CIS AKS Azure Linux 3 Benchmark, continuously evidenced.
The CIS AKS Azure Linux 3 Benchmark defines 141 controls for Azure Linux 3-based AKS nodes. Azure Linux 3 is the latest container-optimized OS for AKS, with hardened kernel defaults, Trusted Platform Module integration, and additional supply-chain attestation. The benchmark refines the Azure Linux 2 control set for these new capabilities.
AKS Azure Linux 3 benchmark at a glance.
- Benchmark version: v1.0.0
- Total controls: 141
- Scan type: Agent
- Available tier: All plans
- Category: Endpoint
- Drift detection: Yes, between every scheduled scan
What this benchmark actually covers.
- Azure Linux 3 node hardening
- TPM-backed attestation
- Hardened kernel defaults
- Container runtime configuration
- kubelet + network hardening
- Supply-chain integrity expectations
AKS Azure Linux 3 questions, answered directly.
When should I use Azure Linux 3 vs Azure Linux 2?
Azure Linux 3 is the newer container-optimized OS, with stronger default hardening and additional supply-chain attestation. Microsoft recommends Azure Linux 3 for new AKS deployments. Existing Azure Linux 2 clusters can migrate gradually; CISGuard scans both with the appropriate benchmark per node.
Does CISGuard validate TPM attestation?
Yes. The CIS AKS Azure Linux 3 Benchmark includes TPM-backed attestation controls. CISGuard validates that the TPM is initialized, the attestation chain is intact, and the expected measurements are present. This evidence is increasingly important for sovereign deployments where supply-chain integrity is non-negotiable.
How is supply-chain integrity validated?
Azure Linux 3 ships with cryptographic measurements of system components: kernel, container runtime, kubelet. CISGuard validates these measurements against the expected baseline. Drift in supply-chain measurements is flagged immediately, satisfying SLSA-style supply-chain integrity expectations.
Want an AKS Azure Linux 3 scan of your environment?
Our compliance engineers will scope your environment and quote within one business day of an initial briefing.