| Recommendation | Control family |
| --- | --- |
| 4.1.1 Ensure that the cluster-admin role is only used where required | ACCESS CONTROL |
| 4.1.2 Minimize access to secrets | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.1.3 Minimize wildcard use in Roles and ClusterRoles | IDENTIFICATION AND AUTHENTICATION |
| 4.1.4 Ensure that default service accounts are not actively used | ACCESS CONTROL |
| 4.1.5 Ensure that Service Account Tokens are only mounted where necessary | CONFIGURATION MANAGEMENT |
| 4.1.6 Avoid use of system:masters group | ACCESS CONTROL |
| 4.1.7 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster | ACCESS CONTROL |
| 4.1.8 Avoid bindings to system:anonymous | ACCESS CONTROL |
| 4.1.9 Avoid non-default bindings to system:unauthenticated | ACCESS CONTROL |
| 4.1.10 Avoid non-default bindings to system:authenticated | ACCESS CONTROL |
| 4.2.1 Ensure that the cluster enforces Pod Security Standard Baseline profile or stricter for all namespaces | CONFIGURATION MANAGEMENT |
| 4.6.1 Create administrative boundaries between resources using namespaces | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4.1 Enable VPC Flow Logs and Intranode Visibility | AUDIT AND ACCOUNTABILITY |
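The 4.1.x rows above are all auditable from exported RBAC and ServiceAccount objects, so the following added example (written for this page; it is not CIS tooling or any vendor's scanner) walks a `kubectl ... -o json` style list and reports findings keyed by recommendation number. It covers 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.7, 4.1.8, 4.1.9 and 4.1.10; 4.1.6 is deliberately left out because `system:masters` membership lives in client certificates or the identity provider, not in RBAC objects. The sample objects are constructed inline so the script runs without a cluster, and the set of "default" ClusterRoleBindings that legitimately target `system:authenticated` / `system:unauthenticated` is an assumption you should adjust for your distribution.

```python
"""Offline audit of Kubernetes RBAC/ServiceAccount objects against CIS 4.1.x.

Added example, not part of the benchmark. Feed it the `items` of a
`kubectl get clusterroles,roles,clusterrolebindings,rolebindings,serviceaccounts -A -o json`
List; the SAMPLE below is constructed for illustration.
"""
import json

# Subjects that 4.1.8 - 4.1.10 say should not receive extra bindings.
SENSITIVE_SUBJECTS = {"system:anonymous": "4.1.8",
                      "system:unauthenticated": "4.1.9",
                      "system:authenticated": "4.1.10"}
# Assumption: ClusterRoleBindings shipped by upstream Kubernetes that are
# expected to bind the groups above ("default" bindings in CIS wording).
DEFAULT_CLUSTER_ROLE_BINDINGS = {"system:basic-user", "system:discovery",
                                 "system:public-info-viewer"}
ESCALATION_VERBS = {"bind", "impersonate", "escalate"}   # 4.1.7


def _ref(obj):
    meta = obj["metadata"]
    ns = meta.get("namespace")
    return f"{obj['kind']}/{ns + '/' if ns else ''}{meta['name']}"


def audit_rules(obj, findings):
    """Role / ClusterRole: wildcards (4.1.3), secret reads (4.1.2), escalation verbs (4.1.7)."""
    ref = _ref(obj)
    for rule in obj.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))
        if "*" in verbs | resources | groups:
            findings.append(("4.1.3", ref, "wildcard in verbs, resources or apiGroups"))
        if resources & {"secrets", "*"} and verbs & {"get", "list", "watch", "*"}:
            findings.append(("4.1.2", ref, "read access to secrets"))
        if "*" in verbs or verbs & ESCALATION_VERBS:
            findings.append(("4.1.7", ref, f"grants {sorted(verbs & ESCALATION_VERBS) or ['*']}"))


def audit_binding(obj, findings):
    """RoleBinding / ClusterRoleBinding: cluster-admin (4.1.1), default SA (4.1.4), sensitive groups (4.1.8-10)."""
    ref = _ref(obj)
    name = obj["metadata"]["name"]
    is_default = obj["kind"] == "ClusterRoleBinding" and name in DEFAULT_CLUSTER_ROLE_BINDINGS
    role = obj["roleRef"]
    for subj in obj.get("subjects", []):
        skind, sname = subj["kind"], subj["name"]
        # The shipped cluster-admin -> Group system:masters binding is expected; anything else is a finding.
        if role["kind"] == "ClusterRole" and role["name"] == "cluster-admin" \
                and not (skind == "Group" and sname == "system:masters"):
            findings.append(("4.1.1", ref, f"binds cluster-admin to {skind} {sname}"))
        if skind == "ServiceAccount" and sname == "default":
            findings.append(("4.1.4", ref, f"grants rights to default SA in {subj.get('namespace', '?')}"))
        if sname in SENSITIVE_SUBJECTS and not is_default:
            findings.append((SENSITIVE_SUBJECTS[sname], ref, f"non-default binding to {sname}"))


def audit_service_account(obj, findings):
    """ServiceAccount: token automount must be explicitly disabled (4.1.5).
    The same setting can be overridden per Pod; audit pod specs separately."""
    if obj.get("automountServiceAccountToken") is not False:
        findings.append(("4.1.5", _ref(obj), "automountServiceAccountToken not set to false"))


def audit(items):
    findings = []
    for obj in items:
        kind = obj["kind"]
        if kind in ("Role", "ClusterRole"):
            audit_rules(obj, findings)
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            audit_binding(obj, findings)
        elif kind == "ServiceAccount":
            audit_service_account(obj, findings)
    return findings


# Constructed sample input (not real cluster data).
RBAC = "rbac.authorization.k8s.io"
SAMPLE = json.loads(json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "ops-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "impersonator"},
     "rules": [{"apiGroups": [""], "resources": ["users"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters", "apiGroup": RBAC}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:discovery"},
     "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated", "apiGroup": RBAC}]},
    {"kind": "RoleBinding", "metadata": {"name": "open-metrics", "namespace": "monitoring"},
     "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "system:anonymous", "apiGroup": RBAC}]},
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "payments"}},
    {"kind": "ServiceAccount", "metadata": {"name": "batch", "namespace": "payments"},
     "automountServiceAccountToken": False},
]}))

if __name__ == "__main__":
    for check, ref, detail in audit(SAMPLE["items"]):
        print(f"{check}\t{ref}\t{detail}")
```

Run against a live export with `kubectl get clusterroles,roles,clusterrolebindings,rolebindings,serviceaccounts -A -o json > rbac.json` and pass `json.load(open("rbac.json"))["items"]` to `audit()`. Expect noise from system roles that legitimately read secrets or use wildcards; the value is in the diff between runs and in the non-system findings, not in a zero count.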