AWS EKS cluster endpoint modified to allow public access
Description
AlphaSOC detected a modification to an Amazon Elastic Kubernetes Service (EKS) cluster endpoint configuration enabling public access. EKS endpoints allow communication with the Kubernetes API server. Modifying endpoint access controls can expose cluster management capabilities to unauthorized users on the internet.
Impact
Public access to EKS endpoints creates a risk of unauthorized cluster access, potential container compromise, and resource hijacking for cryptomining. Threat actors can exploit public endpoints to enumerate resources, deploy malicious workloads, or pivot to other AWS services.
Severity
| Severity | Condition |
|---|---|
| Low | AWS EKS cluster endpoint modified to allow public access |
Investigation and Remediation
Review CloudTrail logs to identify users who modified endpoints. Analyze IAM policies and RBAC settings for unauthorized changes. Reconfigure endpoints to restrict access to the private VPC and implement security group controls. Review cluster resources for signs of unauthorized access.
Known False Positives
- Initial cluster creation with default public endpoints
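As an added example (not part of the AlphaSOC detection itself), the script below implements the CloudTrail review described under Investigation and Remediation and applies the false positive above: it flags `UpdateClusterConfig` events that set `endpointPublicAccess` to true, skips `CreateCluster` by default, and records whether the resulting CIDR allow-list is open to the whole internet. The record layout (`eventSource`, `eventName`, `requestParameters.resourcesVpcConfig`) is assumed to follow the EKS CloudTrail format; the records are constructed samples, not real events.

```python
import json

# Constructed sample CloudTrail records (assumed EKS event shape; not real data).
SAMPLE_RECORDS = [
    {"eventSource": "eks.amazonaws.com", "eventName": "UpdateClusterConfig",
     "eventTime": "2024-05-01T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"name": "prod-cluster", "resourcesVpcConfig": {
         "endpointPublicAccess": True, "endpointPrivateAccess": True,
         "publicAccessCidrs": ["0.0.0.0/0"]}}},
    {"eventSource": "eks.amazonaws.com", "eventName": "CreateCluster",
     "eventTime": "2024-05-01T11:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deployer"},
     "requestParameters": {"name": "new-cluster", "resourcesVpcConfig": {
         "endpointPublicAccess": True}}},
    {"eventSource": "eks.amazonaws.com", "eventName": "UpdateClusterConfig",
     "eventTime": "2024-05-01T12:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"name": "prod-cluster", "resourcesVpcConfig": {
         "endpointPublicAccess": False, "endpointPrivateAccess": True}}},
    {"eventSource": "eks.amazonaws.com", "eventName": "UpdateClusterConfig",
     "eventTime": "2024-05-01T13:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/carol"},
     "requestParameters": {"name": "dev-cluster", "resourcesVpcConfig": {
         "endpointPublicAccess": True, "publicAccessCidrs": ["203.0.113.0/24"]}}},
]


def find_public_endpoint_changes(records, ignore_create=True):
    """Return one finding per EKS event that enables public API endpoint access."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "eks.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in ("UpdateClusterConfig", "CreateCluster"):
            continue
        if name == "CreateCluster" and ignore_create:
            continue  # known false positive: new clusters default to a public endpoint
        params = rec.get("requestParameters") or {}
        vpc = params.get("resourcesVpcConfig") or {}
        if not vpc.get("endpointPublicAccess"):
            continue
        # EKS applies 0.0.0.0/0 when publicAccessCidrs is omitted (assumed default).
        cidrs = vpc.get("publicAccessCidrs") or ["0.0.0.0/0"]
        findings.append({"cluster": params.get("name"), "time": rec.get("eventTime"),
                         "actor": (rec.get("userIdentity") or {}).get("arn"),
                         "cidrs": cidrs, "open_to_internet": "0.0.0.0/0" in cidrs})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_public_endpoint_changes(SAMPLE_RECORDS), indent=2))
```

Each finding names the actor ARN and cluster to take to the IAM and RBAC review; an `open_to_internet` of false means public access was enabled but limited to listed CIDRs.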