AWS principal assigned administrative privileges in an EKS cluster
Goal
Detect when an AWS principal is assigned administrative permissions on an Amazon EKS cluster.
Strategy
This rule monitors CloudTrail for the EKS API calls through which someone can grant administrative permissions on a cluster:
- CreateAccessEntry
- UpdateAccessEntry
- AssociateAccessPolicy
It triggers when an AWS principal is associated with one of the managed access policies AmazonEKSAdminPolicy or AmazonEKSClusterAdminPolicy, or when the access entry for the principal is given a Kubernetes group bound to the built-in cluster-admin ClusterRole (for example system:masters, which Kubernetes binds to cluster-admin by default). When triaging an AssociateAccessPolicy event, also check the accessScope of the association: a cluster scope grants the policy on the whole cluster, while a namespace scope limits it to the listed namespaces.
To learn more about EKS Cluster Access Management, see this guide on Datadog Security Labs: Deep dive into the new Amazon EKS Cluster Access Management features.
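The detection logic described above, run over a few constructed CloudTrail records, as an added example; this is not the rule's own query. It assumes the usual CloudTrail record layout (eventSource, eventName, errorCode, requestParameters with name, principalArn, policyArn, accessScope and kubernetesGroups), the full ARNs of the two managed access policies, and treats system:masters as the group that confers cluster-admin. The sample log lines are constructed, not real trail output.

```python
import json

# Added example; not the detection rule's own query. The record layout below is an
# assumption about how CloudTrail logs EKS access-entry calls; check it against real records.
ADMIN_POLICY_ARNS = {
    "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
    "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy",
}
# system:masters is bound to the built-in cluster-admin ClusterRole by default.
ADMIN_GROUPS = {"system:masters"}
WATCHED_EVENTS = {"CreateAccessEntry", "UpdateAccessEntry", "AssociateAccessPolicy"}


def admin_grant_reasons(event):
    """Return the reasons (empty list if none) why this CloudTrail record grants EKS admin rights."""
    if event.get("eventSource") != "eks.amazonaws.com":
        return []
    if event.get("eventName") not in WATCHED_EVENTS:
        return []
    if event.get("errorCode"):
        # The call was rejected (e.g. AccessDenied), so nothing changed on the cluster.
        return []
    params = event.get("requestParameters") or {}
    reasons = []

    policy_arn = params.get("policyArn", "")
    if policy_arn in ADMIN_POLICY_ARNS:
        # Cluster-scoped vs namespace-scoped association changes how far the grant reaches.
        scope = (params.get("accessScope") or {}).get("type", "cluster")
        reasons.append(f"{policy_arn.rsplit('/', 1)[-1]} ({scope} scope)")

    for group in params.get("kubernetesGroups") or []:
        if group in ADMIN_GROUPS:
            reasons.append(f"kubernetesGroups contains {group}")
    return reasons


def find_admin_grants(log_lines):
    """Scan newline-delimited JSON CloudTrail records and return one finding per matching record."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = admin_grant_reasons(event)
        if not reasons:
            continue
        params = event.get("requestParameters") or {}
        findings.append({
            "time": event.get("eventTime"),
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "event": event["eventName"],
            "cluster": params.get("name"),
            "principal": params.get("principalArn"),
            "reasons": reasons,
        })
    return findings


# Constructed sample records (not real CloudTrail output): two admin grants, one
# harmless view-policy association, and one admin grant that was denied.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"eks.amazonaws.com","eventName":"AssociateAccessPolicy","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"name":"prod","principalArn":"arn:aws:iam::123456789012:role/ci-deploy","policyArn":"arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy","accessScope":{"type":"cluster"}}}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"eks.amazonaws.com","eventName":"CreateAccessEntry","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"name":"prod","principalArn":"arn:aws:iam::123456789012:role/oncall","kubernetesGroups":["system:masters"],"type":"STANDARD"}}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"eks.amazonaws.com","eventName":"AssociateAccessPolicy","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"requestParameters":{"name":"prod","principalArn":"arn:aws:iam::123456789012:role/viewer","policyArn":"arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy","accessScope":{"type":"cluster"}}}
{"eventTime":"2024-05-01T10:03:00Z","eventSource":"eks.amazonaws.com","eventName":"AssociateAccessPolicy","userIdentity":{"arn":"arn:aws:iam::123456789012:user/mallory"},"errorCode":"AccessDenied","requestParameters":{"name":"prod","principalArn":"arn:aws:iam::123456789012:user/mallory","policyArn":"arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy","accessScope":{"type":"cluster"}}}
""".strip().splitlines()


if __name__ == "__main__":
    for f in find_admin_grants(SAMPLE_LOG):
        print(f"{f['time']} {f['actor']} {f['event']} cluster={f['cluster']} "
              f"principal={f['principal']} -> {', '.join(f['reasons'])}")
```

Only the first two records produce findings: the view-policy association is not an admin grant, and the denied call changed nothing, which is why the example drops records that carry an errorCode rather than alerting on every attempt.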
Triage and response
- Determine if {{@userIdentity.session_name}} should have granted permissions on the EKS cluster.
- If the API calls were not made by the user:
  - Rotate the user's credentials.
  - Determine what other API calls were made by the user.
  - Revert the permissions change by removing the access entry (DeleteAccessEntry) or disassociating the access policy (DisassociateAccessPolicy).
- If the API calls were made by the user:
  - Determine if the user should be granting access to the cluster.
  - If not, see if other API calls were made by the user and determine if they warrant further investigation.