
AWS EKS access entry unexpectedly created allowing admin access

ID: aws_eks_admin_access_entry_anomaly
Data type: AWS CloudTrail
Severity: Low - Medium
MITRE ATT&CK: TA0003:T1098.006

Description

AlphaSOC detected the creation of an Amazon Elastic Kubernetes Service (EKS) access entry granting admin access. These entries control IAM principal access to Kubernetes clusters by defining RBAC permissions. Since principal bindings persist until modified or revoked, compromised credentials may allow unauthorized cluster access until remediation.

Impact

Creation of admin access entries enables threat actors to move laterally between AWS cloud resources and Kubernetes clusters. The permanent binding of principals to access entries makes unauthorized changes harder to detect. Adversaries can leverage these permissions to access cluster workloads, deploy malicious containers, and pivot to other AWS services.

Severity

Severity | Condition
Low      | AWS EKS access entry created granting admin access
Medium   | Unexpected action, ASN, user agent, or region

Investigation and Remediation

Examine CloudTrail logs to identify the principal that created the access entry. Verify if the creation aligns with security policies. Remove unauthorized access entries and audit all actions taken by the associated principal. Review existing entries to enforce least-privilege access. Monitor for unexpected access patterns between cloud and cluster resources.
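The following is an added example, not AlphaSOC's detection code, showing how the conditions in the Description and the Investigation and Remediation sections can be checked over raw CloudTrail records: it picks out eks.amazonaws.com events that grant admin-level rights through an access entry (CreateAccessEntry with a Kubernetes group your RBAC binds to cluster-admin, or AssociateAccessPolicy with an AWS-managed admin policy), records the principal that made the change, and rates the finding Low or Medium using the severity table above. The baselines (expected actors, ASNs, user agents, regions), the IP-to-ASN lookup table, the `cluster-admins` group and the sample events are all constructed assumptions; the API names and policy ARNs are real EKS identifiers.

```python
"""Added example (not AlphaSOC code): triage CloudTrail events that grant
admin-level access to an EKS cluster through access entries, rating each
finding Low or Medium following the severity conditions on this page."""
import json
from typing import Callable, Iterable, Optional

# Assumed, account-specific baselines (constructed values). In practice these
# come from your IaC deployment identity, corporate egress ASNs, and so on.
EXPECTED_ACTORS = {"arn:aws:iam::123456789012:role/platform-terraform"}
EXPECTED_ASNS = {16509}
EXPECTED_USER_AGENT_PREFIXES = ("terraform-provider-aws/", "aws-cli/2")
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}

# AWS-managed EKS access policies that confer admin-level Kubernetes rights.
ADMIN_POLICY_ARNS = {
    "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
    "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy",
}
# Assumption: Kubernetes groups that this cluster's RBAC binds to cluster-admin.
ADMIN_K8S_GROUPS = {"cluster-admins"}

# Constructed stand-in for an IP-to-ASN lookup (RFC 5737 documentation addresses).
ASN_BY_IP = {"198.51.100.7": 16509, "203.0.113.9": 64500}

# Constructed CloudTrail records, one JSON object per line, trimmed to the
# fields the check needs.
SAMPLE_CLOUDTRAIL = r"""
{"eventID":"evt-1","eventSource":"eks.amazonaws.com","eventName":"CreateAccessEntry","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userAgent":"terraform-provider-aws/5.40.0","userIdentity":{"arn":"arn:aws:iam::123456789012:role/platform-terraform"},"requestParameters":{"name":"prod-cluster","principalArn":"arn:aws:iam::123456789012:role/sre","kubernetesGroups":["cluster-admins"]}}
{"eventID":"evt-2","eventSource":"eks.amazonaws.com","eventName":"AssociateAccessPolicy","awsRegion":"ap-southeast-2","sourceIPAddress":"203.0.113.9","userAgent":"aws-sdk-go/1.44.0","userIdentity":{"arn":"arn:aws:iam::123456789012:role/ci-runner"},"requestParameters":{"name":"prod-cluster","principalArn":"arn:aws:iam::123456789012:user/contractor","policyArn":"arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy","accessScope":{"type":"cluster"}}}
{"eventID":"evt-3","eventSource":"eks.amazonaws.com","eventName":"DescribeCluster","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.15.0","userIdentity":{"arn":"arn:aws:iam::123456789012:role/platform-terraform"},"requestParameters":{"name":"prod-cluster"}}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def grants_admin(event: dict) -> bool:
    """True if the event creates or extends an access entry with admin rights."""
    if event.get("eventSource") != "eks.amazonaws.com":
        return False
    params = event.get("requestParameters") or {}
    name = event.get("eventName")
    if name == "CreateAccessEntry":
        return bool(ADMIN_K8S_GROUPS & set(params.get("kubernetesGroups") or []))
    if name == "AssociateAccessPolicy":
        return params.get("policyArn") in ADMIN_POLICY_ARNS
    return False


def unexpected_reasons(event: dict, source_asn: Optional[int]) -> list:
    """List which of action, ASN, user agent and region fall outside the baseline."""
    reasons = []
    actor = (event.get("userIdentity") or {}).get("arn")
    if actor not in EXPECTED_ACTORS:
        reasons.append("action")  # this principal does not normally manage access entries
    if source_asn is not None and source_asn not in EXPECTED_ASNS:
        reasons.append("ASN")
    if not event.get("userAgent", "").startswith(EXPECTED_USER_AGENT_PREFIXES):
        reasons.append("user agent")
    if event.get("awsRegion") not in EXPECTED_REGIONS:
        reasons.append("region")
    return reasons


def assess(events: Iterable[dict],
           asn_of: Callable[[str], Optional[int]] = ASN_BY_IP.get) -> list:
    """Return one finding per admin-granting event with the page's severity."""
    findings = []
    for ev in events:
        if not grants_admin(ev):
            continue
        params = ev.get("requestParameters") or {}
        reasons = unexpected_reasons(ev, asn_of(ev.get("sourceIPAddress", "")))
        findings.append({
            "eventID": ev.get("eventID"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),  # who to audit next
            "cluster": params.get("name"),
            "granted_to": params.get("principalArn"),            # entry to review/remove
            "via": ev.get("eventName"),
            "severity": "Medium" if reasons else "Low",
            "reasons": reasons,
        })
    return findings


def run_sample() -> list:
    return assess(parse_events(SAMPLE_CLOUDTRAIL))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed sample the Terraform-driven CreateAccessEntry is rated Low, the AssociateAccessPolicy from an unfamiliar role, ASN, SDK and region is rated Medium with all four reasons listed, and DescribeCluster is ignored. The `actor` and `granted_to` fields are the two handles the remediation steps above need: audit the actor's other activity, and review or remove the access entry bound to `granted_to`.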