AKS Queries

README.md

@@ -31,39 +31,41 @@
 
 | Metric | Value |
 |--------|-------|
-| Total Queries | 36 |
+| Total Queries | 43 |
 | Covered Queries | 0 |
 | Coverage Percentage | 0.0% |
-| Categories | 2 |
-| CWE Categories | 14 |
+| Categories | 3 |
+| CWE Categories | 15 |
 
 ### Coverage by Category
 
 | Category | Covered | Total | Percentage |
 |----------|---------|-------|------------|
 | Diagnostics | 0 | 2 | 0.0% |
-| Security | 0 | 34 | 0.0% |
+| Security | 0 | 40 | 0.0% |
+| Testing | 0 | 1 | 0.0% |
 
 ### Coverage by CWE
 
 | CWE | Description | Covered | Total | Percentage |
 |-----|-------------|---------|-------|------------|
 | CWE-200 | Information Exposure | 0 | 2 | 0.0% |
 | CWE-272 | Least Privilege Violation | 0 | 2 | 0.0% |
-| CWE-284 | Improper Access Control | 0 | 2 | 0.0% |
+| CWE-284 | Improper Access Control | 0 | 4 | 0.0% |
 | CWE-295 | Improper Certificate Validation | 0 | 1 | 0.0% |
-| CWE-306 | Missing Authentication | 0 | 2 | 0.0% |
-| CWE-311 | Missing Encryption | 0 | 1 | 0.0% |
+| CWE-306 | Missing Authentication | 0 | 3 | 0.0% |
+| CWE-311 | Missing Encryption | 0 | 2 | 0.0% |
 | CWE-319 | Cleartext Transmission | 0 | 4 | 0.0% |
 | CWE-327 | Broken/Risky Crypto Algorithm | 0 | 3 | 0.0% |
 | CWE-352 | Cross-Site Request Forgery | 0 | 1 | 0.0% |
-| CWE-400 | Resource Exhaustion | 0 | 1 | 0.0% |
+| CWE-400 | Resource Exhaustion | 0 | 2 | 0.0% |
 | CWE-404 | Improper Resource Shutdown | 0 | 2 | 0.0% |
+| CWE-668 | Security Vulnerability | 0 | 1 | 0.0% |
 | CWE-693 | Protection Mechanism Failure | 0 | 1 | 0.0% |
 | CWE-798 | Hard-coded Credentials | 0 | 2 | 0.0% |
 | CWE-942 | Overly Permissive CORS | 0 | 4 | 0.0% |
 
-*Last updated: 2025-06-17 15:45:17 UTC*
+*Last updated: 2025-06-25 14:04:04 UTC*
 
 <!-- COVERAGE-REPORT:END -->
 

ql/src/security/CWE-284/AKSPublicNetworkAccess.md

@@ -0,0 +1,67 @@
+# AKS cluster with public network access enabled
+
+Azure Kubernetes Service (AKS) clusters with public network access enabled can be accessed from any public IP address, which may expose the cluster to potential attackers on the internet.
+
+## Problem statement
+
+When public network access is enabled on an AKS cluster (which is the default setting), the Kubernetes API server is accessible from the internet. This increases the attack surface of the cluster and makes it vulnerable to various attacks including brute force attempts, exploitation of known vulnerabilities, and unauthorized access attempts.
+
+## Recommendation
+
+Disable public network access by setting the `publicNetworkAccess` property to `'Disabled'` and enable private cluster access using `apiServerAccessProfile.enablePrivateCluster` set to `true`. This ensures that the Kubernetes API server is only accessible from within your virtual network.
+
+```bicep
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'secureAksCluster'
+  location: location
+  properties: {
+    // Other properties...
+    publicNetworkAccess: 'Disabled'
+    apiServerAccessProfile: {
+      enablePrivateCluster: true
+    }
+    // Other properties...
+  }
+}
+```
+
+## Example
+
+### Insecure configuration (Public network access enabled)
+
+```bicep
+resource aksClusterInsecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterInsecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    publicNetworkAccess: 'Enabled' // Insecure: Public network access is enabled
+    // Default with no apiServerAccessProfile is also insecure
+    // Other properties...
+  }
+}
+```
+
+### Secure configuration (Public network access disabled)
+
+```bicep
+resource aksClusterSecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterSecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    publicNetworkAccess: 'Disabled' // Secure: Public network access is disabled
+    apiServerAccessProfile: {
+      enablePrivateCluster: true // Secure: Private cluster is enabled
+    }
+    // Other properties...
+  }
+}
+```
+
+## References
+
+* [Azure Kubernetes Service (AKS) network concepts](https://learn.microsoft.com/en-us/azure/aks/concepts-network)
+* [Create a private AKS cluster](https://learn.microsoft.com/en-us/azure/aks/private-clusters)

ql/src/security/CWE-284/AKSPublicNetworkAccess.ql

@@ -0,0 +1,33 @@
+/**
+ * @name AKS cluster with public network access enabled
+ * @description Detects Azure Kubernetes Service (AKS) clusters with public network access enabled, which can expose the cluster to potential unauthorized access.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 6.5
+ * @precision high
+ * @id bicep/aks-public-network-access
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-284
+ */
+
+import codeql.bicep.frameworks.Microsoft.AKS
+
+from AKS::ManagedContainerResource resource, AKS::ManagedContainerProperties::Properties properties
+where
+  properties = resource.getProperties() and
+  (
+    (
+      exists(properties.getPublicNetworkAccess()) and
+      properties.getPublicNetworkAccess().getValue().toLowerCase() = "enabled"
+    ) or
+    not exists(properties.getPublicNetworkAccess()) // Default is "enabled" if not specified
+  ) and
+  // Exclude clusters that have private API server enabled
+  (
+    not exists(properties.getApiServerAccessProfile()) or
+    not exists(properties.getApiServerAccessProfile().getEnablePrivateCluster()) or
+    properties.getApiServerAccessProfile().enablePrivateCluster() = false
+  )
+select resource, "AKS cluster has public network access enabled, which can expose the cluster to unauthorized access."

