EKS Authentication Configuration Modified
This rule detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. Such modifications let an attacker grant cluster-admin access by mapping an AWS IAM role to the system:masters group, achieving persistence and privilege escalation.
This detection rule identifies modifications to the aws-auth ConfigMap within Amazon EKS clusters. The aws-auth ConfigMap is critical for mapping AWS IAM roles and users to Kubernetes RBAC groups. Attackers can exploit this by modifying the ConfigMap to grant any IAM role cluster-admin privileges, adding a mapping to the system:masters group. This technique is a well-documented persistence mechanism: it survives pod restarts, node replacements, and RBAC changes because the authentication mapping resides outside of normal Kubernetes Role objects. Normal operations rarely require modifications to aws-auth; they are typically limited to initial cluster provisioning and to updates during node group or access configuration changes.
Attack Chain
- The attacker compromises an AWS IAM role with permissions to modify Kubernetes ConfigMaps in the kube-system namespace.
- The attacker uses the compromised IAM role to authenticate to the AWS API.
- The attacker uses kubectl or similar tools to interact with the Kubernetes API.
- The attacker modifies the aws-auth ConfigMap in the kube-system namespace, adding a mapping between an AWS IAM role and the system:masters group.
- The attacker’s AWS IAM role now has cluster-admin privileges within the Kubernetes cluster.
- The attacker uses their new cluster-admin privileges to create or modify deployments, services, or other Kubernetes resources.
- The attacker deploys malicious containers or modifies existing ones to execute arbitrary code.
- The attacker achieves persistence within the cluster, maintaining access even if pods are restarted or nodes are replaced.
Impact
Successful exploitation allows attackers to gain complete control over the Kubernetes cluster, enabling them to deploy malicious workloads, steal sensitive data, or disrupt services. Unauthorized modifications to the aws-auth ConfigMap can lead to privilege escalation and persistent access, potentially impacting all applications and data within the compromised EKS cluster. If Access Entries are enabled, attackers may escalate privileges via eks:CreateAccessEntry or eks:AssociateAccessPolicy API calls.
Recommendation
- Deploy the Sigma rule to your SIEM and tune it for your environment to detect unauthorized modifications to the aws-auth ConfigMap based on kubernetes.audit.objectRef.name:"aws-auth" and kubernetes.audit.objectRef.namespace:"kube-system".
- Audit IAM policies to restrict eks:UpdateClusterConfig and ConfigMap write access to the kube-system namespace as described in the rule’s note section.
- Investigate any alerts generated by the Sigma rule, correlating with AWS CloudTrail logs for related EKS or IAM API activity.
- Review and revert any unauthorized changes to the aws-auth ConfigMap from a known-good backup as described in the rule’s note section.
- Monitor CloudTrail for eks:CreateAccessEntry, eks:AssociateAccessPolicy, and similar API calls if Access Entries are enabled, referencing the documentation in the references section.
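The rule's core condition (a write to the aws-auth ConfigMap in kube-system), run over constructed audit log lines and enriched with a check for system:masters in the submitted body, as an added example that is not the platform's own query code. The sample events, ARNs and IPs are made up, and reading the caller's IAM identity from user.extra.arn assumes the field aws-iam-authenticator populates.

```python
import json

# Constructed sample EKS audit events (Kubernetes audit schema as shipped to CloudWatch Logs);
# the ARNs, IPs and names are made up for this example.
SAMPLE_EVENTS = [
    {"verb": "get", "user": {"username": "kubernetes-admin"}, "sourceIPs": ["10.0.1.5"],
     "objectRef": {"resource": "configmaps", "namespace": "kube-system", "name": "aws-auth"}},
    {"verb": "patch", "sourceIPs": ["203.0.113.7"],
     "user": {"username": "ci-deployer",
              "extra": {"arn": ["arn:aws:sts::111122223333:assumed-role/ci-deployer/run-42"]}},
     "objectRef": {"resource": "configmaps", "namespace": "kube-system", "name": "aws-auth"},
     "requestObject": {"data": {"mapRoles": "- rolearn: arn:aws:iam::111122223333:role/backdoor\n"
                                            "  username: backdoor\n  groups:\n  - system:masters\n"}}},
    {"verb": "update", "user": {"username": "system:serviceaccount:default:app"}, "sourceIPs": ["10.0.2.9"],
     "objectRef": {"resource": "configmaps", "namespace": "default", "name": "app-config"},
     "requestObject": {"data": {"feature": "on"}}},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]  # one JSON document per log line
WRITE_VERBS = {"create", "update", "patch", "delete"}

def is_aws_auth_write(event):
    """The rule's core condition: a write verb against the configmap kube-system/aws-auth."""
    ref = event.get("objectRef") or {}
    return (event.get("verb") in WRITE_VERBS and ref.get("resource") == "configmaps"
            and ref.get("namespace") == "kube-system" and ref.get("name") == "aws-auth")

def grants_system_masters(event):
    """Triage enrichment: does the submitted body map an IAM principal to system:masters?"""
    data = (event.get("requestObject") or {}).get("data") or {}
    return any("system:masters" in str(data.get(key, "")) for key in ("mapRoles", "mapUsers"))

def evaluate(lines):
    """Run the detection over raw audit log lines and return one alert per matching event.
    The caller's IAM identity is read from user.extra.arn (assumed aws-iam-authenticator field)."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if not is_aws_auth_write(event):
            continue
        user = event.get("user") or {}
        alerts.append({
            "severity": "critical" if grants_system_masters(event) else "high",
            "verb": event["verb"],
            "username": user.get("username"),
            "iam_arn": ((user.get("extra") or {}).get("arn") or [None])[0],
            "source_ip": (event.get("sourceIPs") or [None])[0],
        })
    return alerts
```

Only the patch that writes a system:masters mapping produces an alert; the read of aws-auth and the write to an unrelated ConfigMap are ignored, and the IAM ARN and source IP in the alert are what you would pivot on in CloudTrail.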
Detection coverage (2)
- Detect EKS aws-auth ConfigMap Modifications (high): Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters.
- EKS AccessEntry Created (medium): Detects the creation of an EKS AccessEntry, which can grant new permissions to external entities.