Disable default SA token auto-mount
Description
Default ServiceAccount in every namespace should not auto-mount its token into pods.
⚠️ Risk Impact
Auto-mounted tokens give every Pod implicit access to the K8s API: a compromised application gains K8s API access regardless of how the application itself was designed.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Patch the default SA in every namespace: kubectl patch sa default -n <namespace> -p '{"automountServiceAccountToken": false}'. Note that a pod's own spec.automountServiceAccountToken, when set, overrides the ServiceAccount-level setting in either direction.
💀 Real-World Attack Scenario
A web application pod was compromised via Log4Shell. The default SA token was auto-mounted; the attacker used it to enumerate the K8s API, discover other pods and read secrets. Without auto-mount, the attack would have been contained to the single pod.
💰 Cost of Non-Compliance
Default-SA-mount-related K8s breaches: 18% of K8s incidents (Aqua 2024).
📋 Audit Questions
1. Default SA auto-mount disabled across all namespaces?
2. How is new-namespace creation handled?
🎯 MITRE ATT&CK Mapping
🏗️ Infrastructure as Code Fix
# The default SA is created by Kubernetes itself, so import the existing object
# (terraform import kubernetes_service_account_v1.default my-ns/default) before
# applying; otherwise Terraform will try to create it and fail with "already exists".
resource "kubernetes_service_account_v1" "default" {
  metadata {
    name      = "default"
    namespace = "my-ns"
  }
  automount_service_account_token = false
}
⚡ Common Pitfalls
- ⛔ Manual patching skips new namespaces
- ⛔ No admission policy to enforce
- ⛔ Workloads that depend on auto-mount break silently
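An added audit example (not EchelonGraph code) covering the remediation step and the "breaks silently" pitfall above: given the parsed output of kubectl get sa -A -o json and kubectl get pods -A -o json, it reports which default ServiceAccounts still auto-mount a token and which pods, relying on the default SA with no pod-level override, would lose their token once the SA is patched. The namespaces and pod names below are constructed sample data, not from a real cluster.

```python
# Added audit example (not EchelonGraph code); see lead-in for assumptions.

def effective_automount(pod, sa):
    """Kubernetes precedence: pod.spec.automountServiceAccountToken wins,
    otherwise the ServiceAccount's flag; unset on both means True."""
    pod_flag = pod["spec"].get("automountServiceAccountToken")
    if pod_flag is not None:
        return pod_flag
    sa_flag = sa.get("automountServiceAccountToken")
    return True if sa_flag is None else sa_flag

def audit(sa_list, pod_list):
    """Return (namespaces whose default SA still auto-mounts,
    pods relying on that default that need review before the patch)."""
    defaults = {sa["metadata"]["namespace"]: sa for sa in sa_list["items"]
                if sa["metadata"]["name"] == "default"}
    noncompliant = sorted(ns for ns, sa in defaults.items()
                          if sa.get("automountServiceAccountToken") is not False)
    affected = []
    for pod in pod_list["items"]:
        spec, ns = pod["spec"], pod["metadata"]["namespace"]
        sa = defaults.get(ns)
        if sa is None or spec.get("serviceAccountName", "default") != "default":
            continue
        # Token comes only from the SA default: patching the SA removes it.
        if effective_automount(pod, sa) and spec.get("automountServiceAccountToken") is None:
            affected.append(f"{ns}/{pod['metadata']['name']}")
    return noncompliant, affected

# Constructed sample data mirroring the kubectl JSON shape (not a real cluster).
SA_LIST = {"items": [
    {"metadata": {"name": "default", "namespace": "prod"}},
    {"metadata": {"name": "default", "namespace": "staging"},
     "automountServiceAccountToken": False},
    {"metadata": {"name": "default", "namespace": "kube-system"}},
]}
POD_LIST = {"items": [
    {"metadata": {"name": "web", "namespace": "prod"}, "spec": {}},
    {"metadata": {"name": "worker", "namespace": "prod"},
     "spec": {"serviceAccountName": "worker"}},
    {"metadata": {"name": "api", "namespace": "staging"},
     "spec": {"automountServiceAccountToken": True}},
    {"metadata": {"name": "agent", "namespace": "kube-system"},
     "spec": {"automountServiceAccountToken": False}},
]}

if __name__ == "__main__":
    bad_ns, review = audit(SA_LIST, POD_LIST)
    print("default SA still auto-mounts in:", bad_ns)   # ['kube-system', 'prod']
    print("pods to review before patching:", review)    # ['prod/web']
```

Pods listed for review either need a dedicated ServiceAccount with the API permissions they actually use, or an explicit pod-level automountServiceAccountToken: true if they genuinely need the default token.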
📈 Business Value
Disabling default-SA auto-mount limits K8s API access blast radius.
⏱️ Effort Estimate
Per-namespace patching
EchelonGraph enforces via Kyverno/OPA
🔗 Cross-Framework References
Automate CIS Kubernetes 5.1.4 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.