☸️ CIS Kubernetes 5.4.1 | Rule: K8S-SEC-001 | Severity: medium

Secrets via volume not env

Description

Mount Secrets as volumes rather than environment variables.

⚠️ Risk Impact

Environment variables are visible to anyone with kubectl exec or pod logs access; a process dump, a crash report, or a debug endpoint that prints the environment exposes them just as readily. Volume-mounted Secrets are files with their own ownership and mode, which gives better access isolation.

🔍 How EchelonGraph Detects This

K8S-SEC-001: automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.

🔧 Remediation

Project the Secret into the container as files: declare a `volumes` entry of type `secret` (`secret.secretName`) in the pod spec and a matching `volumeMounts` entry on the container, ideally `readOnly: true` with a restrictive `defaultMode`. Avoid the two environment-variable forms, `envFrom[].secretRef` and `env[].valueFrom.secretKeyRef`, and have the application read the mounted files instead.

💀 Real-World Attack Scenario

An application logged its environment variables for debugging. The logs went to a SIEM accessible to support engineers. Secret values were visible in plaintext logs.

💰 Cost of Non-Compliance

Env-var leak to logs: avg $400K incident.

📋 Audit Questions

  1. Are Secrets mounted as volumes?
  2. Is the envFrom secretRef pattern in use?
  3. Is log scrubbing in place?
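The following is an added example, not EchelonGraph's scanner code or anything from the CIS benchmark. It embeds two constructed pod manifests (the names, Secret names and image are placeholders): one that injects Secrets through `envFrom.secretRef` and `env[].valueFrom.secretKeyRef`, and the remediated form that projects the same Secrets as a `secret` volume. The audit functions answer audit questions 1 and 2 for a Pod, or for a Deployment/StatefulSet/Job by following `spec.template.spec`, and report where each Secret reaches a container.

```python
"""Audit Kubernetes manifests for Secrets delivered via environment variables
(CIS Kubernetes 5.4.1). Example code, not part of any product or benchmark."""
from __future__ import annotations
from typing import Any

IMAGE = "registry.invalid/billing-api:1.0"  # constructed placeholder image

# Constructed example of the non-compliant pattern: Secret values land in the
# container environment, so kubectl exec or an env dump in a log reveals them.
ENV_BASED_POD: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "billing-api"},
    "spec": {"containers": [{
        "name": "api", "image": IMAGE,
        "envFrom": [{"secretRef": {"name": "billing-db-creds"}}],
        "env": [
            {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "billing-api-token", "key": "token"}}},
            {"name": "LOG_LEVEL", "value": "info"},  # ordinary value, not a Secret
        ],
    }]},
}

# Constructed example of the remediated form: the same Secrets are projected as
# read-only files, and only the non-secret LOG_LEVEL remains in the environment.
VOLUME_BASED_POD: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "billing-api"},
    "spec": {
        "containers": [{
            "name": "api", "image": IMAGE,
            "env": [{"name": "LOG_LEVEL", "value": "info"}],
            "volumeMounts": [
                {"name": "db-creds", "mountPath": "/etc/secrets/db", "readOnly": True},
                {"name": "api-token", "mountPath": "/etc/secrets/api", "readOnly": True},
            ],
        }],
        "volumes": [
            {"name": "db-creds", "secret": {"secretName": "billing-db-creds", "defaultMode": 0o400}},
            {"name": "api-token", "secret": {"secretName": "billing-api-token", "defaultMode": 0o400}},
        ],
    },
}


def pod_spec(manifest: dict[str, Any]) -> dict[str, Any]:
    """Return the pod spec of a Pod, or of a workload that wraps one in spec.template."""
    spec = manifest.get("spec", {})
    if "template" in spec:  # Deployment, StatefulSet, DaemonSet, Job
        return spec["template"].get("spec", {})
    return spec


def containers(manifest: dict[str, Any]) -> list[dict[str, Any]]:
    spec = pod_spec(manifest)
    return spec.get("initContainers", []) + spec.get("containers", [])


def find_env_secret_refs(manifest: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Audit question 2: (container, source, secret name) for every Secret reaching the env."""
    findings = []
    for c in containers(manifest):
        for entry in c.get("envFrom", []):
            ref = entry.get("secretRef")
            if ref:
                findings.append((c["name"], "envFrom.secretRef", ref["name"]))
        for var in c.get("env", []):
            ref = var.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append((c["name"], f"env[{var['name']}].valueFrom.secretKeyRef", ref["name"]))
    return findings


def secret_volume_mounts(manifest: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Audit question 1: (container, mountPath, secret name) for Secrets projected as volumes."""
    volumes = {v["name"]: v["secret"]["secretName"]
               for v in pod_spec(manifest).get("volumes", []) if "secret" in v}
    return [(c["name"], m["mountPath"], volumes[m["name"]])
            for c in containers(manifest)
            for m in c.get("volumeMounts", []) if m["name"] in volumes]


def is_compliant(manifest: dict[str, Any]) -> bool:
    """Compliant when no Secret is delivered through environment variables."""
    return not find_env_secret_refs(manifest)


if __name__ == "__main__":
    for m in (ENV_BASED_POD, VOLUME_BASED_POD):
        print(m["metadata"]["name"], "compliant" if is_compliant(m) else "NON-COMPLIANT")
        for finding in find_env_secret_refs(m):
            print("  env secret:", *finding)
        for mount in secret_volume_mounts(m):
            print("  volume secret:", *mount)
```

The check is deliberately structural: it does not look at Secret contents, so it can run over manifests pulled from a repository or from `kubectl get -o json` without ever handling the credential values themselves.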

🎯 MITRE ATT&CK Mapping

T1552 — Unsecured Credentials

⚡ Common Pitfalls

  • Default helm chart patterns use env
  • Migration breaks application config
  • Log scrubbing incomplete

📈 Business Value

Volume-mounted Secrets reduce credential-exposure paths.

⏱️ Effort Estimate

Manual: per-app migration

With EchelonGraph: EchelonGraph identifies env-mounted secrets

Automate CIS Kubernetes 5.4.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
