...

To understand all further references in this document, the Azure resource hierarchy (management groups, subscriptions, resource groups, resources) as well as the basic principles of Microsoft Entra ID (formerly Azure AD) and its permission model must be understood.

...

  • Data exfiltration in general (someone, including Unique itself, extracting or stealing data of any classification, though naturally mostly classified data)

  • Data exfiltration via the Kubernetes Data Plane

  • Data exfiltration via Privileged Roles

  • Misconfiguration of Cloud Resources

  • Over-Provisioning or cost escalations

  • Security vulnerabilities in third-party applications, which could also result in data exfiltration

...

Note

Unique always uses Microsoft Entra Privileged Identity Management (PIM) and always advises using it; this statement is not repeated in every chapter and section. PIM and PIM only!

Reference

Overall concept

Unique's reference architecture is based mainly on two key concepts from Microsoft:

...

Note that the more the client automates, the fewer of the roles and permissions outlined below are needed. How much of the setup is automated on the client side also has a pricing and timeline impact, as human actions always take longer than those of machines.

...

Diagram: Resource Groups

Unique advises segregating resources at the resource group level using the following groups:

...

The content of the main group is primarily based on the AKS PCI-DSS reference architecture code assets at https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks-pci/aks-pci-ra-code-assets. Besides the infrastructure requirements, some additional resources are recommended to be deployed in order to run the workload (marked with a blue star in the diagram).

...

Roles


To understand the content of this section, the Azure custom roles documentation at https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles must be read and understood.
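The resource-group segregation advised above and the custom roles introduced in this section meet in the role definition JSON that is handed to `az role definition create`. The following is an added example, not Unique's code and not part of the original page: a hypothetical "Workload Operator" custom role scoped to a single (constructed) resource group, together with a lint that applies the least-privilege checks a reviewer would run before the role is created. The role name, the actions it lists, the subscription ID and the resource group name are all assumptions; the property names (`Actions`, `NotActions`, `DataActions`, `AssignableScopes`, `IsCustom`) and the `Microsoft.Authorization` action strings are the real Azure RBAC ones.

```python
"""Lint an Azure RBAC custom role definition before it is created.

Added example (not Unique's code). The role below is a hypothetical
"Workload Operator" role; the subscription ID and resource group are
constructed sample values. The checks enforce the least-privilege rules
for a custom role scoped to one resource group, as this page advises.
Create the role with: az role definition create --role-definition role.json
"""
import fnmatch
import json

# Hypothetical custom role definition (constructed sample, not a real tenant).
EXAMPLE_ROLE = {
    "Name": "Unique Workload Operator (example)",
    "IsCustom": True,
    "Description": "Read workload resources and scale/restart AKS node pools.",
    "Actions": [
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/agentPools/read",
        "Microsoft.ContainerService/managedClusters/agentPools/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    # Scoped to the single resource group the role is meant for, never the subscription.
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-unique-main"
    ],
}

# Actions that let the holder change who holds which role; a custom role that
# grants any of them is effectively an escalation path to Owner.
ESCALATION_ACTIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
)


def _pattern_matches(pattern: str, action: str) -> bool:
    """Azure action strings are case-insensitive and '*' matches any text, '/' included."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_actions(role: dict, probes: tuple) -> list:
    """Return those probe actions the role actually grants (Actions minus NotActions)."""
    granted = []
    for probe in probes:
        allowed = any(_pattern_matches(p, probe) for p in role.get("Actions", []))
        denied = any(_pattern_matches(p, probe) for p in role.get("NotActions", []))
        if allowed and not denied:
            granted.append(probe)
    return granted


def lint_role(role: dict) -> list:
    """Return a list of findings; an empty list means the definition passes."""
    findings = []
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be true for a custom role definition")
    for key in ("Actions", "DataActions"):
        for pattern in role.get(key, []):
            if pattern.strip() == "*":
                findings.append(f"{key}: bare '*' grants everything; enumerate actions instead")
            elif pattern.endswith("/*"):
                findings.append(f"{key}: trailing wildcard in '{pattern}' also grants future operations")
    for action in effective_actions(role, ESCALATION_ACTIONS):
        findings.append(f"Actions: '{action}' allows privilege escalation; remove it")
    for scope in role.get("AssignableScopes", []):
        parts = [p for p in scope.split("/") if p]
        # A resource-group scope is exactly: subscriptions/<id>/resourceGroups/<name>
        rg_scope = (len(parts) == 4 and parts[0] == "subscriptions"
                    and parts[2].lower() == "resourcegroups")
        if not rg_scope:
            findings.append(f"AssignableScopes: '{scope}' is wider than a single resource group")
    return findings


if __name__ == "__main__":
    # Write the definition as az expects it and report lint findings.
    with open("role.json", "w", encoding="utf-8") as fh:
        json.dump(EXAMPLE_ROLE, fh, indent=2)
    for finding in lint_role(EXAMPLE_ROLE) or ["role.json passes all checks"]:
        print(finding)
```

The `NotActions` handling matters: a role that grants `Microsoft.Authorization/*` but denies `Microsoft.Authorization/*/write` still grants `elevateAccess/action`, which the lint reports, so review the effective set rather than the `Actions` list alone. Wildcards are flagged even when they currently resolve to harmless operations, because Azure adds new operations under existing providers and a trailing `/*` grants them automatically.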

...