aquasecurity · simar7 · Nov 26, 2025 · Nov 13, 2025 · Nov 13, 2025 · Nov 13, 2025
@@ -0,0 +1,23 @@
+
+Provision the AKS cluster with `private_cluster_enabled = true` and use private endpoints.
+
+```hcl
+resource "azurerm_kubernetes_cluster" "good_example" {
+  name                = "example-aks"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  dns_prefix          = "exampleaks"
+
+  private_cluster_enabled = true
+
+  default_node_pool {
+    name       = "default"
+    node_count = 1
+    vm_size    = "Standard_D2_v2"
+  }
+}
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#private_cluster_enabled
+
@@ -0,0 +1,14 @@
+
+A public AKS API server endpoint increases exposure to unauthorized access or attack. Enable private cluster to ensure the API server endpoint is only accessible from within the virtual network.
+
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#private_cluster_enabled
+
+
@@ -0,0 +1,23 @@
+
+Enable Azure Policy add-on on the AKS cluster to enforce governance policies.
+
+```hcl
+resource "azurerm_kubernetes_cluster" "good_example" {
+  name                = "example-aks"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  dns_prefix          = "exampleaks"
+
+  azure_policy_enabled = true
+
+  default_node_pool {
+    name       = "default"
+    node_count = 1
+    vm_size    = "Standard_D2_v2"
+  }
+}
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#azure_policy_enabled
+
@@ -0,0 +1,14 @@
+
+Azure Kubernetes Service should enable Azure Policy Add-On to enforce compliance and governance policies on the cluster. The add-on extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA).
+
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#azure_policy_enabled
+
+
@@ -0,0 +1,22 @@
+
+Configure a disk encryption set ID for the AKS cluster to enable customer-managed key encryption.
+
+```hcl
+resource "azurerm_kubernetes_cluster" "good_example" {
+  name                   = "example-aks"
+  location               = azurerm_resource_group.example.location
+  resource_group_name    = azurerm_resource_group.example.name
+  dns_prefix             = "exampleaks"
+  disk_encryption_set_id = azurerm_disk_encryption_set.example.id
+
+  default_node_pool {
+    name       = "default"
+    node_count = 1
+    vm_size    = "Standard_D2_v2"
+  }
+}
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#disk_encryption_set_id
+
@@ -0,0 +1,14 @@
+
+Azure Kubernetes clusters should define a disk encryption set ID to ensure encrypted storage for OS and data disks. This provides an additional layer of security by encrypting data at rest.
+
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#disk_encryption_set_id
+
+
@@ -0,0 +1,39 @@
+# METADATA
+# title: Ensure AKS cluster has Azure Policy add-on enabled
+# description: |
+#   Azure Kubernetes Service should enable Azure Policy Add-On to enforce compliance and governance policies on the cluster. The add-on extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA).
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#azure_policy_enabled
+# custom:
+#   id: AVD-AZU-0066
+#   avd_id: AVD-AZU-0066
+#   provider: azure
+#   service: container
+#   severity: LOW
+#   short_code: enable-azure-policy-addon
+#   recommended_action: Enable Azure Policy add-on on the AKS cluster to enforce governance policies.
+#   minimum_trivy_version: 0.68.0
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: container
+#             provider: azure
+#   examples: checks/cloud/azure/container/enable_azure_policy_addon.yaml
+package builtin.azure.container.azure0066
+
+import rego.v1
+
+import data.lib.cloud.metadata
+
+deny contains res if {
+	some cluster in input.azure.container.kubernetesclusters
+	not cluster.addonprofile.azurepolicy.enabled.value
+	res := result.new(
+		"Cluster does not have Azure Policy add-on enabled.",
+		metadata.obj_by_path(cluster, ["addonprofile", "azurepolicy", "enabled"]),
+	)
+}
@@ -0,0 +1,48 @@
+terraform:
+  links:
+    - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#azure_policy_enabled
+  good:
+    - |-
+      resource "azurerm_kubernetes_cluster" "good_example" {
+        name                = "example-aks"
+        location            = azurerm_resource_group.example.location
+        resource_group_name = azurerm_resource_group.example.name
+        dns_prefix          = "exampleaks"
+
+        azure_policy_enabled = true
+
+        default_node_pool {
+          name       = "default"
+          node_count = 1
+          vm_size    = "Standard_D2_v2"
+        }
+      }
+  bad:
+    - |-
+      resource "azurerm_kubernetes_cluster" "bad_example" {
+        name                = "example-aks"
+        location            = azurerm_resource_group.example.location
+        resource_group_name = azurerm_resource_group.example.name
+        dns_prefix          = "exampleaks"
+
+        azure_policy_enabled = false
+
+        default_node_pool {
+          name       = "default"
+          node_count = 1
+          vm_size    = "Standard_D2_v2"
+        }
+      }
+    - |-
+      resource "azurerm_kubernetes_cluster" "bad_example" {
+        name                = "example-aks"
+        location            = azurerm_resource_group.example.location
+        resource_group_name = azurerm_resource_group.example.name
+        dns_prefix          = "exampleaks"
+
+        default_node_pool {
+          name       = "default"
+          node_count = 1
+          vm_size    = "Standard_D2_v2"
+        }
+      }
@@ -0,0 +1,23 @@
+package builtin.azure.container.azure0066_test
+
+import rego.v1
+
+import data.builtin.azure.container.azure0066 as check
+
+test_deny_azure_policy_disabled if {
+	inp := {"azure": {"container": {"kubernetesclusters": [{"addonprofile": {"azurepolicy": {"enabled": {"value": false}}}}]}}}
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_deny_azure_policy_not_specified if {
+	inp := {"azure": {"container": {"kubernetesclusters": [{}]}}}
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_allow_azure_policy_enabled if {
+	inp := {"azure": {"container": {"kubernetesclusters": [{"addonprofile": {"azurepolicy": {"enabled": {"value": true}}}}]}}}
+	res := check.deny with input as inp
+	res == set()
+}
@@ -0,0 +1,44 @@
+# METADATA
+# title: Ensure AKS cluster has disk encryption set ID configured
+# description: |
+#   Azure Kubernetes clusters should define a disk encryption set ID to ensure encrypted storage for OS and data disks. This provides an additional layer of security by encrypting data at rest.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#disk_encryption_set_id
+# custom:
+#   id: AVD-AZU-0067
+#   avd_id: AVD-AZU-0067
+#   provider: azure
+#   service: container
+#   severity: LOW
+#   short_code: enable-disk-encryption
+#   recommended_action: Configure a disk encryption set ID for the AKS cluster to enable customer-managed key encryption.
