AWS principal assigned administrative privileges in an EKS cluster

Goal

Detect when an AWS principal is assigned administrative permissions on an Amazon EKS cluster.

Strategy

This rule allows you to monitor CloudTrail and detect if someone grants administrative permissions to an EKS cluster, through the following events:

  • CreateAccessEntry
  • UpdateAccessEntry
  • AssociateAccessPolicy

It triggers when an AWS principal is assigned the managed access policy, AmazonEKSAdminPolicy or AmazonEKSClusterAdminPolicy, or if the access entry corresponding to the principal is assigned the built-in cluster-admin Kubernetes group.

To learn more about EKS Cluster Access Management, see this guide on Datadog Security Labs: Deep dive into the new Amazon EKS Cluster Access Management features.

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have granted permissions on the EKS cluster.
  2. If the API calls were not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Revert the permissions change by removing the access entry.
  1. If the API calls were made by the user:
  • Determine if the user should be granting access to the cluster.
  • If not, see if other API calls were made by the user and determine if they warrant further investigation.
PREVIEWING: brett0000FF/node-compatibility