Authorization Bypass Due to Enabled Local Admin Account in AKS Cluster in Terraform

High Risk Infrastructure Security
Tags: azure, aks, kubernetes, authentication, local-admin

What it is

An AKS cluster is provisioned with its built-in local admin account still enabled. That account is a static, certificate-based cluster-admin identity handed out by `az aks get-credentials --admin`; it is not tied to any Azure AD user, so it cannot be governed by Azure AD sign-in policies, conditional access, or Azure RBAC. Anyone holding a leaked or shared admin kubeconfig gets full control of the cluster, bypassing the Azure AD integration and RBAC rules you configured for everyone else.

Why it happens

The Terraform azurerm provider only disables the account when told to: `local_account_disabled` on `azurerm_kubernetes_cluster` defaults to `false`, so any cluster definition that omits it keeps the local admin kubeconfig obtainable, regardless of whether Azure AD integration is configured.

Root causes

Default Configuration Left Enabled

The `local_account_disabled` argument is omitted from the `azurerm_kubernetes_cluster` resource, so the provider leaves the local admin account enabled by default.

Legacy Automation Dependencies

CI/CD pipelines or automation scripts still authenticate with a local admin kubeconfig instead of an Azure AD service principal or managed identity, so the account is kept alive to avoid breaking them.

Break-Glass Access Misconception

The local admin account is kept as a 'break-glass' emergency access method without recognizing that it is an unaudited, non-expiring cluster-admin credential that sidesteps every Azure AD control; an Azure AD admin group is the supported break-glass path.

Fixes

1

Disable Local Admin Account

Set `local_account_disabled = true` in your `azurerm_kubernetes_cluster` resource so that Azure AD is the only authentication path. Once applied, `az aks get-credentials --admin` no longer returns a kubeconfig, so migrate any automation that depends on it first and designate an Azure AD group for emergency access instead.

2

Enable Azure AD RBAC

Configure the `azure_active_directory_role_based_access_control` block with `managed = true` and `azure_rbac_enabled = true`, and list your emergency-access Azure AD group in `admin_group_object_ids` so break-glass access is still available without the local account.

3

Use Azure AD Groups for Access Control

Create Azure AD groups with specific, scoped permissions (for example, the built-in "Azure Kubernetes Service RBAC Reader" role on a single namespace) and assign users to those groups rather than distributing shared credentials.
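The three fixes above, combined into one Terraform configuration. This is an added example written for this page, not code from Sourcery or from the azurerm provider documentation; it is written against azurerm provider 3.x (the `managed` argument shown on this page was removed in azurerm 4.0, where the block is always managed) and azuread provider 2.x, and every resource name, group name, location and VM size is a hypothetical placeholder. The first cluster reproduces the finding; the second is the hardened form.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Tenant of the deploying identity, used for the Azure AD integration block.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "aks" {
  name     = "rg-aks-example" # hypothetical
  location = "westeurope"     # hypothetical
}

# --- VULNERABLE: local_account_disabled is omitted, so it defaults to false.
# `az aks get-credentials --admin` still hands out a certificate-based
# cluster-admin kubeconfig that Azure AD and Azure RBAC never see.
resource "azurerm_kubernetes_cluster" "vulnerable" {
  name                = "aks-local-admin-on" # hypothetical
  location            = azurerm_resource_group.aks.location
  resource_group_name = azurerm_resource_group.aks.name
  dns_prefix          = "akslocaladminon"

  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_D2s_v3" # hypothetical
  }

  identity {
    type = "SystemAssigned"
  }
}

# --- Fix 3: Azure AD groups carry the permissions; no shared credentials.
resource "azuread_group" "cluster_admins" {
  display_name     = "aks-cluster-admins" # hypothetical; break-glass group
  security_enabled = true
}

resource "azuread_group" "dev_readers" {
  display_name     = "aks-dev-readers" # hypothetical
  security_enabled = true
}

# --- HARDENED: Fix 1 + Fix 2 on the cluster itself.
resource "azurerm_kubernetes_cluster" "hardened" {
  name                = "aks-local-admin-off" # hypothetical
  location            = azurerm_resource_group.aks.location
  resource_group_name = azurerm_resource_group.aks.name
  dns_prefix          = "akslocaladminoff"

  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_D2s_v3" # hypothetical
  }

  identity {
    type = "SystemAssigned"
  }

  # Fix 1: the only way in is through Azure AD.
  local_account_disabled = true

  # Fix 2: managed Azure AD integration with Azure RBAC for Kubernetes
  # authorization; the admin group replaces the local account as break-glass.
  azure_active_directory_role_based_access_control {
    managed                = true
    tenant_id              = data.azurerm_client_config.current.tenant_id
    azure_rbac_enabled     = true
    admin_group_object_ids = [azuread_group.cluster_admins.object_id]
  }
}

# Fix 3, applied: least-privilege, namespace-scoped read access for developers
# via the built-in "Azure Kubernetes Service RBAC Reader" role.
resource "azurerm_role_assignment" "dev_readers" {
  scope                = "${azurerm_kubernetes_cluster.hardened.id}/namespaces/dev"
  role_definition_name = "Azure Kubernetes Service RBAC Reader"
  principal_id         = azuread_group.dev_readers.object_id
}
```

After `terraform apply`, confirm the setting on the live cluster with `az aks show -g rg-aks-example -n aks-local-admin-off --query disableLocalAccounts` (expected `true`); `az aks get-credentials --admin` against that cluster should now fail, while `az aks get-credentials` without `--admin` returns a kubeconfig that prompts for Azure AD sign-in. Delete the `vulnerable` resource before applying in a real environment; it is only there to show the difference.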

Detect This Vulnerability in Your Code

Sourcery automatically identifies an authorization bypass due to an enabled local admin account in an AKS cluster in Terraform, along with many other security issues in your codebase.