GKE legacy Compute Engine instance metadata APIs should be disabled

Provider: GCP
Service: GKE
Severity: Medium

Description

The legacy GCE instance metadata APIs on GKE nodes can be used from within pods to extract node credentials. This presents a security risk if a pod becomes compromised. To improve your cluster's security, disable the legacy GCE metadata endpoints.

Suggested Action

Disable the legacy GCE instance metadata APIs.

Remediation Steps

  1. Go to the Kubernetes Engine page in the Google Cloud Console.
  2. Select the affected cluster.
  3. Click ADD NODE POOL.
  4. In the Metadata section, add GCE instance metadata with the key-value pair disable-legacy-endpoints=true.
  5. Click CREATE.
  6. Migrate workloads to the new node pool and delete the node pool with the default service account.
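
To confirm which node pools still need the migration in step 6, the following added example (not part of the original rule or any vendor tooling) audits a cluster description for the disable-legacy-endpoints=true metadata pair. It assumes input in the shape of `gcloud container clusters describe <cluster> --format=json`, uses a constructed sample, and treats a missing key as non-compliant; the function names are hypothetical.

```python
import json

KEY = "disable-legacy-endpoints"

# Constructed sample, trimmed to the fields the check reads
# (shape of `gcloud container clusters describe <cluster> --format=json`).
SAMPLE_CLUSTER_JSON = """
{
  "name": "example-cluster",
  "nodePools": [
    {"name": "default-pool",
     "config": {"metadata": {"disable-legacy-endpoints": "false"}}},
    {"name": "old-pool",
     "config": {"machineType": "e2-medium"}},
    {"name": "hardened-pool",
     "config": {"metadata": {"disable-legacy-endpoints": "true"}}}
  ]
}
"""


def audit_cluster(cluster: dict) -> list:
    """Return one finding per node pool that does not set KEY to "true"."""
    findings = []
    for pool in cluster.get("nodePools") or []:
        metadata = (pool.get("config") or {}).get("metadata") or {}
        value = metadata.get(KEY)
        # Metadata values are strings; only an explicit "true" passes.
        # Assumption: an absent key is reported so it gets reviewed.
        if str(value).strip().lower() != "true":
            findings.append({
                "cluster": cluster.get("name", "<unknown>"),
                "node_pool": pool.get("name", "<unnamed>"),
                "observed": value,  # None means the key is absent
            })
    return findings


def non_compliant_pools(cluster_json: str) -> list:
    """Names of node pools that fail the check, in input order."""
    return [f["node_pool"] for f in audit_cluster(json.loads(cluster_json))]


if __name__ == "__main__":
    for f in audit_cluster(json.loads(SAMPLE_CLUSTER_JSON)):
        print(f"FAIL {f['cluster']}/{f['node_pool']}: {KEY}={f['observed']!r}")
```

Node pool metadata cannot be changed in place through the steps above, which is why each failing pool is replaced rather than edited.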

Compliance Controls

| Framework | Control # | Control description |
|---|---|---|
| CIS Google Kubernetes Engine (GKE) Benchmark | 5.4.1 | Disable the legacy GCE instance metadata APIs for GKE nodes. Under some circumstances, these can be used from within a pod to extract the node's credentials. |
| CSA CCM | IAM-05 | Employ the least privilege principle when implementing information system access. |
| ISO IEC 27001 | A.9.1.2 | Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
| AICPA SOC 2 | cc6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
| CSA CCM | IAM-09 | Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated. |
| ISO IEC 27001 | A.13.1.1 | Networks shall be managed and controlled to protect information in systems and applications. |
| NIST SP 800-53 | SC-7(11) | Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]. |
| FedRAMP | SC-7(5) | Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]]. |
| NIST SP 800-53 | SC-7(5) | Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]]. |
| CSA CCM | IAM-06 | Access to the organization's own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures. |
| HITRUST CSF | 01.e | All access rights shall be regularly reviewed by management via a formal documented process. |
| AICPA SOC 2 | cc6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives. |
| CSA CCM | IAM-10 | Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access. |
| US HIPAA | 164308.a.1.ii.b | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). |
| CSA CCM | IAM-02 | User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes, and measures must incorporate the following: • Procedures, supporting roles, and responsibilities for provisioning and de-provisioning user account entitlements following the rule of least privilege based on job function (e.g., internal employee and contingent staff personnel changes, customer-controlled access, suppliers' business relationships, or other third-party business relationships) • Business case considerations for higher levels of assurance and multi-factor authentication secrets (e.g., management interfaces, key generation, remote access, segregation of duties, emergency access, large-scale provisioning or geographically-distributed deployments, and personnel redundancy for critical systems) • Access segmentation to sessions and data in multi-tenant architectures by any third party (e.g., provider and/or other customer (tenant)) • Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and federation) • Account credential lifecycle management from instantiation through revocation • Account credential and/or identity store minimization or re-use when feasible • Authentication, authorization, and accounting (AAA) rules for access to data and sessions (e.g., encryption and strong/multi-factor, expireable, non-shared authentication secrets) • Permissions and supporting capabilities for customer (tenant) controls over authentication, authorization, and accounting (AAA) rules for access to data and sessions • Adherence to applicable legal, statutory, or regulatory compliance requirements |