+| k8s-secrets-as-files-not-env-vars | Prefer using secrets as files over secrets as environment variables in Kubernetes. | 4.5-4.6 | Prefer using secrets as files over secrets as environment variables. Ensure default namespace is not used for workloads. Apply security context to pods and containers. |
+| k8s-resource-namespace-boundaries | Ensure resources are deployed within appropriate namespace boundaries. | 4.5-4.6 | Prefer using secrets as files over secrets as environment variables. Ensure default namespace is not used for workloads. Apply security context to pods and containers. |
+| k8s-pod-security-context-applied | Ensure security context is applied to pods and containers. | 4.5-4.6 | Prefer using secrets as files over secrets as environment variables. Ensure default namespace is not used for workloads. Apply security context to pods and containers. |
+| k8s-default-namespace-not-used | Ensure the default namespace is not used for workloads in Kubernetes. | 4.5-4.6 | Prefer using secrets as files over secrets as environment variables. Ensure default namespace is not used for workloads. Apply security context to pods and containers. |
+| aks-defender-container-scanning-enabled | Ensure Image Vulnerability Scanning using Microsoft Defender for Cloud is enabled. | 5.1 | Ensure Image Vulnerability Scanning using Microsoft Defender for Cloud (MDC). Minimize user access to Azure Container Registry (ACR). |
+| acr-user-access-minimized | Minimize user access to Azure Container Registry (ACR). | 5.1 | Ensure Image Vulnerability Scanning using Microsoft Defender for Cloud (MDC). Minimize user access to Azure Container Registry (ACR). |
+| aks-acr-readonly-access | Ensure AKS clusters have read-only access to ACR. | 5.1 | Ensure Image Vulnerability Scanning using Microsoft Defender for Cloud (MDC). Minimize user access to Azure Container Registry (ACR). |
+| aks-approved-registries-only | Ensure AKS clusters only pull images from approved registries. | 5.1 | Ensure Image Vulnerability Scanning using Microsoft Defender for Cloud (MDC). Minimize user access to Azure Container Registry (ACR). |
+| aks-dedicated-service-accounts | Prefer using dedicated AKS Service Accounts. | 5.2 | Prefer using dedicated AKS Service Accounts. |
+| aks-secrets-encryption-enabled | Ensure Kubernetes Secrets are encrypted in AKS. | 5.3 | Ensure Kubernetes Secrets are encrypted. |
+| aks-cluster-endpoint-restrict-public-access | Restrict access to the AKS control plane endpoint. | 5.4 | Restrict Access to the Control Plane Endpoint. Ensure clusters are created with Private Endpoints and Private Nodes. Enable Network Policy. Encrypt traffic to HTTPS load balancers. |
+| aks-private-endpoint-enabled | Ensure AKS clusters are created with Private Endpoints. | 5.4 | Restrict Access to the Control Plane Endpoint. Ensure clusters are created with Private Endpoints and Private Nodes. Enable Network Policy. Encrypt traffic to HTTPS load balancers. |
+| aks-private-nodes-enabled | Ensure AKS clusters are created with Private Nodes. | 5.4 | Restrict Access to the Control Plane Endpoint. Ensure clusters are created with Private Endpoints and Private Nodes. Enable Network Policy. Encrypt traffic to HTTPS load balancers. |
+| aks-network-policy-enabled | Ensure Network Policy is enabled and configured appropriately in AKS. | 5.4 | Restrict Access to the Control Plane Endpoint. Ensure clusters are created with Private Endpoints and Private Nodes. Enable Network Policy. Encrypt traffic to HTTPS load balancers. |
+| aks-load-balancer-tls-encryption | Encrypt traffic to HTTPS load balancers with TLS certificates. | 5.4 | Restrict Access to the Control Plane Endpoint. Ensure clusters are created with Private Endpoints and Private Nodes. Enable Network Policy. Encrypt traffic to HTTPS load balancers. |
+| aks-azure-ad-integration-enabled | Manage Kubernetes RBAC users with Azure AD. | 5.5 | Manage Kubernetes RBAC users with Azure AD. Use Azure RBAC for Kubernetes Authorization. |
+| aks-azure-rbac-enabled | Use Azure RBAC for Kubernetes Authorization. | 5.5 | Manage Kubernetes RBAC users with Azure AD. Use Azure RBAC for Kubernetes Authorization. |