Product
AWS EKS Control Plane Logging Disabled
2 rules, 1 TTP. This rule detects successful Amazon EKS UpdateClusterConfig requests that disable control plane logging, potentially indicating defense evasion via compromised AWS credentials or unauthorized administrative access that reduces visibility into cluster activity.
AWS EKS Access Entry Granted Cluster Admin Policy
2 rules, 2 TTPs. Detects when the AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy is associated with a principal via the EKS Access Entries API, effectively granting full cluster-admin access and enabling potential privilege escalation and persistence.
AWS EKS Access Entry Modification Detected
2 rules, 2 TTPs. Detects successful Amazon EKS Access Entries API operations that create, update, attach, detach, or delete authentication mappings between IAM principals and the cluster, potentially indicating persistence or privilege escalation.
EKS Authentication Configuration Modified
2 rules, 2 TTPs. This rule detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. Mapping an AWS IAM role to the system:masters group grants cluster-admin access, which attackers use to achieve persistence and privilege escalation.
Suspicious Process Accessing Sensitive Identity Files via Auditd
3 rules, 2 TTPs. This rule detects suspicious processes, such as copy utilities or scripting tools, accessing sensitive identity files on Linux systems, including Kubernetes tokens, cloud CLI configurations, and root SSH keys, indicating potential credential theft.
AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN
2 rules, 1 TTP. Detects successful AWS `AssumeRoleWithWebIdentity` calls where the caller identity is a Kubernetes service account and the source autonomous system organization is not `Amazon.com, Inc.`, which may indicate a stolen or misused projected service-account token being exchanged for IAM credentials off-cluster.