C-0190 - Ensure that Service Account Tokens are only mounted where necessary
Framework
cis-v1.23-t1.0.1, cis-aks-t1.2.0, cis-eks-t1.2.0
Severity
Medium
Description of the the issue
Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster.
Avoiding mounting these tokens removes this attack avenue.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, ServiceAccount, StatefulSet
What does this control test
Check that all service accounts and workloads disable automount of service account tokens.
How to check it manually
Review pod and service account objects in the cluster and ensure that the option below is set, unless the resource explicitly requires this access.
automountServiceAccountToken: false
Remediation
Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.
Impact Statement
Pods mounted without service account tokens will not be able to communicate with the API server, except where the resource is available to unauthenticated principals.
Default Value
By default, all pods get a service account token mounted in them.
Example
No example
Updated 11 days ago