AWS EKS access entry unexpectedly created allowing admin access
Description
AlphaSOC detected the creation of an Amazon Elastic Kubernetes Service (EKS) access entry granting admin access. These entries control IAM principal access to Kubernetes clusters by defining RBAC permissions. Since principal bindings persist until modified or revoked, compromised credentials may allow unauthorized cluster access until remediation.
Impact
Creation of admin access entries enables threat actors to move laterally between AWS cloud resources and Kubernetes clusters. The permanent binding of principals to access entries makes unauthorized changes harder to detect. Adversaries can leverage these permissions to access cluster workloads, deploy malicious containers, and pivot to other AWS services.
Severity
| Severity | Condition |
|---|---|
| Low | AWS EKS access entry created granting admin access |
| Medium | Unexpected action, ASN, user agent, or region |
Investigation and Remediation
Examine CloudTrail logs to identify the principal that created the access entry. Verify whether the creation aligns with security policies. Remove unauthorized access entries and audit all actions taken by the associated principal. Review existing entries to enforce least-privilege access. Monitor for unexpected access patterns between cloud and cluster resources.
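A worked triage of the CloudTrail review described above, as an added example that is not part of AlphaSOC's rule or product code: it scans CloudTrail records for AssociateAccessPolicy calls that attach a cluster-wide admin policy to an EKS access entry and rates each hit per the severity table. The event name and policy ARN names follow AWS's EKS API; the baseline regions and user agents, account IDs, ARNs and sample records are constructed assumptions.

```python
import json

# Cluster-wide admin access policies (names follow AWS's documented EKS access-policy ARNs).
ADMIN_POLICIES = {"AmazonEKSClusterAdminPolicy", "AmazonEKSAdminPolicy"}
# Per-account baseline of expected regions and tooling; constructed for this example.
BASELINE = {"regions": {"us-east-1"}, "user_agents": ("aws-cli/", "APN/1.0 HashiCorp/1.0 Terraform")}

def classify(record, baseline=BASELINE):
    """Rate one CloudTrail record per the severity table: Low for a cluster-scoped admin policy
    association, Medium if region or user agent is off-baseline, None if the record is irrelevant."""
    if record.get("eventSource") != "eks.amazonaws.com" or record.get("eventName") != "AssociateAccessPolicy":
        return None
    params = record.get("requestParameters") or {}
    policy = params.get("policyArn", "").rsplit("/", 1)[-1]
    if policy not in ADMIN_POLICIES:
        return None
    if (params.get("accessScope") or {}).get("type", "cluster") != "cluster":
        return None  # namespace-scoped grants are not cluster admin
    reasons = []
    if record.get("awsRegion") not in baseline["regions"]:
        reasons.append("unexpected region %s" % record.get("awsRegion"))
    if not record.get("userAgent", "").startswith(baseline["user_agents"]):
        reasons.append("unexpected user agent %r" % record.get("userAgent"))
    actor = (record.get("userIdentity") or {}).get("arn", "unknown")
    summary = "%s granted %s on %s to %s" % (actor, policy, params.get("clusterName"), params.get("principalArn"))
    if reasons:
        summary += " (" + "; ".join(reasons) + ")"
    return ("Medium" if reasons else "Low"), summary

def triage(cloudtrail_json):
    """Run classify() over a CloudTrail export ({"Records": [...]}) and return the hits in order."""
    return [hit for hit in (classify(r) for r in json.loads(cloudtrail_json)["Records"]) if hit]

def _rec(region, agent, actor, principal, policy, scope="cluster"):
    """Build a constructed CloudTrail record for the sample below (not real CloudTrail output)."""
    return {"eventSource": "eks.amazonaws.com", "eventName": "AssociateAccessPolicy", "awsRegion": region,
            "userAgent": agent, "userIdentity": {"arn": actor},
            "requestParameters": {"clusterName": "prod", "principalArn": principal, "accessScope": {"type": scope},
                                  "policyArn": "arn:aws:eks::aws:cluster-access-policy/" + policy}}

SAMPLE = json.dumps({"Records": [
    _rec("us-east-1", "aws-cli/2.15.0", "arn:aws:iam::111122223333:role/PlatformAdmin",
         "arn:aws:iam::111122223333:role/OnCall", "AmazonEKSClusterAdminPolicy"),
    _rec("ap-southeast-1", "python-requests/2.31", "arn:aws:iam::111122223333:user/ci-bot",
         "arn:aws:iam::999999999999:user/unknown", "AmazonEKSClusterAdminPolicy"),
    _rec("us-east-1", "aws-cli/2.15.0", "arn:aws:iam::111122223333:role/PlatformAdmin",
         "arn:aws:iam::111122223333:role/Dev", "AmazonEKSAdminPolicy", scope="namespace"),
]})
```

Running `triage(SAMPLE)` yields one Low hit for the expected on-call grant and one Medium hit for the off-region, off-tooling grant to a foreign-account principal; the namespace-scoped grant is skipped because the rule targets cluster-wide admin.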