+#   minimum_trivy_version: 0.68.0
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: container
+#             provider: azure
+#   examples: checks/cloud/azure/container/enable_disk_encryption.yaml
+package builtin.azure.container.azure0067
+
+import rego.v1
+
+import data.lib.cloud.metadata
+import data.lib.cloud.value
+
+deny contains res if {
+	some cluster in input.azure.container.kubernetesclusters
+	is_disk_encryption_missing(cluster)
+	res := result.new(
+		"Cluster does not have disk encryption set ID configured.",
+		metadata.obj_by_path(cluster, ["diskencryptionsetid"]),
+	)
+}
+
+is_disk_encryption_missing(cluster) if value.is_empty(cluster.diskencryptionsetid)
+
+is_disk_encryption_missing(cluster) if not cluster.diskencryptionsetid
@@ -0,0 +1,32 @@
+terraform:
+  links:
+    - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#disk_encryption_set_id
+  good:
+    - |-
+      resource "azurerm_kubernetes_cluster" "good_example" {
+        name                   = "example-aks"
+        location               = azurerm_resource_group.example.location
+        resource_group_name    = azurerm_resource_group.example.name
+        dns_prefix             = "exampleaks"
+        disk_encryption_set_id = azurerm_disk_encryption_set.example.id
+
+        default_node_pool {
+          name       = "default"
+          node_count = 1
+          vm_size    = "Standard_D2_v2"
+        }
+      }
+  bad:
+    - |-
+      resource "azurerm_kubernetes_cluster" "bad_example" {
+        name                = "example-aks"
+        location            = azurerm_resource_group.example.location
+        resource_group_name = azurerm_resource_group.example.name
+        dns_prefix          = "exampleaks"
+
+        default_node_pool {
+          name       = "default"
+          node_count = 1
+          vm_size    = "Standard_D2_v2"
+        }
+      }
@@ -0,0 +1,23 @@
+package builtin.azure.container.azure0067_test
+
+import rego.v1
+
+import data.builtin.azure.container.azure0067 as check
+
+test_deny_disk_encryption_not_configured if {
+	inp := {"azure": {"container": {"kubernetesclusters": [{}]}}}
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_deny_disk_encryption_empty if {
+	inp := {"azure": {"container": {"kubernetesclusters": [{"diskencryptionsetid": {"value": ""}}]}}}
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_allow_disk_encryption_configured if {
+	inp := {"azure": {"container": {"kubernetesclusters": [{"diskencryptionsetid": {"value": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/example/providers/Microsoft.Compute/diskEncryptionSets/example"}}]}}}
+	res := check.deny with input as inp
+	res == set()
+}
@@ -0,0 +1,39 @@
+# METADATA
+# title: Ensure AKS cluster has private cluster enabled
+# description: |
+#   A public AKS API server endpoint increases exposure to unauthorized access or attack. Enable private cluster to ensure the API server endpoint is only accessible from within the virtual network.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#private_cluster_enabled
+# custom:
+#   id: AVD-AZU-0065
+#   avd_id: AVD-AZU-0065
+#   provider: azure
+#   service: container
+#   severity: MEDIUM
+#   short_code: enable-private-cluster
+#   recommended_action: Provision the AKS cluster with `private_cluster_enabled = true` and use private endpoints.
+#   minimum_trivy_version: 0.68.0
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: container
+#             provider: azure
+#   examples: checks/cloud/azure/container/enable_private_cluster.yaml
+package builtin.azure.container.azure0065
+
+import rego.v1
+
+import data.lib.cloud.metadata
+
+deny contains res if {
+	some cluster in input.azure.container.kubernetesclusters
+	not cluster.enableprivatecluster.value
+	res := result.new(
+		"Cluster does not have private cluster enabled.",
+		metadata.obj_by_path(cluster, ["enableprivatecluster"]),
+	)
+}