Azure API calls indicating AKS cluster modification
Description
AlphaSOC detected modification of an Azure Kubernetes Service (AKS) cluster
configuration via Microsoft.ContainerService/managedClusters/write.
Configuration changes to AKS clusters can affect the organization's security
posture. Threat actors with compromised cloud credentials may modify cluster
configurations to weaken security controls or facilitate further attacks.
Impact
Unauthorized cluster modifications can weaken security posture by disabling authentication requirements, modifying network policies, or granting excessive RBAC permissions. Threat actors may use configuration changes to expose the cluster to external access, disable audit logging, establish persistence within the Kubernetes environment, or disrupt services.
Severity
| Severity | Condition |
|---|---|
| Low | AKS cluster modification detected |
| Medium | Anomalous AKS cluster modification |
Investigation and Remediation
Review Azure Activity logs for the
Microsoft.ContainerService/managedClusters/write action. Examine what
configuration settings were changed and identify the principal responsible.
Compare the current cluster configuration against baseline security settings.
If unauthorized, revert the configuration changes to restore the expected security posture. Review audit logs for related suspicious activities. Rotate credentials for the compromised identity and implement Azure Policy to enforce required cluster configuration standards.
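The triage step above, worked as an added example (not part of the AlphaSOC rule) over constructed Azure Activity Log records: it keeps only completed managedClusters/write operations, names the cluster and the principal, and grades each one with the rule's Low/Medium severities. The approved-caller set and the "anomalous means caller outside that set" criterion are assumptions, since the rule text does not define what counts as anomalous.

```python
from typing import Dict, Iterable, List
# Operation name as it appears in Azure Activity Log exports (Azure upper-cases it).
AKS_WRITE_OP = "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/WRITE"
# Assumed set of identities expected to change AKS clusters (e.g. the
# platform deployment pipeline). Not defined by the detection rule.
APPROVED_CALLERS = {"platform-pipeline@example.com"}

SUB = "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-PROD"
AKS_PROD = SUB + "/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/AKS-PROD-01"
# Constructed sample records in the Azure Monitor Activity Log export shape,
# trimmed to the fields used here. Not real telemetry.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"time": "2024-05-01T09:12:03Z", "operationName": AKS_WRITE_OP, "resultType": "Start",
     "caller": "platform-pipeline@example.com", "resourceId": AKS_PROD, "correlationId": "c1"},
    {"time": "2024-05-01T09:12:41Z", "operationName": AKS_WRITE_OP, "resultType": "Success",
     "caller": "platform-pipeline@example.com", "resourceId": AKS_PROD, "correlationId": "c1"},
    {"time": "2024-05-01T22:47:10Z", "operationName": AKS_WRITE_OP, "resultType": "Success",
     "caller": "jdoe@example.com", "resourceId": AKS_PROD, "correlationId": "c2"},
    {"time": "2024-05-01T22:48:00Z", "operationName": "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/READ",
     "resultType": "Success", "caller": "jdoe@example.com", "resourceId": AKS_PROD, "correlationId": "c3"},
]

def cluster_name(resource_id: str) -> str:
    """The managed cluster name is the last segment of the ARM resource ID."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]

def triage_aks_writes(records: Iterable[Dict[str, str]],
                      approved_callers: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per completed managedClusters/write, graded Low or Medium."""
    # Azure emits several records per operation ("Start", then "Success"/"Failure")
    # sharing one correlationId; only the successful completion changed configuration.
    approved = {c.lower() for c in approved_callers}
    findings = []
    for rec in records:
        if rec.get("operationName", "").upper() != AKS_WRITE_OP:
            continue
        if rec.get("resultType") != "Success":
            continue
        caller = rec.get("caller", "")
        # Assumed anomaly criterion: a caller outside the approved set raises the
        # rule's Medium severity; everything else is the baseline Low finding.
        anomalous = caller.lower() not in approved
        findings.append({
            "severity": "Medium" if anomalous else "Low",
            "reason": "Anomalous AKS cluster modification" if anomalous
                      else "AKS cluster modification detected",
            "time": rec.get("time", ""), "caller": caller,
            "cluster": cluster_name(rec.get("resourceId", "")),
            "correlationId": rec.get("correlationId", ""),
        })
    return findings
```

Each finding's correlationId is the pivot back into the Activity Log to pull the full request body and see which settings changed; the Medium finding here is the one to compare against the cluster's baseline first.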