CIS AKS Azure Linux 2 Benchmark, continuously evidenced.
The CIS Azure Kubernetes Service (AKS) Azure Linux 2 Benchmark defines 135 controls specific to AKS node operating system hardening. Azure Linux (formerly CBL-Mariner) is Microsoft's container-optimized Linux distribution for AKS. The benchmark covers initial setup, services, network, logging, and access control calibrated for the AKS node role.
AKS Azure Linux 2 benchmark at a glance.
- Benchmark version: v1.1.0
- Total controls: 135
- Scan type: Agent
- Available tier: All plans
- Category: Endpoint
- Drift detection: Yes, between every scheduled scan
What this benchmark actually covers.
- AKS-specific node hardening
- Container runtime configuration
- Network + kubelet hardening
- Logging + monitoring integration
- Access control (no human SSH expected)
- Read-only root filesystem expectations
AKS Azure Linux 2 questions, answered directly.
How is this benchmark different from the Kubernetes benchmark?
The CIS Kubernetes Benchmark covers cluster control-plane and workload configuration (kube-apiserver, etcd, RBAC, pods). The AKS Azure Linux 2 Benchmark covers the underlying node operating system. Both apply to a typical AKS deployment; they complement rather than overlap.
Does CISGuard scan AKS nodes automatically?
Yes. CISGuard runs as a DaemonSet on AKS clusters, scanning every node automatically as it joins the cluster. Per-node evidence aggregates to the cluster-level posture report. Node lifecycle events (scale-up, scale-down) are handled without manual intervention.
Is Azure Linux 3 supported?
Yes. CISGuard supports the CIS AKS Azure Linux 3 Benchmark separately. AKS clusters running mixed Azure Linux 2 and 3 nodes scan each node against the matching benchmark automatically.
Want an AKS Azure Linux 2 scan of your environment?
Our compliance engineers will scope your environment and quote within one business day of an initial briefing.