<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">
Curious about how StrongDM works? 🤔 Learn more here!
Close icon
Search bar icon

CIS Kubernetes Benchmark Implementation Recommendations

The CIS Kubernetes Benchmark is a set of prescriptive recommendations assembled to guide administrators to achieve good security hygiene and results in strengthened security outcomes for their Kubernetes environments. 

Because the recommendations are prescriptive (as they are for most of the CIS Benchmarks), they describe a specific command or setting to be made on a Kubernetes component, what problem the recommendation mitigates, the test for a successful outcome and a remediation to satisfy the recommendation.

At the end of the recommendation made by the CIS Benchmark, there is a mapping to specific CIS Critical Security Controls Safeguards. The Controls Safeguards are aligned with StrongDM’s capabilities.

CIS Recommendations Guidelines for StrongDM

Our role in helping Kubernetes admins focuses on proactive prevention. Meaning, of the relevant recommendations, StrongDM would prevent the issue described from happening in the first place.

StrongDM proactively prevents the following issues addressed by CIS for Kubernetes: the Kubernetes API service (Section 1.2), Authentication and Authorization System (Section 3.1), and the RBAC and Service Accounts Components (Section 5.1).

1. Standing access and standing privileges

StrongDM’s Access Workflows and Just-In-Time access capabilities allow teams to implement access to critical Kubernetes administrative components only when needed and for the duration required. Eliminate standing access and privileges to Kubernetes admins and grant access to components only when needed via automated and manual workflows.

2. Credentials exposure

StrongDM never exposes the credentials needed to access target resources, including Kubernetes, to end users. Rather, the credentials are obtained from a secure vault of your choosing, and exchanged between the StrongDM Gateway and Resource in an encrypted exchange and are never stored on permanent media. 

3. Least privilege reporting

The StrongDM Least Privilege Report provides information about access grants to Kubernetes and other resources that have been inactive for a certain period of time, displaying information such as the user’s name and permission level, the name and type of resource they were granted access, and the last time the resource was accessed. This report allows admins to easily see which users are not using the resources available to them, and assess whether or not their access should be revoked.

💡Make it easy: Fine-tune least privilege by analyzing and responding to comprehensive access insights. Easily report on which privileges are being used (or not). Try it for yourself.


4. Session recording and audit logs for auditing and visibility

StrongDM provides session recordings and audit logs for all access to Kubernetes resources, including the kubectl commands issued, which are critical for identifying root cause and responsible entity in security incidents. This improves Mean Time to Investigate (MTTI) and Mean Time to Respond (MTTR) to any incident. 

Conclusion: StrongDM Is Critical for Implementing CIS Kubernetes Benchmark

StrongDM provides a robust set of capabilities that simplify access, while maintaining the most secure posture for administrative access to Kubernetes. Support of Kubernetes is just one component that makes up our Dynamic Access Management (DAM) platform. Knowing that Kubernetes hosts and is adjacent to a myriad of applications and services critical to your business, we also support resources such as databases and cloud accounts, legacy as well as cloud-native applications, and we centralize access to every one of those resources.


Want to see more DAM Kubernetes in action? Book a demo.

About the Author

, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he lead an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

5 Methods to Restart Kubernetes Pods Using Kubectl
How to Restart Kubernetes Pods with Kubectl: 5 Methods
Kubernetes pod restarts are important for efficiently managing containerized applications in a dynamic microservices architecture. Understanding how to effectively restart pods using kubectl will help you streamline operations and minimize downtime. This article describes five methods to restart Kubernetes pods empowering you to maintain application health and performance confidently.
MITRE ATT&CK Framework Containers Matrix for Kubernetes
MITRE ATT&CK Framework Containers Matrix for Kubernetes
If you’re Kuberntes admin and you’re not familiar with the tactics outlined in the MITRE ATT&CK framework, this blog post is for you. MITRE ATT&CK framework is an extensive knowledge base of tactics and techniques employed by bad actors that defensive security experts use to help defend their organizations against attack, and many times, used by their offensive security counterparts to test their weaknesses.
Simplify Kubernetes Management on AWS
Simplify Kubernetes Management on AWS
Secure access controls must be applied universally and consistently across all your infrastructure—from the Linux boxes in your datacenter to your Kubernetes clusters in AWS. StrongDM Dynamic Access Management is uniquely positioned to provide seamless, secure access across your entire stack, simplifying access management and compliance for your legacy systems and modern cloud stack.
SSH and Kubernetes Remote Identities
Supercharge Your SSH and Kubernetes Resources with Remote Identities
Learn how Remote Identities helps you leverage SSH and k8s capabilities to capitalize on infrastructure workflow investments you’ve already made.
Enterprise Kubernetes
Kubernetes in the Enterprise Webinar Recap
Join strongDM CTO Justin McCarthy and a panel of experts as they discuss the challenges, complexities, and best practices of enterprise k8s adoption.