## Overview

This lab deploys a complete AKS runtime security stack using Microsoft Defender for Cloud:

- Gated Deployment (GA) – Admission control blocks vulnerable container images
- Binary Drift Detection (detection GA, blocking in Preview) – Catches executables that were not in the original image
- Container Anti-Malware (Preview) – Real-time malware detection and blocking inside containers
- Sentinel Analytics Rules – 4 detection rules for SOC monitoring
- Sentinel Workbook – Container Runtime Security Dashboard
## Prerequisites

- Azure subscription with Owner or Contributor + User Access Administrator
- Azure CLI v2.60+
- kubectl v1.28+
- Helm v3.12+
- PowerShell 7
## Quick Start

```powershell
git clone https://github.com/j-dahl7/aks-runtime-security-lab.git
cd aks-runtime-security-lab

# Deploy everything
./scripts/Deploy-Lab.ps1 -Location "eastus"

# Run test scenarios
./scripts/Test-RuntimeSecurity.ps1
```
## What Gets Deployed

| Resource | Type | Purpose |
|---|---|---|
| aks-runtime-lab | AKS Cluster | Single-node cluster with Defender sensor |
| aks-runtime-lab-law | Log Analytics | Container Insights + Sentinel |
| Defender for Containers | Security Plan | Subscription-level enablement |
| 4 Analytics Rules | Sentinel | Binary drift, malware, gated deployment, kubectl exec |
| 1 Workbook | Sentinel | Container Runtime Security Dashboard |
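To show what the "kubectl exec" analytics rule has to pick out of the telemetry, here is a small Python version of that detection. This is an added example written for this README, not the repository's own KQL rule, and it assumes the rule is fed by AKS kube-audit events in the `audit.k8s.io/v1` shape: an exec shows up as a `create` on the `pods` resource with `subresource` `exec`, and the executed argv is carried as repeated `command=` query parameters in `requestURI`. The audit events below are constructed for illustration; user names, pod names and the exec commands are sample values.

```python
"""Toy detector for 'kubectl exec' into pods, built over Kubernetes audit
events.  Added example for this README; the lab's real Sentinel rule is KQL
and is not reproduced here.  Audit events are constructed samples."""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed kube-audit events, one JSON object per line, standing in for
# what the cluster forwards to Log Analytics.  The last line is deliberately
# malformed to show that the parser skips it instead of failing.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice@contoso.example","groups":["system:authenticated"]},"objectRef":{"resource":"pods","subresource":"exec","namespace":"default","name":"drift-test"},"requestURI":"/api/v1/namespaces/default/pods/drift-test/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27%23%21%2Fbin%2Fsh%27+%3E+%2Ftmp%2Fnotinimage.sh&stdout=true&stderr=true","responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"alice@contoso.example"},"objectRef":{"resource":"pods","namespace":"default","name":"drift-test"},"requestURI":"/api/v1/namespaces/default/pods/drift-test","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:example-operator"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"kube-system","name":"example-pod"},"requestURI":"/api/v1/namespaces/kube-system/pods/example-pod/exec?command=%2Fbin%2Ftrue&stdout=true","responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseStarted","verb":"create","user":{"username":"bob@contoso.example"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"default","name":"malware-test"},"requestURI":"/api/v1/namespaces/default/pods/malware-test/exec?command=%2Fbin%2Fsh&command=-c&command=id&stdout=true","responseStatus":{"code":101}}
this line is not JSON and must be skipped
"""


def parse_audit_events(text):
    """Yield audit events from JSON-lines text, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def exec_command(request_uri):
    """Recover the exec'd argv from the repeated command= query parameters."""
    return parse_qs(urlsplit(request_uri).query).get("command", [])


def is_pod_exec(event):
    """True for a completed exec into a pod.  Streaming requests are audited at
    ResponseStarted and ResponseComplete; keeping only the latter avoids
    counting one exec twice."""
    ref = event.get("objectRef", {})
    return (
        event.get("verb") == "create"
        and ref.get("resource") == "pods"
        and ref.get("subresource") == "exec"
        and event.get("stage") == "ResponseComplete"
    )


def flag_pod_exec(audit_text, ignore_service_accounts=True):
    """Return one record per interactive exec: who ran what, in which pod.
    Service-account execs (operators, probes) are dropped by default so the
    rule focuses on human users."""
    hits = []
    for event in parse_audit_events(audit_text):
        if not is_pod_exec(event):
            continue
        user = event.get("user", {}).get("username", "")
        if ignore_service_accounts and user.startswith("system:serviceaccount:"):
            continue
        ref = event["objectRef"]
        hits.append({
            "user": user,
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "command": exec_command(event.get("requestURI", "")),
        })
    return hits


if __name__ == "__main__":
    for hit in flag_pod_exec(SAMPLE_AUDIT_LOG):
        print(f"{hit['user']} exec'd into {hit['namespace']}/{hit['pod']}: {hit['command']}")
```

Run against the constructed log this flags only the human exec into `drift-test` (the service-account exec is filtered, and the `ResponseStarted` record is ignored as a duplicate stage). The same three predicates, verb, resource/subresource and stage, are what a KQL rule over the forwarded audit table needs to express; the argv extraction is what gives the SOC the command itself rather than just "someone ran exec".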
## Test Scenarios

### Test 1: Binary Drift

```shell
kubectl run drift-test --image=nginx:1.27-alpine --restart=Never
kubectl exec drift-test -- /bin/sh -c \
  "echo '#!/bin/sh' > /tmp/notinimage.sh && chmod +x /tmp/notinimage.sh && /tmp/notinimage.sh"
```

Expected: "Binary drift detected" alert in Defender for Cloud (5-15 min)

### Test 2: Anti-Malware (EICAR)

```shell
kubectl run malware-test --image=nginx:1.27-alpine --restart=Never
kubectl exec malware-test -- /bin/sh -c \
  "echo 'WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=' | base64 -d > /tmp/eicar.com"
```

Expected: "Malicious file detected" alert (5-15 min)

### Test 3: Gated Deployment

```shell
kubectl run vuln-test --image=nginx:1.14.0 --restart=Never
```

Expected: Deployment blocked (Deny mode) or audit recommendation (Audit mode)
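The three scenarios above are run by hand one command at a time. As an added example (not the lab's `Test-RuntimeSecurity.ps1`, which is not reproduced here), the POSIX shell script below wraps them so they can be repeated reliably: it waits for each pod to become Ready before `kubectl exec` (run immediately after `kubectl run`, exec can fail while the container is still being created), treats a rejected `kubectl run` in Test 3 as the expected Deny-mode outcome, and deletes the test pods afterwards. It assumes `kubectl` already points at the lab cluster and reuses the image, pod names and the EICAR base64 value from this README; nothing touches a cluster unless `RUN_LAB_TESTS=1` is set.

```shell
#!/bin/sh
# Added example for this README: run the three runtime-security scenarios
# with readiness waits and cleanup.  Assumes kubectl is configured for the
# lab cluster.  Set RUN_LAB_TESTS=1 to actually execute against the cluster.

IMAGE="nginx:1.27-alpine"
VULN_IMAGE="nginx:1.14.0"
# Standard EICAR anti-malware test string, base64-encoded (same value as above).
EICAR_B64='WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo='

# Decode the EICAR string to stdout; lets you confirm the payload is the
# 68-byte test file before it is written into a container.
eicar_plain() {
  printf '%s' "$EICAR_B64" | base64 -d
}

# Start a pod and block until it is Ready, failing after the timeout so
# the exec steps never race the container start.
start_pod() {
  name="$1"; image="$2"
  kubectl run "$name" --image="$image" --restart=Never
  kubectl wait --for=condition=Ready "pod/$name" --timeout=120s
}

# Test 1: execute a script that was not part of the image.
test_binary_drift() {
  start_pod drift-test "$IMAGE"
  kubectl exec drift-test -- /bin/sh -c \
    "echo '#!/bin/sh' > /tmp/notinimage.sh && chmod +x /tmp/notinimage.sh && /tmp/notinimage.sh"
}

# Test 2: drop the EICAR test file into the container filesystem.
test_anti_malware() {
  start_pod malware-test "$IMAGE"
  kubectl exec malware-test -- /bin/sh -c \
    "echo '$EICAR_B64' | base64 -d > /tmp/eicar.com"
}

# Test 3: in Deny mode the admission controller rejects the pod, so a
# non-zero exit from "kubectl run" is the expected result, not an error.
test_gated_deployment() {
  if kubectl run vuln-test --image="$VULN_IMAGE" --restart=Never; then
    echo "vuln-test admitted: expect an audit recommendation (Audit mode)"
  else
    echo "vuln-test rejected by admission control (Deny mode)"
  fi
}

# Remove the test pods; --ignore-not-found covers the Deny-mode case.
cleanup() {
  kubectl delete pod drift-test malware-test vuln-test --ignore-not-found
}

if [ "${RUN_LAB_TESTS:-0}" = "1" ]; then
  test_binary_drift
  test_anti_malware
  test_gated_deployment
  echo "Check Defender for Cloud / Sentinel in 5-15 minutes, then run: cleanup"
fi
```

Leave the pods in place until the alerts have appeared, since the Defender sensor needs the running container to attribute the drift and malware findings; run `cleanup` afterwards.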
## Estimated Cost

| Resource | Approx. Monthly Cost |
|---|---|
| AKS (1x Standard_D4s_v3) | ~$140 |
| Defender for Containers | ~$7/vCore/month |
| Log Analytics (30-day retention) | ~$2.76/GB |

Total: ~$150-170/month for a single-node lab cluster.
## Cleanup

```powershell
./scripts/Deploy-Lab.ps1 -Destroy
```

Or manually:

```shell
az group delete --name aks-runtime-lab-rg --yes --no-wait
```
## Companion Blog Post

AKS Runtime Security: Binary Drift, Anti-Malware & Gated Deployment with Defender for Cloud
