Skip to main content
← All benchmarks
CIS Azure AKS Benchmark

CIS Azure AKS Benchmark, continuously evidenced.

The CIS Azure Kubernetes Service Benchmark v1.8.0 defines 49 controls specific to AKS clusters: Azure RBAC integration, managed identity, network policy, Azure Policy for AKS, and AKS-specific control-plane hardening. Combined with the CIS Kubernetes Benchmark and the AKS Azure Linux benchmark, this provides full-stack AKS evidence.

Container & OrchestrationAgentlessPro+ tier
Quick Facts

Azure AKS benchmark at a glance.

Benchmark version
v1.8.0
Total controls
49
Scan type
Agentless
Available tier
Pro and above
Category
Container & Orchestration
Drift detection
Yes, between every scheduled scan
Coverage

What this benchmark actually covers.

  • Azure RBAC for Kubernetes Authorization
  • Managed Identity integration
  • Network Policy (Azure or Calico)
  • Azure Policy for AKS
  • AKS API server access (authorized IP ranges, private cluster)
  • AKS-specific control-plane hardening
Frequently Asked

Azure AKS questions, answered directly.

How does the AKS benchmark relate to the Kubernetes benchmark?

They complement rather than overlap. The CIS Kubernetes Benchmark covers vanilla Kubernetes control-plane and workload configuration. The CIS Azure AKS Benchmark covers AKS-specific features: Azure RBAC integration, managed identity, Azure Policy integration. Together with the AKS Azure Linux benchmark, they cover the full AKS stack.

Does CISGuard support private AKS clusters?

Yes. Private AKS clusters (where the API server is not internet-accessible) require CISGuard's scanner to be deployed inside the cluster's VNet. CISGuard's scanner runs as a Kubernetes deployment with appropriate networking; configuration accommodates the private-cluster networking model.

Can CISGuard validate Azure Policy for AKS?

Yes. CIS Azure AKS Benchmark requires Azure Policy add-on enabled with specific policy assignments. CISGuard validates the add-on is enabled, the expected policy assignments are present, and the assignments are in Enforce mode (not Audit-only).

Related Benchmarks

Often deployed together with Azure AKS.

Container & Orchestration

Kubernetes

127 controls · v1.12.0

Read more →
Endpoint

AKS Azure Linux 2

135 controls · v1.1.0

Read more →
Endpoint

AKS Azure Linux 3

141 controls · v1.0.0

Read more →
Cloud

Azure Foundations

155 controls · v5.0.0

Read more →

Want a Azure AKS scan of your environment?

Our compliance engineers will scope your environment and quote within one business day of an initial briefing.

Request Executive Briefingsales@cisguard.ae →