Expel's Azure Kubernetes Service (AKS) offering consumes audit logs from the Azure platform via Azure Log Analytics  (aka Azure Monitor). Additionally, via a read-only Azure Role, Expel is able to communicate with AKS clusters. This visibility allows Expel to identify activity of interest in AKS, investigate, and notify organizations when action is recommended.

Screenshot_2023-07-20_at_1_45_59_PM.png

Prerequisites

Important

Before you begin onboarding for Azure Kubernetes Service, ensure you meet the following prerequisite.

 

Step-1: Create a storage account for AKS logs

The steps below outline creating a storage account for AKS logs. Expel integrates with this storage bucket to consume logs.

 

  1. Log in to the Azure Portal

  2. Navigate to the Storage accounts page

  3. Click Create storage account and fill out the required fields. Assign the storage account to a subscription / resource group and then name it.

    Screenshot_2023-07-20_at_1_46_48_PM.png
  4. Leave all other settings to the defaults. Optionally, you can restrict network access to Expel’s egress IPs:

    1. 34.75.13.114

    2. 34.75.152.7

    3. 35.243.190.98

    4. 104.196.158.205

    5. 34.75.81.28

    6. 34.75.210.18

  5. Create the storage account

Step-2: Configure Microsoft Entra ID application registration

The steps below outline enabling the required audit logging for onboarding AKS with Expel Workbench.

  1. Log in to the Azure Portal

  2. Navigate to the Kubernetes service page.

    Screenshot_2023-07-20_at_1_46_59_PM.png
  3. Select your Kubernetes cluster(s) and navigate to Diagnostic settings.

    Screenshot_2023-07-20_at_1_47_08_PM.png
  4. Select Add diagnostic setting to begin configuring audit logging for the cluster.

  5. Select kube-audit only, and choose the destination Storage account. Select the storage account we created earlier. Specify a minimum of 7 days as the retention period (this can optionally be extended).

    Note

    Additional diagnostic logs can optionally be enabled, but are not used by Expel for security monitoring and can incur additional Azure cost.

    Screenshot_2023-07-20_at_1_47_21_PM.png
  6. Click Save.

Step-3: Create Microsoft Entra ID application registration

The steps below outline how to grant Expel access to Kubernetes audit log data in Azure Log Analytics for onboarding with Expel Workbench.

  1. Log in to the Azure Portal

  2. Navigate to Azure Active Directory.

    Screenshot_2023-07-20_at_1_47_34_PM.png
  3. Select App registrations and then + New registration.

    Screenshot_2023-07-20_at_1_47_45_PM.png
  4. Name the application registration, and leave Supported account types to the default selection.

    Screenshot_2023-07-20_at_1_48_10_PM.png
  5. Copy the Application (client) ID and Directory (tenant) ID for later.

    Screenshot_2023-07-20_at_1_48_23_PM.png
  6. Navigate to API permissions and then click Add a permission.

  7. Select APIs my organization uses and then search for Log Analytics API.

  8. Select Application permissions and check Data.Read and then Add permissions.

    Screenshot_2023-07-20_at_1_48_42_PM.png
  9. Navigate to Certificates & secrets and select New client secret.

  10. Add a description for the secret, choose an expiration, and select Add.

    Screenshot_2023-07-20_at_1_48_53_PM.png
  11. Copy the secret value after it’s created.

Step-4: Creating a custom Azure role for Expel

Expel requires a custom Azure IAM role to grant finely grained read-only access to AKS clusters. This access is used to investigate security alerts as well as for proactive risk management.

  1. Navigate to Subscriptions and select the subscription to be monitored.

  2. Select Access control (IAM) and then click the Plus (+) button to select Custom role.

    Screenshot_2023-07-20_at_1_49_04_PM.png
  3. On the next screen, choose Start from JSON and upload ExpelAKSRole.json which will preload Expel’s required permissions for the role.

    Screenshot_2023-07-20_at_1_49_11_PM.png
  4. On the Permissions tab, review the permissions for the custom role. You see 2 permissions of type Action followed by a list of DataAction permissions.

  5. On the Assignable scopes tab, add any scopes where this role will be assigned. For example, any subscriptions or management groups where AKS clusters exist that Expel will monitor.

  6. Finally, on the Review + create tab, click Create.

Step-5: Add role assignments

Step 5a: Grant required permissions for each monitored subscription

For each Azure subscription with AKS clusters to be monitored, we need to add:

  • the Log Analytics Reader, which allows Expel to query log data ad-hoc during investigations

  • the custom Expel AKS Role (created in step 4) role assignments to the Expel application registration we created.

Do the following steps for each subscription:

  1. Navigate to Subscriptions and select the subscription to be monitored.

  2. Select Access control (IAM) and then select the Role assignments tab.

    Screenshot_2023-07-20_at_1_49_21_PM.png
  3. Select Add to add a new role assignment.

  4. Assign to Entra ID user, group or application, and select the Expel application registration that was created earlier.

  5. Assign the Log Analytics Reader role.

Step 5b: Grant access to the storage blob

To grant Expel access to the storage blob containing AKS logs, we need to create an additional role assignment.

  1. Navigate to the subscription where the storage account exists and select Access control (IAM) & Role assignments.

  2. Press Create role assignment.

  3. Select Add to add a new role assignment.

  4. Select the Storage Blob Data Reader role.

    Screenshot_2023-07-20_at_1_49_29_PM.png
  5. Assign the role to the Expel application created earlier.

    Screenshot_2023-07-20_at_1_49_36_PM.png
  6. On the Conditions (optional) page, create a new condition that allows All data read operations when the resource (the storage account) name equals the storage account created earlier. This ensures Expel can only read from that specific storage account.

    Screenshot_2023-07-20_at_1_49_43_PM.png
  7. Finally, Review + Assign the role assignment.

    Screenshot_2023-07-20_at_1_49_50_PM.png

Step-6: Onboarding to Expel Workbench

The steps below outline how to finish onboarding AKS in Expel Workbench.

  1. Log in to Expel Workbench

  2. Navigate to Settings & Security devices.

  3. Select Add security device.

  4. Select Azure Kubernetes Service.

  5. Name the device, provide a description, and fill in the Application (client) ID, Directory (tenant) ID, Application secret, and Storage account name.

  6. Save the device.