ql/src/security/CWE-284/AKSRbacDisabled.md

@@ -0,0 +1,60 @@
+# AKS cluster with RBAC disabled
+
+Azure Kubernetes Service (AKS) clusters should have Role-Based Access Control (RBAC) enabled to properly restrict access to cluster resources based on user roles and permissions.
+
+## Problem statement
+
+When RBAC is disabled in AKS, anyone with access to the cluster can potentially perform any action on any resource within the cluster. This creates a significant security vulnerability as there's no fine-grained access control to protect sensitive operations.
+
+## Recommendation
+
+Always enable RBAC for AKS clusters by setting `enableRBAC` to `true` in your Bicep template:
+
+```bicep
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'secureAksCluster'
+  location: location
+  properties: {
+    // Other properties...
+    enableRBAC: true
+    // Other properties...
+  }
+}
+```
+
+## Example
+
+### Insecure configuration (RBAC disabled)
+
+```bicep
+resource aksClusterInsecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterInsecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    enableRBAC: false // Insecure: RBAC is disabled
+    // Other properties...
+  }
+}
+```
+
+### Secure configuration (RBAC enabled)
+
+```bicep
+resource aksClusterSecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterSecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    enableRBAC: true // Secure: RBAC is enabled
+    // Other properties...
+  }
+}
+```
+
+## References
+
+* [Azure Kubernetes Service RBAC](https://learn.microsoft.com/en-us/azure/aks/concepts-identity#kubernetes-rbac)
+* [Security best practices for AKS](https://learn.microsoft.com/en-us/azure/aks/security-best-practices)

ql/src/security/CWE-284/AKSRbacDisabled.ql

@@ -0,0 +1,25 @@
+/**
+ * @name AKS cluster with RBAC disabled
+ * @description Detects Azure Kubernetes Service (AKS) clusters where RBAC is disabled, which can lead to unauthorized access to the cluster.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id bicep/aks-rbac-disabled
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-284
+ */
+
+import codeql.bicep.frameworks.Microsoft.AKS
+
+from AKS::ManagedContainerResource resource, AKS::ManagedContainerProperties::Properties properties
+where
+  properties = resource.getProperties() and
+  (
+    // RBAC is explicitly disabled
+    exists(properties.getEnableRBAC()) and
+    properties.getEnableRBAC().getBool() = false
+  )
+select resource, "AKS cluster has RBAC disabled, which can lead to unauthorized access to the cluster."

ql/src/security/CWE-306/AKSLocalAccountsEnabled.md

@@ -0,0 +1,74 @@
+# AKS cluster with local accounts enabled
+
+Azure Kubernetes Service (AKS) clusters should have local Kubernetes accounts disabled in favor of Azure Active Directory (Azure AD) integration for stronger authentication controls.
+
+## Problem statement
+
+When local accounts are enabled in AKS clusters:
+
+1. Authentication relies on locally stored credentials rather than centralized Azure AD identities
+2. User access management is more manual and error-prone
+3. Central audit and monitoring of access is more difficult
+4. Advanced security features like Conditional Access policies cannot be applied
+
+## Recommendation
+
+Disable local accounts in AKS clusters by setting `disableLocalAccounts` to `true` and configure Azure AD integration:
+
+```bicep
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'secureAksCluster'
+  location: location
+  properties: {
+    // Other properties...
+    disableLocalAccounts: true
+    aadProfile: {
+      managed: true
+      enableAzureRBAC: true
+    }
+    // Other properties...
+  }
+}
+```
+
+## Example
+
+### Insecure configuration (Local accounts enabled)
+
+```bicep
+resource aksClusterInsecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterInsecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    disableLocalAccounts: false // Insecure: Local accounts are explicitly enabled
+    // Or omitting disableLocalAccounts entirely (defaults to false)
+    // Other properties...
+  }
+}
+```
+
+### Secure configuration (Local accounts disabled)
+
+```bicep
+resource aksClusterSecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterSecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    disableLocalAccounts: true // Secure: Local accounts are disabled
+    aadProfile: {
+      managed: true
+      enableAzureRBAC: true
+    }
+    // Other properties...
+  }
+}
+```
+
+## References
+
+* [Use Azure AD with AKS](https://learn.microsoft.com/en-us/azure/aks/managed-aad)
+* [AKS best practices for authentication and authorization](https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-identity)

ql/src/security/CWE-306/AKSLocalAccountsEnabled.ql

@@ -0,0 +1,24 @@
+/**
+ * @name AKS cluster with local accounts enabled
+ * @description Detects Azure Kubernetes Service (AKS) clusters with local accounts enabled, which can lead to weaker authentication controls.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id bicep/aks-local-accounts-enabled
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-306
+ */
+
+import codeql.bicep.frameworks.Microsoft.AKS
+
+from AKS::ManagedContainerResource resource, AKS::ManagedContainerProperties::Properties properties
+where
+  properties = resource.getProperties() and
+  (
+    not exists(properties.getDisableLocalAccounts()) or
+    properties.getDisableLocalAccounts().getBool() = false
+  )
+select resource, "AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication."